Heartbleed still threat to companies


August 28, 2014 02:00 PM

* Internet security companies working to contain Heartbleed threat

The Heartbleed Web security flaw that had companies all over the world scrambling last spring is still a threat to thousands of corporate computer servers, routers and other Internet devices. That's keeping Internet security companies such as Radware Inc., whose North American headquarters is in Mahwah, busy.

The bug refers to an error in OpenSSL software, which is often used by companies that want to secure their cyber-information. This error leaves websites vulnerable, allowing hackers access to their once-protected information. SSL refers to an encryption protocol known as Secure Sockets Layer, and its use is indicated by a closed padlock appearing on browsers next to a website's address.

Kevin Bocek, vice president for security strategy and threat intelligence at the Sandy, Utah-based company Venafi Inc., declined to name any companies found to be vulnerable, though he said they were in health care, retail, banking and other sectors.

"Heartbleed was a very powerful story because it was so endemic to IT operations and not so easy to deal with," said Carl Herberger, vice president of security solutions at Radware, during a phone interview from Tel Aviv, where Radware is based. "It requires multifaceted changes."

Herberger said that when the bug was made public last spring, Radware updated its Internet security product, DefensePro, to monitor its customers' exposure to the bug. As part of this process, the company is continuously updating its solutions. However, Heartbleed "is still a viable problem and manifesting itself," said Herberger.

Venafi electronically probed thousands of companies on Aug. 22. The company found that 1,219 businesses in the Forbes Global 2000 had a combined 448,000 servers that weren't fully secured from Heartbleed.

According to Herberger, OpenSSL software is popular with companies because it is cost-effective. However, one downside to the open software is that it's "inherently less secure," in comparison to a closed network. He added that "there's a lot of action required of application owners."

Experts say it's important for a company to identify that its network has been affected in order to fix it. How quickly a company responds and fixes its network can affect the amount of time hackers have to penetrate it.

"There's definitely a chance that other organizations during the window in which Heartbleed had not been patched were exploited," said Nick Sullivan, an engineer with the network security company CloudFlare Inc. in San Francisco.

According to researchers who discovered Heartbleed, the bug existed for two years before it was made public April 7. They've warned that it might have affected as many as two-thirds of the world's almost 1 billion active websites, though the warning has not been verified.

It may never be known how many data breaches actually occurred since companies are under no obligation to report them unless they involve protected data, such as patient records or credit-card numbers. A public company might report a breach if it decides its shareholders need to know about an attack.
