The Heartbleed bug, a security hole in widely used encryption software, is probably just one of many weak points in the Internet that haven’t been found yet, according to Verizon Communications Inc.
Heartbleed “underscores the possibility that there are potentially so many vulnerabilities out there right now, right under our noses, that we don’t quite realize,” said Bryan Sartin, director of Verizon’s risk team. “One of these days someone will -- and I hope the good guys find it first.”
The bug, which can let attackers circumvent encryption and gain access to data stored on a server protected by OpenSSL software, was discovered this month, more than two years after it was inserted into the code. Widespread security gaps are becoming more dangerous as attackers muster computing resources and become more opportunistic, said Sartin, who was presenting results from Verizon’s annual data breach investigations report.
Attacks are often successful even without bugs like Heartbleed or complex programming to make them happen. Two-thirds of entries into a system come by way of default, easily guessable or otherwise weak user-login credentials, the security executive said.
“That’s a staggering figure if you think about it,” Sartin said.
Once they’ve gained access to a system, hackers have more time than ever to retrieve data like credit-card or bank-account information because the target companies or authorities aren’t getting any quicker at discovering breaches, Sartin said.
After Heartbleed’s existence was revealed, companies rushed to update their vulnerable OpenSSL versions. Still, there was a window of opportunity for hackers. Capital Group Cos., the third-largest manager of U.S. mutual funds, urged 800,000 customers to change passwords and other information to protect themselves after finding that Heartbleed may have exposed some accounts, the company said.