What Treasurers Need to Know About Heartbleed
This week, a serious new vulnerability was discovered in the OpenSSL encryption software. Affecting about two thirds of all web servers, untold devices, and potentially compromising data such as SSL certificates, private keys, usernames, and passwords, this vulnerability has spread fear among treasuries who now must ask themselves if their data is secure.
To understand how Heartbleed affects BELLIN customers, we approached security manager Mirek Pijanowski, CISM, to ask what this means for treasurers.
First, how has Heartbleed affected BELLIN?
As soon as the vulnerability was published our security team performed a full review of our internal and external systems, including servers which use our wildcard mytm5.com or treasurydb.com certificates. We were pleased to find that none of our customer facing sites were susceptible. In fact, the only vulnerable system within our ASP network was an internal-use network device, which was immediately quarantined, and the non-customer facing certificate used was revoked. We’ve since worked with the vendor to update it, reissued the affected certificate, and returned it to full use.
BELLIN customer data is completely safe.
Who is affected by Heartbleed?
Everyone has been potentially compromised; the bug itself was introduced in December 2011 but it was only discovered this month. Considering that exploiting the vulnerability leaves no trace in logs, no one knows exactly how long it may have been exploited for. Many companies affected by the bug have already updated their systems but it is estimated that two thirds of the web was vulnerable at some point. You can get a fairly comprehensive list from Digital Trends.
For the non-techies out there, what is OpenSSL?
OpenSSL is used in Apache- and nginx-based web servers to secure https communications over the internet through the use of the SSL and TLS cryptography protocols.
What exactly is Heartbleed?
Heartbleed is a bug in the open source OpenSSL cryptographic software library used to implement the SSL and TLS protocols, which when exploited, reveals 64KB of process memory with every heartbeat request. Attackers could trigger the exploit repeatedly, revealing data such as SSL certificates, private keys, usernames, and passwords.
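To make the "64KB of process memory per heartbeat" concrete for readers who want to see the defect itself, here is an added, simplified model of a TLS heartbeat handler (RFC 6520 layout: type, two-byte payload length, payload, padding) written for this article. It is not OpenSSL's own code and does not use OpenSSL's function names; `heartbeat_vulnerable`, `heartbeat_fixed`, `build_request`, `response_leaks` and the `arena` buffer are assumptions of this example. The vulnerable handler trusts the length the peer claims and copies that many bytes back, so a request that claims more payload than it carries echoes whatever sits next to it in memory (the two-byte length field is why the ceiling is 64KB). The fixed handler performs the single bounds check that was missing: the claimed length plus header and minimum padding must fit inside the bytes actually received. The "secret" placed after the request is constructed data so the over-read stays inside this program's own buffer and the demonstration is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for "process memory": the heartbeat request sits at
 * the front, and unrelated data (a labelled fake secret) follows it. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];

/* RFC 6520 heartbeat layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };

static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern (illustrative, not OpenSSL's code): the peer-supplied
 * length is trusted and copied back. record_len is how many bytes were really
 * received; the defect is that it is never compared against the claimed length. */
int heartbeat_vulnerable(const unsigned char *record, size_t record_len,
                         unsigned char *out, size_t out_cap) {
    if (record_len < 3 || record[0] != HB_REQUEST) return -1;
    uint16_t claimed = read_u16(record + 1);
    if ((size_t)claimed + 3 > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, claimed);  /* reads past the record when claimed > record_len - 3 */
    return 3 + claimed;
}

/* Hardened version: silently discard the request unless header + claimed
 * payload + minimum padding all fit inside what was actually received. */
int heartbeat_fixed(const unsigned char *record, size_t record_len,
                    unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_MIN_PADDING || record[0] != HB_REQUEST) return -1;
    uint16_t claimed = read_u16(record + 1);
    if (1 + 2 + (size_t)claimed + HB_MIN_PADDING > record_len) return -1;  /* the missing check */
    if ((size_t)claimed + 3 > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, claimed);
    return 3 + claimed;
}

/* Build a constructed request in the arena: a 5-byte payload, 16 bytes of
 * padding, but a length field of `claimed`. Returns the true record length.
 * A constructed "secret" is placed a little further along in the arena. */
size_t build_request(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    const char *payload = "hello";
    size_t payload_len = strlen(payload);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, payload_len);
    size_t record_len = 3 + payload_len + HB_MIN_PADDING;
    const char *neighbour = "CONSTRUCTED-SECRET:password=hunter2";  /* constructed, not real */
    memcpy(arena + record_len + 40, neighbour, strlen(neighbour) + 1);
    return record_len;
}

/* Returns 1 if the response built by `handler` contains the neighbouring data,
 * 0 if it does not (or the handler rejected the request). */
int response_leaks(int (*handler)(const unsigned char *, size_t, unsigned char *, size_t),
                   uint16_t claimed) {
    static unsigned char out[ARENA_SIZE + 3];
    size_t record_len = build_request(claimed);
    int n = handler(arena, record_len, out, sizeof out);
    if (n < 0) return 0;
    const char *marker = "CONSTRUCTED-SECRET";
    size_t mlen = strlen(marker);
    for (size_t i = 3; i + mlen <= (size_t)n; i++)   /* plain scan; memmem is not standard C */
        if (memcmp(out + i, marker, mlen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claimed=1000: leak=%d\n", response_leaks(heartbeat_vulnerable, 1000));
    printf("fixed,      claimed=1000: leak=%d\n", response_leaks(heartbeat_fixed, 1000));
    printf("fixed,      claimed=5:    leak=%d\n", response_leaks(heartbeat_fixed, 5));
    return 0;
}
```

The point for a defender is in the one-line check in `heartbeat_fixed`: the response is bounded by what arrived on the wire, not by what the peer asserts. It also illustrates why, as the interview notes, exploitation leaves nothing in ordinary logs: a well-formed heartbeat is answered or dropped by the library long before any application-level logging sees it.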
What do I need to do to make sure our Treasury is safe?
Contact your treasury management solution provider and ask if your systems are affected [ed: though, obviously, if you use a hosted tm5 you’re fine]. It’s recommended that all users change their passwords immediately, following good practices to use a unique password for each account. If possible, take advantage of two-factor authentication. Whether it’s a smartphone app, keychain token, or 2FA over SMS, all of these are a much better solution than just a password.
If you have any more questions about Heartbleed, please see heartbleed.com, and for a long (but not exhaustive) list of sites affected see Here’s a list of websites allegedly affected by the Heartbleed bug (updated) over at Digital Trends.