It is believed to have infected nearly half a million of the Internet’s secure Web servers and just two weeks before the tax filing deadline in April, it forced Canada Revenue Agency (CRA) to shut down its Web site.
The OpenSSL cryptography vulnerability known as the Heartbleed bug, which enables hackers to grab data from computer systems by just communicating with a host server, caused a widespread scare around the globe just five months ago. Now, after many corporations and government agencies are supposed to have patched their systems, a security firm is saying that Heartbleed remains a serious threat.
In a recent report, Venafi Inc., a Salt Lake City-based cyber security software company, said its survey of 1,639 Global 2000 companies found that many such firms “have not completely remediated Heartbleed.”
This means as much as 97 per cent of external servers of Global 2000 companies remain vulnerable to cyber attacks through Heartbleed.
“Even though many Global 2000 organizations have taken basic steps to remediate Heartbleed, most have not entirely remediated their vulnerability,” the firm said. “Only 387 G2000 organizations have fully remediated Heartbleed.”
Venafi said it also evaluated 550,000 hosts as part of its Heartbleed scan and found that more than 460,000 hosts were previously or currently “Heartbleed vulnerable.”
Only 5,000 hosts or three per cent of surveyed G2000 companies have been fully remediated from Heartbleed.
The company also repeated the warning by many experts that simply patching the Heartbleed vulnerability is not adequate to protect organizations.
“it is required to also replace the private key, re-issue the certificate and revoke the old certificate,” according to the report. “…Failure to revoke the old certificate enables the attacker to use the old certificate in phishing campaigns against the organization and its customers.”
The company said organizations should make sure to:
- Know where all keys and certificates are located
- Generate new keys and certificates
- Revoke old keys and certificates
- Validate remediation to ensure new keys and certificates are in place.
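The four steps above are an inventory problem as much as a patching problem: a host can answer a scanner as "patched" while still serving the same private key it exposed before the fix. The following script is an added example (it is not Venafi's code or part of its report) that shows how the last step, validating remediation, can be expressed in code. It compares a constructed pre-patch inventory of hypothetical hosts against a constructed re-scan and a constructed set of revoked serials, and classifies each host according to which of the steps it has actually completed. The disclosure date of 7 April 2014 is the public Heartbleed disclosure date; the hosts, serials and key fingerprints are made up.

```python
from dataclasses import dataclass
from datetime import date

# Heartbleed was publicly disclosed on 2014-04-07. Any key that was in service on a
# vulnerable server before that date has to be treated as potentially exposed.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)


@dataclass(frozen=True)
class CertRecord:
    host: str
    serial: str          # certificate serial number (hex) as issued by the CA
    spki_sha256: str     # fingerprint of the SubjectPublicKeyInfo, i.e. of the key itself
    not_before: date     # start of the certificate's validity period
    vulnerable: bool     # scanner verdict: does the TLS stack still leak memory?


# Constructed sample inventory of the state before patching (hypothetical hosts).
PRE_PATCH = {
    "www.example.com":  CertRecord("www.example.com",  "0a1b", "k-111", date(2013, 6, 1), True),
    "api.example.com":  CertRecord("api.example.com",  "0a1c", "k-222", date(2013, 9, 1), True),
    "vpn.example.com":  CertRecord("vpn.example.com",  "0a1d", "k-333", date(2014, 1, 1), True),
    "mail.example.com": CertRecord("mail.example.com", "0a1e", "k-444", date(2013, 2, 1), True),
    "blog.example.com": CertRecord("blog.example.com", "0a1f", "k-555", date(2013, 8, 1), True),
}

# Constructed sample of what a re-scan after "remediation" reports for each host.
CURRENT_SCAN = [
    CertRecord("www.example.com",  "0a1b", "k-111", date(2013, 6, 1), True),   # never patched
    CertRecord("api.example.com",  "0a1c", "k-222", date(2013, 9, 1), False),  # patched, nothing else done
    CertRecord("vpn.example.com",  "0b01", "k-333", date(2014, 5, 2), False),  # cert reissued on the OLD key
    CertRecord("mail.example.com", "0b02", "k-999", date(2014, 5, 3), False),  # new key, new cert
    CertRecord("blog.example.com", "0b03", "k-777", date(2014, 5, 4), False),  # new key, new cert
    CertRecord("shop.example.com", "0b04", "k-888", date(2014, 5, 5), False),  # not in the inventory at all
]

# Constructed: serials that the CA has placed on its revocation list.
REVOKED_SERIALS = {"0a1e"}


def classify(now, before, revoked):
    """Return the remediation state of one host, checking the steps in order."""
    if now.vulnerable:
        return "unpatched"                # step 0: the OpenSSL fix itself is missing
    if before is None:
        return "not_in_inventory"         # step 1 failed: nobody knew this key existed
    if now.serial == before.serial:
        return "patched_only"             # step 2 skipped: same certificate, same key
    if now.spki_sha256 == before.spki_sha256:
        return "key_reused"               # step 2 half done: new cert, but the exposed key lives on
    if before.serial not in revoked:
        return "old_cert_not_revoked"     # step 3 skipped: the old cert is still usable for phishing
    return "remediated"                   # step 4: all of the above hold


def remediation_report(scan, inventory, revoked):
    """Map every scanned host to its remediation state."""
    return {rec.host: classify(rec, inventory.get(rec.host), revoked) for rec in scan}


def fully_remediated(report):
    """Hosts that completed every step, sorted for stable output."""
    return sorted(host for host, state in report.items() if state == "remediated")


if __name__ == "__main__":
    report = remediation_report(CURRENT_SCAN, PRE_PATCH, REVOKED_SERIALS)
    for host, state in report.items():
        print(f"{host:18} {state}")
    print("fully remediated:", fully_remediated(report))
```

Run as-is it reports only mail.example.com as fully remediated: api.example.com and vpn.example.com are the cases the report warns about (patched but still serving a pre-Heartbleed key), blog.example.com has a new key but its old certificate has not been revoked, and shop.example.com shows why the first step on the checklist matters. In a real deployment the `CertRecord` values would come from a certificate inventory and a TLS scanner rather than from the constructed tables above.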
“The most concerning issue is there is little movement in the number of legacy, pre-Heartbleed certificates being revoked,” according to Venafi.