
A year after its exposure, Heartbleed bug remains a serious threat

A new study shows that most large corporations haven't done enough to protect themselves against the flaw that can give hackers access to sensitive data.


Just over a year after it was first revealed, the vast majority of global corporations remain vulnerable to the security bug known as Heartbleed that could give hackers access to encrypted data.

Since being made public, the flaw has been blamed for a data breach last year at Community Health Systems Inc., one of the nation's largest hospital chains, that exposed personal information on 4.5 million patients.

Without doing more to mend the vulnerability within secure communications, other companies could be leaving themselves open to similar incursions and data thefts, says Kevin Bocek, vice president for security strategy at Venafi Inc.

"Heartbleed is a silent killer. It’s an attack from the outside, where there is no evidence of an intrusion," said Mr. Bocek, whose firm released a study Monday night showing the response so far to Heartbleed.

Venafi scanned publicly accessible servers and discovered that only 416 of the 2,000 companies listed on the Forbes Global 2000 – a ranking of the largest public companies in the world – have fully completed Heartbleed remediation. That’s a marginal improvement over the 387 companies that Venafi identified in a July survey as taking action to fix the bug.

Heartbleed is a flaw in OpenSSL, the security library used to protect secure communications over the Web. The vulnerability allows an attacker to read data from a server's memory. That data can include the private keys that protect traffic to the site, as well as usernames and passwords.

The problem, says Bocek, is not that companies are ignoring Heartbleed, but that they've followed only the first step or two of a three-step protocol to fix the problem. After patching the bug, companies also need to generate new private keys and revoke the old security certificates. Otherwise, the hosts will keep accepting potentially compromised communications.

“I've seen recent reports from the Dutch police giving advice on how to deal with Heartbleed [that are] wrong,” he says. “They said you only had to install the patch and issue a new certificate. But without changing the keys, that might not mean anything.”

Of course, not all of the servers Venafi identified as vulnerable even got as far as issuing new certificates, and some of those that did reissued them with the old keys.
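The three-step remediation described above (patch, new key, revoke), as an added example that is not part of the article or of Venafi's own methodology: a small Python audit that classifies constructed scan records by how far each host got. All hostnames, version strings and key fingerprints are made up, and the key-change test assumes a pre-disclosure scan of the same host is available to compare the public-key fingerprint against.

```python
from dataclasses import dataclass
from datetime import date

# Heartbleed (CVE-2014-0160) was disclosed publicly on 7 April 2014. Any key
# that lived on a vulnerable host before that date must be assumed exposed.
DISCLOSURE = date(2014, 4, 7)


def openssl_vulnerable(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f; the fix shipped in 1.0.1g.
    Other release branches (0.9.8, 1.0.0, 1.0.2) never contained the bug."""
    if not version.startswith("1.0.1"):
        return False
    suffix = version[len("1.0.1"):]
    return suffix == "" or (len(suffix) == 1 and "a" <= suffix <= "f")


@dataclass
class HostScan:
    host: str
    openssl_version: str      # as reported by the server (constructed value)
    cert_not_before: date     # notBefore of the certificate served today
    spki_sha256: str          # fingerprint of the public key served today
    pre_disclosure_spki: str  # fingerprint seen on this host before DISCLOSURE
    old_cert_revoked: bool    # old certificate appears revoked via CRL/OCSP


def remediation_stage(scan: HostScan) -> str:
    """Classify a host against the three steps: patch, new key, revoke."""
    if openssl_vulnerable(scan.openssl_version):
        return "unpatched"
    if scan.spki_sha256 == scan.pre_disclosure_spki:
        # Same key as before disclosure: a freshly dated certificate changes nothing.
        if scan.cert_not_before >= DISCLOSURE:
            return "reissued with old key"
        return "patched only"
    if not scan.old_cert_revoked:
        return "new key, old cert not revoked"
    return "complete"


# Constructed sample scans; fingerprints are placeholder strings, not real hashes.
SAMPLE_SCANS = [
    HostScan("a.example", "1.0.1f", date(2013, 6, 1), "key-A", "key-A", False),
    HostScan("b.example", "1.0.1g", date(2013, 6, 1), "key-B", "key-B", False),
    HostScan("c.example", "1.0.1g", date(2014, 5, 1), "key-C", "key-C", False),
    HostScan("d.example", "1.0.1h", date(2014, 5, 1), "key-D2", "key-D1", False),
    HostScan("e.example", "1.0.2", date(2014, 5, 1), "key-E2", "key-E1", True),
]


def audit(scans):
    """Map each host to its stage; only 'complete' counts as remediated."""
    return {s.host: remediation_stage(s) for s in scans}
```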

The many steps involved in correctly fixing Heartbleed could be causing confusion, says Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland. But he also says companies may not want to spend the money to complete a security overhaul.

“Patching computers doesn’t cost anything,” he says. “But having new certificates issued costs money. There has always been some speculation that incomplete fixes were a cost/benefit decision. Customers can’t distinguish between sites that made the proper changes and the ones that didn’t.”

But whether or not customers notice, he says, “You could call [not properly dealing with Heartbleed] by now negligent.”
