Cybersecurity experts from a university conducted a detailed analysis and found that website administrators nationwide tasked with patching security holes exploited by the Heartbleed bug might not have done enough.
The Heartbleed bug, which was first disclosed in April this year, is a serious vulnerability in the popular OpenSSL (Secure Sockets Layer) software that allows anyone on the Internet to read the memory of systems affected by the bug.
A team of cybersecurity experts from the University of Maryland analyzed the most popular websites in the United States (more than one million sites were examined) to better understand the extent to which systems administrators followed specific protocols to fix the problem.
Assistant Research Scientist Dave Levin and Assistant Professor of Electrical and Computer Engineering Tudor Dumitras' team, which included researchers from Northeastern University and Stanford University, discovered that while approximately 93 percent of the websites analyzed had patched their software correctly within three weeks of Heartbleed being announced, only 13 percent followed up with other security measures needed to make the systems completely secure.
Levin said that once Heartbleed was made public, website administrators everywhere should have immediately taken three steps to regain better control and security over their systems.
He revealed that they needed to patch their OpenSSL software, they needed to revoke their current certificates, and they needed to reissue new ones.
The team's data analysis also highlighted an interesting trend that points to the role that humans play in these complex security systems, said Dumitras. In a graph displaying how many certificates were revoked over the course of the three weeks, their data shows a significant drop in revocation rates during weekends.
Dumitras and Levin hope that the team's findings will spur conversations regarding the multiple factors that influence overall computer security, and how those factors can work together to better strengthen systems.
Levin said that security isn't something to be taken for granted, adding that he sees some of these results and is shocked and surprised and a little bit scared. But he said that at the same time, he sees it as an opportunity for improvement.