Heartbleed hacks still pose threat

Companies at risk months after security flaw revealed

WASHINGTON – Hundreds of thousands of corporate computer servers, routers and other Internet devices worldwide remain vulnerable to the Heartbleed security flaw nearly six months after its existence was disclosed, security researchers say.

More than half of the Forbes Global 2000 listing of the world's most profitable companies have servers that are still not fully protected, according to Venafi Inc. of Sandy, Utah, the security company that tested them Aug. 22.

“We expect that the most sophisticated attackers will use this at the time of their liking,” said Kevin Bocek, vice president for security strategy at Venafi.

The flaw got its name because hackers use it to exploit encrypted computer connections in which data packets known as heartbeats are exchanged.

The biggest public company known to be hacked through Heartbleed was Community Health Systems Inc., which disclosed Aug. 18 that it had been attacked in April and June. Community Health Systems is the parent of Lutheran Health Network in Fort Wayne.

Separately, Errata Security in Atlanta scanned publicly available devices on the Internet on June 20 and found as many as 300,000 routers, servers and other Internet devices that were still vulnerable.

The lag time in responding to one of the most widespread Internet vulnerabilities ever uncovered means that hackers can still intercept user names, passwords and other sensitive data, just like they did by stealing 4.5 million patient records from Community Health this year.

Chinese hackers exploited Community Health's Heartbleed vulnerability more than a week after the security hole was publicized, said a person involved in the investigation. The timetable illustrates how attackers often move faster than corporate security teams to exploit flaws once they become known.

Community Health was required to notify patients and regulators and said in an Aug. 18 regulatory filing that it “completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.”

Heartbleed is a programming mistake in OpenSSL, which is used by companies to secure traffic flowing between servers and computers.

Venafi found 1,219 companies on the Forbes Global 2000 with a combined 448,000 servers that weren't fully secured against Heartbleed. The company sent automated browser requests to those firms to look for hardware and software vulnerabilities and recorded the publicly available information that was returned.

Although security patches had been applied, encryption keys and digital certificates that provide trust and privacy for consumer protection were unchanged, Venafi found. Security research company Gartner Inc. recommends rotating and replacing keys in order to defend against Heartbleed attacks.

“Definitely expect more” companies to find out they've been infiltrated through the flaw, said Jeff Horne, who investigates data breaches as vice president of research and development and chief architect at Accuvant Inc., a Denver security firm. “It takes people forever to patch.”

Heartbleed, which existed for two years before the public was alerted to the flaw in April, lets hackers steal the secret keys protecting user names, passwords and other digital data. With keys in hand, hackers can infiltrate deeper into a company's network to obtain other data.
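The two remediation gaps the article describes, servers still running a vulnerable OpenSSL build and servers that were patched but kept the keys and certificates that may already have been stolen, can be triaged from an asset inventory. The following is an added example, not code from the article or from Venafi, Errata Security or Gartner. It assumes a constructed inventory in which each host records its OpenSSL version, the notBefore date of the certificate it currently serves, and (where an earlier scan exists) the public-key fingerprint seen before patching; the host names and fingerprints are made up. The version ranges it encodes are the publicly documented ones: only OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the flaw, and the disclosure date used as the key-rotation cutoff is 7 April 2014.

```python
"""Triage a server inventory for Heartbleed remediation state (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Public disclosure date of Heartbleed; any key or certificate that predates it
# may have been exposed while the server was still vulnerable.
DISCLOSURE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_openssl_version(version: str) -> Tuple[Tuple[int, int, int], str, Optional[str]]:
    """Split '1.0.1g' or '1.0.2-beta1' into ((1, 0, 1), 'g', None) / ((1, 0, 2), '', '1')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch)), letter, beta


def openssl_is_vulnerable(version: str) -> bool:
    """True only for the builds that shipped the flawed heartbeat code."""
    base, letter, beta = parse_openssl_version(version)
    if base == (1, 0, 1):
        return letter <= "f"          # 1.0.1 (no letter) through 1.0.1f; 1.0.1g fixed it
    if base == (1, 0, 2):
        return beta == "1"            # only 1.0.2-beta1; 1.0.2-beta2 was fixed
    return False                      # 1.0.0, 0.9.8 and others never had the code


@dataclass
class Host:
    name: str
    openssl_version: str
    cert_not_before: date                       # from the certificate served now
    key_fingerprint: str                        # public-key fingerprint served now
    key_fingerprint_before_patch: Optional[str] = None   # from a pre-patch scan, if any


def remediation_state(h: Host) -> str:
    base, _, _ = parse_openssl_version(h.openssl_version)
    if openssl_is_vulnerable(h.openssl_version):
        return "vulnerable"
    if base not in {(1, 0, 1), (1, 0, 2)}:
        # Assumption: a host on another branch never ran the vulnerable code,
        # so its keys were not exposed by this flaw.
        return "not-affected"
    if h.cert_not_before < DISCLOSURE:
        return "patched-keys-unrotated"     # certificate issued while exposure was possible
    if h.key_fingerprint_before_patch and h.key_fingerprint_before_patch == h.key_fingerprint:
        return "patched-keys-unrotated"     # certificate reissued but the same key reused
    return "remediated"


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Group host names by remediation state."""
    report: Dict[str, List[str]] = {}
    for h in hosts:
        report.setdefault(remediation_state(h), []).append(h.name)
    return report


# Constructed sample inventory (names, versions and fingerprints are made up).
SAMPLE_HOSTS = [
    Host("www.example.test", "1.0.1e", date(2013, 9, 1), "fp-01"),
    Host("api.example.test", "1.0.1g", date(2013, 9, 1), "fp-02"),
    Host("vpn.example.test", "1.0.1h", date(2014, 4, 12), "fp-03", "fp-03"),
    Host("mail.example.test", "1.0.1g", date(2014, 4, 10), "fp-05", "fp-04"),
    Host("legacy.example.test", "0.9.8y", date(2012, 1, 1), "fp-06"),
]

if __name__ == "__main__":
    for state, names in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{state}: {', '.join(names)}")
```

The certificate date alone is not enough, which is why the pre-patch fingerprint is kept: a certificate reissued after the disclosure with the same key pair leaves the exposure exactly where it was, and that host is reported as unrotated.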

Companies rushed to patch their computers when the flaw became public; however, their uneven responses gave hackers a window of opportunity.

“How a company responds and reacts to vulnerabilities can vary wildly,” said Raj Samani, McAfee Inc.'s chief technology officer for Europe, the Middle East and Africa.

The extent of damage may never be known because companies are under no obligation to report breaches unless they involve protected data – such as patient records, credit card numbers and other personal information – or unless a public company determines that its shareholders need to know about an attack.