海角大神

Modern field guide to security and privacy

A year after its exposure, Heartbleed bug remains a serious threat

A new study shows that most large corporations haven't done enough to protect themselves against the flaw that can give hackers access to sensitive data.

Creative Commons/Codenomicon

Just over a year after it was first revealed, the vast majority of global corporations remain vulnerable to the security bug known as Heartbleed that could give hackers access to encrypted data.

Since being made public, the flaw has been blamed for a data breach last year at Community Health Systems Inc., one of the nation's largest hospital chains, that exposed personal information on 4.5 million patients.

Without doing more to mend the vulnerability within secure communications, other companies could be leaving themselves open to similar incursions and data thefts, says Kevin Bocek, vice president for security strategy at Venafi Inc.

"Heartbleed is a silent killer. It's an attack from the outside, where there is no evidence of an intrusion," said Mr. Bocek, whose firm released a study Monday night showing the response so far to Heartbleed.

Venafi scanned publicly accessible servers and discovered that only 416 of the 2,000 companies listed on the Forbes Global 2000 (a ranking of the largest public companies in the world) have fully completed Heartbleed remediation. That's a marginal improvement over the 387 companies that Venafi identified in a July survey as taking action to fix the bug.

Heartbleed targets the security library OpenSSL, which is used to protect secure communications over the Web. The vulnerability allows an attacker to steal data from a server's memory. That data often includes the private keys used to encrypt data sent to the site, including usernames and passwords.

The problem, says Bocek, is not that companies are ignoring Heartbleed, but that they've followed only the first step or two of a three-step protocol to fix the problem. After patching the bug, companies also need to generate new private keys and revoke the old security certificates. Otherwise, the hosts will keep accepting potentially compromised communications.

"I've seen recent reports from the Dutch police giving advice on how to deal with Heartbleed [that are] wrong," he says. "They said you only had to install the patch and issue a new certificate. But without changing the keys, that might not mean anything."

Of course, not all of the servers Venafi identified as vulnerable even went as far as issuing new certificates with old keys.
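The incomplete fix described above (a certificate reissued for a key that was exposed before patching) is detectable from the certificate alone, because a certificate carries the public half of the key it was issued for. The script below is an added example, not Venafi's tooling or anything from the article: it builds a constructed set of keys and self-signed certificates in a temporary directory (an "old" pre-patch key, a certificate reissued for that same old key, and a properly rotated key with its own certificate) and then compares the SHA-256 fingerprint of each certificate's public key with the fingerprint derived from the old private key. A match means the key-rotation step was skipped. File names, the `example.test` subject and the fingerprint-comparison approach are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or from Venafi): detect certificates that
# were reissued for a private key that was in use before the Heartbleed patch.
# Requires the openssl command-line tool.
set -eu

# pubkey_fp_of_key KEYFILE -> SHA-256 fingerprint of the DER-encoded public key
# derived from a private key file.
pubkey_fp_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_fp_of_cert CERTFILE -> SHA-256 fingerprint of the DER-encoded public key
# embedded in an X.509 certificate.
pubkey_fp_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_uses_key CERTFILE KEYFILE -> status 0 when the certificate was issued for
# KEYFILE's public key, 1 otherwise. Call it inside if/|| under set -e.
cert_uses_key() {
    [ "$(pubkey_fp_of_cert "$1")" = "$(pubkey_fp_of_key "$2")" ]
}

# audit_cert CERTFILE OLDKEY: one report line per certificate, judged against the
# private key that was in service before patching.
audit_cert() {
    if cert_uses_key "$1" "$2"; then
        echo "STILL-EXPOSED  $1  (public key unchanged since patching: rotate the key, reissue, revoke)"
    else
        echo "ROTATED        $1  (public key differs from the pre-patch key)"
    fi
}

# setup_demo -> prints a fresh temp dir holding constructed demo material:
#   old.key / old.crt     the pre-patch key and its certificate
#   reissued-oldkey.crt   a "new" certificate cut for the SAME old key (the incomplete fix)
#   new.key / new.crt     a rotated key and a certificate issued for it (the complete fix)
setup_demo() {
    demo_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo_dir/old.key" \
        -out "$demo_dir/old.crt" -subj "/CN=example.test" -days 1 >/dev/null 2>&1
    openssl req -x509 -key "$demo_dir/old.key" \
        -out "$demo_dir/reissued-oldkey.crt" -subj "/CN=example.test" -days 1 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$demo_dir/new.key" >/dev/null 2>&1
    openssl req -x509 -key "$demo_dir/new.key" \
        -out "$demo_dir/new.crt" -subj "/CN=example.test" -days 1 >/dev/null 2>&1
    echo "$demo_dir"
}

# Stand-alone run over the constructed material: only new.crt should report ROTATED.
DEMO=$(setup_demo)
for c in old.crt reissued-oldkey.crt new.crt; do
    audit_cert "$DEMO/$c" "$DEMO/old.key"
done
rm -rf "$DEMO"
```

In a real audit the "old key" fingerprint would come from the key material that was deployed while the unpatched OpenSSL was serving traffic, and the certificate would be fetched from the live endpoint; the comparison is the same. Revocation of the old certificate is a separate step at the issuing CA and is not something this check can confirm.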

The many steps involved in correctly fixing Heartbleed could be causing confusion, says Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland. But he also said companies may not want to spend the money to complete a security overhaul.

"Patching computers doesn't cost anything," he says. "But having new certificates issued costs money. There has always been some speculation that incomplete fixes were a cost/benefit decision. Customers can't distinguish between sites that made the proper changes and the ones that didn't."

But whether or not customers notice, he says, "You could call [not properly dealing with Heartbleed] by now negligent."

/World/Passcode/2015/0406/A-year-after-its-exposure-Heartbleed-bug-remains-a-serious-threat