Heartbleed: Still a security risk

News by Steve Gold

The Heartbleed security issue may be six months old, but it remains a major problem.

That's according to security researchers with TrustedSec and Venafi, who both say that the recently reported data breach at Community Health Systems (CHS) in the US, where information on around 4.5 million patients was exfiltrated in April and June of this year, is down to the OpenSSL flaw.

Venafi - building on its late July analysis of the Heartbleed issue - also says that more than half of the world's major corporates have servers that are still vulnerable to the Heartbleed flaw.

The Bloomberg newswire quotes Kevin Bocek, Venafi's vice president, as saying that he expects cyber-criminals to use the Heartbleed vulnerability at a time of their liking. Bocek was speaking after the latest batch of analysis from Venafi was released on August 22nd.

As previously reported, Heartbleed is an OpenSSL vulnerability that allows attackers to extract data in memory simply by communicating with a host server. According to Venafi, successful exploits show that sensitive data, including passwords, SSL/TLS keys, and X.509 digital certificates, can be extracted.

In addition to applying the OpenSSL patch, Venafi says that organisations must assume that all keys and certificates were compromised, given the extent and duration of the vulnerability.

Venafi found 1,219 companies on the Forbes Global 2000 had a combined 448,000 servers that weren't fully secured from Heartbleed. In these cases, while the security patch had been applied, the encryption keys and digital certificates that provide trust and privacy for consumer protection remained unchanged. Industry experts such as Gartner, Inc. have recommended rotating and replacing keys and certificates, or risk a breach like the one at Community Health Systems. Venafi had sent automated browser requests to the firms to look for hardware and software vulnerabilities and recorded the publicly available information that was returned.

Although security patches had been applied, encryption keys and digital certificates that provide trust and privacy for consumer protection remained unchanged, Venafi found. Research outfit Gartner recommends rotating and replacing keys in order to defend against Heartbleed attacks.
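The gap Venafi describes, a patched server still presenting pre-patch keys or certificates, can be checked against a certificate inventory. The following is an added example, not Venafi's method or code from the article; the inventory records, field names and fingerprint values are constructed, and using the certificate's issue date as a stand-in for when the new key was deployed is an assumption.

```python
from datetime import date

# Constructed inventory (not real data): the certificate seen before the
# OpenSSL patch ("old") and the one served now ("new"). key_fp stands in for
# a SHA-256 fingerprint of the public key; all values are placeholders.
INVENTORY = [
    {"host": "a.example.test", "patched_on": date(2014, 4, 9),
     "old": {"serial": "1001", "key_fp": "fp-aaaa"},
     "new": {"serial": "1001", "key_fp": "fp-aaaa", "not_before": date(2013, 6, 1)}},
    {"host": "b.example.test", "patched_on": date(2014, 4, 10),
     "old": {"serial": "2001", "key_fp": "fp-bbbb"},
     "new": {"serial": "2002", "key_fp": "fp-bbbb", "not_before": date(2014, 4, 12)}},
    {"host": "c.example.test", "patched_on": date(2014, 4, 15),
     "old": {"serial": "3001", "key_fp": "fp-cccc"},
     "new": {"serial": "3002", "key_fp": "fp-dddd", "not_before": date(2014, 4, 11)}},
    {"host": "d.example.test", "patched_on": date(2014, 4, 8),
     "old": {"serial": "4001", "key_fp": "fp-eeee"},
     "new": {"serial": "4002", "key_fp": "fp-ffff", "not_before": date(2014, 4, 20)}},
    {"host": "e.example.test", "patched_on": None,
     "old": {"serial": "5001", "key_fp": "fp-gggg"},
     "new": {"serial": "5001", "key_fp": "fp-gggg", "not_before": date(2013, 1, 5)}},
]

def remediation_status(rec):
    """Return why a host is, or is not, fully remediated."""
    old, new = rec["old"], rec["new"]
    if rec["patched_on"] is None:
        return "unpatched"
    if new["serial"] == old["serial"]:
        # Patch applied, but the same certificate (and key) is still served.
        return "patched, certificate unchanged"
    if new["key_fp"] == old["key_fp"]:
        # A new certificate wrapped around the possibly exposed private key.
        return "certificate reissued with the same key"
    if new["not_before"] < rec["patched_on"]:
        # Assumption: a certificate issued before the patch date means the
        # replacement key also sat on a still-vulnerable server.
        return "key rotated before patching"
    return "remediated"

def audit(inventory):
    """Map each host name to its remediation status."""
    return {rec["host"]: remediation_status(rec) for rec in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```
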

Commenting on the latest Heartbleed assertions, Craig Young, a security researcher with Tripwire's VERT (Vulnerability and Exposures Research Team) operation, said that, whilst it is true that attackers have the upper hand in the cat and mouse game of cybersecurity, Heartbleed represents something of a unique case.

"The fact that the vulnerability existed in an open source security library consumed by thousands of other projects meant that the OpenSSL project had no choice but to share the vulnerability details with everyone all at once. The time it took me to write a functional Heartbleed exploit was only 15-20 minutes which is a tiny fraction of the time it takes for a company like Juniper to release product updates let alone the time it takes for businesses to schedule maintenance windows to apply updates," he said, adding that this ease of exploitation combined with confusion about which systems were vulnerable to make a perfect storm for attackers.

Amichai Shulman, CTO with Imperva, was more sceptical about the risks from Heartbleed.

"While I do not necessarily want to belittle the importance of the Heartbleed vulnerability, it does seem odd to me that the only incident directly related to this vulnerability is the recent Community Health breach," he said.

"This is especially intriguing given the claim by Venafi that so many Internet devices remain vulnerable. It just does not add up. I've said it in the past with respect to Heartbleed and I'll say it again now – we have seen vulnerabilities that received far less media attention than Heartbleed being successfully and massively exploited in the wild," he said.

Lucas Zaichkowsky, enterprise defence architect with AccessData, the digital forensics firm, said that, unlike other forms of cyber-attack which require hackers to break into a system and plant malware to exfiltrate data, exploiting the Heartbleed vulnerability can be carried out over the internet against web servers, without needing to break in.

“[Security researcher] Brian Krebs noted six months ago that there were already publicly available tools such as a Python script that allows anyone to exploit the Heartbleed vulnerability over the internet. Although these tools were intended to test for the vulnerability, attackers are actively using them to steal sensitive data from websites that haven't been patched yet,” he said.

“If an organisation has data that is sought after by a determined and skilled adversary, they have an extremely high likelihood of being breached. Those organisations need to take security very seriously at the board level and allocate the resources necessary to mature their security operations to deal with real-world threats,” he added.
