In what may become a watershed event in the history of Internet security, the so-called Heartbleed bug detected in the popular OpenSSL security library has garnered major media attention and the interest of the general public. But in the payments industry, where security issues are already at the forefront of most people's minds, disclosure of a weakness in secure sockets layer (SSL) encryption software can be viewed as an opportunity to reassess security procedures, including a simple reset of passwords.
On April 7, 2014, the Heartbleed vulnerability was discovered in OpenSSL, which is described as a cryptographic library used in securing such pervasive online infrastructure as e-commerce sites, email services and file transfer protocol programs. The bug is a weakness in the code that can be exploited by hackers to circumvent encryption and gain access to sensitive cardholder and enterprise data.
Until its discovery, security researchers said, Heartbleed had gone undetected for over two years, ample time for hackers to have exploited the weakness and pilfered SSL certificates, which establish encrypted communications when consumers make online purchases with credit cards, for example, or when system administrators log onto networks.
The scope of the vulnerability is hard to quantify. It has been reported that roughly 60 percent of all web servers employ OpenSSL. But, according to John Miller, Security Research Manager at security firm Trustwave, that figure doesn't do justice to the popularity of the encryption library, since it is a "building block" of secure online communications used in all types of systems, including ATMs and virtual private networks.
"Most likely, almost all users of the Internet use some service that was affected by this in some way," Miller said. "It really does touch everybody."
Since the bug was disclosed, businesses have issued security patches to fix vulnerabilities in their systems. On April 24, Silicon Valley-based mobile security provider Trustlook Inc. said its analysis of the top 1 million websites and over 120,000 apps available on Google Play found that 4.4 percent of SSL-enabled websites and 8.7 percent of apps had not been patched.
Princeton, N.J.-based processor Heartland Payment Systems Inc. said it was proactive in its response to the Heartbleed bug. John South, Chief Security Officer at Heartland, told The Green Sheet that the processor "responded to the OpenSSL vulnerability with a detailed analysis of all of its servers and infrastructure devices to determine which were exposed to the vulnerability. We had a team dedicated to the analysis and remediation efforts. Though no devices in the direct payment stream were subject to the vulnerability, we did ensure that all devices were at the proper patch levels."
Meanwhile, Trustwave disclosed in an April 10 blog post that its first priority was to determine the exposure of its own products and services to the bug and issue patches if necessary. "For the most part, our solutions have avoided exposure to this vulnerability," Miller wrote.
Miller went on to say that Trustwave issued "hotfixes" for its gateway and firewall application and updated its vulnerability scanner to detect the Heartbleed bug on the potentially vulnerable servers of its clients. Miller told The Green Sheet that all payment companies up and down the value chain should be conducting similar activities with their systems.
"This is the responsibility of everybody who is maintaining any kind of encrypted communications, whether that is an email system, or a website, or a file transfer system or a database," he said. "Any system that is using encryption, you need to find out if you are vulnerable to this and get it fixed. And you need to inform the users. It's really across the board. Everyone needs to be communicating what their vulnerability was and how they're going to resolve the issue."
Miller added that when organizations recognize vulnerabilities, they must take the next step of patching those vulnerabilities, then revoke the associated certificates, followed by having new certificates issued to them. Companies like Trustwave operate as certificate authorities for the revocation and issuance of such certificates.
The revocation of exposed certificates and the issuing of new ones is important because hackers could still use old certificates to perpetrate fraud. Miller called the theft of encryption keys and certificates that allow for businesses and individuals to authenticate themselves online the "holy grail" for fraudsters.
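The remediation sequence described above (patch, revoke, reissue) only helps if the reissued certificate is bound to a freshly generated private key; a certificate reissued for the same key that may already have leaked leaves the exposure in place. The following Go program, an added example that is not part of the original article or of any product mentioned in it, shows how a defender can verify key rotation by comparing the SubjectPublicKeyInfo of the old and the replacement certificate. The certificates and keys it uses are constructed in the program itself (self-signed, hypothetical host name `shop.example`) so that it runs offline; in practice `KeyRotated` would be fed the certificate retrieved before the patch and the one now served.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parseCertPEM decodes one PEM-encoded certificate.
func parseCertPEM(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// KeyRotated reports whether the replacement certificate carries a different
// public key than the certificate whose private key may have been exposed.
// It compares the DER-encoded SubjectPublicKeyInfo, so it works the same way
// for RSA and ECDSA keys and ignores serial number, validity dates and issuer,
// none of which prove that the key itself was changed.
func KeyRotated(oldPEM, newPEM []byte) (bool, error) {
	oldCert, err := parseCertPEM(oldPEM)
	if err != nil {
		return false, fmt.Errorf("old certificate: %w", err)
	}
	newCert, err := parseCertPEM(newPEM)
	if err != nil {
		return false, fmt.Errorf("new certificate: %w", err)
	}
	return !bytes.Equal(oldCert.RawSubjectPublicKeyInfo, newCert.RawSubjectPublicKeyInfo), nil
}

// selfSignedPEM builds a throwaway self-signed certificate for key. This is
// constructed sample data standing in for what a certificate authority issues.
func selfSignedPEM(key *ecdsa.PrivateKey, serial int64) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "shop.example"}, // hypothetical host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Demo replays the two possible post-incident outcomes: a certificate
// reissued for the exposed key, and one issued for a freshly generated key.
// It returns (rotated for the same-key reissue, rotated for the new-key reissue).
func Demo() (bool, bool) {
	exposed, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	fresh, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}

	oldCert := selfSignedPEM(exposed, 1)
	reissuedSameKey := selfSignedPEM(exposed, 2) // new serial, same private key
	reissuedNewKey := selfSignedPEM(fresh, 3)    // new serial, new private key

	sameKeyRotated, err := KeyRotated(oldCert, reissuedSameKey)
	if err != nil {
		panic(err)
	}
	newKeyRotated, err := KeyRotated(oldCert, reissuedNewKey)
	if err != nil {
		panic(err)
	}
	return sameKeyRotated, newKeyRotated
}

func main() {
	sameKeyRotated, newKeyRotated := Demo()
	fmt.Printf("reissued for the same key -> key rotated: %v (exposure remains)\n", sameKeyRotated)
	fmt.Printf("reissued for a new key    -> key rotated: %v\n", newKeyRotated)
}
```

A new serial number and a fresh validity period are what a reissue always produces, which is why the check deliberately looks only at the public key; a site that shows a "new" certificate with an unchanged SubjectPublicKeyInfo should still be treated as exposed and the old certificate still needs revoking.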
"If an attacker is able to access a server's SSL private key, they can decrypt user traffic and impersonate the server – and it would be nearly impossible to detect them," Miller wrote. He said stolen certificates are popular for use in man-in-the-middle attacks perpetrated by fraudsters. Using stolen credentials, such as user passwords, they pose as consumers or network administrators for nefarious purposes.
The Heartbleed bug has caused much angst for a financial services industry and economy suffering from massive and often devastating data breaches, such as the one that hit Target Stores Inc. over the 2013 holiday season. But Abby Ross, Media Relations Manager at Trustwave, sees a silver lining to the Heartbleed disclosure in that it provides businesses an opportunity to reevaluate their security best practices and procedures.
"It really gives users a chance to start fresh," she said. This involves resetting passwords with complex combinations of numbers, letters and symbols, and taking advantage of two-factor authentication to make communications more secure.
Heartbleed can also be used as a litmus test service providers can employ to determine the level of security of the vendors they utilize. Miller said, "These types of security events – widespread, high-impact security events – give you an idea of how well you can trust other organizations by how well they communicate, how they were affected, what they've done to resolve it and the steps they took to go forward."
Heartbleed can also be used by merchant service providers to look inward. "You can judge your own security posture by how prepared you were to respond to it and tactics you used if you had been compromised," Miller added.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.