It’s RunAs Radio, it’s Heartbleed and it’s still got a way to run yet

Day 16: The news headlines continue. Conspiracy theories keep emerging. The FUD evolves as people take further liberties with the truth (no mate, you didn’t get done by Heartbleed, you just chose a crap password).

A few days ago I caught up with Richard Campbell of RunAs Radio fame to talk about Heartbleed. You may remember Richard from such .NET Rocks episodes as talking security with Carl, Richard and Troy and Hacking yourself first with Carl and Richard on .NET Rocks. RunAs tends to be a more IT infrastructure orientated show but the thing about Heartbleed is that it really know no bounds; sys admins, devs and even consumers are copping it left right and centre.

This show panned out to be more about a couple of guys talking through how the bug and the security implications are panning out rather than being about what the Heartbleed bug is per se (read my post on Everything you need to know about the Heartbleed SSL bug if you want to know that). It’s about 33 minutes and you can grab it from the RunAs Radio site or listen to it here:

Oh – one more thing. You may be thinking “Wow, Heartbleed was bad but I’m glad it’s behind us now” and that would be a fair assumption as it’s such a simple bug to patch. Yeah, about that – as I say in the show, there’s evidence of a huge number of websites remaining unpatched. Let me give you one example here and it goes back to this tweet from RawInfoSec on April 10:

@naymzdotcom Are you aware that your site is vulnerable to the HeartBleed OpenSSL Bug?  Pls update.  Also, your login page is not encrypted.

Naymz (they do social media management bits and pieces) responded a few hours later:

@RawInfoSec Thank you for notifying us of this. Our engineering team is investigating and implementing a fix. Cheers.

Fair enough, keep in mind that we first heard of this bug only a few days earlier. So how are things looking today almost a fortnight on? Let’s see:

Heartbleed test - IS VULNERABLE

Assuming this test is correct (and let’s face it, it’s dead easy to check it yourself and exploit a vulnerable system), you’d need to assume that all the data customers are sending to this site is easily retrievable by anyone with an internet connection and a few minutes of spare time on their hands. Guys – it’s more than two weeks already – you know your system is vulnerable and your customers are exposed, what on earth is going on over there?!

I don’t mean to only single Naymz out as they’re one of very, very many that simply haven’t worked out the severity or the risk to customers yet, but I do want to make the point that we’re still a long way from having this issue behind us.

Security Speaking
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals