A year later, Heartbleed bug still hasn’t been squashed
By Jaikumar Vijayan, ThirdCertainty
A recent report by cybersecurity management firm Venafi showing that a vast majority of the world’s largest companies remain vulnerable to attacks stemming from the Heartbleed flaw suggests that many have not grasped the full nature of the threat nor do they think the risk justifies the cost of remediating it.
It’s been exactly one year since details of the OpenSSL flaw were first publicly disclosed. In the 12 months since then, numerous security researchers, government agencies and vendors have stressed the need for organizations to urgently address the issue, described widely as one of the most serious threats ever to Internet security.
Free resource: Stay informed with a free subscription to SPWNR
When the vulnerability was first reported, security researchers estimated that 500,000 or more websites, including some of the worlds’ most trafficked ones like Google, Yahoo and Facebook were vulnerable to the threat. Concerns over the flaw were so pronounced that it resulted in a remarkable 39 percent of all Internet users either changing their passwords or closing online accounts, a survey by the Pew Research Center showed. About 6 percent said they believed their personal data had been compromised as a result of the vulnerability.
Yet, when Venafi evaluated the 1,642 Forbes Global 2000 organizations with public-facing Web servers that were susceptible to Heartbleed last year, it found that three out of four of them had not fully protected themselves against fallout from the threat.
A Ponemon Institute survey looking at that number in more detail says more than 40 percent of the Global 2000 companies in the United States and Germany believe themselves to have dealt with the issue, while fewer than 15 percent of firms in Australia, and a quarter of firms in France, make the same claim.
Business as usual
Put another way, some 1,225 of the world’s 2,000 largest companies are still exposed to attacks that take advantage of information gathered via the Heartbleed flaw. Venafi found only 419 of the 2,000 largest organizations in the world have fully completed Heartbleed remediation. It’s a number that’s remained practically unchanged since last August.
While the number of stolen certificates and keys may never be known, security firm TrustedSec reported that keys stolen using Heartbleed let attackers breach health care provider Community Health Systems in August and steal more than 4.5 million records. Security firm Websense claims that an uptick in attacks on health care companies and hospitals can be blamed on Heartbleed.
Venafi discovered that while many organizations have implemented the recommended patches for Heartbleed, they have not swapped out the old private keys and digital certificates that support encrypted communications on their Web servers.
Cyber criminals still lurk
As a result, attackers that might have accessed the information previously, still have a way to decrypt SSL traffic on servers that have been patched against Heartbleed, or they can still use the digital certificate to spoof the original website.
“They are still vulnerable to eavesdropping and spoofing,” says Kevin Bocek, Venafi’s vice president of security strategy. “The part they haven’t done correctly is to change out the keys and the certificates,” as recommended by numerous security experts, he said.
One of the problems has been a failure by many IT administrators to fully understand the nature of the threat, Bocek says. While many companies have patched against the flaw, and some have even revoked their old digital certificates, they have not changed their encryption keys. Instead they have requested new digital certificates and are using them with their old encryption keys.
In doing so, they are ignoring the possibility that someone with access to the old encryption keys can still eavesdrop and steal data from the Web server. “I think it’s a failure of communication” by the security industry, Bocek says.
Flaw exposes data
The Heartbleed vulnerability stems from a programming error in multiple versions of the OpenSSL protocol that is used to encrypt traffic between a browser and Web server. The error affects a sort of heartbeat function that is used by clients and Web servers to establish that both systems are really online during a session.
The client basically sends a small message to the server, which then echoes the message back to the client to prove it is still online. Both the message sent by the client and the server’s response are the same length. The programming error gives attackers a way to try and get the server to leak information from the server’s memory, when responding to the client’s message. So instead of simply telling the client that it is online, the server also provides the client with small snippets of memory data.
Security researchers have noted that with enough heartbeat requests, attackers can get a server to leak all sorts of sensitive data from its memory, including usernames, passwords and information on the website’s digital certificates and encryption keys. What makes Heartbleed particularly scary is the fact that it allows attackers to eavesdrop or steal data without leaving a trace.
Organizations like Gartner have noted that Heartbleed, among other things, completely undermines confidence in the confidentiality of keys used on vulnerable servers. “Issuing a new certificate is necessary, but not sufficient,” the analyst firm has noted previously. “Many organizations perform “lazy” certificate rotations, and do not create new keys. This is a bad practice.” Certificate rotation alone is not enough, Gartner has stressed.
Richard Stiennon, principal at consulting firm IT-Harvest, said it is important to put Venafi’s findings in the right context.
“Venafi did not find that many vulnerable systems. They found organizations that could have had their certificates stolen during the window of vulnerability and had not replaced them yet,” Stiennon said.
“Heartbleed left a lot of systems open to attacks that could have potentially led to leaked information such as certificates, but there is little evidence that this happened,” he said.
“I am not surprised that organizations have not gone the extra mile and expense to update their certificates in light of the low risk.”