The Heartbleed bug may be old news by now, but companies with OpenSSL websites were still working over the weekend to determine their exposure.
Mention of the word 'heartbleed' early last week got an most a quizzical look, but by the end of the week people were cued in and some were a bit scared.
Security Service Federal Credit Union spokesman John Worthington said his organization was not affected by Heartbleed. He said several in-the-know customers telephoned SSFCU before the mainstream media had the story.
"We answered those calls individually," Worthington said. "As soon as the thing popped, our people were on it. They checked it made sure that we were not impacted."
A post on Broadway Bank’s website said scans of their networks showed no vulnerabilities. USAA said in a statement and on its website that a security patch was implemented for its website earlier last week.
Dan Cornell, the chief technology officer of The Denim Group, a San Antonio-based software security company, said he hopes the exposure of OpenSSL’s vulnerability will push companies to move forward with two-factor authentication that he believes provides a deeper level of security.
"I think moving beyond simply using passwords is an important step worldwide to improve the security of this cyber-critical infrastructure," Cornell said.
Cornell said two-factor authentication is not a password plus a pin number or a security question, but involves information from multiple sources.
"In the industry they say, 'Something you know and something you have or something you are.' So something you know like a password or a pin code," Cornell said. "Something you have such as having your mobile phone and being able to receive an SMS message on it. Or something you are, a biometric, like if you have a fingerprint reader or an eye reader or something like that."
Cornell said it’s almost a chance occurrence whether companies would be affected because not all web server software had the vulnerability.
"A lot of sites using popular web server software were affected," Cornell said. "Other sites that didn't use software that had these vulnerable components can pretty definitively say, 'We're not affected because this vulnerability does not exist in the software that we're running.' "
NPR’s All-Tech Considered offers a full explainer of the bug and links to pages that are keeping track of the Heartbleed vulnerability of most major companies. The advice is consistent: If a website you use was affected, wait until a patch has been applied and then change your password.
Broadway Bank Web Post:
"You have probably read or heard about the newly discovered Heartbleed bug. Broadway Bank has taken proactive scans of our networks for vulnerabilities and there is no indication of any risks being present. Broadway Bank is also working with key vendor partners to make sure their systems are not vulnerable. Our first priority at Broadway Bank is customer security and privacy. For more information on ensuring your online account data is secure, please visit Online Security."
USAA Media Statement:
"While there’s no indication of compromise, it’s a good security practice to periodically change passwords and use a unique password for each site. USAA is committed to protecting our members' personal and financial information, and we continually monitor for information security threats. A security patch was implemented for usaa.com earlier this week, and USAA continues to take steps to mitigate the risks associated with this bug. There is no indication that our systems are at risk. We have communicated with our members about how they can better protect themselves."
