More than 40,000 computer systems, including some run by large enterprises, were still vulnerable to the Heartbleed bug more than a month after the world was alerted to the problem and probably still are, says a Montreal IT security consulting firm.
Logicnet said this morning it came to that conclusion after scanning 12 ports of 200 million Web-facing systems in Canada, France and Switzerland at the beginning of the month. Word about the Heartbleed vulnerability, which affects servers using OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta, hit headlines April 8.
But as of May 5, 1.17 per cent of Canadian systems scanned by Logicnet had the bug, company president Eric Parent said in an interview.
It’s only a small number compared to the 4.75 per cent vulnerable in France, but he believes it’s still too many. His staff had done some sample scans earlier and found that within the first week of the discovery the majority of firms had fixed their systems. But the later, wider test showed that since then few have plugged the hole – or plugged it properly.
Logicnet will release a new test early next month.
“A lot of these big companies don’t necessarily understand the complexity of the problem like Heartbleed,” he said of the bug, which allows an attacker to read data held in memory, including passwords.
“The problem is what you do to resolve it. A lot of companies told people to change their passwords, and changed their SSL certificates. That’s not necessarily the best course of action – you have to do things in a certain order. For example, before you request a new SSL certificate you have to regenerate your own private keys. If not, you’ll end up with a new certificate with the old private key. That would mean you’re still vulnerable … You have to respect a certain sequence of events.”
“A lot of our clients that we tested we caught them doing it wrong – they changed the passwords of the users on the systems that were targeted. In fact they had to tell people across the entire enterprise to change their passwords” because many people use one password for accessing many systems.
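The mistake Parent describes, a re-issued certificate that still carries the old, possibly leaked private key, is easy to catch after the fact: the public key inside the new certificate must differ from the one in the old certificate, and must correspond to the freshly generated private key. The script below is an added example written for this article, not Logicnet's tooling or anything from the original report. It assumes only the `openssl` command-line tool is installed; every key and certificate it checks is generated on the fly in a temporary directory (file names such as `old.crt` and `new.key` are the example's own), so no real key material is touched. The same `cert_pubkey_fp` check can be applied to a certificate fetched from a live server to confirm the key actually changed.

```shell
#!/bin/sh
# Added example, not from the article or from Logicnet: verify that a
# post-Heartbleed certificate re-issue really rotated the private key.
# Uses only the openssl CLI; the file names below are assumptions for the demo.
set -eu

# SHA-256 fingerprint of the public key a certificate carries.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the new certificate ($2) does not carry the same public key
# as the old certificate ($1), i.e. the private key was regenerated.
key_was_rotated() {
    [ "$(cert_pubkey_fp "$1")" != "$(cert_pubkey_fp "$2")" ]
}

# Succeeds only if the private key file ($2) matches the certificate ($1).
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Builds a constructed demo set in directory $1: the old pair (assumed
# compromised), a wrong re-issue that reused the old key, and a correct
# re-issue made after generating a new key.
make_demo_set() {
    d=$1
    # old key and self-signed certificate, assumed exposed by Heartbleed
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/old.key" \
        -out "$d/old.crt" -subj /CN=example.test -days 1 2>/dev/null
    # wrong order: new certificate requested with the OLD private key
    openssl req -x509 -new -key "$d/old.key" -out "$d/wrong.crt" \
        -subj /CN=example.test -days 1 2>/dev/null
    # right order: regenerate the key first, then issue the certificate
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/new.key" \
        -out "$d/new.crt" -subj /CN=example.test -days 1 2>/dev/null
}

# Prints a verdict for one old/new certificate pair.
report() {
    if key_was_rotated "$1" "$2"; then
        echo "$2: public key changed, key was rotated (OK)"
    else
        echo "$2: same public key as $1, old private key reused (NOT OK)"
    fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_set "$demo"
report "$demo/old.crt" "$demo/wrong.crt"
report "$demo/old.crt" "$demo/new.crt"
```

The fingerprint comparison deliberately works on the public key rather than the whole certificate: a re-issued certificate always has a new serial number and signature, so comparing certificate fingerprints would wrongly report success even when the key underneath was never replaced.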
Ports scanned by Logicnet included 443, 25, 465, 587, 993, 110, 993 and others used by email protocols, plus port 21, used by secure FTP. Also scanned were over 300,000 externally facing LDAP directories, of which 165 are vulnerable (“Which is nice,” Parent said, “because there aren’t too many of them”).