On Monday news came out regarding the discovery of a significant and widespread security problem: the Heartbleed OpenSSL bug. This vulnerability affects the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet to protect private information as it travels over the web. This email is our effort to explain how this bug may impact you and your customers, and to note some of the actions you can take to protect yourselves and your customers while the issue is being addressed.
Please Note: Money Tree Software servers do NOT use OpenSSL encryption programs, and are NOT vulnerable to the Heartbleed security exploit.
To help answer questions you may have about this new internet security issue, we’ve collected some basic information and a tool you may find useful.
Any website where you use passwords, transact business, or maintain assets should be checked. Websites can be checked to see whether they are potentially vulnerable, and whether they have updated their SSL certificate in the last 48 hours. It may be prudent to stay off vulnerable sites that hold secure information or that transmit credit card data until they are fixed. Once a site has updated its certificate, log in and change your password. Some example sites that may be vulnerable are Facebook, Amazon, eBay, etc.
The LastPass tool allows you to check websites for potential vulnerability: https://lastpass.com/heartbleed/
Many websites, like Money Tree Software’s, don’t use the OpenSSL software at all, and were never exposed to the security issue. Other major organizations not affected are sites like Schwab, MorningStar, and Microsoft.
Even after websites correct the problem, you will need to change your passwords to reduce your security risk. For example, everyone with a Yahoo account, a Wells Fargo account, or an OkCupid account can change their passwords now: these sites were vulnerable, but they have just updated their certificates, which indicates they have taken steps to address the Heartbleed issue.
Below is a sampling of site vulnerability to Heartbleed using the tool from LastPass this morning (4/8/2014).
Moneytree Test Results From LastPass:
- Detected server software of Microsoft-IIS/7.5
- That server is known to NOT use OpenSSL and is not vulnerable.
Amazon Test Results From LastPass:
- Detected server software of Server
- The server software is unknown, might use OpenSSL and could have been vulnerable.
- The SSL certificate for Amazon valid 1 month ago at Feb 27 00:00:00 2014 GMT.
- This is before the heartbleed bug was published, it may need to be regenerated.
Yahoo Test Results From LastPass:
- WARNING: Yahoo was tested as vulnerable on 4/8/2014
- Detected server software of ATS
- The server software is unknown, might use OpenSSL and could have been vulnerable.
- The SSL certificate for Yahoo was regenerated 17 hours ago at Apr 9 00:00:00 2014 GMT which is likely regenerated after heartbleed bug was published, they’ve updated their SSL certificate which likely means they’ve taken steps to reduce their ongoing risk from heartbleed!
MorningStar Test Results From LastPass:
- Detected server software of Microsoft-IIS/7.5
- That server is known to NOT use OpenSSL and is not vulnerable.
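The two signals the LastPass results above rely on (the server software banner and the certificate's start date relative to the 7 April 2014 disclosure) can be checked with a short script. The following is an added example written for this notice, not a Money Tree Software or LastPass tool; the list of server banners known not to use OpenSSL is an assumption seeded only with the Microsoft-IIS case shown above, and the sample inputs are constructed to mirror the quoted results so the script runs offline.

```python
import http.client
import ssl
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Server banners known to use a TLS stack other than OpenSSL. Microsoft-IIS
# (SChannel) is the case shown in the results above; this tuple is an assumed
# starting list, extend it only with stacks you have verified.
KNOWN_NON_OPENSSL = ("Microsoft-IIS",)


def parse_not_before(not_before: str) -> datetime:
    """Turn the 'notBefore' string from ssl getpeercert() into a UTC datetime.

    getpeercert() formats dates like 'Apr  9 00:00:00 2014 GMT'.
    """
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)


def assess(server_header: str, not_before: str) -> dict:
    """Classify a site the same way the quoted results do.

    Returns a dict with:
      uses_openssl - False when the banner is a known non-OpenSSL stack, else None (unknown)
      cert_renewed - True when the certificate's notBefore is on or after disclosure
      advice       - a one-line recommendation for the user
    """
    renewed = parse_not_before(not_before) >= HEARTBLEED_DISCLOSED

    if server_header.startswith(KNOWN_NON_OPENSSL):
        return {"uses_openssl": False, "cert_renewed": renewed,
                "advice": "Server does not use OpenSSL; not exposed to Heartbleed."}

    if renewed:
        advice = ("Server software unknown and may use OpenSSL; the certificate was "
                  "regenerated after disclosure, so change your password now.")
    else:
        advice = ("Server software unknown and may use OpenSSL; the certificate predates "
                  "disclosure, so wait for the site to regenerate it before changing your password.")
    return {"uses_openssl": None, "cert_renewed": renewed, "advice": advice}


def probe(host: str, timeout: float = 5.0) -> dict:
    """Fetch the Server banner and certificate from a live host (network required), then assess it."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        cert = conn.sock.getpeercert()
        return assess(resp.getheader("Server", "unknown"), cert["notBefore"])
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs mirroring the quoted results (the Moneytree date is made up).
    samples = [("Moneytree", "Microsoft-IIS/7.5", "Feb 27 00:00:00 2014 GMT"),
               ("Amazon", "Server", "Feb 27 00:00:00 2014 GMT"),
               ("Yahoo", "ATS", "Apr  9 00:00:00 2014 GMT")]
    for name, banner, issued in samples:
        print(name, assess(banner, issued)["advice"])
```

Both signals are heuristics: an unknown banner does not mean the site runs OpenSSL, and a certificate dated after disclosure only shows that a new certificate was issued, not that the private key behind it was replaced. Treat a "renewed" result as a reason to change your password, not as proof the site is fully remediated.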
We highly encourage you to use this tool to check the websites you use to see if they are potentially vulnerable to Heartbleed and make sure to change your passwords to reduce your security risk as soon as possible.