Major companies still vulnerable to ‘Heartbleed’ bug

Most of the world’s largest companies are still vulnerable to the “Heartbleed” glitch that compromised security around the Internet, according to the cybersecurity firm Venafi.

While the bug was disclosed last year, 74 percent of Global 2000 organizations have not taken all the steps necessary to ensure their systems are safe, the firm said.

“Heartbleed” is a security weakness in the OpenSSL encryption software that could allow hackers to trick computers into sending them personal information. It was discovered in April 2014 after sitting dormant for two years.

The vulnerability was significant enough that the Department of Homeland Security warned Web users to monitor their bank accounts and other sites for improper activity.

The challenge in addressing “Heartbleed” is that it cannot be fixed with a software patch alone.

Companies also need to rejigger their encryption by revoking old SSL certificates, issuing new ones and generating new keys, according to Dark Reading.

Firms have not pursued these steps because they often don’t keep track of their keys and certificates, a Venafi official told the publication.

“Overall, organizations need to do a better job of being able to change out keys and certificates,” said Kevin Bocek, Venafi vice president of security strategy.

“Google has moved to three-month certificate lifetimes — basically assuming that keys and certificates will be compromised at some point. Being proactive as well as being able to respond to incidents or vulnerabilities like Heartbleed faster is needed for the future.”

Forty-one percent of Global 2000 companies located in the United States have addressed the glitch, compared with only 16 percent in Australia, the firm reported.


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
