Page 13 - GS140501
News
Heartbleed offers chance to hit 'Reset'

In what may become a watershed event in the history of Internet security, the so-called Heartbleed bug detected in the popular OpenSSL security protocol has garnered major media attention, and the interest of the general public. But in the payments industry, where security issues are already forefront in most people's minds, disclosure of a weakness in secure sockets layer (SSL) encryption software can be viewed as an opportunity to reassess security procedures that include a simple reset of passwords.

On April 7, 2014, the Heartbleed vulnerability was discovered in OpenSSL, which is described as a cryptographic library used in securing such pervasive online infrastructure as e-commerce sites, email services and file transfer protocol programs. The bug is a weakness in the code that can be exploited by hackers to circumvent encryption and gain access to sensitive cardholder and enterprise data.

Until its discovery, security researchers said Heartbleed had gone undetected for over two years, ample time for hackers to have exploited the weakness and pilfered SSL certificates, which establish encrypted communications for when consumers make online purchases with credit cards, for example, or when system administrators log onto networks.

The scope of the vulnerability is hard to quantify. It has been reported that roughly 60 percent of all web servers employ OpenSSL. But, according to John Miller, Security Research Manager at security firm Trustwave, that figure doesn't do justice to the popularity of the encryption library, since it is a "building block" of secure online communications used in all types of systems, including ATMs and virtual private networks.

"Most likely, almost all users of the Internet use some service that was affected by this in some way," Miller said. "It really does touch everybody."

Patch, revoke, issue

Since the bug was disclosed, businesses have issued security patches to fix vulnerabilities in their systems. On April 24, Silicon Valley-based mobile security provider Trustlook Inc. said its analysis of the top 1 million websites and over 120,000 apps available on Google Play found that 4.4 percent of SSL-enabled websites and 8.7 percent of apps had not been patched.

Princeton, N.J.-based processor Heartland Payment Systems Inc. said it was proactive in its response to the Heartbleed bug. John South, Chief Security Officer at Heartland, told The Green Sheet that the processor "responded to the OpenSSL vulnerability with a detailed analysis of all of its servers and infrastructure devices to determine which were exposed to the vulnerability. We had a team dedicated to the analysis and remediation efforts. Though no devices in the direct payment stream were subject to the vulnerability, we did ensure that all devices were at the proper patch levels."

Meanwhile, Trustwave disclosed in an April 10 blog post that its first priority was to determine the exposure of its own products and services to the bug and issue patches if necessary. "For the most part, our solutions have avoided exposure to this vulnerability," Miller wrote.

Miller went on to say that Trustwave issued "hotfixes" for its gateway and firewall application and updated its vulnerability scanner to detect the Heartbleed bug on the potentially vulnerable servers of its clients. Miller told The Green Sheet that all payment companies up and down the value chain should be conducting similar activities with their systems.

"This is the responsibility of everybody who is maintaining any kind of encrypted communications, whether that is an email system, or a website, or a file transfer system or a database," he said. "Any system that is using encryption,