Last week, news broke about the security flaw in OpenSSL dubbed "Heartbleed," and credit union core systems are not immune to the risks that are posed by this weakness. FLEX issued a release to our CU clients verifying that all of our secure web services are NOT vulnerable to the Heartbleed SSL exploit, and as an added precaution, we replaced our SSL certificates.
We have received a number of questions from our clients, however, regarding confusion surrounding this vulnerability as it relates to all Credit Union technology, and how it impacts disaster recovery plans. For this reason, we have borrowed information from the Credit Union IT company enCompass, who posted the following guide for CUs' response to Heartbleed:
What is Heartbleed?
According to the Washington Post, "Experts have discovered a major flaw in the security software used by millions of Web sites — including banks, e-mail and social media services — that exposes users’ names and passwords, the content of their communications, and their data to anyone who knows how to exploit the weakness. The bug affects software called OpenSSL, which operates on a huge percentage of servers that store data for the Internet and is meant to keep that data secure.
Basically, it’s the “s” in “https” that is supposed to stand for “secure.” Unlike Web sites that begin with “http,” “https” sites have a lock in browser address bars."
It is important to understand that not all sites are vulnerable, only those that still rely on OpenSSL versions 1.0.1 and 1.0.2-beta. The first step you can take in checking your website's vulnerability is to determine what OpenSSL version you are running. Feel free to contact us if you’d like a free assessment of your site’s vulnerability.
How This Could Impact Credit Unions
Many banks and credit unions use SSL for their mobile and internet banking. Your second step in defense is to reach out to your vendors, core, and software providers and ensure they have installed any necessary patches on their SSL-run applications.
Most importantly, if any of your software providers issue security updates and patches over the next few days, it is imperative you allow these pushes and install these updates. This is not a time to push off any updates.
Next, take a look at your own website and ensure any SSL pages are patched correctly. Again, if you need assistance with this, please feel free to call us to determine your vulnerability.
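One way to carry out the version check described above, added here as an example and not part of the original guide: a shell function that classifies the banner printed by `openssl version`. The function names are hypothetical, and the exact release boundaries (1.0.1 through 1.0.1f and 1.0.2-beta through 1.0.2-beta1 affected, 1.0.1g and 1.0.2-beta2 fixed) are taken from OpenSSL's public advisory rather than from this page.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner for Heartbleed exposure.
# Prints one of: affected | not-affected | unknown
heartbleed_status() {
    # The version token is the second field of "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    [ -n "$ver" ] || { echo unknown; return; }
    case "$ver" in
        # 1.0.2 pre-releases that shipped the flawed heartbeat code
        1.0.2-beta|1.0.2-beta1|1.0.2-beta1-*) echo affected ;;
        # 1.0.1 and letter releases a through f, with or without a
        # vendor suffix such as "-fips"
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*) echo affected ;;
        # Fixed 1.0.1 releases, later branches, and older branches that
        # never contained the heartbeat extension
        1.0.1[g-z]*|1.0.2*|1.0.0*|0.9.*|1.1.*|3.*) echo not-affected ;;
        *) echo unknown ;;
    esac
}

# Check the openssl binary on this host; prints "unknown" if none is found.
check_local_openssl() {
    heartbleed_status "$(openssl version 2>/dev/null)"
}

# Constructed sample banners (not captured from any real system).
for banner in \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    printf '%-36s %s\n' "$banner" "$(heartbleed_status "$banner")"
done
```

A result of "affected" from the banner alone calls for a look at the package changelog, because operating system vendors often backport the fix without changing the upstream version letter. The banner also says nothing about applications that bundle their own copy of OpenSSL.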
What Passwords you Need to Change Right Now
On a personal level, you should tread carefully on the internet this week as patches are enabled across sites. You will also want to consider changing certain passwords, but only after you check the safety of your financial, shopping, remote office access (for business users), or other secure web sites first. I recommend looking at the list here that details what passwords to which sites you should change.
If you are visiting a section of a site that begins with https, be very cautious. Check the list referenced above, and consider waiting on opening any new accounts that require sensitive information until patches can be applied across sites.
Still Have Questions?
As always, FLEX is here to address and help you with any of your concerns. Feel free to call us or fill out our form here and we will contact you within 24 hours.