A year later, Heartbleed bug still hasn’t been squashed


A recent report by cybersecurity management firm Venafi showing that a vast majority of the world’s largest companies remain vulnerable to attacks stemming from the Heartbleed flaw suggests that many have not grasped the full nature of the threat, nor do they think the risk justifies the cost of remediating it.

It’s been exactly one year since details of the OpenSSL flaw were first publicly disclosed. In the 12 months since then, numerous security researchers, government agencies and vendors have stressed the need for organizations to urgently address the issue, described widely as one of the most serious threats ever to Internet security.


When the vulnerability was first reported, security researchers estimated that 500,000 or more websites, including some of the world’s most trafficked ones like Google, Yahoo and Facebook, were vulnerable to the threat. Concerns over the flaw were so pronounced that a remarkable 39 percent of all Internet users either changed their passwords or closed online accounts, a survey by the Pew Research Center showed. About 6 percent said they believed their personal data had been compromised as a result of the vulnerability.

Yet, when Venafi evaluated the 1,642 Forbes Global 2000 organizations with public-facing Web servers that were susceptible to Heartbleed last year, it found that three out of four of them had not fully protected themselves against fallout from the threat.

A Ponemon Institute survey looking at that number in more detail says more than 40 percent of the Global 2000 companies in the United States and Germany believe themselves to have dealt with the issue, while fewer than 15 percent of firms in Australia, and a quarter of firms in France, make the same claim.

Business as usual

Put another way, some 1,225 of the world’s 2,000 largest companies are still exposed to attacks that take advantage of information gathered via the Heartbleed flaw. Venafi found only 419 of the 2,000 largest organizations in the world have fully completed Heartbleed remediation. It’s a number that’s remained practically unchanged since last August.

While the number of stolen certificates and keys may never be known, security firm TrustedSec reported that keys stolen using Heartbleed let attackers breach health care provider Community Health Systems in August and steal more than 4.5 million records. Security firm Websense claims that an uptick in attacks on health care companies and hospitals can be blamed on Heartbleed.

Venafi discovered that while many organizations have implemented the recommended patches for Heartbleed, they have not swapped out the old private keys and digital certificates that support encrypted communications on their Web servers.

Cyber criminals still lurk

As a result, attackers that might have accessed the information previously still have a way to decrypt SSL traffic on servers that have been patched against Heartbleed, or they can still use the digital certificate to spoof the original website.

“They are still vulnerable to eavesdropping and spoofing,” says Kevin Bocek, Venafi’s vice president of security strategy. “The part they haven’t done correctly is to change out the keys and the certificates,” as recommended by numerous security experts, he said.

One of the problems has been a failure by many IT administrators to fully understand the nature of the threat, Bocek says. While many companies have patched against the flaw, and some have even revoked their old digital certificates, they have not changed their encryption keys. Instead they have requested new digital certificates and are using them with their old encryption keys.

In doing so, they are ignoring the possibility that someone with access to the old encryption keys can still eavesdrop and steal data from the Web server. “I think it’s a failure of communication” by the security industry, Bocek says.

Flaw exposes data

The Heartbleed vulnerability stems from a programming error in multiple versions of OpenSSL, the software used to encrypt traffic between a browser and Web server. The error affects a sort of heartbeat function that is used by clients and Web servers to establish that both systems are really online during a session.

The client basically sends a small message to the server, which then echoes the message back to the client to prove it is still online. Both the message sent by the client and the server’s response are the same length. The programming error gives attackers a way to try to get the server to leak information from the server’s memory when responding to the client’s message. So instead of simply telling the client that it is online, the server also provides the client with small snippets of memory data.

Security researchers have noted that with enough heartbeat requests, attackers can get a server to leak all sorts of sensitive data from its memory, including usernames, passwords and information on the website’s digital certificates and encryption keys. What makes Heartbleed particularly scary is the fact that it allows attackers to eavesdrop or steal data without leaving a trace.
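The missing check the two paragraphs above describe, as an added example that is not from the article or from OpenSSL: a constructed in-memory model of the heartbeat handler, with the pre-fix logic that trusts the claimed payload length beside the post-fix logic that discards any record whose claimed length does not fit in the bytes actually received. The record layout follows RFC 6520 (type, 2-byte length, payload, at least 16 bytes of padding); the function names and the `process_memory` model of adjacent heap bytes are assumptions.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16  # RFC 6520 heartbeat messages end with at least 16 bytes of padding


def make_record(payload: bytes, claimed_len: int) -> bytes:
    """Constructed heartbeat request: type, 2-byte length field, payload, padding.
    A well-formed record has claimed_len == len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_LEN


def _header(record: bytes):
    """Return (type, claimed payload length) from the 3-byte heartbeat header."""
    return record[0], struct.unpack("!H", record[1:3])[0]


def vulnerable_respond(record: bytes, process_memory: bytes) -> bytes:
    """Pre-fix logic: copies claimed_len bytes from the payload offset without checking
    that the record is that long. process_memory models the heap bytes that happen to
    follow the record buffer, so an oversized claim echoes them back to the client."""
    hb_type, claimed_len = _header(record)
    if hb_type != HB_REQUEST:
        return b""
    adjacent = record + process_memory
    payload = adjacent[3:3 + claimed_len]          # over-read when claimed_len is too large
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_LEN


def fixed_respond(record: bytes, process_memory: bytes) -> bytes:
    """Post-fix logic: a record is silently discarded unless header + claimed payload +
    padding fits inside the bytes actually received, so the copy never leaves the record."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return b""                                 # too short to be a valid heartbeat
    hb_type, claimed_len = _header(record)
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + claimed_len + PADDING_LEN > len(record):
        return b""                                 # the bounds check the original lacked
    payload = record[3:3 + claimed_len]            # bounded by the record itself
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_LEN
```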

Organizations like Gartner have noted that Heartbleed, among other things, completely undermines confidence in the confidentiality of keys used on vulnerable servers. “Issuing a new certificate is necessary, but not sufficient,” the analyst firm has noted previously. “Many organizations perform ‘lazy’ certificate rotations, and do not create new keys. This is a bad practice.” Certificate rotation alone is not enough, Gartner has stressed.

Richard Stiennon, principal at consulting firm IT-Harvest, said it is important to put Venafi’s findings in the right context.

“Venafi did not find that many vulnerable systems. They found organizations that could have had their certificates stolen during the window of vulnerability and had not replaced them yet,” Stiennon said.

“Heartbleed left a lot of systems open to attacks that could have potentially led to leaked information such as certificates, but there is little evidence that this happened,” he said.

“I am not surprised that organizations have not gone the extra mile and expense to update their certificates in light of the low risk.”
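A check for the “lazy” rotation that Bocek and Gartner describe above (a new certificate issued for the old key pair), as an added example that is not from the article, Venafi or Gartner: compare the SHA-256 fingerprint of the SubjectPublicKeyInfo in the old and new certificates, and treat a match as a failed rotation. It uses only the standard library with a minimal DER walker; `toy_certificate` is a constructed, unsigned certificate skeleton for demonstration, and the names are assumptions (for a real PEM file, `ssl.PEM_cert_to_DER_cert` yields the DER bytes `spki_fingerprint` expects).

```python
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with definite length (long form when body >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body


def der_children(buf: bytes):
    """Yield (tag, whole element, body) for each element in a DER sequence body."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(buf[i + 2:i + 2 + k], "big"), 2 + k
        yield tag, buf[i:i + hdr + n], buf[i + hdr:i + hdr + n]
        i += hdr + n


def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the SubjectPublicKeyInfo element of an X.509 certificate (DER)."""
    _, _, cert_body = next(der_children(cert_der))   # Certificate SEQUENCE
    _, _, tbs_body = next(der_children(cert_body))   # TBSCertificate SEQUENCE
    # Drop the optional [0] EXPLICIT version; the remaining order is fixed:
    # serial, signature algorithm, issuer, validity, subject, subjectPublicKeyInfo
    fields = [elem for tag, elem, _ in der_children(tbs_body) if tag != 0xA0]
    return hashlib.sha256(fields[5]).hexdigest()


def key_rotated(old_der: bytes, new_der: bytes) -> bool:
    """True only if the replacement certificate carries a different public key."""
    return spki_fingerprint(old_der) != spki_fingerprint(new_der)


def toy_certificate(spki: bytes) -> bytes:
    """Constructed, unsigned certificate skeleton with placeholder fields; only the field
    order matters for the extraction above. Assumption for demonstration, not a real cert."""
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),        # [0] version v3
        der_tlv(0x02, b"\x01"),                       # serialNumber
        der_tlv(0x30, b""), der_tlv(0x30, b""),       # signature alg, issuer (placeholders)
        der_tlv(0x30, b""), der_tlv(0x30, b""),       # validity, subject (placeholders)
        spki,                                         # subjectPublicKeyInfo
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```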
