Heartbleed Risk Haunts Most Big Companies a Year After Discovery

Businesses have largely stopped shielding themselves against a Web-security flaw called Heartbleed, providing a growing number of attackers with an easy target, according to security company Venafi Inc.

A year after the vulnerability was made public, 74 percent of more than 1,600 Forbes Global 2000 companies examined haven’t fixed their servers and networks completely, said Kevin Bocek, the Salt Lake City, Utah-based company’s vice president for security strategy. That’s a small improvement from the 76 percent recorded in August, he said.

“You’d think that bigger businesses have got this covered,” because most of them have dedicated cybersecurity units, he said. “But as we look at large banks, telcos, manufacturers, they’ve got much more complex computer systems and they just didn’t get around to fixing all their servers.”

Heartbleed -- a hole in a widely used data-protection technology that existed for two years before the public was alerted -- gave hackers the ability to steal secret keys used to encrypt user names, passwords and other information. It sent companies and security researches rushing to patch computer networks.

The fading response to the discovery shows how companies cut corners in responding to an expanding arsenal of cyberweaponry, despite a highly publicized hack into Community Health Systems Inc. in which 4.5 million health records were stolen last year.

Fraudulent Keys

While most companies have replaced older, vulnerable authentication certificates using the OpenSSL encryption software, many new ones were generated using the same keys, Bocek said. That’s bad because those keys can be derived from the old certificates -- a procedure which takes hackers about 5 minutes to complete -- allowing attackers to decipher incoming traffic.

Computer administrators have also failed in many cases to revoke the old security certificates, keeping an avenue open for criminals to impersonate their companies to try and “phish” more data from employees and customers.

Attackers looking to steal user data such as passwords are increasingly seeking to obtain certificates, which let criminals pretend to be the legitimate website operators, Bocek said. Last month, Google Inc. detected unauthorized certificates for several of its domains. They’d been issued through company based in Egypt, which wasn’t supposed to have the right to hand them out.

On mobile devices, the security situation is worse still, because most applications don’t verify at all whether the digital seal is authentic or not, Bocek said.

Before it's here, it's on the Bloomberg Terminal.