Hundreds of thousands of corporate computer servers, routers and other Internet devices worldwide remain vulnerable to the Heartbleed Web-security flaw nearly six months after its existence was disclosed, security researchers say.
More than half of the Forbes Global 2000 listing of the world's most profitable companies have servers that are still not fully protected, according to the security company Venafi Inc., which electronically probed them Aug. 22.
"We expect that the most sophisticated attackers will use this at the time of their liking," Kevin Bocek, vice president for security strategy and threat intelligence at the Sandy, Utah-based company, said in a phone interview.
He declined to name any companies found to be vulnerable, though said they were in the health care, retail, banking and other sectors. The biggest public company known to be hacked through Heartbleed was Community Health Systems Inc., which disclosed Aug. 18 it had been attacked in April and June.
Separately, Errata Security, a consulting company based in Atlanta, Georgia, scanned publicly available devices on the Internet on June 20 and found as many as 300,000 routers, servers and other Internet devices were still vulnerable.
The lag in responding to one of the most widespread Internet vulnerabilities ever uncovered means hackers can still intercept user names, passwords and other sensitive data, just like they did by stealing 4.5 million patient records from Community Health earlier this year.
Chinese hackers exploited Community Health's Heartbleed vulnerability more than a week after the security hole was publicized, said a person involved in the investigation. The timetable illustrates how attackers often move faster than corporate security teams to exploit flaws once they become known.
Community Health was required to notify patients and regulators and said in an Aug. 18 regulatory filing that it "completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type." The company didn't say whether the breach occurred due to Heartbleed.
In the wake of the Heartbleed disclosure, much attention was focused on concerns that websites might be hacked. It may be that devices companies depend on to connect to customers, medical patients and users are most vulnerable to the flaw, Kevin Hamlen, an associate professor at the University of Texas in Dallas, said in a phone interview.
Heartbleed is a programming mistake in OpenSSL, which is used by companies to secure traffic flowing between servers and computers. SSL refers to an encryption protocol known as Secure Sockets Layer and its use is indicated by a closed padlock appearing on browsers next to a website's address.
Venafi found 1,219 companies on the Forbes Global 2000 had a combined 448,000 servers that weren't fully secured from Heartbleed. The company sent automated browser requests to the firms to look for hardware and software vulnerabilities and recorded the publicly available information that was returned.
Although security patches had been applied, encryption keys and digital certificates that provide trust and privacy for consumer protection remained unchanged, Venafi found. Security research company Gartner Inc. recommends rotating and replacing keys in order to defend against Heartbleed attacks.
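The gap Venafi describes is that a patched server can keep serving a certificate whose private key existed during the vulnerable window, and a certificate re-signed after the patch can still carry the same key. The following Go check, written as an added example and not code from Venafi or Gartner, builds two constructed self-signed certificates offline and treats a key as rotated only if the current certificate was issued after the April 7 disclosure and its public key differs from the one served before patching:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HeartbleedDisclosure is the public disclosure date the article gives.
var HeartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// selfSigned builds a constructed self-signed certificate for the given key
// and notBefore so the check runs offline; no real server is contacted.
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vpn.example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// KeyRotated reports whether the certificate served now (cur) reflects a real
// key rotation relative to the one served before patching (prev): it must be
// issued after disclosure AND carry a different public key. Re-signing the old
// key after the patch leaves the server exposed if that key was ever leaked.
func KeyRotated(prev, cur *x509.Certificate) bool {
	return cur.NotBefore.After(HeartbleedDisclosure) &&
		!bytes.Equal(prev.RawSubjectPublicKeyInfo, cur.RawSubjectPublicKeyInfo)
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	before, _ := selfSigned(oldKey, time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC))
	resigned, _ := selfSigned(oldKey, time.Date(2014, time.April, 12, 0, 0, 0, 0, time.UTC))
	fresh, _ := selfSigned(newKey, time.Date(2014, time.April, 12, 0, 0, 0, 0, time.UTC))
	fmt.Println("re-signed old key counts as rotated:", KeyRotated(before, resigned)) // false
	fmt.Println("new key after patch counts as rotated:", KeyRotated(before, fresh))  // true
}
```

In practice `prev` would come from a certificate inventory captured before the patch and `cur` from the live TLS handshake; the comparison is on the SubjectPublicKeyInfo bytes, so it is independent of issuer, serial number or validity period.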
"Definitely expect more" companies to find out they've been infiltrated through the flaw, said Jeff Horne, who investigates data breaches as vice president of research and development and chief architect at Accuvant Inc., a Denver, Colorado-based security firm. "It takes people forever to patch."
Heartbleed, which existed for two years before the public was alerted to the flaw April 7, lets hackers steal the secret keys protecting user names, passwords and other digital data. With keys in hand, hackers can infiltrate deeper into a company's network to obtain other data.
Researchers who discovered Heartbleed warned at the time it might have affected as many as two-thirds of the world's almost 1 billion active websites – a claim that hasn't been borne out.
"Underneath the tip of that iceberg every web-facing server that used OpenSSL for encrypted communication was vulnerable," Hamlen said.
The extent of damage may never be known as companies are under no obligation to report breaches unless they involve protected data – such as patient records, credit-card numbers and other personal information – or unless a public company determines that its shareholders need to know about an attack.
Companies rushed to patch their computers when the flaw became public, but their uneven responses gave hackers a window of opportunity. The flaw got its name because hackers use it to exploit encrypted computer connections in which data packets known as heartbeats are exchanged.
"How a company responds and reacts to vulnerabilities can vary wildly," Raj Samani, chief technology officer for Europe, the Middle East and Africa for McAfee Inc., said in a phone interview.
Community Health, based in Franklin, Tennessee, said in a disclosure that the attacks on its networks occurred in April and June, and a person involved in investigating the breach said it was carried out by exploiting Heartbleed. The person discussed the internal investigation only on the condition of anonymity.
The hackers exploited the Heartbleed flaw in a virtual private networking device made by Juniper Networks Inc. and used by Community Health in order to steal credentials of company employees, said David Kennedy, founder of TrustedSec LLC, a Cleveland-based security consulting company. The claim couldn't be independently verified. Kennedy was first to report on his company's website Aug. 19 that Heartbleed was used in the attack and said he was informed by three people close to the investigation.
Tomi Galin, a spokeswoman for Community Health, declined to comment on the role of Heartbleed or the Juniper device in the attack. She said in an e-mail that although patient identification data was stolen, the hackers didn't obtain medical or financial information. She didn't answer questions about when Community Health received a patch from Juniper or when the company applied the patch.
Lookingglass Cyber Solutions Inc. passively identified signals coming from Community Health's public-facing routers and websites, which indicated the company has computers infected by different malware as far back as January, said Chris Coleman, chief executive officer of Lookingglass, which is based in Baltimore, Maryland.
Coleman equated it to seeing smoke coming from a house on fire, even though there's no way to know for sure how strong the flames are raging inside. Some of the signals indicated presence of the Conficker worm – which was first discovered in 2008 – suggesting the company's systems are either unable to be patched or have simply been ignored.
"If you haven't patched a vulnerability that has been open since 2008, it wouldn't surprise me that they haven't patched a vulnerability since April," Coleman said in a phone interview. Community Health spokeswoman Galin didn't respond to e-mail and telephone requests for comment on Coleman's findings.
Juniper was among many device manufacturers that had to react to Heartbleed. It issued patches for Heartbleed on its devices on April 8, April 9 and April 11, said Danielle Hamel, spokeswoman for the Sunnyvale, California-based company.
"Juniper is committed to the security and assurance of its products," Hamel said in an e-mail. "When we learned earlier this year about vulnerabilities in OpenSSL, we reacted with speed and transparency and delivered a remediation for affected products within a day."
Juniper said it discovered and fixed nearly a dozen vulnerable products, including virtual private networking software for sending encrypted communications, the Junos operating system for managing networks, and Junos Pulse for enabling workers to log into sensitive systems from their smartphones.
Community Health also buys from another device manufacturer, Cisco Systems Inc., which competes with Juniper. Cisco issued security advisories for its customers between April 8 and June 6, Nigel Glennie, spokesman for the San Jose, California-based company, said in an e-mail.
Cisco said it discovered and fixed 77 products that had been vulnerable, including its TelePresence video-calling service, Internet Protocol phones and security-management software.
"There's definitely a chance that other organizations during the window in which Heartbleed had not been patched were exploited," Nick Sullivan, an engineer with the network security company CloudFlare Inc. in San Francisco, said in a phone interview. "It was a hectic time."