'Catastrophic' Heartbleed bug: Illawarra banking security


An encryption flaw called Heartbleed has exposed large swathes of the internet, prompting IT security experts to warn internet users against using the web for the next few days.

While the big four banks confirmed their security had not been compromised, the same couldn't be said for smaller credit unions active in the Illawarra.

A Greater Building Society spokesman advised customers to change their passwords.

"The Greater has already updated services to ensure customer information will not be exposed to this vulnerability," he said.

"We do recommend customers change their passwords when they next log in as a precautionary measure, and have placed that message on our internet banking site."

Meanwhile, an Illawarra Credit Union spokeswoman said no service vulnerabilities had been found in the company's system.

"I can confirm that Illawarra Credit Union has not been affected by the Heartbleed vulnerability," she said.

A spokeswoman for Horizon Credit Union said Heartbleed had no impact on them.

"Horizon Credit Union has not been exposed to the Heartbleed vulnerability," it said in a statement.

"Horizon's online banking facility or website is not affected by this vulnerability."

A spokeswoman for building society IMB, which has branches throughout the Illawarra and South Coast, said the company did not use the at-risk software for online banking and was not susceptible to the Heartbleed flaw.

"Accordingly, IMB customers do not need to change their internet banking passwords," she said.

Bruce Schneier, a renowned security expert, said in a blog post on Wednesday: "Heartbleed is a catastrophic bug ... on a scale of one to 10, it is an 11."

The Heartbleed flaw is a bug that was found in some of the latest versions of an open source cryptography library used by millions of websites globally, called OpenSSL.

Many websites use OpenSSL when implementing that golden "lock" and "https" in the URL of a web browser.

The flaw was discovered by Google security engineer Neel Mehta and by staff at a security firm called Codenomicon.

They found a flaw in the code that allowed a malicious person to extract a random 64-kilobyte chunk of a website server's internal memory once every "heartbeat" - a periodic signal generated to indicate normal operation or to synchronize a system.

An attacker would have been able to eventually steal usernames, passwords and financial information - basically any piece of information being pushed through a server's memory.

They also found that a server's private key, which it uses to encrypt communications, was able to be extracted. With this key, an attacker can impersonate a "secured" website to access a user's encrypted data and decrypt it.

This is why security experts are prompting website owners to replace their private keys, just like they would replace their house keys if the key was stolen.
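The memory over-read described above comes down to a single missing bounds check on the heartbeat message. The following C program is an added illustration written for this article, not OpenSSL's code: it models a heartbeat handler over a constructed 128-byte stand-in for server memory, with a hypothetical session secret placed just after the incoming record. `reply_unchecked` trusts the payload length claimed in the message header and so copies the secret into its reply; `reply_checked` applies the kind of bounds check the fix introduced, comparing the claimed length against the record that actually arrived, and rejects the malformed request. All function and constant names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a TLS heartbeat handler (added example, not OpenSSL's
 * code). A heartbeat record is: type (1 byte), payload length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3

/* Constructed stand-in for the server's process memory: the incoming record
 * sits at the front and unrelated data (a hypothetical session secret) sits
 * right after it, as it might on a real heap. */
static uint8_t process_memory[128];
static const char secret[] = "SESSION=abc123;PASSWORD=hunter2";

/* Write a heartbeat request into process_memory. claimed_len is what the
 * header says; actual_len is how many payload bytes really arrived.
 * Returns the real record length (what a TLS record layer would report). */
size_t make_record(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (uint8_t)(claimed_len >> 8);
    process_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(process_memory + HB_HEADER, payload, actual_len);
    size_t record_len = HB_HEADER + actual_len + HB_PADDING;
    memcpy(process_memory + record_len, secret, sizeof secret);
    return record_len;
}

/* Shared reply builder: copies payload_len bytes that follow the header. */
static long build_reply(uint16_t payload_len, uint8_t *out, size_t out_cap) {
    size_t total = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (total > out_cap) return -1;
    /* Simulation-only guard so the model never reads outside process_memory;
     * the original bug had no such limit. */
    if (HB_HEADER + (size_t)payload_len > sizeof process_memory) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, process_memory + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (long)total;
}

/* Vulnerable form: trusts the length field in the record header, so a
 * request that claims more payload than it carries is answered with
 * whatever memory happens to follow the record. */
long reply_unchecked(size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;  /* the real record length is never consulted */
    uint16_t payload_len = (uint16_t)((process_memory[1] << 8) | process_memory[2]);
    return build_reply(payload_len, out, out_cap);
}

/* Hardened form: header + claimed payload + padding must fit inside the
 * record that actually arrived; otherwise the request is silently dropped.
 * This is the shape of the bounds check that the fix added. */
long reply_checked(size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < HB_HEADER) return -1;
    uint16_t payload_len = (uint16_t)((process_memory[1] << 8) | process_memory[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > record_len) return -1;
    return build_reply(payload_len, out, out_cap);
}

/* Demo aid: does the reply contain the secret bytes? */
int reply_leaks_secret(const uint8_t *buf, long n) {
    size_t slen = sizeof secret - 1;
    if (n < 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[256];
    size_t rl = make_record(60, "hello", 5);     /* header claims 60, carries 5 */
    long n = reply_unchecked(rl, out, sizeof out);
    printf("unchecked: %ld bytes, leaks secret: %d\n", n, reply_leaks_secret(out, n));
    n = reply_checked(rl, out, sizeof out);
    printf("checked:   %ld (negative means rejected)\n", n);
    return 0;
}
```

The point to take from the model is that the length the peer supplies is untrusted input: the only trustworthy bound is the size of the record the transport actually delivered, which is exactly what the hardened form compares against. A request with a consistent length (claimed 5, carrying 5) passes both versions unchanged, so the check costs legitimate clients nothing.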

Anyone who has used an affected website could potentially have had their information accessed.

Australia's banks have moved to reassure customers. Most have said they are unaffected, since most do not appear to be using OpenSSL for their online banking websites.

So far Fairfax Media has been able to confirm the Federal Court's Commonwealth Courts Portal, JB Hi-Fi, Priceline and Australia's Community Emergency Response Team websites were vulnerable and have been patched or are in the process of being patched.

Several other Australian business websites are also known to have been exposed and have not been patched against Heartbleed.
