A year after its exposure, Heartbleed bug remains a serious threat

A new study shows that most large corporations haven't done enough to protect themselves against the flaw that can give hackers access to sensitive data.

By Joe Uchill, Staff writer

Just over a year after it was first revealed, the vast majority of global corporations remain vulnerable to the security bug known as Heartbleed, which could give hackers access to encrypted data.

Since being made public, the flaw has been blamed for a data breach last year at Community Health Systems Inc., one of the nation's largest hospital chains, that exposed personal information on 4.5 million patients.

Without doing more to mend the vulnerability within secure communications, other companies could be leaving themselves open to similar incursions and data thefts, says Kevin Bocek, vice president for security strategy at Venafi Inc.

"Heartbleed is a silent killer. It's an attack from the outside, where there is no evidence of an intrusion," said Mr. Bocek, whose firm released a study Monday night showing the response so far to Heartbleed.

Venafi scanned publicly accessible servers and discovered that only 416 of the 2,000 companies listed on the Forbes Global 2000, a ranking of the largest public companies in the world, have fully completed Heartbleed remediation. That's a marginal improvement over the 387 companies that Venafi identified in a July survey as having taken action to fix the bug.

Heartbleed is a flaw in the security library OpenSSL, which is used to protect secure communications over the Web. The vulnerability allows an attacker to read data from a server's memory. That data often includes the private keys used to encrypt data sent to the site, as well as usernames and passwords.

The problem, says Bocek, is not that companies are ignoring Heartbleed, but that they've followed only the first step or two of a three-step protocol to fix the problem. After patching the bug, companies also need to generate new private keys and revoke the old security certificates. Otherwise, the hosts will keep accepting potentially compromised communications.

"I've seen recent reports from the Dutch police giving advice on how to deal with Heartbleed [that are] wrong," he says. "They said you only had to install the patch and issue a new certificate. But without changing the keys, that might not mean anything."
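The distinction Bocek draws is checkable from the outside. As an added illustration (not from the article or from Venafi's study), the shell script below uses the openssl CLI to tell a certificate that was merely reissued on the old key from one issued on a fresh key: it fingerprints the SubjectPublicKeyInfo, which stays the same when only the certificate is reissued. All keys and certificates are constructed locally, and the host name example.test is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: detect Heartbleed remediation that
# stopped short of generating a new key. A reissued certificate keeps the old
# SubjectPublicKeyInfo (SPKI); only a fresh key changes it. Assumes a POSIX
# shell and the openssl CLI; all material below is constructed locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER-encoded SPKI; serial, dates and issuer do not affect it.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# Serial number, to show that the certificate itself did change.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Succeeds only if the key behind the two certificates differs.
key_rotated() {
    [ "$(spki_fingerprint "$1")" != "$(spki_fingerprint "$2")" ]
}

# Human-readable verdict for an old/new certificate pair.
remediation_status() {
    if key_rotated "$1" "$2"; then
        echo "key rotated"
    else
        echo "same key, certificate only reissued"
    fi
}

# Constructed material: the pre-patch key, a fresh post-patch key, and three
# self-signed certificates: the original, a reissue on the OLD key, and one
# on the new key (example.test is a placeholder host name).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/old.key" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/new.key" 2>/dev/null
for pair in "old:original" "old:reissued" "new:rotated"; do
    key=${pair%%:*}; name=${pair#*:}
    openssl req -new -x509 -key "$WORK/$key.key" -subj "/CN=example.test" \
        -days 30 -out "$WORK/$name.pem" 2>/dev/null
done
echo "original -> reissued: serial $(cert_serial "$WORK/original.pem") -> $(cert_serial "$WORK/reissued.pem"); $(remediation_status "$WORK/original.pem" "$WORK/reissued.pem")"
echo "original -> rotated:  $(remediation_status "$WORK/original.pem" "$WORK/rotated.pem")"
```

Against a live host, the same fingerprint can be taken from the certificate presented in a TLS handshake and compared with the one captured before the patch was applied; a changed serial or issue date alone is not evidence of a new key.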

Of course, not all of the servers Venafi identified as vulnerable went even as far as issuing new certificates on the old keys.

The many steps involved in correctly fixing Heartbleed could be causing confusion, says Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland. But he also said companies may not want to spend the money to complete a security overhaul.

"Patching computers doesn't cost anything," he says. "But having new certificates issued costs money. There has always been some speculation that incomplete fixes were a cost/benefit decision. Customers can't distinguish between sites that made the proper changes and the ones that didn't."

But whether or not customers notice, he says, "You could call [not properly dealing with Heartbleed] by now negligent."