Internet security experts spent yesterday raising the alarm about Heartbleed — an online security flaw that affects OpenSSL encryption software, potentially exposing user data to the unwelcome eyes of hackers. But where do Australian websites stand?
News emerged yesterday that a number of major websites had been compromised, including Yahoo, with security experts and developers able to "scrape" Yahoo usernames and passwords for services such as Yahoo Mail.
The flaw has been making major waves online as security experts warn about the potential impact of data breaches.
In a post on his personal blog, respected security expert and academic writer Bruce Schneier has labelled the problem as "catastrophic":
"Basically, an attacker can grab 64K of memory from a server," he wrote. "The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.
"'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11.
"Half a million sites are vulnerable, including my own," he added. "The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected."
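The remediation sequence Schneier lays out (patch, new key pair, reissued certificate, then passwords) can be turned into a post-patch verification check. The following Python is an added example, not code from the CNET article or from Schneier's post; the version string, key fingerprints, certificate date and patch time are constructed sample values, and the version test covers upstream OpenSSL release numbers only (distribution packages that backport the fix keep the old number, so consult the package changelog there instead).

```python
import re
from datetime import datetime, timezone

# Upstream OpenSSL 1.0.1g, released 7 April 2014, is the first 1.0.1 release
# without the Heartbleed bug (CVE-2014-0160); 1.0.2-beta2 fixes the beta line.
HEARTBLEED_FIX_RELEASED = datetime(2014, 4, 7, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_is_heartbleed_vulnerable(version: str) -> bool:
    """True for upstream versions 1.0.1 through 1.0.1f and for 1.0.2-beta1.

    Accepts the raw output of `openssl version` ("OpenSSL 1.0.1f 6 Jan 2014").
    Caveat: distro packages may backport the fix and keep the old number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter <= "f"        # "" (plain 1.0.1) through "f" are affected
    if release == (1, 0, 2):
        return beta is not None and int(beta) < 2   # only 1.0.2-beta1
    return False                    # 0.9.8 and 1.0.0 have no heartbeat code


def outstanding_remediation(version, old_key_fpr, new_key_fpr,
                            cert_not_before, patched_at):
    """Schneier's checklist minus the password step (not verifiable here):
    patched build, rotated private key, certificate issued after the patch."""
    todo = []
    if openssl_is_heartbleed_vulnerable(version):
        todo.append("upgrade OpenSSL to a fixed release")
    if new_key_fpr == old_key_fpr:
        todo.append("generate a new private key (old one may have leaked)")
    if cert_not_before < patched_at:
        todo.append("reissue the certificate with the new key")
    return todo


# Constructed sample: patched build and rotated key, but the old certificate.
SAMPLE = outstanding_remediation(
    version="OpenSSL 1.0.1g 7 Apr 2014",
    old_key_fpr="SHA256:aaaa...old",   # placeholder fingerprints, not real keys
    new_key_fpr="SHA256:bbbb...new",
    cert_not_before=datetime(2014, 1, 15, tzinfo=timezone.utc),
    patched_at=datetime(2014, 4, 8, 9, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(SAMPLE or ["nothing outstanding"])
```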
Despite warnings from Ars Technica that an estimated "two-thirds of the Internet's Web servers" use OpenSSL encryption, and that net users should change their passwords and "steer clear of Yahoo Mail", the local response has been fairly muted. Regardless of whether or not a website has been affected, the increasing media exposure of the bug has potentially left many internet users worried about their data — and it's concerning that Australian companies have not been vocal about the measures they are taking to address the problem.
CNET contacted several major Australian banks, as well as a number of other companies, to determine their response to the bug and their advice to Australian consumers (some had already been proactive on the matter, issuing security updates via their websites).
Here's what they had to say:
"CBA customers can rest assured that the Bank is patched against the Heartbleed bug. Customers do not need to change their passwords. They can continue to bank with confidence in NetBank and our other channels.
"The Commonwealth Bank takes security seriously. We are dedicated to ensuring our data and that of our customers is safe and secure. Our security teams constantly monitor and stay abreast of the latest security technologies and updates, and we continually strengthen the protections we have in place.
"Harvey Norman sites have not been compromised by the Heartbleed bug," chief technical officer John Slack-Smith told CNET Australia. "We became aware of the issue on Tuesday afternoon when we received information from our internal security team regarding this OpenSSL vulnerability.
"We then immediately went into a series of steps where we've spoken with Macquarie Telecom, who is our hosting partner, and they confirmed for us that a fix had been released for the bug on Monday 7 April as a patch to close down the vulnerability. We've also talked to all of our respective suppliers to see what they've done to ensure that we're not being exposed in any way. We've checked all of our website portfolios, because we've got websites overseas with subsidiary companies, and there is no evidence or indicator that any of our websites have been compromised as a result of the bug.
"We are completely confident that the right steps have been taken and the right checks are in place, and that Harvey Norman customers shouldn't have any concerns at all."
"NAB does use SSL to protect its transactional data and customer information. This particular exposure does not impact NAB or its customers, due to the Enterprise architecture we have in place to protect our systems.
"NAB has multiple layers of technology and protection and we never allow a single layer of vulnerability to expose our services and customers. Our customers do not need to change their Internet Banking passwords as a result of the Heartbleed vulnerability."
A spokesperson for PayPal Australia told CNET Australia: "We can confirm that PayPal account details were not exposed and remain secure."
The company's global chief technology officer, James Barrese, also posted the following yesterday in a blog post on the PayPal website:
"We would like to assure you that with regards to the Heartbleed bug: Your PayPal account is secure; Your PayPal account details were not exposed in the past and remain secure; You do not need to take any additional action to safeguard your information; There is no need to change your password.
"While we always advise our customers to be cautious and aware of the security of their personal and financial information, in this case we want to reassure you there is no need to be unduly concerned. When you log in to PayPal using your user name and password, these details were not exposed to the OpenSSL vulnerability.
"Following a comprehensive review of all our services, our security teams did identify a handful of businesses that we recommend upgrade their Payflow Gateway integrations to eliminate the risk of vulnerability. The Payflow Gateway is a payment gateway for online merchants that links your website to your processing network or merchant account.
"We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations."
"St. George is aware of this issue, and can confirm that our Online Banking services are not susceptible to this vulnerability. St. George takes Online Banking security very seriously, and we continue to provide up-to-date security advice regarding security threats to customers through the Security section of our website."
St. George did not provide a response as to whether its customers should change their passwords.
"Westpac is aware of this issue, and can confirm that our Online Banking services are not susceptible to this vulnerability. Westpac takes Online Banking security very seriously, and we continue to provide up-to-date security advice regarding security threats to customers through the security section of our website."
When asked whether Westpac customers should change their passwords, a spokesperson for the bank responded: "If we believe we need to advise customers to do anything we would proactively communicate with them".
"A vulnerability, called Heartbleed, was recently identified impacting many platforms that use OpenSSL, including ours. Our team has successfully made the appropriate corrections across our entire platform, which includes Yahoo7. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."
Yahoo7 did not provide a response as to whether its customers should change their passwords.
ANZ tweeted the following comment from its official ANZ Australia Twitter account this afternoon:
"Hi, to clarify re: the #HeartBleed security vulnerability impacting OpenSSL, ANZ Internet Banking is not impacted - no need to change p/words"
— ANZ Australia (@ANZ_AU), April 10, 2014
The bank has since released a statement on the problem:
"Our internet banking and goMoney mobile banking app have not been impacted by the OpenSSL Heartbleed vulnerability (CVE-2014-0160) and customers do not need to take any action as a result. We have robust security processes in place to ensure our customers' information is protected and that they can securely bank with us either online or via their mobile.
"While customers do not need to change their Internet Banking passwords as a result of Heartbleed, we do recommend they regularly update passwords and keep them secure."
CNET has also sought comment from JB Hi-Fi and Dick Smith to determine whether their e-commerce sites were compromised or at risk from Heartbleed.