Important Security Information Relating to the Heartbleed OpenSSL Flaw:
Researchers have recently discovered a vulnerability in OpenSSL, a technology
used to provide encrypted communication to approximately two-thirds of secure
sites on the internet. The "OpenSSL Heartbleed Flaw" could allow
unauthorized users to gain access to sensitive user data.
County Trust Company has contacted all of our technology vendors and has
received statements detailing their level of exposure to the OpenSSL software
defect disclosed last week. At this time, all vendors have reported back that
they are not, and were not, vulnerable to this software defect. In addition to
customer facing applications, we have inventoried internal applications and
have determined that we have no exposure to this vulnerability.
SSL stands for Secure Socket Layer.
This is the security protocol mechanism for securing communications between
client computers (Internet end users) and web servers. OpenSSL is an open
source programming toolkit that enables entities to provide secure
communications without 'reinventing the wheel'. They can purchase the software
and include it on their web sites.
In the coming days or months,
security researchers may find other vulnerabilities related to the OpenSSL
software package. We will be vigilant and reassess our software and vendors to
make sure that any future vulnerabilities are handled in the quickest, most
efficient way possible.
1) Q. Does this mean that my
credentials for Internet Banking are safe?
A. This means that the Heartbleed vulnerability was not available for
exploitation on OCTC's Internet Banking servers. Your credentials would not
have been compromised by this vulnerability.
2) Q. Is telephone banking affected?
3) Q. I used the Bank's website (www.orangecountytrust.com).
Is that site safe? That is how I get to the Internet Banking site.
A. The Bank's site is an informational site which does not employ OpenSSL. There is a
link to Internet Banking and those servers are not affected by this
4) Q. Should I change my internet
this vulnerability does not affect OCTC or our Internet Banking vendor, you do
not have to change your password due to this disclosure. OCTC encourages any
user who believes that their credentials have been compromised to report it to
OCTC and to change their password.
5) Q. What about other non-bank
A. OpenSSL is a very common piece of software. Many internet sites are, or were,
vulnerable. You should look for an
announcement on your particular site of interest.
6) Q. Why is it called HeartBleed?
A. Computers use a mechanism called a 'heartbeat' to remain in communication
with other entities when no actual communication is needed. For example,
two people are on the phone but no one is saying anything. The line still remains
open due to heartbeat messages. Each computer continuously sends 'Hello'
messages to the partners it is communicating with, and the receiving computer
responds with a message. In this case, the sender sends a specially crafted
heartbeat packet which requests that the response be whatever data is located at a
particular memory address. The memory address ranges available include those
that would contain the encryption keys used to secure
communications. In effect, the heartbeat mechanism is leaking
information, hence 'Heartbleed'.
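To make the missing check concrete, the following is an added example in C (it is not from this notice or from the OpenSSL project): a validator for the heartbeat message layout defined in RFC 6520 that rejects a request whose claimed payload length exceeds the bytes actually received, which is the check the vulnerable code lacked. The two sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload_length,
 * the payload itself, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

enum hb_check { HB_OK = 0, HB_TOO_SHORT = 1, HB_LENGTH_MISMATCH = 2 };

/* Payload length the record claims, read big-endian. Not validated here. */
static uint16_t hb_claimed_length(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* The check that was missing: claimed payload_length must fit inside the
 * bytes that were actually received. A message claiming more than was
 * received is discarded, not echoed back. */
enum hb_check hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return HB_TOO_SHORT;
    uint16_t claimed = hb_claimed_length(rec);
    if ((size_t)HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len)
        return HB_LENGTH_MISMATCH;
    if (payload_len)
        *payload_len = claimed;
    return HB_OK;
}

/* How many bytes beyond the received message a responder that trusted the
 * claimed length would have echoed; 0 for a well-formed message. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    size_t needed = (size_t)HB_HEADER_LEN + hb_claimed_length(rec) + HB_PADDING_LEN;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Constructed sample: well-formed request carrying the 4-byte payload "ping". */
static const uint8_t good_hb[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: the same 4-byte payload, but claiming 0xFFFF bytes. */
static const uint8_t bad_hb[] = { 0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int check_good(void) { uint16_t n = 0; return hb_validate(good_hb, sizeof good_hb, &n) == HB_OK && n == 4; }
int check_bad(void)  { return hb_validate(bad_hb, sizeof bad_hb, NULL) == HB_LENGTH_MISMATCH; }
```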
7) Q. Why is it important to know if
a site was vulnerable before the defect was disclosed?
A. SSL keys are generally static. This means that traffic encrypted with those
keys in the past could be decrypted if it had been recorded.