When you visit a webpage, your computer actually connects to the server where the files displayed on your screen are stored. If you enter a password on that site, it also travels to the server, where it is stored. Companies rely on secure protocols such as SSL/TLS, most often through the popular OpenSSL library, to encrypt the communications of computers connected to the network.
So when, in April 2014, a serious vulnerability in the OpenSSL software package was published, companies all around the world held their breath. Since 2012 the open source SSL library had not been living up to its protective duty.
The person ultimately responsible for the finding was Google engineer Neel Mehta, who discovered it after a thorough review of the tool's open source code. Mehta, together with a team at Codenomicon, gave CVE-2014-0160 a simpler name, Heartbleed, with a bleeding-heart logo to convey the severity of the flaw.
The vulnerability allowed cybercriminals to access users' information (passwords, bank account details and other sensitive data) held on Internet servers running OpenSSL.
The news kept thousands of companies on edge, companies that used this system to encrypt communications on their webpages or between internal servers. Even routers use SSL. One of the affected organizations was Community Health Systems (CHS) in the United States, where the data of 4.5 million patients was compromised until the responsible authorities fixed the error.
Fortunately, as with any other security breach, a fix was found: the OpenSSL team released a software update that removed the flaw. Professionals only had to follow a few steps to secure their communications again.
However, a recent report by a group of security experts revealed that 74% of the largest companies in the world are still at risk, because those companies have not yet fully got rid of the malware. In addition to installing the new version (1.0.1g or higher), they had to revoke and replace their encryption keys and the certificates tied to the library. This process requires some technical skill and, in many cases, contact with the digital certificate suppliers, which is something many of them left half done.
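One way to check the two remediation points above (library version and certificate reissue) is an added shell example that is not part of the original post; it assumes the standard `OpenSSL <version> <date>` output of `openssl version` and the `notBefore=` line printed by `openssl x509 -noout -startdate`:

```shell
#!/bin/sh
# Added example, not from the original post. Classifies an "openssl version"
# string against the Heartbleed-affected range: OpenSSL 1.0.1 through 1.0.1f
# (plus 1.0.2-beta1/beta2) are vulnerable, 1.0.1g and later carry the fix,
# and the 1.0.0/0.9.8 branches never had the heartbeat code.
# Caveat: distributions backport fixes, so a "1.0.1e" string on a patched
# system can be a false positive; confirm with the package changelog.
heartbleed_status() {
    set -- $1                # split "OpenSSL 1.0.1f 6 Jan 2014" into words
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)  echo "vulnerable" ;;   # e.g. 1.0.1e-fips
        1.0.2-beta1|1.0.2-beta2)        echo "vulnerable" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)   echo "fixed" ;;
        1.0.0*|0.9.*)                   echo "not-affected" ;;
        *)                              echo "unknown" ;;
    esac
}

# Was a certificate issued after the fix became available (7 Apr 2014)?
# Takes the "notBefore=Mon DD HH:MM:SS YYYY GMT" line printed by
# `openssl x509 -noout -startdate -in server.crt`. A certificate that predates
# the fix was served by a possibly leaky process, so its key should be replaced.
cert_reissued_after_fix() {
    set -- $(printf '%s\n' "$1" | sed 's/^notBefore=//')   # Mon DD HH:MM:SS YYYY GMT
    mon=$1; day=$2; year=$4
    case "$mon" in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) echo "unknown"; return 1 ;;
    esac
    if [ "$year" -gt 2014 ] \
       || { [ "$year" -eq 2014 ] && [ "$m" -gt 4 ]; } \
       || { [ "$year" -eq 2014 ] && [ "$m" -eq 4 ] && [ "$day" -ge 7 ]; }; then
        echo "reissued"
    else
        echo "predates-fix"
    fi
}

# Usage on a live host (needs the openssl CLI; not executed here):
#   heartbleed_status "$(openssl version)"
#   cert_reissued_after_fix "$(openssl x509 -noout -startdate -in server.crt)"
```

A "fixed" library with a "predates-fix" certificate is exactly the half-done state the report describes: the code is patched, but a key that may already have leaked is still in use.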
Although some experts doubted the report's findings, the fact is that Heartbleed is not a regular 'bug'. Vulnerabilities that affect only one program can be fixed quickly, but during its two years of life the OpenSSL breach affected 66% of the active sites on the Internet, according to Netcraft. Even Yahoo! and Flickr were affected and had to fix the problem.
The cryptographic library is one of the most widely used pieces of software in companies, from online shops to simple user authentication on a corporate platform. OpenSSL is often used to protect mail servers, chat services and virtual private networks.
Internet users couldn't do anything about it except trust that the people responsible for the websites they visited most had closed the security breach. Companies, however, did have homework to do to solve the problem. We can only hope that the report's findings will at least make the stragglers get down to work.
The post Heartbleed. Why do the vast majority of companies remain vulnerable? appeared first on MediaCenter Panda Security.