Assurance for Kiwi brokers over Heartbleed

Assurance for Kiwi brokers over Heartbleed | Insurance Business

Assurance for Kiwi brokers over Heartbleed
Kiwi brokers are being urged to review their security following global reports of a major new vulnerability called Heartbleed.
The software flaw, which could let attackers gain access to users’ passwords and fool people into using bogus versions of websites, could leave millions of servers on the internet open to an attack which allows sensitive data, such as user passwords, to be stolen.
So far, those affected that have come to light include Yahoo, the FBI and now parenting website Mumsnet.
Anu Nayer, Deloitte Head of Security, Privacy and Resilience, stated the issue – which has been around for over two years but was only recently discovered – should not be ignored.

“This is a major issue and it appears a significant portion of the Internet has been affected. Because this exploit leaves no trace in almost any system it is very difficult to determine the extent to which anyone has been compromised through this,” he said.
IBANZ CEO Gary Young agreed, telling Insurance Business: “This certainly appears to be a significant issue and we would encourage all our members to review their security. 
“For any business holding client information it is essential to protect their personal details. 
He added: “We have not heard from any of our members on this issue however no doubt their first port of call will be their IT support.”
The heart of the problem lies in open-source software called OpenSSL that's widely used to encrypt web communications.
A flaw in the programming on some versions (OpenSSL 1.0.1-1.0.1f) means attackers can view small portions of what is being stored in the server’s memory which includes data such as usernames, passwords, credit card numbers and any other sensitive information.

Grayson Milbourne, director of security intelligence at Webroot added it is software vulnerability not an infection.
“A vulnerability is a flaw in the code of an application which allows it to be exploited. In the case of the OpenSSL Heartbleed vulnerability, researchers found a flaw in how the data was being encrypted and transmitted,” he said.
Meanwhile, some Kiwi software providers have offered reassurance to their users that their systems are safe.
A spokesman for SSP, Dan Stewart told Insurance Business: “In line with other IT service providers, SSP have been working to understand our exposure to this vulnerability and mitigating the exposure with urgency.
“SSP have now fully addressed the situation and have rectified all vulnerable servers and no action needs to be taken concerning SSP’s delivered services.
“SSP takes information security very seriously and is committed to the data security of all of our customers.
“To that end, SSP’s Information Security Management System (ISMS) is externally assessed and accredited with compliance to ISO27001 standards - to further reassure our customers that our data security procedures follow especially stringent guidelines.”
Sales and marketing manager of Ferret Software, Nicholas Stuart, said: “Ferret does not use OpenSSL, therefore, the Heartbleed flaw does not affect Ferret in any way”. 
Other systems such as Ebix and EGlobal were also believed to be unaffected.

However, Nayer said it is vital that the company’s technical team knows all the websites and web services the organisation has so they can check all the necessary sites. He recommends asking the IT department the following questions in addressing the issue:
  • How have you determined whether each of our websites and web services have OpenSSL service enabled?
  • What type of sensitive information do we have that is accessible from the internet? What type of information would have been at risk?
  • Have we looked at our logs to determine if there have been any successful or unsuccessful attempts to exploit this issue? What did we find? Are we monitoring our network to look for indications of attacks?
  • What steps have we taken to mitigate the issue?
  • How have you confirmed that the fixes have been applied successfully?
  • Have you gotten assurances from our vendors, external hosting providers and application cloud services that they have fixed any vulnerable systems?
Nayer said if the company’s website is internally hosted the organisation can run the command ‘openssl version’ on the server to find which if an affected version is being used. However, if it is hosted externally it is necessary to contact the hosting provider for more information.

If your system uses a vulnerable version of OpenSSL (1.0.1-1.0.1f) you should immediately upgrade to OpenSSL 1.0.1g. If you are unable to immediately upgrade you can recompile the version of OpenSSL you have with ‘-DOPENSSL_NO_HEARTBEATS’ set,” he advised.

It would also pay to consider if it is appropriate to revoke any Certificates which were used while the organisation ran exposed versions of OpenSSL.

“Even after a fix is applied, the private cryptographic keys your systems are relying on to protect their communications could already have been compromised and this fix won’t address that compromise,” he said.

Nayer recommends increasing monitoring for unexpected activity in your systems, and train call centre and client facing staff on how to respond to inquiries on the topic.

Additionally, Milbourne recommends changing passwords although this isn't a full-proof solution as it'll only help if the website in question has put in place required security patches.

“To be on the safe side, I recommend changing passwords at least every three months and to make sure your personal email password is different from every other password,” he said.

For more information on how the Heartbleed software flaw works read this. 
A teenager from Ontario, Canada is facing mischief charges in relation to the alleged theft of confidential information using the Heartbleed bug at the Canada Revenue Agency.