Back in April, a dangerous security flaw that leaks information in computer memory was discovered in OpenSSL, a cryptographic software library. The flaw, named Heartbleed, made it easy for professional hackers and even casual hacking hobbyists to access private keys, passwords, user IDs and names through web sites, email, instant messaging and virtual private networks.
It turns out that the flaw was hidden for over two years until it was discovered by a member of Google's security team.
What makes this flaw particularly worrisome is that attacks made through it cannot be traced back to their source.
It was estimated that over 600,000 servers worldwide were potentially vulnerable. A fix for the flaw was released on April 7 (OpenSSL 1.0.1g). However, only about half of the vulnerable servers are estimated to have been fixed so far.
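As an added example, not part of the original article, here is a small Python check a server administrator can run against the `openssl version` banner to tell whether the installed library predates the 1.0.1g fix. The affected version ranges are supplied from the editor's knowledge of the advisory, and the stand-alone run at the bottom assumes an `openssl` binary on the PATH.

```python
import re

# Upstream versions affected by Heartbleed: OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta1 pre-release. 1.0.1g (released 7 April 2014) carries the fix; the
# 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(banner: str):
    """Turn an `openssl version` banner into (major, minor, fix, letter, prerelease)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed' or 'not affected' by upstream version.

    Caveat: Linux distributions backported the fix without bumping the upstream
    number, so a banner such as 'OpenSSL 1.0.1e-fips' may already be patched.
    Treat 'vulnerable' as 'confirm against your package changelog'.
    """
    major, minor, fix, letter, pre = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) up to 1.0.1f are vulnerable; 1.0.1g and later are fixed.
        return "fixed" if letter >= "g" else "vulnerable"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped before the fix landed.
        return "vulnerable" if pre == "beta1" else "fixed"
    return "not affected"


if __name__ == "__main__":
    import subprocess

    # Assumes an `openssl` binary is available on the PATH.
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    print(out.stdout.strip(), "->", heartbleed_status(out.stdout))
```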
Robert Graham, a researcher with Errata Security, has been tracking the ratio of fixed to still-vulnerable systems. He found that over half of the vulnerable sites were fixed shortly after the flaw was found and a fix made available. But progress seems to have stalled, and the number of vulnerable systems has not changed much since the initial frenzy of fixes.
"This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable," said Graham.
In the meantime, computer and Internet users can take these simple steps to protect themselves against the Heartbleed bug:
* Canvass your bookmarks for sites you use for ecommerce, banking, email, messaging, medical purposes, travel and any other site that requires a password or holds personal or other sensitive data.
* Consult a listing that reports whether those sites are still vulnerable to Heartbleed. One such checklist site is LastPass.
* If you know that a particular site is no longer cursed with the Heartbleed bug, go ahead and change your password for that site. If a site still has not been fixed, there is no point in changing your password yet, as the new password will be just as vulnerable as the old one. In the interim, it would be best not to use a still-buggy site until it gets its act together. The Heartbleed bug makes sensitive data accessible to hackers only while that data is in transmission, meaning that your data should be safe if it is not in use.