More than a month after the Heartbleed bug caused panic across Canada, no fewer than 40,000 computer and network systems in the country are still "exploitable" through the OpenSSL vulnerability, according to a Montreal-based cyber security firm.
Among the organizations Logicnet found vulnerable are several technology hosting and security consulting companies; two large political parties; large pharmaceutical companies; various online retailers; several law firms and accounting firms; some investment companies; and online gaming and casino sites.
Logicnet released the information following research by Logicnet and its EVA-Technologies division into 200 million Internet systems covering Canada, Switzerland and France. The company said systems in France and Switzerland are also vulnerable.
As of May 5th, 1.17 per cent of exposed systems in Canada remained exploitable through the Heartbleed bug, compared with 1.43 per cent in Switzerland and 4.75 per cent in France.
“Our results are a clear indication that Canada is doing well compared to other European countries,” said Eric Parent, president of EVA Technologies. However, he warned “too many risks remain.”
“Many managers in large enterprises still do not realize that this vulnerability impacts many more systems than anticipated and not just Web servers,” Parent said. “They must thoroughly examine all systems and ensure they adopt all the corrective actions required.”
For example, he said, Logicnet found vulnerabilities on the mail systems of two large political parties. Parent did not identify the parties.
Logicnet said it tested more than 81 million Internet Protocol addresses assigned to Canada. Ports tested were: 21, 25, 110, 143, 389, 443, 465, 587, 636, 993, 995 and 5222 (FTP, SMTP, POP3, IMAP, LDAP, HTTPS, SMTPS, mail submission, LDAPS, IMAPS, POP3S and XMPP respectively).
The company said it believes the actual number of exploitable systems could be significantly higher if the research covered all 65,536 ports rather than this sample of common TLS-capable services.
Of the 1.9 million email services tested, Logicnet found more than 23,000 Heartbleed-exploitable occurrences.
Of the more than 764,000 secured Web services tested, there were in excess of 10,000 exploitable occurrences. Of some 425,000 file transfer systems tested, about 4,800 exploitable occurrences were found.
Of the more than 300,000 enterprise directory services checked, the company found 165 exploitable occurrences, and of the 43,000 private chat systems tested, there were 105 exploitable occurrences.
Last week, another Internet services company warned that even Canadian organizations that have applied the required Heartbleed patch may still be vulnerable. Among those at risk are the Canadian and Quebec governments, according to Netcraft.
The Netcraft study found that while many web sites patched their vulnerable OpenSSL installations after Heartbleed was disclosed early in April, and then replaced their SSL certificates and revoked the old ones, some re-used the same potentially compromised private key in the new certificate. Because Heartbleed can leak a server's private key from memory, a replacement certificate issued over that same key offers no protection: anyone holding the leaked key can still impersonate the site.
More than 30,000 affected certificates were revoked and reissued but re-used the affected private key, the Netcraft study says.
Many organizations are failing to completely secure their systems, according to Logicnet. Among the common errors are:
- Changing passwords before the system itself has been patched, so the new credentials can leak in exactly the same way as the old ones
- Re-issuing SSL certificates without first generating a new private key on the target system before requesting the new certificate
- Securing Web servers but ignoring other servers that may also be using the OpenSSL library
- Not taking into account cross system information leakage
- Not coordinating security procedures with partners
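The certificate mistake that Netcraft describes and that appears in the list above has a simple, mechanical check: compare the SubjectPublicKeyInfo (SPKI) of the old certificate with that of its replacement. If the fingerprints match, the "new" certificate still wraps the old, potentially leaked, private key. The script below is an added example and is not Logicnet's or Netcraft's tooling; it assumes the `openssl` command-line tool (1.1 or later) is on the PATH, and the three certificates it compares are generated locally as constructed fixtures rather than taken from any real site.

```shell
#!/bin/sh
# Added example, not from the article or from Logicnet/Netcraft.
# Detect a reissued certificate that reuses the old private key by comparing
# SPKI fingerprints. Assumes the openssl CLI (1.1+) is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# This is the same value browsers use for public-key pinning, so it compares
# key pairs, not certificate serial numbers or validity dates.
spki_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Exit status 0 if the second certificate reuses the first one's key pair,
# 1 if the key was genuinely rotated.
key_reused() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# One-line verdict for an operator reviewing a post-Heartbleed reissue.
check_reissue() {
    if key_reused "$1" "$2"; then
        echo "KEY REUSED: $2 carries the same public key as $1; generate a fresh key and reissue"
    else
        echo "ok: $2 uses a different key pair than $1"
    fi
}

# Constructed fixtures (hypothetical host example.test, not a real site):
# 1. the pre-patch certificate and its private key ...
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/old.key" -out "$WORK/old.pem" \
    -subj /CN=example.test -days 1 >/dev/null 2>&1
# 2. ... a "reissued" certificate signed over the SAME key (the mistake Netcraft found) ...
openssl req -x509 -new -key "$WORK/old.key" -out "$WORK/reissued.pem" \
    -subj /CN=example.test -days 1 >/dev/null 2>&1
# 3. ... and a correctly rotated certificate with a freshly generated key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/new.key" -out "$WORK/rotated.pem" \
    -subj /CN=example.test -days 1 >/dev/null 2>&1

check_reissue "$WORK/old.pem" "$WORK/reissued.pem"
check_reissue "$WORK/old.pem" "$WORK/rotated.pem"
```

To audit a live host instead of local files, save the certificate it currently serves with `openssl s_client -connect host:443 </dev/null | openssl x509 -out live.pem` and compare it against the copy that was deployed before the patch; the fingerprint is what matters, so a revoked serial number or a later expiry date on the new certificate proves nothing on its own. Note that revoking the old certificate does not help if the key was reused: whoever extracted the key during the vulnerable window can present the new certificate just as well as the legitimate server.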
Leaving even one system exposed can lead to a system-wide breach, since a single unpatched host can leak credentials or keys that are shared with systems that were patched. Companies also have to be aware of the security posture of their partners.
“Who are you doing business with and exchanging important and sensitive information?” asked Parent. “Have they been thoroughly checked out?”