
One Year Later, Heartbleed Still Kicking

By Chloe Albanesius, Executive Editor, News



One year ago, news broke about Heartbleed, a bug in OpenSSL, the open-source SSL/TLS library that secures a large share of the web's encrypted traffic. The headlines were dire and the advice confusing (Change your password! No, that won't work!), but eventually the panic died down.

It turns out, however, that most businesses didn't exactly do the most thorough Heartbleed clean-up job. As of this month, most Global 2000 organizations have "failed to completely remediate Heartbleed," according to a report from Venafi Labs.

That's not to say they ignored Heartbleed; they just "failed to take all the necessary steps" to fully wipe it from systems, Venafi said.

As of August 2014, about 76 percent of Global 2000 firms were vulnerable to Heartbleed, and little progress has been made since then. As of April 2015, it's only down to 74 percent, "leaving almost 3 in every 4 of these companies open to breach," Venafi said.

At issue are the SSL private keys and certificates with which a website or system proves its identity and protects its encrypted sessions. Heartbleed (CVE-2014-0160) let an unauthenticated client read chunks of a server's memory, which could include the private key, so patching the library stops further leaks but does nothing about keys that may already have been copied. "If SSL keys and certificates could be compromised, websites would be spoofed for phishing attacks and encrypted communications decrypted via man-in-the-middle tactics resulting in customer data loss and intellectual property theft," Venafi said.

In August, one of the country's biggest hospital operators, Community Health Systems, fell victim to a breach that Venafi said was carried out by exploiting Heartbleed and unprotected keys.

In the wake of Heartbleed, experts warned that all SSL keys and certificates on affected systems needed to be replaced. But that didn't happen. "Organizations have either given up on properly replacing keys and certificates, most likely not grasping the full risk exposure this creates, or do not have the knowledge to understand how to complete remediation," Venafi said.

Venafi said it found 580,000 hosts that were patched against Heartbleed but did not replace their private keys or revoke the old certificates. About 92,000 (or 15 percent) completed the job: they patched, generated new keys, reissued certificates and revoked the old ones.

Complicating matters is that the average Global 2000 organization has about 24,000 keys and certificates, and 54 percent don't even know where all of them are located, Venafi said.

Broken down by country, Australia is the most vulnerable; only 16 percent of companies there are fully remediated. About 59 percent of Global 2000 companies in the U.S. are vulnerable.

What can be done? Venafi recommended that companies locate all keys and certificates, revoke them, and generate new ones, which must be tested to make sure they work. Order matters in practice: generate a fresh key pair, obtain and install a certificate over the new key, test the new chain, and only then revoke the old certificate, so the cutover doesn't break the service. Reissuing a certificate over the same private key does not count as remediation; the key, not the certificate, is what Heartbleed exposed, and a quick check is whether the certificate's validity start date and the public key fingerprint both changed after the host was patched.
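As an added worked example (not code from the article or from Venafi's report), the following Python script triages a constructed key-and-certificate inventory for exactly the failure mode described above: hosts patched against Heartbleed that still serve the key that was exposed. The host names, OpenSSL versions, validity dates and fingerprints are constructed sample data; the version check covers upstream OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas, and the pre-disclosure fingerprint snapshot is an assumed input that an organization would have to have recorded itself.

```python
"""Triage a key/certificate inventory for incomplete Heartbleed remediation.

A host is counted as fully remediated only if it runs a fixed OpenSSL, its
certificate was issued after the disclosure, and its private key is not the
one that sat in memory while the host was exploitable.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Heartbleed (CVE-2014-0160) was disclosed on 2014-04-07; OpenSSL 1.0.1g fixed it.
DISCLOSURE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_version_vulnerable(version: str) -> bool:
    """True for upstream OpenSSL versions that shipped the bug: 1.0.1 through
    1.0.1f and the 1.0.2 betas. Caveat: distributions often backport the fix
    without changing the version string (Debian wheezy's patched 1.0.1e builds,
    for instance), so True here means "confirm", not "definitely exploitable"."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    triple = (int(major), int(minor), int(patch))
    if triple == (1, 0, 1):
        return letter < "g"       # "" < "g", so plain 1.0.1 is flagged too
    if triple == (1, 0, 2):
        return beta is not None   # 1.0.2-beta1 was vulnerable, 1.0.2 final was not
    return False


@dataclass(frozen=True)
class HostRecord:
    host: str
    openssl_version: str
    cert_not_before: date   # validity start of the certificate now being served
    key_fingerprint: str    # hex SHA-256 of the served SubjectPublicKeyInfo


def classify(rec: HostRecord, pre_disclosure_fps: Dict[str, str]) -> str:
    """Return 'unpatched', 'patched_not_rekeyed' or 'remediated'.

    pre_disclosure_fps maps host -> key fingerprint recorded before 2014-04-07
    (an assumed, self-maintained snapshot). Without one, a post-disclosure
    notBefore is the only signal, and it cannot tell a rekey from a reissue.
    """
    if openssl_version_vulnerable(rec.openssl_version):
        return "unpatched"
    old_fp = pre_disclosure_fps.get(rec.host)
    same_key = old_fp is not None and old_fp.lower() == rec.key_fingerprint.lower()
    # A certificate issued before disclosure certifies a key that was exposed;
    # a new certificate over the old key (reissue without rekey) is no better.
    if rec.cert_not_before < DISCLOSURE or same_key:
        return "patched_not_rekeyed"
    return "remediated"


def triage(inventory: List[HostRecord], pre_disclosure_fps: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by remediation state, preserving inventory order."""
    out: Dict[str, List[str]] = {"unpatched": [], "patched_not_rekeyed": [], "remediated": []}
    for rec in inventory:
        out[classify(rec, pre_disclosure_fps)].append(rec.host)
    return out


# Constructed sample data: hypothetical hosts, versions and fingerprints.
PRE_DISCLOSURE_FPS = {
    "www.example.com": "aa" * 32,
    "vpn.example.com": "bb" * 32,
    "mail.example.com": "cc" * 32,
}
SAMPLE_INVENTORY = [
    HostRecord("www.example.com", "1.0.1e", date(2013, 11, 2), "aa" * 32),    # still vulnerable
    HostRecord("vpn.example.com", "1.0.1g", date(2013, 6, 14), "bb" * 32),    # patched, old cert, old key
    HostRecord("mail.example.com", "1.0.1h", date(2014, 4, 20), "cc" * 32),   # patched, new cert, SAME key
    HostRecord("api.example.com", "1.0.1g", date(2014, 4, 9), "dd" * 32),     # patched and rekeyed
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY, PRE_DISCLOSURE_FPS).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

The inventory fields can be gathered with standard tooling: `openssl x509 -in cert.pem -noout -startdate` gives the validity start, and piping `openssl x509 -pubkey -noout` through `openssl pkey -pubin -outform DER | openssl dgst -sha256` gives the SubjectPublicKeyInfo fingerprint. The script does not check revocation; a host reported as remediated still needs its old certificate confirmed revoked via the issuing CA's CRL or OCSP responder, and hosts that never ran a vulnerable build still need review if they share a key with one that did.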

Heartbleed Remediation
