Days after the HeartBleed bug was announced, Rob Graham got to work.
As the owner of an Atlanta cyber security firm that assesses computer vulnerabilities, he started scanning the Internet for leaky systems affected by the HeartBleed flaw. Each could allow hackers to eavesdrop on information passed between users and web services.
Initially, in April 2014, Graham found roughly 600,000 servers that were still vulnerable; A month later, that number was cut in half. But since then, there hasn’t been much progress.
Today, almost a year after HeartBleed was announced, many servers owned by the federal government are still open to attack.
But not in the way you might think, Graham explains.
“It’s often things like a camera that’s on the Internet, or an email server that’s off to the side,” he said. “So it’s not the main thing that people think of.”
It’s not a question of fixing these flawed devices, Graham said. They aren’t hard to secure. It’s just that, perhaps, the manpower isn’t there to do the job. Or, security experts dismiss the upgrades as trivial.
Graham said he’s discussed the vulnerability with various government contractors and employees of the United States Computer Emergency Readiness Team.
“No one is interested in hearing about their own vulnerabilities,” said Graham.
US-Cert did not immediately respond to a request to discuss the issue.