As you may be aware, a dangerous vulnerability in OpenSSL was disclosed on April 7, 2014. Named the Heartbleed Bug (CVE-2014-0160), this vulnerability affects the popular OpenSSL cryptographic library. Essentially two-thirds of all websites on the Internet use OpenSSL to secure their data.
What is OpenSSL?
OpenSSL is an open source implementation of the SSL/TLS security protocols used to encrypt information sent across the Internet.
Where is OpenSSL used?
Primarily in the open source world. Many hardware and software vendors build this open source library into their applications, services, or websites.
Where is OpenSSL NOT used?
OpenSSL is very seldom used in the Microsoft world. Microsoft uses a proprietary SSL/TLS implementation called "SChannel" in IIS, Exchange, SQL Server, Active Directory, ISA, and various other Microsoft products. SChannel was not affected by the Heartbleed vulnerability.
Java and Apple both typically use an SSL/TLS implementation other than OpenSSL, and those implementations were also not affected by the Heartbleed vulnerability.
Should I stop using OpenSSL?
No, not at all. There is nothing inherently wrong with the library itself, as evidenced by its widespread mainstream adoption. This was simply a development oversight that was remedied as soon as it was discovered.
Heartbleed creates an opening in SSL/TLS, the encryption technology indicated by the small closed padlock and "https:" in web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even when the padlock is closed. Interlopers can also grab the keys used to decipher encrypted data without the website owner knowing the theft occurred.
Very sensitive data sits in a server's system memory, including the keys used to encrypt and decrypt communications that carry usernames, passwords, credit card numbers, and so on. The Heartbleed Bug allows an attacker to potentially retrieve those secret keys, which would permit the attacker to read any communication intercepted to or from the server as if it were not encrypted. An attacker holding these keys could not only read the data but also impersonate the secure site/server in a way that would fool a browser's built-in security checks.
Unfortunately, there is not a universal method of identifying if your information has been compromised. If you have reason to believe that your data may have been compromised, please contact your account manager and we will assist you to the best of our abilities.
To help safeguard your data assets, Compudyne is taking preventative measures by scanning internet-facing services for our Managed Services and Hosted Services (datacenter) customers to search for the Heartbleed vulnerability. We will be contacting clients who exhibit potential vulnerabilities. We are performing this service on a "best-effort" basis and do not guarantee exhaustive results. If you have further concerns or if you wish to opt out of this service, please inform your account manager.
Compudyne has compiled a list of our Products and Services that you may use. Included in this list are products that were affected by Heartbleed and have been patched, but may require additional end user actions. In addition, there are Compudyne products listed that were not affected.
Please take a moment to go through the list. If any action is needed, instructions will be provided.
Compudyne recommends changing passwords for all sites/services that have been affected, but ONLY after they have been verified as "Patched". Changing passwords before the site/service is patched only exacerbates the issue.
If you have any questions or concerns, we are always here to help. Please contact us at firstname.lastname@example.org or 877-630-6640.