A year after its exposure, Heartbleed bug remains a serious threat

A new study shows that most large corporations haven't done enough to protect themselves against the flaw that can give hackers access to sensitive data.

Just over a year after it was first revealed, the vast majority of global corporations remain vulnerable to the security bug known as Heartbleed that could give hackers access to encrypted data.

Since being made public, the flaw has been blamed for a data breach last year at Community Health Systems Inc., one of the nation's largest hospital chains, that exposed personal information on 4.5 million patients.

Without doing more to mend the vulnerability within secure communications, other companies could be leaving themselves open to similar incursions and data thefts, says Kevin Bocek, vice president for security strategy at Venafi Inc.

"Heartbleed is a silent killer. It’s an attack from the outside, where there is no evidence of an intrusion," said Mr. Bocek, whose firm released a study Monday night showing the response so far to Heartbleed.

Venafi scanned publicly accessible servers and discovered that only 416 of the 2,000 companies listed on the Forbes Global 2000 – a ranking of the largest public companies in the world – have fully completed Heartbleed remediation. That’s a marginal improvement over the 387 companies that Venafi identified in a July survey as taking action to fix the bug.

Heartbleed targets the security library OpenSSL, which is used to protect secure communications over the Web. The vulnerability allows an attacker to steal data from a server's memory. That data often includes private keys used to encrypt data sent to the site, including usernames and passwords.

The problem, says Bocek, is not that companies are ignoring Heartbleed, but that they've followed only the first step or two in a three step protocol to fix the problem. After patching the bug, companies also need to generate new private keys and revoke old security certificates. Otherwise, the hosts will keep accepting potentially compromised communications.

“I've seen recent reports from the Dutch police giving advice on how to deal with Heartbleed [that are] wrong,” he says. “They said you only had to install the patch and issue a new certificate. But without changing the keys, that might not mean anything."

Of course, not all of the servers Venafi identified as vulnerable even went as far as issuing new certificates with old keys.

The many steps involved in correctly fixing Heartbleed could be causing confusion, says Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland. But he also said companies may not want to spend the money to complete a security overhaul. 

“Patching computers doesn’t cost anything,” he says. “But having new certificates issued costs money. There has always been some speculation that incomplete fixes were a cost/benefit decision. Customers can’t distinguish between sites that made the proper changes and the ones that didn’t.”

But whether or not customers notice, he says, “You could call [not properly dealing with Heartbleed] by now negligent."