Recent news articles have focused attention on the “Heartbleed” Bug, which is a vulnerability in secure web systems that could put personal information at risk. OMEGA Processing wanted to take this opportunity to explain more about the Heartbleed Bug, how to remedy the vulnerability and assure our merchants that our web servers are secure and not affected. At the time of this release, we have had no merchants report that they have been affected by the bug.
The Heartbleed Bug has revealed that it is possible for a malicious user to retrieve sensitive information — including usernames, passwords and other personal or financial data — from secure web servers. The programming flaw is contained in certain versions of OpenSSL, a widely used implementation of SSL (Secure Sockets Layer), which is the standard security technology for establishing an encrypted link between a web server and a browser. Most websites with an address beginning with “https://” are vulnerable, as well as webmail, instant messaging, firewalls, routers, database servers and other services that run SSL. Microsoft’s IIS web server does not utilize the OpenSSL library, so it is not impacted, but other network devices could be.
Vulnerability and Mitigation
OMEGA Processing’s scanning vendor has scanned the servers of our merchants who are enrolled in our Data Protection Program. Those merchants who were possibly affected by the Heartbleed Bug are being individually notified by our data protection partner.
The following versions of OpenSSL are vulnerable to the Heartbleed bug:
1.0.1 through 1.0.1f
To rectify the vulnerability, these OpenSSL versions should be upgraded to 1.0.1g or 1.0.2-beta2. More information on upgrading OpenSSL versions can be found at https://www.openssl.org/.
Any secret (private) keys that were generated with a vulnerable version of OpenSSL should be considered compromised and regenerated using the upgraded OpenSSL version. Also, any passwords that were used in any vulnerable system should be updated, as the old ones might have been compromised.
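As an added example (not OMEGA Processing's or OpenSSL's own code), the shell function below classifies the banner printed by `openssl version` against the version range listed above. The function name, status strings and sample banners are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify an OpenSSL version banner against the Heartbleed range
# (1.0.1 through 1.0.1f). Function name and status strings are illustrative.

heartbleed_status() {
    # Accepts the text printed by `openssl version`
    # (e.g. "OpenSSL 1.0.1e 11 Feb 2013") or a bare version token.
    local ver
    ver=$(printf '%s\n' "$1" | awk '{ print (NF >= 2) ? $2 : $1 }')
    case "$ver" in
        "")
            echo "unknown" ;;
        1.0.1|1.0.1[abcdef]|1.0.1-*|1.0.1[abcdef]-*)
            # 1.0.1 through 1.0.1f, including suffixed builds such as 1.0.1e-fips
            echo "in-vulnerable-range" ;;
        1.0.2-beta1*)
            # Pre-release line whose fix is 1.0.2-beta2
            echo "in-vulnerable-range" ;;
        *)
            echo "not-in-range" ;;
    esac
}

# Constructed sample banners (not captured from any real host).
while IFS= read -r banner; do
    printf '%-36s %s\n' "$banner" "$(heartbleed_status "$banner")"
done <<'EOF'
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 0.9.8y 5 Feb 2013
EOF

# Classify the locally installed binary, if one is present.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(heartbleed_status "$(openssl version)")"
fi
```

An in-range result on a distribution package still needs a check of the package version, because vendors backported the fix without changing the version letter in the banner.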
OMEGA Processing Security
OMEGA Processing’s web servers have been scanned by our independent vendor and deemed unaffected by the Heartbleed Bug.
If you have any questions about your payments process and its vulnerability to the Heartbleed Bug, please contact OMEGA Processing’s customer service department at 866.888.9724 Ext. 7.