Heartbleed fixes taking longer as websites work to plug gaps

SAN FRANCISCO – Websites afflicted by the Heartbleed security flaw are finding that it’s taking longer than anticipated to recover from the fallout.

Heartbleed, which can expose people to hacking of their passwords and other sensitive information, sent companies rushing to patch their systems after the security flaw came to light last week. What some didn’t foresee was the time and cost needed to restore user data and fix interruptions caused by suppliers and partners.

Team Snap Inc., like many other Internet companies vulnerable to Heartbleed, sought to plug the vulnerability with a software update and minor technical adjustments, yet soon discovered that wasn’t enough. Team Snap’s hosting company, which provides their Internet infrastructure, caused a breakdown when it applied its own fix and disrupted customer websites.

That scenario illustrates the hidden costs faced by individuals and businesses as they seek to fix one of the biggest security threats in Internet history, said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd., a mobile-security company based in San Francisco.

“Just take the salary of all the people in IT and security and divide it by one week — that’s probably for everyone, everyone across the board,” Shaulov said in a telephone interview. “There is a ripple effect.”

Heartbleed is one of the biggest security flaws to hit the Internet. The bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, an open-source encryption library.

Some BlackBerry software, including its BBM messaging service for iOS and Android, is affected and the company is working on fixes, it said in an April 10 blog post. BlackBerry smartphones and tablets aren’t compromised, the company said. Calls to BlackBerry’s corporate offices weren’t immediately returned yesterday.

Networking equipment from Cisco Systems and Juniper Networks is at risk, and millions of smartphones and tablets running Google’s Android operating system are affected by Heartbleed.

Bloomberg News reported Friday that the National Security Agency has known about the bug for two years and exploited it as a basic part of its spying toolkit. The Office of the Director of National Intelligence denied that the agency was aware of the vulnerability before 2014.

Two days after applying the fix, Boulder, Colo.-based Team Snap, whose sports website has 6 million registered users, encountered disruptions. Photos that people had uploaded of their children’s sports teams suddenly stopped rendering, and they couldn’t upload any more. Leagues and clubs that pay the company to run team Web pages saw their logos and information disappear.

Team Snap’s entire staff of 43 was involved in getting the website to work again, notifying customers and changing passwords, said Ken McDonald, vice president of customer acquisition.

“It definitely snowballed, and I don’t think any of us when it first happened imagined how many people would be touched in so many ways,” McDonald said. “It’s almost as though you’re in neutral. We have this long list of things that customers want to improve, and instead of doing that you’re just patching and communicating what’s been going on.”

Yahoo found some of its users’ information spilled onto the Internet after its website was found to be vulnerable to the Heartbleed bug a day after its public disclosure.

“As soon as we became aware of the issue, we began working to fix it,” the Sunnyvale, California-based company said in an emailed statement April 9.

Bryn Mawr College in Pennsylvania warned students on April 10 to expect short outages for two days as the school fixed systems affected by Heartbleed. Dartmouth College also told students that they would need to change their passwords after the school patched its systems. Dartmouth representatives didn’t return messages. Tracy Kellmer, a spokeswoman for Bryn Mawr, declined to comment.

While businesses and governments usually rush to apply software patches to defuse security threats, consumers notoriously make the worst choice of all: Doing nothing. Almost six years after the Conficker worm emerged, exploiting a programming flaw in Microsoft’s Windows operating system, the program is still infecting computers.

A major flaw in the Domain Name System that governs Web addresses uncovered by security researcher Dan Kaminsky in 2008 has been mostly neutralized because the companies patched the flaw quickly.

Heartbleed takes more steps to fix. The bug concerns a programming error in OpenSSL, which protects information flowing between servers and customers’ computers. Left unaddressed, the flaw allows hackers to spy on private communications and extract the data from computers with compromised connections.

While early estimates placed the bug inside potentially hundreds of millions of websites, subsequent inquiry revealed a far lower figure. Before Heartbleed was disclosed publicly on April 7, just half a million websites had it and were vulnerable to attack, according to Netcraft Ltd., a British-based cyber-security firm.

Large websites such as Google and Facebook pounced on the issue and plugged any Heartbleed security gaps. Smaller and medium-sized businesses are taking longer, potentially exposing sensitive information.

The security industry’s response to the bug went exactly as anticipated, according to Pat Peterson, co-founder and CEO of Agari Data, a San Mateo, Calif.-based e-mail security company.

Fixing vulnerable Android devices will require investments by handset makers and wireless carriers, and companies that haven’t updated will test the patch and ensure it won’t disrupt their systems, Peterson said. He compared it to distributing a new vaccine.

“Certainly it would be easy to get to health-care workers in developed countries,” Peterson said. “But how about packaging it up and getting it to Sub-Saharan Africa or the jungles of Brazil. The supply chains in those countries need to be able to reliably get the vaccine to every nook and cranny.”
