Heartbleed remediation "most behind" in Australia: report

Australian companies are "by far the most behind" at remediating the Heartbleed OpenSSL flaw discovered a year ago, according to a global analysis released overnight.

Security and crypto firm Venafi evaluated 1642 of the Global 2000 organisations with public-facing systems vulnerable to the Heartbleed bug in the popular OpenSSL crypto library.

It found that 84 percent of Australian companies have still not fully remediated Heartbleed-vulnerable systems, the worst rate of any country.

The US and Germany lead the world in remediation efforts, "yet they both still have more than 40 percent of organisations without full remediation," according to the Venafi report. Overall, 74 percent of the word's large companies have not fully addressed the bug.

In total, Venafi identified 580,000 "partially remediated" hosts – that is, they have been patched against Heartbleed. It found no organisation that had not patched its systems.

"However, the organisations have either performed, as described by Gartner, 'lazy' remediation, failing to replace the private key, or failed to revoke the old certificate. Failure to replace the private key allows an attacker to decrypt any SSL traffic for the impacted host," the report stated.

This means an attacker who had exploited the bug prior to patching would still be able to spy on encrypted traffic between an affected host and a user.

Further, unless old certificates are revoked and new ones issued, an attacker would still be able to use the old certificate in "phishing" campaigns against the organisation and its customers, Venafi said.

Gartner analyst Eric Heidt emphasised when news of Heartbleed first broke a year ago that "existence of this fault on a server undermines any confidence in the confidentiality of keys that have been used on that server," meaning certificate rotation was not enough and new private keys must be generated.

Heidt took a more measured approach to the question of full remediation, saying it was a matter of assessing priorities for companies faced with the costs of generating new certificates and keys.

"This gets into the kinds of risk calculus questions that actuaries love but business people hate. You can’t simply leap from ‘they didn’t do this very simple concrete behaviour’ to ‘they didn’t make the right decision.'"

In the year since Heartbleed was identified by a security team at Google, millions of attacks have been mounted on systems using OpenSSL. One of the most dangerous characteristics of Heartbleed is that data can be compromised without any trace.