Two weeks after Heartbleed: Stats for Norway

Since the public disclosure on April 7th, I’ve followed the development of the Heartbleed vulnerability, and especially how Norway has been affected.

Update: Charts updated April 22nd. Slight improvement for port 443 over the last 24 hours.

This work has involved regular scans of the ~16 million IP addresses allocated to Norway, and probes of a variety of ports / services throughout these subnets.

Relevant authorities have had exclusive access to the reports I’ve assembled, and I’ve published brief stats updates on Twitter. After two weeks the time seems right to publish some charts.

First off, there’s the change in vulnerable services over time. For each presented service, the total population is that which fulfills the basic premise for vulnerability: HTTPS support, SMTP with STARTTLS, etc.

[Chart 1: vulnerable services over time]

At any given moment, around 80,000 Norwegian IP addresses listen for, and respond to, HTTPS requests on port 443. On April 8th, around 24 hours after the public disclosure, ~6.8% of these were vulnerable. After 36 hours, roughly 5% were vulnerable. After a week, 2.7% were vulnerable. Today, two weeks after the disclosure, 2.5% are vulnerable.

Looking at the chart, it seems day-to-day patching came to an expected halt over Easter. The intra-day changes can just as well be attributed to services being switched off and on as to conscious upgrades.

The second chart shows a breakdown of the Server header returned by the various services listening on port 443. Curiously, “Microsoft IIS” is in the list – while not vulnerable itself. In this and other cases an intermediate (the device that actually terminates TLS) is the vulnerable party. The continuing presence of VPN servers is, while not surprising, more alarming.

[Chart 2: Server header breakdown for services on port 443]

I’m somewhat concerned that web servers got the principal focus, and that all other servers and devices remain overlooked by most. Similarly, there’s the risk that mostly front-facing services have been patched, and that even bigger actors have forgotten the odd back-of-the-shop device or service.

We’re now entering the long run, meaning servers and devices that weren’t dealt with in the first two weeks are likely to stay unpatched for a long, long time. Routers, VPN concentrators, network attached storage, video conferencing equipment and even mail servers – these and many more are now at risk of being forgotten.

Please patch your servers.