Many Canadian firms still vulnerable to Heartbleed: Consultant

More than 40,000 computer systems, including some run by large enterprises, were still vulnerable to the Heartbleed bug more than a month after the world was alerted to the problem and probably still are, says a Montreal IT security consulting firm.

Logicnet said this morning it came to that conclusion after scanning 12 ports on 200 million Web-facing systems in Canada, France and Switzerland at the beginning of the month. Word of the Heartbleed vulnerability, which affects servers running OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta, hit the headlines on April 8.

But as of May 5, 1.17 per cent of Canadian systems scanned by Logicnet still had the bug, company president Eric Parent said in an interview.

It is a small number compared to the 4.75 per cent found vulnerable in France, but he believes it is still too many. His staff had done some sample scans earlier and found that within the first week after the disclosure the majority of firms had fixed their systems. But the later, wider test showed that since then few have plugged the hole, or plugged it properly.

Logicnet will release a new test early next month.

“A lot of these big companies don’t necessarily understand the complexity of the problem like Heartbleed,” he said. The bug lets an attacker read chunks of a server’s memory, which can include the server’s private key, session data and passwords.

“The problem is what you do to resolve it. A lot of companies told people to change their passwords, and changed their SSL certificates. That’s not necessarily the best course of action – you have to do things in a certain order. For example, before you request a new SSL certificate you have to regenerate your own private keys. If not, you’ll end up with a new certificate with the old private key. That would mean you’re still vulnerable … You have to respect a certain sequence of events.”
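The sequence Parent describes (generate a new key pair first, then request the certificate) has a simple after-the-fact check: the renewed certificate's SubjectPublicKeyInfo (SPKI) must differ from the old one's, because a certificate reissued for the same key pair leaves the leaked private key in service. The following is an added example, not code from Logicnet or from the article, in standard-library Python: it walks the certificate DER just far enough to extract the SPKI and compares SHA-256 fingerprints. The three certificates it checks are constructed ASN.1 skeletons built inside the block (not real, signed certificates) so the check runs offline; the same `key_was_rotated` function accepts the PEM files a real server is configured with.

```python
"""Detect a certificate 'renewed' for the same (possibly leaked) key pair.

After Heartbleed the private key has to be assumed exposed. A new
certificate is only a fix if it was issued for a NEWLY generated key, so
the test is: does the new cert's SubjectPublicKeyInfo match the old one?
"""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_cert(der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tag, pos, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    assert tag == 0x30, "not a SEQUENCE"
    tag, pos, _ = _read_tlv(der, pos)       # tbsCertificate ::= SEQUENCE { ... }
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                          # optional explicit [0] version (v2/v3 certs)
        pos = end
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(der, pos)
    tag, _, end = _read_tlv(der, pos)        # subjectPublicKeyInfo
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return der[pos:end]                      # whole TLV, as used for SPKI pins


def spki_fingerprint(pem: str) -> str:
    """SHA-256 of the DER SPKI: identical fingerprint means identical key pair."""
    return hashlib.sha256(spki_from_cert(pem_to_der(pem))).hexdigest()


def key_was_rotated(old_pem: str, new_pem: str) -> bool:
    """True only if the new certificate carries a different public key."""
    return spki_fingerprint(old_pem) != spki_fingerprint(new_pem)


# --- constructed sample input (hypothetical, unsigned certificate skeletons) ---
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert(spki_content: bytes, serial: int) -> str:
    tbs = b"".join([
        _der(0xA0, _der(0x02, b"\x02")),            # [0] version: v3
        _der(0x02, serial.to_bytes(2, "big")),      # serialNumber
        _der(0x30, b""),                            # signature algorithm (left empty)
        _der(0x30, b""),                            # issuer (left empty)
        _der(0x30, b""),                            # validity (left empty)
        _der(0x30, b""),                            # subject (left empty)
        _der(0x30, spki_content),                   # subjectPublicKeyInfo
    ])
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


_RSA_ALG = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")


def _fake_spki(seed: bytes) -> bytes:
    # 288 pseudo-random key bytes: long enough to exercise long-form DER lengths
    return _RSA_ALG + _der(0x03, b"\x00" + hashlib.sha256(seed).digest() * 9)


OLD_CERT = _fake_cert(_fake_spki(b"old key"), 1)            # in use when Heartbleed hit
REISSUED_SAME_KEY = _fake_cert(_fake_spki(b"old key"), 2)   # new cert, old key: the mistake
NEW_KEY_CERT = _fake_cert(_fake_spki(b"fresh key"), 3)      # new key pair, then new cert

if __name__ == "__main__":
    print("reissued, same key   rotated:", key_was_rotated(OLD_CERT, REISSUED_SAME_KEY))
    print("reissued, fresh key  rotated:", key_was_rotated(OLD_CERT, NEW_KEY_CERT))
```

The same comparison with the OpenSSL command line, on a real deployment, is `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` run against the old and the new certificate; matching digests mean the key was never regenerated. Comparing serial numbers or validity dates tells you nothing here, since a CA will happily sign a fresh certificate for the old key.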

“A lot of our clients that we tested, we caught them doing it wrong – they changed the passwords of the users on the systems that were targeted. In fact they had to tell people across the entire enterprise to change their passwords,” because many people use one password for accessing many systems.

Ports scanned by Logicnet included 443, 25, 465, 587, 993, 110 and others used by email protocols, plus port 21, used by FTP and by FTPS, which upgrades the FTP control connection to TLS. Also scanned were over 300,000 externally-facing LDAP directories, of which 165 were vulnerable (“Which is nice,” Parent said, “because there aren’t too many of them”).


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com