Heartbleed fixes taking longer as websites work to plug gaps

  • Bloomberg News
  • Monday, April 14, 2014 1:21pm
  • Business

SAN FRANCISCO – Websites afflicted by the Heartbleed security flaw are finding that it’s taking longer than anticipated to recover from the fallout.

Heartbleed, which can expose people to hacking of their passwords and other sensitive information, sent companies rushing to patch their systems after the security flaw came to light last week. What some didn’t foresee was the time and cost needed to restore user data and fix interruptions caused by suppliers and partners.

Team Snap Inc., like many other Internet companies vulnerable to Heartbleed, sought to plug the vulnerability with a software update and minor technical adjustments, yet soon discovered that wasn’t enough. Team Snap’s hosting company, which provides their Internet infrastructure, caused a breakdown when it applied its own fix and disrupted customer websites.

That scenario illustrates the hidden costs faced by individuals and businesses as they seek to fix one of the biggest security threats in Internet history, said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd., a mobile-security company based in San Francisco.

“Just take the salary of all the people in IT and security and divide it by one week — that’s probably for everyone, everyone across the board,” Shaulov said in a telephone interview. “There is a ripple effect.”

Heartbleed is one of the biggest security flaws to hit the Internet. The bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption.

Some BlackBerry software, including its BBM messaging service for iOS and Android, is affected and the company is working on fixes, it said in an April 10 blog post. BlackBerry smartphones and tablets aren’t compromised, the company said. Calls to BlackBerry’s corporate offices weren’t immediately returned yesterday.

Networking equipment from Cisco Systems and Juniper Networks is at risk, and millions of smartphones and tablets running Google’s Android operating system are affected by Heartbleed.

Bloomberg News reported Friday that the National Security Agency has known about the bug for two years and exploited it as a basic part of its spying toolkit. The Office of the Director of National Intelligence denied that the agency was aware of the vulnerability before 2014.

Two days after applying the fix, Boulder, Colo.-based Team Snap, whose sports website has 6 million registered users, encountered disruptions. Photos that people had uploaded of their children’s sports teams suddenly stopped rendering, and they couldn’t upload any more. Leagues and clubs that pay the company to run team Web pages saw their logos and information disappear.

Team Snap’s entire staff of 43 was involved in getting the website to work again, notifying customers and changing passwords, said Ken McDonald, vice president of customer acquisition.

“It definitely snowballed, and I don’t think any of us when it first happened imagined how many people would be touched in so many ways,” McDonald said. “It’s almost as though you’re in neutral. We have this long list of things that customers want to improve, and instead of doing that you’re just patching and communicating what’s been going on.”

Yahoo found some of its users’ information spilled onto the Internet after its website was found to be vulnerable to the Heartbleed bug a day after its public disclosure.

“As soon as we became aware of the issue, we began working to fix it,” the Sunnyvale, California-based company said in an emailed statement April 9.

Bryn Mawr College in Pennsylvania warned students on April 10 to expect short outages for two days as the school fixed systems affected by Heartbleed. Dartmouth College also told students that they would need to change their passwords after the school patched its systems. Dartmouth representatives didn’t return messages. Tracy Kellmer, a spokeswoman for Bryn Mawr, declined to comment.

While businesses and governments usually rush to apply software patches to defuse security threats, consumers notoriously make the worst choice of all: Doing nothing. Almost six years after the Conficker worm emerged, exploiting a programming flaw in Microsoft’s Windows operating system, the program is still infecting computers.

A major flaw in the Domain Name System that governs Web addresses uncovered by security researcher Dan Kaminsky in 2008 has been mostly neutralized because the companies patched the flaw quickly.

Heartbleed takes more steps to fix. The bug concerns a programming error in OpenSSL, which protects information flowing between servers and customers’ computers. Left unaddressed, the flaw allows hackers to spy on private communications and extract the data from computers with compromised connections.

While early estimates placed the bug inside potentially hundreds of millions of websites, subsequent inquiry revealed a far lower figure. Before Heartbleed was disclosed publicly on April 7, just half a million websites had it and were vulnerable to attack, according to Netcraft Ltd., a British-based cyber-security firm.

Large websites such as Google and Facebook pounced on the issue and plugged any Heartbleed security gaps. Smaller and medium-sized businesses are taking longer, potentially exposing sensitive information.

The security industry’s response to the bug went exactly as anticipated, according to Pat Peterson, co-founder and CEO of Agari Data, a San Mateo, Calif.-based e-mail security company.

Fixing vulnerable Android devices will require investments by handset makers and wireless carriers, and companies that haven’t updated will test the patch and ensure it won’t disrupt their systems, Peterson said. He compared it to distributing a new vaccine.

“Certainly it would be easy to get to health-care workers in developed countries,” Peterson said. “But how about packaging it up and getting it to Sub-Saharan Africa or the jungles of Brazil. The supply chains in those countries need to be able to reliably get the vaccine to every nook and cranny.”
