Sign up for our Technology Newsletter 
Many Websites Still Exposed
The world’s top 1,000 websites have been updated to protect their servers against the “Heartbleed” vulnerability, but up to 2% of the top million remained unprotected as of last week, according to a California security firm.
On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.
Of the top 1,000 Alexa sites, all were either immune or had been patched with the newest OpenSSL libraries, confirmed Daniel Cid, Sucuri’s chief technology officer, in a Sunday email.
Heartbleed, the nickname for the flaw in OpenSSL, an open-source cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption, was discovered independently by Neel Mehta, a Google security engineer, and researchers from security firm Codenomicon earlier this month.
The bug had been introduced in OpenSSL in late 2011.
Because of OpenSSL’s widespread use by websites — many relied on it to encrypt traffic between their servers and customers — and the very stealthy nature of its exploit, security experts worried that cyber criminals either had, or could, capture usernames, passwords,\ and even encryption keys used by site servers.
The OpenSSL project issued a patch for the bug on April 7, setting off a rush to patch the software on servers and in some client operating systems.
The vast majority of vulnerable servers had been patched as of April 17, Sucuri said in a blog postthat day.
While all of the top 1,000 sites ranked by Alexa were immune to the exploit by then, as Sucuri went down the list and scanned smaller sites, it found an increasing number still vulnerable. Of the top 10,000, 0.53% were vulnerable, as were 1.5% of the top 100,000 and 2% of the top 1 million.
Other scans found similar percentages of websites open to attack: On Friday, San Diego-based Websense said about 1.6% of the top 50,000 sites as ranked by Alexa remained vulnerable.
Since it’s conceivable that some sites’ encryption keys have been compromised, security experts urged website owners to obtain new SSL certificates and keys, and advised users to be wary of browsing to sites that had not done so.
Sucuri’s scan did not examine sites to see whether they had been reissued new certificates, but Cid said that another swing through the Web, perhaps this week, would. “I bet the results will be much much worse on that one,” Cid said.
Bluetooth 4.1 Goes IPV6
The Bluetooth Special Interest Group (SIG) has announced Bluetooth 4.1, the first version of Bluetooth to lay the foundations for IPV6 capability.
The first hints of what the Bluetooth SIG had planned for this new version were revealed to The INQUIRER in October during our exclusive interview with Steve Hegenderfer at Appsworld. There, he revealed his aspirations for the Bluetooth protocol to become integral to the Internet of Things.
At the front end of Bluetooth 4.1, the biggest change for users is that the retry duration for lost devices has been increased to a full three minutes, so if you wander off with your wireless headphones still on, there’s more of a chance of being able to seamlessly carry on listening upon your return.
Behind the scenes, devices fitted with Bluetooth 4.1 will be able to act as both hub and end point. The advantage of this is that multiple devices can share information between them without going via the host device, so your smartwatch can talk to your heart monitor and send the combined data in a single transmission to your smartphone.
This sort of “pooling” of devices represents an “extranet of things”, and the technology can therefore be applied to a wider area in forming the “Internet of Things” too.
The other major additions are better isolation techniques to ensure that Bluetooth, which broadcasts on an unregulated band, doesn’t interfere either with itself or with signals from other protocols broadcasting at similar frequencies, including WiFi.
The Bluetooth protocol has retained complete backwards compatibility, so a new Bluetooth 4.1 enabled device will work seamlessly with a Bluetooth 1.0 dongle bought in a pound shop.
In addition, Bluetooth 4.0 devices can be Bluetooth 4.1 enabled through patches, so we should see some Bluetooth 4.1 enabled hardware arrive early in 2014.