News

FFIEC warns about Heartbleed; Codenomicon explains how to stop it

April 11, 2014

No sooner had "XP Armageddon" come (and gone, anti-climactically) than a new calamity with much greater potential to wreak financial havoc took over the headlines. It even had a more interesting name — Heartbleed.

According to Codenomicon, the Finnish security software development company that discovered the bug:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Codenomicon has set up a comprehensive Heartbleed website with information about the bug and how to stop it.

And stopping it is an urgent matter, the FFIEC said in a statement released late yesterday:

The Federal Financial Institutions Examination Council  members expect financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability. Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.