A year after its exposure, Heartbleed bug remains a serious threat

A new study shows that most large corporations haven't done enough to protect themselves against the flaw that can give hackers access to sensitive data.

Image credit: Creative Commons/Codenomicon

Just over a year after it was first revealed, the vast majority of global corporations remain vulnerable to the security bug known as Heartbleed that could give hackers access to encrypted data.

Since being made public, the flaw has been blamed for a data breach last year at Community Health Systems Inc., one of the nation's largest hospital chains, that exposed personal information on 4.5 million patients.

Without doing more to mend the vulnerability within secure communications, other companies could be leaving themselves open to similar incursions and data thefts, says Kevin Bocek, vice president for security strategy at Venafi Inc.

"Heartbleed is a silent killer. It’s an attack from the outside, where there is no evidence of an intrusion," said Mr. Bocek, whose firm released a study Monday night showing the response so far to Heartbleed.

Venafi scanned publicly accessible servers and discovered that only 416 of the 2,000 companies listed on the Forbes Global 2000 – a ranking of the largest public companies in the world – have fully completed Heartbleed remediation. That’s a marginal improvement over the 387 companies that Venafi identified in a July survey as taking action to fix the bug.

Heartbleed is a flaw in the security library OpenSSL, which is widely used to protect communications over the Web. The vulnerability allows an attacker to read data from a server's memory. That data often includes the private keys used to encrypt data sent to the site, such as usernames and passwords.

The problem, says Bocek, is not that companies are ignoring Heartbleed, but that they've followed only the first step or two of a three-step protocol to fix it. After patching the bug, companies also need to generate new private keys and revoke the old security certificates. Otherwise, the hosts will keep accepting potentially compromised communications.

“I've seen recent reports from the Dutch police giving advice on how to deal with Heartbleed [that are] wrong,” he says. “They said you only had to install the patch and issue a new certificate. But without changing the keys, that might not mean anything."

Of course, not all of the servers Venafi identified as vulnerable even went as far as issuing new certificates with old keys.
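A check for the remediation steps described above, written as an added example (not code from the article, Venafi or OpenSSL): given the certificate a host served before patching, the one it serves now, and the serials on the CA's revocation list, it reports whether the key was rotated, whether the certificate was issued after the April 2014 disclosure (a cutoff date assumed here), and whether the old certificate was revoked. The certificates are constructed locally as self-signed test data; the host name and dates are made up.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Assumed cutoff: Heartbleed became public in April 2014; keys served before then are suspect.
var disclosed = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

// Status records the steps the article lists beyond installing the patch itself.
type Status struct{ KeyRotated, ReissuedAfterDisclosure, OldCertRevoked bool }

// CheckRemediation compares the certificate a host served before patching with the one it
// serves now. An identical SubjectPublicKeyInfo means the possibly leaked key is still in use.
func CheckRemediation(oldCert, newCert *x509.Certificate, crlSerials []*big.Int) Status {
	s := Status{
		KeyRotated:              !bytes.Equal(oldCert.RawSubjectPublicKeyInfo, newCert.RawSubjectPublicKeyInfo),
		ReissuedAfterDisclosure: newCert.NotBefore.After(disclosed),
	}
	for _, serial := range crlSerials {
		s.OldCertRevoked = s.OldCertRevoked || serial.Cmp(oldCert.SerialNumber) == 0
	}
	return s
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey and selfSigned build constructed test data; real checks use the host's certificates and the CA's CRL.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func selfSigned(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

A certificate reissued after the disclosure that still carries the old SubjectPublicKeyInfo is exactly the half-measure Bocek describes: patched and reissued, but the exposed key is still in service.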

The many steps involved in correctly fixing Heartbleed could be causing confusion, says Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland. But he also said companies may not want to spend the money to complete a security overhaul. 

“Patching computers doesn’t cost anything,” he says. “But having new certificates issued costs money. There has always been some speculation that incomplete fixes were a cost/benefit decision. Customers can’t distinguish between sites that made the proper changes and the ones that didn’t.”

But whether or not customers notice, he says, “You could call [not properly dealing with Heartbleed] by now negligent."

Source: https://www.csmonitor.com/World/Passcode/2015/0406/A-year-after-its-exposure-Heartbleed-bug-remains-a-serious-threat