It’s Not Just A Website Issue
Security thought-leaders continue to offer insight into the Heartbleed bug. Avivah Litan, fraud analyst at Gartner Research, calls the issue “mega-serious.”
“I’m just trying to understand why all the news reports are focused on individual communications with websites,” Litan says. “SSL protocols, including OpenSSL, are used in most ‘trusted’ machine to machine communications. The bug affects routers, switches, operating systems and other applications that support the protocol in order to authenticate senders and receivers and to encrypt their communications.”
FFIEC Issues Heartbleed Statement
As news of the Heartbleed bug sinks in, government agencies in the U.S. and Canada are reacting to the newly discovered Internet vulnerability.
The Federal Financial Institutions Examination Council issued a statement April 10 expecting financial institutions to incorporate patches on systems and services, applications and appliances using OpenSSL and upgrade systems as soon as possible to address the Heartbleed vulnerability.
“Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch,” the FFIEC says. “Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.”
FDIC Issues Heartbleed Press Release
The Federal Deposit Insurance Corp. on April 10 issued a press release urging financial institutions to utilize available resources to combat threats tied to the Heartbleed bug.
Greg Hernandez, spokesperson at the FDIC, says the advisory was issued because of vulnerabilities with OpenSSL. “The [vulnerability] could expose banks and their customers to risks such as compromise of sensitive information or fraud,” he says. “Many banks rely upon this technology for web-based banking, e-mail, authentication and other critical or sensitive banking functions.”
Hernandez says: “Banks should ensure that OpenSSL vulnerabilities are covered in their patch management, software maintenance or security update procedures as described in existing FFIEC guidance, as well as their risk assessments.”
The FDIC highlights several resources banks should utilize, including U.S. CERT, the Secret Service’s Electronic Crimes Task Force, FBI InfraGard and information sharing and analysis centers.
Canada Reserve Agency Shuts Down Online Tax Return Service
The Canada Revenue Agency on April 9 shut down public access to its online services, halting online tax returns until the situation has been remedied.
“After learning … about the Internet security vulnerability named the Heartbleed Bug that is affecting systems around the world, the CRA acted quickly, as a preventative measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold,” the CRA says in a statement posted to its website.