Heartbleed fixes taking longer as websites work to plug gaps

  • Bloomberg News
  • Monday, April 14, 2014 1:21pm
  • Business

SAN FRANCISCO – Websites afflicted by the Heartbleed security flaw are finding that it’s taking longer than anticipated to recover from the fallout.

Heartbleed, which can expose people to hacking of their passwords and other sensitive information, sent companies rushing to patch their systems after the security flaw came to light last week. What some didn’t foresee was the time and cost needed to restore user data and fix interruptions caused by suppliers and partners.

Team Snap Inc., like many other Internet companies vulnerable to Heartbleed, sought to plug the vulnerability with a software update and minor technical adjustments, yet soon discovered that wasn’t enough. Team Snap’s hosting company, which provides their Internet infrastructure, caused a breakdown when it applied its own fix and disrupted customer websites.

That scenario illustrates the hidden costs faced by individuals and businesses as they seek to fix one of the biggest security threats in Internet history, said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd., a mobile-security company based in San Francisco.

“Just take the salary of all the people in IT and security and divide it by one week — that’s probably for everyone, everyone across the board,” Shaulov said in a telephone interview. “There is a ripple effect.”

Heartbleed is one of the biggest security flaws to hit the Internet. The bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, open-source encryption software.

Some BlackBerry software, including its BBM messaging service for iOS and Android, is affected and the company is working on fixes, it said in an April 10 blog post. BlackBerry smartphones and tablets aren’t compromised, the company said. Calls to BlackBerry’s corporate offices weren’t immediately returned yesterday.

Networking equipment from Cisco Systems and Juniper Networks is at risk, and millions of smartphones and tablets running Google’s Android operating system are affected by Heartbleed.

Bloomberg News reported Friday that the National Security Agency has known about the bug for two years and exploited it as a basic part of its spying toolkit. The Office of the Director of National Intelligence denied that the agency was aware of the vulnerability before 2014.

Two days after applying the fix, Boulder, Colo.-based Team Snap, whose sports website has 6 million registered users, encountered disruptions. Photos that people had uploaded of their children’s sports teams suddenly stopped rendering, and they couldn’t upload any more. Leagues and clubs that pay the company to run team Web pages saw their logos and information disappear.

Team Snap’s entire staff of 43 was involved in getting the website to work again, notify customers and change passwords, said Ken McDonald, vice president of customer acquisition.

“It definitely snowballed, and I don’t think any of us when it first happened imagined how many people would be touched in so many ways,” McDonald said. “It’s almost as though you’re in neutral. We have this long list of things that customers want to improve, and instead of doing that you’re just patching and communicating what’s been going on.”

Yahoo found some of its users’ information spilled onto the Internet after its website was found to be vulnerable to the Heartbleed bug a day after its public disclosure.

“As soon as we became aware of the issue, we began working to fix it,” the Sunnyvale, California-based company said in an emailed statement April 9.

Bryn Mawr College in Pennsylvania warned students on April 10 to expect short outages for two days as the school fixed systems affected by Heartbleed. Dartmouth College also told students that they would need to change their passwords after the school patched its systems. Dartmouth representatives didn’t return messages. Tracy Kellmer, a spokeswoman for Bryn Mawr, declined to comment.

While businesses and governments usually rush to apply software patches to defuse security threats, consumers notoriously make the worst choice of all: Doing nothing. Almost six years after the Conficker worm emerged, exploiting a programming flaw in Microsoft’s Windows operating system, the program is still infecting computers.

A major flaw in the Domain Name System that governs Web addresses uncovered by security researcher Dan Kaminsky in 2008 has been mostly neutralized because the companies patched the flaw quickly.

Heartbleed takes more steps to fix. The bug concerns a programming error in OpenSSL, which protects information flowing between servers and customers’ computers. Left unaddressed, the flaw allows hackers to spy on private communications and extract the data from computers with compromised connections.

While early estimates placed the bug inside potentially hundreds of millions of websites, subsequent inquiry revealed a far lower figure. Before Heartbleed was disclosed publicly on April 7, just half a million websites had it and were vulnerable to attack, according to Netcraft Ltd., a British-based cyber-security firm.

Large websites such as Google and Facebook pounced on the issue and plugged any Heartbleed security gaps. Smaller and medium-sized businesses are taking longer, potentially exposing sensitive information.

The security industry’s response to the bug went exactly as anticipated, according to Pat Peterson, co-founder and CEO of Agari Data, a San Mateo, Calif.-based e-mail security company.

Fixing vulnerable Android devices will require investments by handset makers and wireless carriers, and companies that haven’t updated will test the patch and ensure it won’t disrupt their systems, Peterson said. He compared it to distributing a new vaccine.

“Certainly it would be easy to get to health-care workers in developed countries,” Peterson said. “But how about packaging it up and getting it to Sub-Saharan Africa or the jungles of Brazil. The supply chains in those countries need to be able to reliably get the vaccine to every nook and cranny.”
