WASHINGTON – Hundreds of thousands of corporate computer servers, routers and other Internet devices worldwide remain vulnerable to the Heartbleed security flaw nearly six months after its existence was disclosed, security researchers say.
More than half of the Forbes Global 2000 listing of the world's most profitable companies have servers that are still not fully protected, according to Venafi Inc. of Sandy, Utah, the security company that tested them Aug. 22.
“We expect that the most sophisticated attackers will use this at the time of their liking,” said Kevin Bocek, vice president for security strategy at Venafi.
The flaw got its name from the "heartbeat" extension of the TLS protocol, a keep-alive message that two ends of an encrypted connection exchange to confirm the other side is still there. A malformed heartbeat request makes a vulnerable server "bleed" up to 64 kilobytes of its memory back to whoever sent it.
The biggest public company known to be hacked through Heartbleed was Community Health Systems Inc., which disclosed Aug. 18 that it had been attacked in April and June. Community Health Systems is the parent of Lutheran Health Network in Fort Wayne.
Separately, Errata Security in Atlanta scanned publicly available devices on the Internet on June 20 and found as many as 300,000 routers, servers and other Internet devices that were still vulnerable.
The lag time in responding to one of the most widespread Internet vulnerabilities ever uncovered means that hackers can still intercept user names, passwords and other sensitive data, just like they did by stealing 4.5 million patient records from Community Health this year.
Chinese hackers exploited Community Health's Heartbleed vulnerability more than a week after the security hole was publicized, said a person involved in the investigation. The timetable illustrates how attackers often move faster than corporate security teams to exploit flaws once they become known.
Community Health was required to notify patients and regulators and said in an Aug. 18 regulatory filing that it “completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.”
Heartbleed is a programming mistake in OpenSSL, the open-source cryptographic library that companies use to secure traffic flowing between servers and computers. The bug, tracked as CVE-2014-0160, is a missing bounds check: a heartbeat request can claim a payload larger than it actually carries, and a vulnerable server answers with that many bytes, copying out whatever happens to sit next to the request in memory.
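The following is an added illustration of that missing bounds check, not code from OpenSSL or from anyone quoted in this article. It models process memory as a single byte string (the received heartbeat record followed by a constructed fake private key that happens to sit next to it) and compares a handler that trusts the length field in the header with one that applies the check the OpenSSL fix introduced. The wire layout follows RFC 6520; the data and the function names are assumptions for the demo.

```python
"""Simplified model of the OpenSSL heartbeat over-read (CVE-2014-0160).

Process memory is modelled as one bytes object: the heartbeat record that
actually arrived, followed by whatever sat next to it on the heap (here a
constructed fake private key). record_len is the true length of the record.
"""
import struct

HEARTBEAT_REQUEST = 0x01
HEADER_LEN = 1 + 2      # type byte plus 16-bit payload length
MIN_PADDING = 16        # RFC 6520 section 4: at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat request. An honest peer passes claimed_len == len(payload);
    an attacker passes a larger value, up to 65535."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Pre-patch logic: trust the length in the header and echo that many bytes
    starting at the payload, never comparing it with the real record length."""
    hbtype, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # This slice plays the role of memcpy(bp, pl, payload) in the original bug:
    # it reads payload_len bytes regardless of where the record actually ends.
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def patched_handler(memory: bytes, record_len: int):
    """Post-patch logic: discard any record whose declared payload, plus header and
    minimum padding, does not fit inside the bytes that were actually received."""
    if HEADER_LEN + MIN_PADDING > record_len:
        return None                      # too short to hold even a header and padding
    hbtype, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    if HEADER_LEN + payload_len + MIN_PADDING > record_len:
        return None                      # silently discard, as RFC 6520 requires
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


# Constructed demo data: the bytes "next to" the record in memory (not a real key).
FAKE_SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)"


def demo() -> dict:
    """Run both handlers against an honest request and a lying one."""
    honest = build_heartbeat(b"hat", 3)
    malicious = build_heartbeat(b"hat", 3 + MIN_PADDING + 32)   # claims 51 bytes, sends 3
    return {
        "honest_vulnerable": vulnerable_handler(honest + FAKE_SECRET, len(honest)),
        "honest_patched": patched_handler(honest + FAKE_SECRET, len(honest)),
        "evil_vulnerable": vulnerable_handler(malicious + FAKE_SECRET, len(malicious)),
        "evil_patched": patched_handler(malicious + FAKE_SECRET, len(malicious)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The lying request declares 51 bytes of payload but carries three, so the unpatched handler echoes the three bytes, the padding, and then the start of the fake key; the patched handler drops the record without replying. A real server leaks whatever happens to be adjacent, which is why the leaked bytes vary from request to request and why attackers send the request repeatedly.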
Venafi found 1,219 companies on the Forbes Global 2000 with a combined 448,000 servers that weren't fully secured against Heartbleed. The company sent automated browser requests to those firms to look for hardware and software vulnerabilities and recorded the publicly available information that was returned.
Although security patches had been applied, the encryption keys and digital certificates that provide trust and privacy for consumers were unchanged, Venafi found. Patching stops further leakage, but a private key that may already have been read out of memory remains usable by whoever took it until the key is regenerated, the certificate reissued and the old one revoked. Research and advisory firm Gartner Inc. recommends rotating and replacing keys in order to defend against Heartbleed attacks.
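One way to perform the kind of check described above, as an added example that is not Venafi's tooling or anything from the original article: look at when a server's current certificate was issued. A certificate whose validity period starts before the April 7, 2014 disclosure was signed for a key that was in service while the server could have been exploited, so it is flagged for rotation. The sample certificates and host names are constructed; the live lookup function uses only Python's standard library and is not exercised by the sample run.

```python
"""Flag certificates that predate the Heartbleed disclosure and so may still
protect a key that was exposed before the patch was applied."""
import socket
import ssl

# Public disclosure of CVE-2014-0160 (OpenSSL advisory, 7 April 2014, UTC).
DISCLOSURE = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")


def assess_certificate(cert: dict, disclosed_at: float = DISCLOSURE) -> str:
    """Classify a certificate dict in the shape ssl.SSLSocket.getpeercert() returns.

    "rotate"   - notBefore predates disclosure: the key was live while the server
                 could have been exploited, so regenerate it and reissue.
    "reissued" - notBefore is on or after disclosure.
    "unknown"  - no notBefore field (for example, verification was disabled).
    """
    not_before = cert.get("notBefore")
    if not not_before:
        return "unknown"
    issued = ssl.cert_time_to_seconds(not_before)
    return "reissued" if issued >= disclosed_at else "rotate"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup: open a verified TLS connection and return the peer certificate
    as a dict. Used interactively only; the sample run below uses constructed data."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates; these hosts and dates are made up for the demo.
SAMPLE_CERTS = {
    "patched-but-old-key.example": {
        "notBefore": "Mar 12 09:30:00 2013 GMT",
        "notAfter": "Mar 12 09:30:00 2015 GMT",
    },
    "rekeyed.example": {
        "notBefore": "Apr 10 14:00:00 2014 GMT",
        "notAfter": "Apr 10 14:00:00 2016 GMT",
    },
}


def audit(certs: dict) -> dict:
    """Return a verdict per host name."""
    return {host: assess_certificate(cert) for host, cert in certs.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_CERTS).items():
        print(f"{host}: {verdict}")
```

Two caveats a practitioner would add. A certificate issued after the disclosure date does not by itself prove the key was regenerated: a certificate authority will happily reissue against the old key if the same signing request is resubmitted, so a thorough audit also compares the public key in the new certificate with the one that was served before the patch. And the date check says nothing about whether the patch itself is installed; that requires testing the server's heartbeat handling directly.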
“Definitely expect more” companies to find out they've been infiltrated through the flaw, said Jeff Horne, who investigates data breaches as vice president of research and development and chief architect at Accuvant Inc., a Denver security firm. “It takes people forever to patch.”
Heartbleed, which existed for two years before the public was alerted to the flaw in April, lets hackers read chunks of a server's memory, which can contain the private key behind its certificate as well as user names, passwords, session cookies and other data in use at that moment. With the private key in hand, hackers can impersonate the server or decrypt traffic they have captured, and use the credentials they recover to infiltrate deeper into a company's network.
Companies rushed to patch their computers when the flaw became public; however, their uneven responses gave hackers a window of opportunity.
“How a company responds and reacts to vulnerabilities can vary wildly,” said Raj Samani, McAfee Inc.'s chief technology officer for Europe, the Middle East and Africa.
The extent of damage may never be known because companies are under no obligation to report breaches unless they involve protected data – such as patient records, credit card numbers and other personal information – or unless a public company determines that its shareholders need to know about an attack.