A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in Paris

Exclusive: FBI warns healthcare sector vulnerable to cyber attacks

BOSTON (Reuters) – The FBI has warned healthcare providers their cybersecurity systems are lax compared to other sectors, making them vulnerable to attacks by hackers searching for Americans’ personal medical records and health insurance data.

Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.

“The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the Federal Bureau of Investigation said in a private notice it has been distributing to healthcare providers, obtained by Reuters.

The notice, dated April 8, did not mention the Obamacare website, Healthcare.gov, which has been criticized by opponents of the Obama administration for security flaws. It urged recipients to report suspicious or criminal activity to local FBI bureaus or the agency’s 24/7 Cyber Watch.

FBI spokeswoman Jenny Shearer declined comment on the private industry notification, or PIN. In January the FBI issued a PIN advising retailers to expect more credit card breaches following last year’s unprecedented attack on Target Corp.

Details of PINs are typically unclassified, but generally only shared with affected organizations who are asked to keep their contents private.

A series of privately commissioned reports published over the past few years have urged healthcare systems to boost security. Experts applauded the FBI for responding with its own warning.

“I’m really happy to see the FBI doing this. It’s nice to see the attention,” said Shane Shook, an executive with cybersecurity firm Cylance Inc who helps companies respond to breaches.

Retailers and financial institutions have taken steps to bolster security of financial information after the attack on Target as well as smaller breaches at Neiman Marcus, Michaels and other merchants. Hackers accessed millions of bank card numbers and other customer data.

As those stolen payment card numbers flooded underground markets, the value of that information dropped, leading to “fire sales” by criminals seeking to unload them, said Angel Grant, senior manager for fraud and risk intelligence at EMC Corp’s RSA security division.

Demand for medical information, however, remains strong on criminal marketplaces, experts said, partly because it takes victims longer to realize the information has been stolen and report it, and because of the different ways the information can be used.

Cyber criminals were getting paid $20 for health insurance credentials on some underground markets, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach, according to cybersecurity firm Dell SecureWorks.

Some criminals use medical records to impersonate patients with diseases so they can obtain prescriptions for controlled substances, Grant said. Several U.S. states, including Massachusetts, have reported a surge in opiate addiction, along with a jump in heroin overdoses that the Obama administration has called a “public health crisis”.

Other criminals are purely interested in using the medical data for financial fraud.

“They are harvesting information to make it easier to conduct identity theft, to open new accounts,” Grant said.

Pieces of health information are also sometimes combined with other pieces of data into complete packages known as “fullz” and “kitz” on underground exchanges, where they can fetch $1,000 or more when bundled with counterfeit documents, according to Dell.

The two-page FBI alert cited a February 2014 report from the non-profit SANS Institute, which trains cybersecurity professionals. SANS had warned the healthcare industry was not well-prepared to fight growing cyber threats, pointing to hundreds of attacks on radiology imaging software, video conferencing equipment, routers and firewalls.

(Reporting by Jim Finkle; Editing by Richard Valdmanis and Mohammad Zargham)

NSA data gathering facility in Bluffdale, south of Salt Lake City, Utah

Brazil conference will plot Internet’s future post NSA spying

SAO PAULO/BRASILIA (Reuters) – A global conference in Brazil on the future of the Internet in the wake of U.S. spying revelations might be much less anti-American than first thought after Washington said it was willing to loosen its control over the Web.

Bowing to the demands of Brazil and other nations following revelations last year of its massive electronic surveillance of Internet users, the United States has agreed to relinquish oversight of the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit group based in California that assigns Internet domain names or addresses.

“The focus has changed from a political reaction to the NSA allegations to one of more constructive criticism and talk about the future of the Internet,” said William Beer, a cyber security expert based in Sao Paulo.

The two-day Net Mundial conference in Sao Paulo, which will be opened on Wednesday by Brazilian President Dilma Rousseff, will discuss cyber security and how to safeguard privacy and freedom of expression on the Internet, as well as the shape of a future international body to oversee the decentralized digital network.

Officials from dozens of countries – from China and Cuba to the United States and European nations – will attend, but organizers say they will have no more voice at the event than Internet companies, academics, technical experts and groups representing Internet users.

“All of them should have equal participation in this multi stakeholder process,” said Virgilio Almeida, Brazil’s secretary for IT policy, who will chair the conference.

The event is not expected to result in any binding policy decisions, but Almeida said it will launch a high-profile debate that will “sow the seeds” for future reforms of the way the Internet is governed.

Rousseff was infuriated by revelations last year that the U.S. National Security Agency snooped on her personal emails and telephone calls with secret Internet surveillance programs. Other leaders, including Germany’s Angela Merkel, were also targeted by the NSA surveillance.

The revelations by former NSA analyst Edward Snowden brought worldwide calls for the United States to reduce its control of the Internet, created 50 years ago to link the computers of American universities to the U.S. defense industry.

Last month, the U.S. government surprised many by announcing it would relinquish oversight of the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit group based in California that assigns the network’s domain names or addresses.

Washington said it will hand off control of ICANN by September 2015 to an international body to be decided upon over the next year, with one important caveat – the new organization cannot be controlled by any other government.

The debate over who will run ICANN is likely to create a new focus of tension with countries that want the Internet under the control of a multilateral body such as the United Nations.

As its contribution to the debate this week, China submitted a proposal with Russia, Tajikistan and Uzbekistan for a code of conduct for the Internet to be drawn up at the United Nations.

The proposal, coming from states criticized for censoring Internet content, is unlikely to win broad support at this week’s conference.

“Most participants here want a multi stakeholder model for the Internet,” Almeida told Reuters. “China wants a treaty at the United Nations, but only governments are represented there.”

(Writing by Anthony Boadle; Editing by Kieran Murray and Andre Grenon)

A visitor walks past a stand offering security solutions for the internet at the 2014 CeBIT computer technology trade fair on March 10, 2014 in Hanover, central Germany

Cyber risks can cause disruption on scale of 2008 crisis

Organisations must dramatically improve their response to cyber risks to avoid a new global shock on the scale of the financial crisis that rocked the world in 2008, a study showed Tuesday.

Zurich Insurance said in a statement that even cyber security professionals did not have a clear overview of all the interconnected risks organisations can face.

The Swiss insurance group, which has produced a report on cyber risks in cooperation with the Atlantic Council think tank, warned that “a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis”.

Subprime mortgages were at the root of that crisis which began when the US housing market collapsed, dragging down major banks, and causing panic on world financial markets.

The Zurich Cyber Risk Report said IT risks could pose a threat of a similar scale.

“Few people truly understand their own computers or the Internet, or the cloud to which they connect, just a few truly understood the financial system as a whole or the parts to which they are most directly exposed,” said Zurich risk chief Axel Lehmann.

Outsourcing server management, for example, or creating direct connections between organisations for things like corporate joint ventures, makes it more difficult to get an overview of the risks involved, Zurich said.

The risk of disruption in the Internet infrastructure itself, malware attacks and major international conflicts can also create system-wide risk, it added.

“The Internet is the most complex system humanity has ever devised. Although it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can, and likely will, backfire,” Lehmann said.

Focus on global effort to ensure cybersecurity

Muscat: With the number of cybersecurity attacks increasing, regional and global cooperation is necessary to face the challenge, stressed speakers at the third annual regional Cybersecurity Summit, which opened in Muscat on Monday.

Organised by the Information Technology Authority (ITA), represented by Oman National CERT (OCERT) in cooperation with the International Telecommunication Union (ITU), IMPACT and French business information group naseba, the 3rd Annual Regional Cybersecurity Summit opened under the auspices of Yousuf bin Alawi bin Abdullah, Minister of Foreign Affairs.

Commenting on the summit, he said, “This regional conference is very important for the Sultanate as it has assumed responsibility for cybersecurity in the region. The cooperation between the regional countries and other countries that have important interests in this region should be real. The Sultanate welcomes such cooperation, which aims to protect the common electronic interests from theft and other bad behaviours that could result in losses for the business community and companies, investments and others.”

In his welcome address at the summit, Dr Salim Sultan Al Ruzaiqi, CEO of ITA Oman, said, “The issue of cybersecurity in general and protecting institutions’ critical infrastructures in particular requires a holistic view. As the number of cybersecurity attacks increase, regional and global cooperation is necessary to face the challenge. The role of regional and national CERTs is to work together to develop plans, share experiences and discuss solutions.”

Highlighting some statistics from Symantec from the past two years, Dr Al Ruzaiqi stated that the financial loss resulting from cybercrime is estimated at 110 billion dollars per year, and that 556 million people worldwide have fallen victim to cybercrimes. He further pointed out that the sectors most affected by cybercrime are the critical infrastructure facilities around the world. “Only by intensifying our efforts to develop solutions and strategies for the protection of such institutions can we win the war against cybercrime.”

Chairperson for the first day of the event, Eng Badar Ali Al Salehi, Director General of OCERT, explained the importance of such a regional gathering and the impact it can have on the cybersecurity future of the region.

He said, “The conference is being organised to highlight key issues that are affecting most regional countries. It acts as a platform for everyone to come together and address these threats.” He concluded his opening remarks by noting the importance of staying ahead. “It is important to learn from mistakes and figure out the motives behind cyber-attacks. But the main key is prevention.”

The opening keynote address was followed by the address of Ilia Kolochenko, CEO of the Swiss company High Tech Bridge. While the keynote address discussed the importance of eliminating vulnerabilities and maximising efficiency in interconnected and interdependent infrastructures, Kolochenko highlighted how protecting all classified information has become a top priority for nations and businesses all across the world.

© Muscat Press and Publishing House SAOC 2014 Provided by Syndigate.info, an Albawaba.com company

Looking for a job? Clean up your Facebook account first

Having a hard time finding a job? You might want to have a second look at your Facebook profile.

Yes, employers extend their background check even to your social media presence. “The prospective employer these days may be more interested in what your name pulls up in search engines than how perfectly coordinated your shoes are with your power suit,” said Robert Siciliano, a personal security and identity theft expert.

That’s why cleaning up your online profiles on Facebook, Twitter, Google+ and other social media networking sites may be the first thing you must do to prepare for an interview.

Here are more reasons why you should start going through your profiles.

1. Your digital footprint says a lot about you

Your CV is just a piece of paper. Employers would like to look at your personality and, unfortunately, your rants and indecent photos during college give a very bad impression.

2. Most employers use social media to research people

While calling your character references seems to be a good option, most employers prefer the easy way: a social media background check. So make sure your online profiles are squeaky clean before you step into that interview.

3. Privacy settings are not always reliable

The truth is that privacy settings among these social media networks are prone to frequent change. That’s the power of social media. Everything you post is visible to everyone but they’re doing a good job at concealing it through privacy settings. Before you upload or type something, always make sure to think about the consequences first.

4. Changing trends in social media

Notice updates on your social network’s settings from time to time? You should pay attention to that and change your settings accordingly. Social media is consistently evolving and as a responsible user, you should always be informed and keep up with the latest trends.

5. It is used for verification

After ‘Googling’ you, there’s a tendency for employers to verify what they just found during the interview in a subtle manner. Employers are more interested about your personality and honesty is always a good virtue to start with. So if you’re always out partying all night and claim that you’re an introvert, that may be a big no-no.

Copyright © 2014 Khaleej Times. All Rights Reserved. Provided by Syndigate.info, an Albawaba.com company

Health care site flagged in Heartbleed review

WASHINGTON (AP) — People who have accounts on the enrollment website for President Barack Obama’s signature health care law are being told to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed computer bug.

Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page.

The Heartbleed computer bug has caused major security concerns across the Internet and affected a widely used encryption technology that was designed to protect online accounts. Major Internet services have been working to insulate themselves against the bug and are also recommending that users change their website passwords.

Officials said the administration was prioritizing its analysis of websites with heavy traffic and the most sensitive user information. A message that will be posted on the health care website starting Saturday reads: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”

The health care website became a prime target for critics of the Obamacare law last fall when the opening of the insurance enrollment period revealed widespread flaws in the online system. Critics have also raised concerns about potential security vulnerabilities on a site where users input large amounts of personal data.

The website troubles were largely fixed during the second month of enrollment and sign-ups ultimately surpassed initial expectations. Obama announced this week that about 8 million people had enrolled in the insurance plans.

The full extent of the damage caused by Heartbleed is unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. Although it’s conceivable that the flaw was never discovered by hackers, it’s difficult to tell.

The White House has said the federal government was not aware of the Heartbleed vulnerability until it was made public in a private sector cybersecurity report earlier this month. The federal government relies on the encryption technology that is impacted — OpenSSL — to protect the privacy of users of government websites and other online services.

The Homeland Security Department has been leading the review of the government’s potential vulnerabilities. The Internal Revenue Service, a widely used website with massive amounts of personal data on Americans, has already said it was not impacted by Heartbleed.

“We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems,” Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, wrote in a blog post on the agency website. “And we will continue to adapt our response if we learn about additional issues created by the vulnerability.”

Officials wouldn’t say how many government websites they expect to flag as part of the Heartbleed security review, but said it’s likely to be a limited number. The officials insisted on anonymity because they were not authorized to discuss the security review by name.

___

Follow Julie Pace at http://twitter.com/jpaceDC

One in three Android apps on non-Google stores are malicious, study finds

Almost a third of Android apps on third-party app stores contain some form of malicious software, according to research from cybersecurity firm Opswat.

Knock-off versions of popular apps such as Twitter and Angry Birds dominate the list of suspicious downloads, while one-shot joke apps such as ‘screen crack’ make up the rest.

The firm downloaded almost 12,000 app files from various sources of Android apps other than the official Google Play store, and loaded them into its proprietary anti-malware system Metascan, which flagged 32% of the apps as suspicious.

Metascan works by using multiple anti-malware libraries, and the majority of the apps it highlighted were marked as malware by just one service. Additionally, many files were picked up because they had been classified as adware, “which is not universally considered malware,” says Opswat’s director of professional services, Dan Lanir.

But even when only counting apps which were flagged by at least two libraries, and which were flagged for something other than being adware, almost one in ten qualified.

The news illustrates a long-running problem for Android: the system’s openness is frequently taken advantage of by malicious actors. While the Google Play store is largely safe – except for scam apps such as Virus Shield, which cost $3.99 and did absolutely nothing – a selling point of Android is that the OS will run apps downloaded from other stores.

This article originally appeared on guardian.co.uk

After Heartbleed, What Other Bugs Lurk On The Internet?

In wake of Heartbleed, the Internet security flaw that exposed at least two-thirds of websites to the risk of data theft, security professionals and programmers are warning that other serious vulnerabilities are looming. From so-called injection flaws to faulty authentication systems, hazards and hackers are just around the corner.

“Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure,” the Open Web Application Security Project (Owasp) said in its report of the 10 most critical cybersecurity risks of 2013. “As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially.”

At the top of the group’s list are injection flaws, which occur when an attacker submits untrusted data to trick a website into performing an unintended command, such as allowing access to private accounts. Owasp ranked injection flaws as the most critical for how easy they are for malicious hackers to exploit, how common they are and how severely they can impact a business.

The second-biggest flaws are authentication (password login) systems that aren’t implemented correctly. There are also cross-site scripting (XSS) flaws, which happen when an application takes untrusted data and sends it to a web browser without validation. The Syrian Electronic Army uses XSS attacks to deface websites and other hackers can use XSS to redirect users to malicious sites or hijack user sessions.

What’s especially troubling about the list is that the top five worst risks in 2013 are exactly the same as the worst risks in 2010. Despite the fact that all programmers are taught to avoid these errors, inexperienced programmers working on increasingly difficult code allow these flaws to keep cropping up.

“If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization,” Gerald M. Weinberg, a computer scientist, wrote in his 1971 book, “The Psychology of Computer Programming.” The aphorism has since been dubbed “Weinberg’s Second Law,” and Heartbleed showed that it’s just as true today as it was more than 40 years ago.

The people writing the code can’t be entirely blamed. Programmers are often given scant direction in building software, and their efforts often aren’t rewarded. Open-source software like OpenSSL, the library in which the Heartbleed bug was found, is controlled by a nebulous team of volunteers.

Private companies are also often unwilling to spend money on new systems or proper bug testing and correction.

“You don’t wanna know how much relies on very old systems and technology [sic],” an IT professional using the name “He_knows” wrote on a Reddit thread created to discuss cybersecurity vulnerabilities that the public isn’t aware of.

“We can write good software, but it costs a fortune and business priorities often mean good enough is good enough,” Reddit user “noir_lord” wrote.

This often means a company will pay for good developers to build software and get it running, only to replace them with less experienced and inexpensive developers to watch after it. Years later, the IT staff is unaware of how the original software was even built in order to modify or change it.

Security firms like Codenomicon, which discovered the Heartbleed vulnerability, have built programs to automatically test computer systems, making bug testing quicker and less expensive. IT professionals talk a lot about “defensive programming,” and urge businesses to realize that it is more cost-effective to spend time and money testing for bugs than to try to recover from a hacker attack.

There is also the problem of computer illiteracy putting everyday Internet users at risk. The majority of people still use default passwords like “password” or “123456,” fail to use malware detection to check for programs that record keystrokes or create a backdoor into the computer, and rely too much on insecure Wi-Fi networks.

“Nearly every single Comcast router I’ve ever tested is vulnerable to a WPS (wifi protected setup) authorization bypass vulnerability,” Reddit user FarcusDimagio said in a page dedicated to discussing cybersecurity risks. WPS allows even inexperienced hackers to easily get around most Wi-Fi passwords and join the network to eavesdrop or do serious damage.

As for individual computer users, there are several small things they can do to be safer online. Users should choose a different password for every website they use, write the passwords down on paper and store that paper in a safe place. Wi-Fi customers can ask their service providers how to disable WPS and keep their routers safer. People also should take advantage of free malware detection software like Malwarebytes.

In general, security experts think everyone can be safer online with a little bit more computer literacy. In the same way that most car owners may not be mechanics but still understand the basics of how a car works and how to protect it, users need to understand how their computer and the Internet work in order to defend against the next security crisis.

Terrifying interactive map shows global cyber attacks happening in real time


Cyber Attack News Map

Heartbleed is hardly the only online threat we have to worry about these days. The massive OpenSSL bug should certainly be taken seriously — here are all the passwords you should change immediately because of Heartbleed — but there are threats around just about every corner on the Internet. LaCie on Wednesday confirmed that it was the latest company to fall victim to a massive cyber attack in which users’ credit card data was compromised, but it is hardly the only recent target.

In fact, you’ll be shocked to learn how many cyber attacks are taking place right now as you read this.


Antivirus and Internet security software firm Kaspersky recently created a beautiful and terrifying interactive world map that gives us a real-time look at all of the cyberthreats that exist around the globe at any given time.

The design is terrific but the threat it represents is real and should not be taken lightly — malicious hackers are constantly attacking networks, companies and even individuals.


The two GIF images above represent a static view of cyber attacks occurring in various regions around the world, but the full interactive, real-time cyberthreat map can be seen by following the link below in our source section.

Heartbleed: 95% of detection tools 'flawed', claim researchers

Some tools designed to detect the Heartbleed vulnerability are flawed and won’t detect the problem on affected websites, a cybersecurity consultancy has warned.

The Heartbleed flaw, which undermined the common security software for internet connections called OpenSSL, caused mass panic last week due to the ease with which it could be exploited to acquire passwords or encryption keys, potentially leaking sensitive personal data from popular consumer websites.

A deluge of tools then hit the internet promising to help people determine whether the web services they were using or hosting were affected. But 95% of the most popular ones are not reliable, according to London-based security consultancy and penetration testing firm Hut3.

‘Absolute panic’

“A lot of companies out there will be saying they’ve run the free web tool and they’re fine, when they’re not,” Hut3’s Edd Hardy told the Guardian. “There’s absolute panic. We’re getting calls late at night going ‘can you test everything’.”

Most of the tools checked by Hut3 rely on proof-of-concept code written by developer Jared Stafford to demonstrate the flaw, and that code itself contained problematic bugs, said Hut3 penetration tester Adrian Hayter. These included tools created by major tech companies such as Intel-owned security firm McAfee and password management provider LastPass.

Hayter uncovered three problems with the Heartbleed checkers, which could lead to many cases of sites remaining vulnerable. One of the issues was to do with compatibility with different versions of SSL, the Secure Sockets Layer kind of web encryption affected by the Heartbleed flaw.

“The Heartbleed Checker is designed to work with common system configurations found in the wild,” said Raj Samani, CTO for Europe, the middle east and Asia at McAfee. “There have been reports of detection failure rates of around 2.8% due to these configurations. We were aware of the possibility and have provided a disclosure directly above our checker. We are continually reviewing and revising our code and technique.”

Joe Siegrist, CEO at LastPass, said: “Unlike all other tests, LastPass is not actually attempting to exploit the bug to test if it’s currently present – we’ve been unsure if that’s legal for a US entity to do.

“Our focus has been in ensuring people are updating/revoking their certificates, and that we’re reflecting what major organisations are saying about their exposure. Can you update or make a new certificate and keep the heartbleed bug in place? Sure, but that’s what all the other tests are for.”

Widespread consequences

“It is yet another symptom of the ‘hit the ground running’ approach that has characterised the response to this vulnerability,” said Rik Ferguson, vice president of security research at Trend Micro.

“The consequences are so widespread and the technology involved so arcane or invisible to the average user, that knee-jerk reactions and well-meaning advice have been offered up with little planning. From the initial Tumblr blog advising user to change all passwords everywhere ‘now’, before most of the vulnerable services would have been patched, to self-confessed ‘quick and dirty’ demonstration tools being incorporated into complete vulnerability scanning tools.”

“The key to success with protection and mitigation of Heartbleed is more haste, less speed – otherwise you may well be sitting in the comfortable haze of a false sense of security. Ignorance isn’t bliss, it’s dangerous.”

There are various versions of SSL and servers hosting websites can support some or all of them. If the server doesn’t support the version that the user machine selects, then it will respond by either dropping the connection or trying to use a different type of SSL which the server does support.


Herein lies the problem with the detection tools: in many of them, only one version, known as TLSv1.1, is checked. If the server being tested for Heartbleed doesn’t support TLSv1.1, it will either reject the connection or suggest another version. But the failed detectors do not check for another version and assume any server that does not provide a successful response is not vulnerable, said Hayter.

Similar problems lie in compatibility with “cipher suites”, the selections of algorithms used to set up a secure connection over the internet. “Once again, if the server does not support any of the cipher suites that the client sends, the connection will disconnect,” said Hayter.

Most of the tools he examined only told the server they supported about 51 cipher suites, when there are at least 318 cipher suites that could be used by a website. “Granted, most servers will support at least one of the ciphers in the list of 51, but there could be instances where a server does not support any of them, and in these cases, the server would respond with an error, which the scripts interpret as ‘not vulnerable’.”

The third bug was simpler: on slow internet connections some tools would stop working while processing the server’s response, because they enforced a time limit. This again caused a server to be reported as not vulnerable, even when the partially downloaded response would have been enough to confirm the vulnerability, Hayter added.
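The three failure modes above (a single protocol version, a short cipher-suite list, and a timeout that discards a partial reply) all come down to one mistake: a checker that cannot complete a test reports “not vulnerable” instead of “inconclusive”. The following simulation is an added illustration, not Hut3’s tool or any vendor’s checker; the server profiles, suite names, NORMAL_REPLY_LEN and the byte counts are constructed, and nothing is sent over a network.

```python
from enum import Enum
from typing import Optional, Sequence, Tuple


class Verdict(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    INCONCLUSIVE = "inconclusive"  # could not test: no handshake or no usable reply


# Constructed catalogue. The article's figures: many checkers offered about 51
# cipher suites although at least 318 exist, and probed only TLSv1.1.
ALL_SUITES = [f"SUITE_{i:03d}" for i in range(318)]
SHORT_SUITES = ALL_SUITES[:51]
ALL_VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
NORMAL_REPLY_LEN = 19  # hypothetical size of a well-formed heartbeat reply


class SimServer:
    """Simulated server. The probe outcome is just a constructed byte count:
    a vulnerable server would return far more than NORMAL_REPLY_LEN bytes."""

    def __init__(self, versions, suites, vulnerable, bytes_before_timeout=None):
        self.versions = set(versions)
        self.suites = set(suites)
        self.vulnerable = vulnerable
        self.bytes_before_timeout = bytes_before_timeout  # None: fast link

    def handshake(self, version: str, offered: Sequence[str]) -> Optional[str]:
        """Agreed cipher suite, or None when the server rejects the version or
        none of the offered suites (it drops the connection, as in the article)."""
        if version not in self.versions:
            return None
        return next((s for s in offered if s in self.suites), None)

    def heartbeat_reply(self) -> Tuple[int, bool]:
        """(bytes the client received, whether the reply arrived completely)."""
        full = NORMAL_REPLY_LEN + (16384 if self.vulnerable else 0)
        if self.bytes_before_timeout is None or self.bytes_before_timeout >= full:
            return full, True
        return self.bytes_before_timeout, False  # slow link: timeout fires first


def naive_check(server: SimServer) -> Verdict:
    """The flawed pattern: one version, a short suite list, and every error or
    timeout mapped to 'not vulnerable'."""
    if server.handshake("TLSv1.1", SHORT_SUITES) is None:
        return Verdict.NOT_VULNERABLE
    received, complete = server.heartbeat_reply()
    if not complete:
        return Verdict.NOT_VULNERABLE  # partial data thrown away on timeout
    return Verdict.VULNERABLE if received > NORMAL_REPLY_LEN else Verdict.NOT_VULNERABLE


def careful_check(server: SimServer) -> Verdict:
    """Try every version with the full suite list; say 'not vulnerable' only
    after a complete, normal-sized reply, and 'inconclusive' otherwise."""
    negotiated = next(
        (v for v in ALL_VERSIONS if server.handshake(v, ALL_SUITES) is not None), None
    )
    if negotiated is None:
        return Verdict.INCONCLUSIVE  # never managed to talk TLS at all
    received, complete = server.heartbeat_reply()
    if received > NORMAL_REPLY_LEN:
        return Verdict.VULNERABLE  # even a truncated reply is already overlong
    return Verdict.NOT_VULNERABLE if complete else Verdict.INCONCLUSIVE


# Constructed server profiles covering the three reported failure modes.
LEGACY_SERVER = SimServer(["TLSv1.0"], [ALL_SUITES[200]], vulnerable=True)
SLOW_SERVER = SimServer(["TLSv1.1"], SHORT_SUITES, vulnerable=True, bytes_before_timeout=512)
PATCHED_SERVER = SimServer(["TLSv1.2"], ALL_SUITES, vulnerable=False)
ODD_SUITES_SERVER = SimServer(["TLSv1.2"], ["SUITE_PRIVATE"], vulnerable=True)

if __name__ == "__main__":
    profiles = [("legacy", LEGACY_SERVER), ("slow", SLOW_SERVER),
                ("patched", PATCHED_SERVER), ("odd-suites", ODD_SUITES_SERVER)]
    for name, srv in profiles:
        print(f"{name:10} naive={naive_check(srv).value:15} careful={careful_check(srv).value}")
```

The legacy and slow profiles are the cases the article describes: the naive checker calls both “not vulnerable” although both are vulnerable, while the careful checker finds them and, for a server it cannot negotiate with at all, admits it could not test rather than clearing it.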

Given the panic around Heartbleed, with many prematurely being told to change passwords for all web services, even before those sites had been fixed, the latest findings will do nothing to appease the confusion. Hut3 has created its own tool which it believes could help alleviate some of the pain.

This article originally appeared on guardian.co.uk