Heartbleed – Impacts & Mitigation for Fund Managers

At IP Sentinel we set up FCA compliant IT systems, policies and procedures for small and start-up Fund Managers and act as a virtual CTO for them as they grow. Heartbleed is all over the news right now and just in case you or your management want to know more, we’ve written this blog post.

Heartbleed (CVE-2014-0160) is a bug in OpenSSL, the encryption library behind most non-Microsoft HTTPS servers, which lets anybody on the internet pull chunks of the server's memory (up to 64KB per request, repeated as often as they like) without logging in and without leaving anything in the normal server logs. They can then search that memory for useful material: the server's private key, session cookies, usernames and passwords. With the private key an attacker can decrypt traffic they have captured, including traffic recorded before the fix where the server was not using forward secrecy, or impersonate the site; with captured credentials they can simply log on as that user.
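The over-read described above, as an added example that is not OpenSSL's code and not part of the original post: a small C model of the heartbeat handler with the missing length check beside the 1.0.1g-style check. The simulated memory buffer, the secret string and the function names are constructed for the illustration; the message layout (type, two-byte length, payload, 16 bytes of padding) is the real one.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/*
 * Model of the TLS heartbeat handling that CVE-2014-0160 (Heartbleed) fixed.
 * A heartbeat message is: 1 byte type, 2 byte payload length (big-endian),
 * the payload, then at least 16 bytes of random padding. The server answers
 * by echoing the payload back. The bug: the vulnerable code took the payload
 * length from the sender's message and never compared it with the size of the
 * record it actually received, so the echo read past the record into whatever
 * sat next in memory. Constructed example, not OpenSSL's source.
 */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256

/* Simulated process memory: the received record is placed at the start, and a
 * secret (standing in for key material or a session cookie that happened to be
 * adjacent on the heap) is written immediately after it. Constructed data. */
static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "PRIVATE-KEY-BYTES";

/* Lay out a heartbeat request in process_memory. declared_len is the length the
 * sender claims; payload is what was really sent. Returns the record length,
 * or 0 if the request would not fit the simulated memory. */
static size_t build_request(const char *payload, uint16_t declared_len)
{
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + HB_PADDING;
    if (record_len + sizeof secret > MEM_SIZE) return 0;
    memset(process_memory, 0, MEM_SIZE);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(declared_len >> 8);
    process_memory[2] = (unsigned char)(declared_len & 0xff);
    memcpy(process_memory + 3, payload, plen);
    memcpy(process_memory + record_len, secret, sizeof secret);
    return record_len;
}

/* Vulnerable shape (OpenSSL before 1.0.1g): rec_len is never consulted. Returns
 * the response length, or -1 if the message is not a heartbeat request. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                /* never checked: this is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload > out_cap) return -1;  /* only the reply buffer is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* reads past the record when payload is too big */
    return 3 + payload;
}

/* Fixed shape (the 1.0.1g check): header, declared payload and padding must all
 * fit inside the record that was actually received, otherwise discard it. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;  /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    if (3 + (size_t)payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* Send one request through either handler. Returns the response length, -1 if
 * the handler rejected it, -2 if the request does not fit the simulated memory
 * (a guard for the model only; the real bug could read up to 64KB past the record). */
int run_heartbeat(int fixed, const char *payload, uint16_t declared_len,
                  unsigned char *out, size_t out_cap)
{
    size_t rec_len = build_request(payload, declared_len);
    if (rec_len == 0 || 3 + (size_t)declared_len > MEM_SIZE) return -2;
    return fixed ? heartbeat_fixed(process_memory, rec_len, out, out_cap)
                 : heartbeat_vulnerable(process_memory, rec_len, out, out_cap);
}

/* Does the echoed payload contain bytes the client never sent (the secret)? */
int response_leaks_secret(const unsigned char *out, int out_len)
{
    size_t slen = strlen(secret);
    if (out_len < 3) return 0;
    for (size_t i = 3; i + slen <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[MEM_SIZE];
    /* Honest client: says 2 bytes, sends 2 bytes. Both handlers echo "hi". */
    int n = run_heartbeat(0, "hi", 2, out, sizeof out);
    printf("vulnerable, honest request: %d bytes, leak=%d\n", n, response_leaks_secret(out, n));
    /* Attacker: says 100 bytes, sends 2. The vulnerable handler echoes 100 bytes of memory. */
    n = run_heartbeat(0, "hi", 100, out, sizeof out);
    printf("vulnerable, lying request:  %d bytes, leak=%d\n", n, response_leaks_secret(out, n));
    n = run_heartbeat(1, "hi", 100, out, sizeof out);
    printf("fixed, lying request:       %d (rejected)\n", n);
    return 0;
}
```

Note that nothing is written out of bounds, only read, so the server does not crash and no ordinary error handling fires; that is why the bug could be exploited silently and why the only safe assumption is that anything in the process's memory, keys included, has been read.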

This means that any website that used a vulnerable OpenSSL build to secure its https:// traffic (most non-IIS sites; Microsoft's IIS uses its own SChannel library and is not affected) should be treated as compromised until it has been patched. Consequently online banking is off limits until the bank confirms that it was either unaffected or has fixed the bug. Fixing it means more than installing the patch: because the old private key may already have been stolen, the bank also has to generate a new key, obtain a new certificate for its domain from its certificate vendor and revoke the old one. The same goes for banking apps.

Likewise, any prime broker, administrator, supplier or vendor communication that goes over the internet secured by https:// should be considered insecure unless you have had confirmation otherwise.

More perniciously, there is a long list of hardware vendors (Cisco, F5, Aruba, Blue Coat, Fortinet, Juniper, Sophos, WatchGuard) whose VPN concentrators, SSL VPNs and web-based captive portals include the buggy version of OpenSSL in their firmware. VPN or web-based authentication through these devices should be considered insecure until you have patched the appliance and, as with a web server, replaced its private key and certificate.

Most Linux servers need patching: any distribution that shipped OpenSSL 1.0.1 through 1.0.1f is affected (the fix is in 1.0.1g; Debian, Ubuntu and Red Hat issued fixed packages that keep the 1.0.1e version number, so check the package changelog rather than the version string alone). After patching, regenerate the private keys of every service that used the library for TLS (web servers, mail servers running SMTP/IMAP/POP over TLS, FTPS and so on), reissue their certificates and consider resetting any passwords that were sent through them. SSH and SFTP use their own protocol rather than TLS and are not exposed by this bug.

If you have Apache or Nginx running on Windows they bundle their own copy of the OpenSSL DLLs, so they also need updating to a build that ships OpenSSL 1.0.1g or later, with keys and certificates replaced in the same way.
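A local check for the two paragraphs above (Linux packages and Windows Apache/Nginx bundles), as an added example that is not part of the original post: classify what `openssl version -a` reports. The upstream ranges are the real ones (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g and 1.0.2-beta2 fixed, 0.9.8 and 1.0.0 never had the heartbeat code). Treating a "built on:" date of 7 April 2014 or later as a sign of a distribution backport is a heuristic assumed here, not a guarantee; the sample version lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/*
 * Classify an OpenSSL build against CVE-2014-0160 (Heartbleed) from the
 * output of `openssl version` and, optionally, the "built on:" line that
 * `openssl version -a` prints. Distribution builds (Debian, Ubuntu, Red Hat)
 * kept the 1.0.1e version string but shipped fixed packages on 7 April 2014,
 * so a build date on or after that day is used as a heuristic for a
 * backported fix. Constructed example; the date heuristic is an assumption.
 */

typedef enum {
    HB_NOT_AFFECTED,      /* branch never contained the heartbeat code */
    HB_VULNERABLE,        /* version string in the affected range */
    HB_LIKELY_BACKPORTED, /* affected version string, built on/after the fix date */
    HB_FIXED,             /* version at or after the upstream fix */
    HB_UNKNOWN            /* could not parse the version string */
} hb_status;

static const char *month_names[12] = {
    "Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"
};

static int is_space(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

/* Parse a line like "built on: Mon Apr  7 20:33:29 UTC 2014" into yyyymmdd by
 * finding a month abbreviation, then a day number, then a four-digit year.
 * Returns 0 when no such date is found (e.g. "built on: date not available"). */
int parse_built_on(const char *line)
{
    int month = 0, day = 0, year = 0;
    const char *p = line;
    while (*p) {
        while (*p && is_space(*p)) p++;
        if (!*p) break;
        const char *tok = p;
        while (*p && !is_space(*p)) p++;
        size_t len = (size_t)(p - tok);
        if (!month) {
            if (len == 3)
                for (int m = 0; m < 12; m++)
                    if (strncmp(tok, month_names[m], 3) == 0) { month = m + 1; break; }
        } else if (!day) {
            if (len <= 2 && isdigit((unsigned char)tok[0])) day = atoi(tok);
        } else if (!year) {
            if (len == 4 && isdigit((unsigned char)tok[0])) year = atoi(tok);
        }
    }
    if (!month || !day || !year) return 0;
    return year * 10000 + month * 100 + day;
}

/* Classify a version string such as "OpenSSL 1.0.1e 11 Feb 2013" or
 * "1.0.1e-fips 11 Feb 2013". built_on may be NULL. */
hb_status classify_openssl(const char *version, const char *built_on)
{
    int major = 0, minor = 0, fix = 0;
    char suffix[32] = "";                     /* "e", "e-fips", "-beta1", ... */
    const char *v = version;
    if (strncmp(v, "OpenSSL ", 8) == 0) v += 8;
    if (sscanf(v, "%d.%d.%d%31[^ \t\r\n]", &major, &minor, &fix, suffix) < 3)
        return HB_UNKNOWN;
    if (major == 0 || (major == 1 && minor == 0 && fix == 0))
        return HB_NOT_AFFECTED;               /* 0.9.8 and 1.0.0 branches */
    if (major == 1 && minor == 0 && fix == 1) {
        char letter = islower((unsigned char)suffix[0]) ? suffix[0] : '\0';
        if (letter >= 'g') return HB_FIXED;   /* 1.0.1g and later */
        /* 1.0.1 through 1.0.1f: vulnerable unless the distribution backported the fix */
        if (built_on && parse_built_on(built_on) >= 20140407) return HB_LIKELY_BACKPORTED;
        return HB_VULNERABLE;
    }
    if (major == 1 && minor == 0 && fix == 2)
        return strncmp(suffix, "-beta1", 6) == 0 ? HB_VULNERABLE : HB_FIXED;
    return HB_FIXED;                          /* 1.1.x and later post-date the fix */
}

const char *hb_status_name(hb_status s)
{
    switch (s) {
    case HB_NOT_AFFECTED:      return "not affected";
    case HB_VULNERABLE:        return "VULNERABLE";
    case HB_LIKELY_BACKPORTED: return "likely fixed by distribution backport (verify changelog)";
    case HB_FIXED:             return "fixed";
    default:                   return "unknown";
    }
}

int main(void)
{
    /* Constructed sample lines in the shape `openssl version -a` prints them. */
    struct { const char *version; const char *built_on; } samples[] = {
        {"OpenSSL 1.0.1e 11 Feb 2013", "built on: Tue Feb 11 15:51:27 UTC 2014"},
        {"OpenSSL 1.0.1e 11 Feb 2013", "built on: Mon Apr  7 20:33:29 UTC 2014"},
        {"OpenSSL 1.0.1g 7 Apr 2014",  NULL},
        {"OpenSSL 1.0.0k 5 Feb 2013",  NULL},
        {"OpenSSL 1.0.2-beta1 24 Feb 2014", NULL},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> %s\n", samples[i].version,
               hb_status_name(classify_openssl(samples[i].version, samples[i].built_on)));
    return 0;
}
```

A "likely backported" result is a prompt to read the package changelog (Debian and Ubuntu mention CVE-2014-0160 in theirs), not a clean bill of health, and a "fixed" result still leaves the key rotation above to be done if the server was ever running an affected build.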

Finally, most large public websites (Amazon, Google, PayPal etc.) have already been fixed, however if you do e-commerce with smaller suppliers then you will need to check that they are running on a patched stack.

To check whether a website has been patched you can use the Qualys SSL Labs server test, which reports whether the server is still vulnerable to Heartbleed and also shows the certificate's issue date, so you can see whether it has been reissued since the fix.

To check whether an appliance requires patching you need to go to the vendor's site: each of the vendors above has published its own Heartbleed advisory listing the affected products and the firmware versions that fix them.

Yesterday's blog post about the issue