6 Days After Heartbleed, 86 Cloud Providers Still Vulnerable

Posted by skyhighnetworks on May 20th, 2014

The fallout begins

Early reports of the Heartbleed fallout are beginning to emerge from around the globe. In what is believed to be the first public disclosure, Mumsnet.com, the popular UK parenting site with over 1.5 million members, reported that it believes cyber thieves obtained user data last week before it was able to patch the flaw on Saturday. In another example, Canadian authorities reported that the confidential information of 900 Canadian taxpayers was stolen before the Canadian Revenue Agency temporarily shut down access to its website.

86 cloud services still vulnerable

Skyhigh’s Service Intelligence Team continues to monitor the vulnerability status of cloud services. As of this morning at 8:00AM PDT, 282 of the 368 services we originally reported as vulnerable had been patched. That means 86 cloud services, even 6 days after Heartbleed, still have not been patched. The number of cloud services that remain vulnerable to the Heartbleed bug is shown below, and we will continue to monitor our cloud security service registry until this number has reached zero.

Patching not enough

Unfortunately, tracking this number down to zero only fixes half of the problem. Early reports that patching would resolve the issue are incorrect. Patching the site prevents attackers from continuing to steal data, but if an attacker has already obtained the site’s certificate and private key, they can still impersonate the site on the web, enabling further fraudulent activity. After patching, affected cloud services must reissue certificates AND regenerate key pairs.

According to Gartner’s Erik Heidt, “The existence of this fault on a server undermines any confidence in the confidentiality of keys that have been used on that server. Issuing a new certificate is necessary, but not sufficient. Many organizations perform ‘lazy’ certificate rotations, and do not create new keys! This is a bad practice. Because this attack enables the recovery of the private key itself, certificate rotation alone will not protect you! New private keys must be generated.”
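The two preceding paragraphs make one verifiable claim: a reissued certificate only helps if it carries a newly generated key pair. The script below is an added example (not code from the original post or from Skyhigh) that checks for exactly the “lazy” rotation Heidt describes. It walks the X.509 DER structure with a minimal ASN.1 reader (standard library only), extracts each certificate’s SubjectPublicKeyInfo, and compares SHA-256 fingerprints: if the old and new certificates hash to the same value, the same key pair is still in use. The helper `make_sample_cert` and the `KEY_EXPOSED`/`KEY_FRESH` values are constructed stand-ins that produce certificate-shaped, unsigned DER so the example runs offline; `spki_fingerprint` works unchanged on a real certificate passed through `pem_to_der`.

```python
"""Detect 'lazy' certificate rotation: a new certificate that reuses the old key.

Added example, not part of the original post. Standard library only.
"""
import base64
import hashlib
import re


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end, next_pos) for the DER element at pos."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, raw_element_bytes) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _vstart, vend, nxt = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]            # header + value, as it appears on the wire
        pos = nxt


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the certificate's SubjectPublicKeyInfo (raw DER)."""
    _, cstart, cend, _ = _read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    tbs_tag, tbs = next(_children(cert_der, cstart, cend))    # first child: tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tstart, tend, _ = _read_tlv(tbs, 0)
    fields = list(_children(tbs, tstart, tend))
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    # Remaining order per RFC 5280: serialNumber, signature, issuer, validity,
    # subject, subjectPublicKeyInfo, ...
    spki = fields[5][1]
    return hashlib.sha256(spki).hexdigest()


def is_lazy_rotation(old_der: bytes, new_der: bytes) -> bool:
    """True when the 'new' certificate still carries the old public key."""
    return spki_fingerprint(old_der) == spki_fingerprint(new_der)


# ---- constructed sample data (not real certificates) ----------------------

def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_sample_cert(serial: int, key_bytes: bytes) -> bytes:
    """Certificate-shaped, unsigned DER with the given serial and public key bytes."""
    version = _der(0xA0, _der(0x02, b"\x02"))          # [0] EXPLICIT INTEGER 2 (v3)
    serial_der = _der(0x02, serial.to_bytes(1, "big"))
    empty_seq = _der(0x30, b"")                        # placeholder AlgorithmIdentifier / Name / Validity
    spki = _der(0x30, empty_seq + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30, version + serial_der + empty_seq + empty_seq + empty_seq + empty_seq + spki)
    signature = _der(0x03, b"\x00")                    # empty BIT STRING; nothing is signed here
    return _der(0x30, tbs + empty_seq + signature)


KEY_EXPOSED = b"\x01" * 32   # constructed stand-in for the key exposed before the patch
KEY_FRESH = b"\x02" * 32     # constructed stand-in for a newly generated key
CERT_BEFORE = make_sample_cert(1, KEY_EXPOSED)
CERT_LAZY = make_sample_cert(2, KEY_EXPOSED)    # new serial, same key: lazy rotation
CERT_PROPER = make_sample_cert(3, KEY_FRESH)    # new serial, new key
CERT_BEFORE_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CERT_BEFORE).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("lazy rotation detected:", is_lazy_rotation(CERT_BEFORE, CERT_LAZY))
    print("proper rotation flagged:", is_lazy_rotation(CERT_BEFORE, CERT_PROPER))
```

In practice you would keep the SPKI fingerprint of each service’s certificate from before the patch and compare it against the certificate the service presents now; a matching fingerprint means the service reissued its certificate without generating a new key, so the exposure Heidt describes is unchanged.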

How can Skyhigh help?

Last week we sent the list of vulnerable services to our customers. We then helped them identify which employees had used each of the affected services. This enabled our customers to rapidly advise and protect the specific employees who had used vulnerable services, following the specific steps outlined in last week’s blog. If you’d like Skyhigh to perform a free Heartbleed Audit for your organization, enabling you to identify vulnerable services used by your employees and who used them, simply contact us at heartbleedaudit@skyhighnetworks.com.

Author:

Skyhigh Networks, the Cloud Security Services company, enables companies to embrace Cloud Security Services with appropriate levels of security, compliance, and governance while lowering overall risk and cost. With customers in financial services, healthcare, high technology, media, manufacturing, and legal verticals, the company was a finalist for the RSA Conference 2013 Most Innovative Company award and was recently named a "Cool Vendor" by Gartner, Inc. Headquartered in Cupertino, Calif., Skyhigh Networks is led by an experienced team and is venture-backed by Greylock Partners and Sequoia Capital. For more information, visit us at http://www.skyhighnetworks.com or follow us on Twitter @skyhighnetworks.
