Executive and Technical Blogs
Heartbleed Security Vulnerability Update
To our valued customers,
Part of our strategy at ALI is to inform you of critical and potentially meaningful events as they directly relate to your systems and infrastructure. Below are direct details going through each aspect of the HeartBleed bug and what we’re doing for our clients who are potentially vulnerable.
1. What is it?
A bug has been found in a commonly used security system across many platforms and services that has the potential to destroy security measures, compromise sensitive data and even impersonate the compromised systems. The HeartBleed bug may be the largest security hole exposed to date inside of internet systems.
Simple Explanation with a video at the bottom
2. Who is affected?
If you're running any of these versions of OpenSSL 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1, you are affected by this vulnerability essentially meaning your encryption is effectively void.
3. What is ALI doing for our clients?
For customers whose infrastructure we manage and support, we’re proactively assessing and reaching out to prepare and implement any necessary remediation. Additionally, for customers whom we know have implemented these systems we’re proactively reaching out and discussing strategies to address the problem.
4. What should I do?
At a Personal level, Change your passwords, all of them for any internet based site that you frequent regularly. Expect notices from businesses that have to re-certify and protect customers.
For your own organization; if you’re aware that you’re using this Certification system, it must be patched immediately and we can help your team manage that process. Once patched, changes to passwords and other associated information with your certification is critical as the length of time this issue has been in the wild isn’t clear.
5. Is Patching enough?
It is NOT ENOUGH to simply patch the site. If the server ever had this vulnerability, we should consider the private key compromised because there is no way to tell if it was stolen. This means we must re-key any secure certifications and if usernames and passwords were built into the data system, resetting those systems and forcing password changes immediately.
For any direct questions associated with this issue feel free to call our Technical Support line at 1(800)-283-2648 Option 2 and our team will schedule a conversation to review and discuss any necessary remediation.