4/11/2014 4:52 PM
Earlier this week information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is key to maintaining privacy between servers and clients, and confirming that Internet servers are who they say they are.
This vulnerability, known as Heartbleed, may allow an attacker to steal the keys that protect communication, user passwords, and even the contents of a vulnerable server's system memory. This represents a major risk to large portions of private traffic on the Internet. At this time we have no evidence that the attack has been used against any of our portals, websites or other systems.
However, we take the security of our clients' data very seriously and will continue to vigilantly monitor for any unauthorized behavior. We assure you that we are working aggressively to assess and update any of our systems that rely on OpenSSL.
We have also been in touch with our technology partners to ensure they are doing the same. We are committed to the protection of our clients and will provide product-specific updates if and when necessary.
Contrary to advice from the BBC and Yahoo, some experts believe that it is still too soon to change internet passwords to protect them from the Heartbleed security breach. Many security advisers agree that changing passwords before major sites have had the chance to rectify the problem could, in fact, expose users' private data even further. The Heartbleed bug has been described as a "catastrophic" breach of internet security, and independent security expert Bruce Schneier claims on his blog that "on the scale of 1 to 10, this is an 11".
Here are some more resources for learning about Heartbleed:
TechCrunch.com video: http://techcrunch.com/2014/04/08/what-is-heartbleed-the-video/
Troy Hunt’s blog post