TORONTO – One year ago, security researchers drew our attention to a serious encryption flaw now known as the Heartbleed bug. The flaw made it possible for hackers to snoop on encrypted Internet traffic, leaving users’ information vulnerable.
To date, Heartbleed has been blamed for the theft of roughly 900 social insurance numbers from the Canada Revenue Agency’s website and breach of 4.5 million patient records from U.S. hospital group Community Health Systems.
But, despite these widespread breaches, a new study alleges many big companies have not yet taken action to protect their public-facing systems from the security flaw.
According to a scan of Forbes’ Global 2000 companies by U.S.-based security firm Venafi, 74 per cent of those companies have not taken all of the necessary steps to fix the Heartbleed bug.
That number has remained virtually unchanged since August 2014, according to Venafi.
“A year after Heartbleed revealed massive vulnerabilities in the foundation for global trust online, a major alarm needs to be sounded for this huge percentage of the world’s largest and most valuable businesses who are still exposed to attacks like those executed against Community Health Systems,” said Jeff Hudson, CEO of Venafi, in a press release.
READ MORE: What we learned from the Heartbleed bug
Heartbleed affected technology called OpenSSL – a widely used open-source set of software libraries for encrypting online services.
The bug created an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic between a computer and a website is secure. This allowed hackers to snoop on Internet traffic even if the padlock was closed, leaving users’ information vulnerable.
What made it more frightening was that hackers could also grab the keys for deciphering encrypted data and leave no trace of ever being there.
In order for companies to fix the vulnerability, they would first need to update to the latest version of OpenSSL to prevent the bug from being exploited. According to Venafi’s report, every company had accomplished this step.
But, organizations also need to create new private keys, which would prevent anyone who may have exploited the vulnerability prior to the patch from being able to spy on encrypted traffic. Finally, the organization should reissue its security certificates. Venafi said companies must follow all three of these steps to be fully protected against Heartbleed’s fallout.
“This leaves these organizations vulnerable to cyberattacks, future brand damage, and intellectual property loss,” read the report.