Important Security Information Relating to the Heartbleed OpenSSL flaw
Orange County Trust Company has contacted all of our technology vendors and has received statements detailing their level of exposure to the OpenSSL software defect disclosed last week. At this time, all vendors have reported back that they are not, and were not, vulnerable to this software defect. In addition to customer-facing applications, we have inventoried internal applications and have determined that we have no exposure to this vulnerability.
SSL stands for Secure Sockets Layer. This is the security protocol mechanism for securing communications between client computers (Internet end users) and web servers. OpenSSL is an open source programming toolkit that enables entities to provide secure communications without ‘re-inventing the wheel’. They can purchase the software and include it on their web sites.
In the coming days or months, security researchers may find other vulnerabilities related to the OpenSSL software package. We will be vigilant and re-assess our software and vendors to make sure that any future vulnerabilities are handled in the quickest, most efficient way possible.
1) Q. Does this mean that my credentials for Internet Banking are safe?
A. This means that the Heartbleed vulnerability was not available for exploitation on OCTC’s internet banking servers. Your credentials would not have been compromised due to this vulnerability.
2) Q. Is telephone banking affected?
3) Q. I used the Bank’s website (www.orangecountytrust.com). Is that site safe? That is how I get to the Internet Banking site.
A. The Bank’s site is an informational site which does not employ OpenSSL. There is a link to Internet Banking and those servers are not affected by this vulnerability.
4) Q. Should I change my internet banking passwords?
A. Since this vulnerability does not affect OCTC or our Internet Banking vendor, you do not have to change your password due to this disclosure. OCTC encourages any user who believes that their credentials have been compromised to report it to OCTC and to change their password.
5) Q. What about other non-bank related sites?
A. OpenSSL is a very common piece of software. Many internet sites are/were vulnerable. You should look for an announcement on your particular site of interest.
6) Q. Why is it called HeartBleed?
A. Computers use a mechanism called a ‘heartbeat’ to remain in communication with other entities when no actual communication is needed. For example, two people are on the phone but no one is saying anything. The line still remains open due to heartbeat messages. Each computer continuously sends ‘Hello’ messages to the partners it is communicating with, and the receiving computer responds with a message. In this case, the sender sends a specifically crafted heartbeat packet which requests that the response be whatever data is located at a particular memory address. The memory address ranges available include those that would contain the encryption keys used to secure communications. In effect, the heartbeat mechanism is leaking information, hence Heartbleed.
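A simplified model of the crafted heartbeat described above, added here as an illustration (this is not OpenSSL's code): the request declares a larger payload than it actually carries, an unchecked handler copies that many bytes and so returns neighbouring server memory, while the fixed handler rejects any record whose declared length does not fit in the bytes received. The record layout, the handler names and the "SECRETKEY" neighbouring data are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heartbeat record: byte 0 = type, bytes 1-2 = declared payload length
 * (big-endian), bytes 3.. = payload. Modelled on the TLS heartbeat, not OpenSSL's code. */
#define HB_HEADER_LEN 3

/* Vulnerable handler: trusts the declared length and never looks at rec_len,
 * so the reply is filled from whatever memory follows the short record. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    (void)rec_len;                      /* the real record length is ignored */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > out_cap) declared = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, declared);
    return declared;
}

/* Fixed handler: the declared length must fit inside the bytes actually received;
 * otherwise the record is silently discarded (0 bytes of reply). */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - HB_HEADER_LEN || declared > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, declared);
    return declared;
}

/* Demo: a 4-byte record claiming 32 bytes of payload sits in a buffer directly in front
 * of constructed "secret" data. Returns 1 if the handler's reply contains that secret. */
int demo_leak(size_t (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t mem[64] = {0}, reply[64] = {0};
    const uint8_t record[] = { 1, 0x00, 0x20, 'A' };   /* declares 32 bytes, carries 1 */
    const char *secret = "SECRETKEY";                   /* constructed neighbouring memory */
    memcpy(mem, record, sizeof record);
    memcpy(mem + sizeof record, secret, strlen(secret));
    size_t n = handler(mem, sizeof record, reply, sizeof reply);
    return n >= 1 + strlen(secret) && memcmp(reply + 1, secret, strlen(secret)) == 0;
}

int main(void) {
    printf("vulnerable handler leaked secret: %d\n", demo_leak(heartbeat_reply_vulnerable));
    printf("fixed handler leaked secret:      %d\n", demo_leak(heartbeat_reply_fixed));
    return 0;
}
```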
7) Q. Why is it important to know if a site was vulnerable before the defect was disclosed?
A. SSL keys are generally static. This means that traffic encrypted with the keys in the past would be able to be decrypted if it had been recorded.