Heartbleed Vulnerability Response

April 9, 2014 by Brian Ghidinelli

You have likely received a number of emails or seen blog and social media posts regarding security vulnerability CVE-2014-0160, which is being called the Heartbleed Bug. It affects OpenSSL, an underlying library that encrypts information sent across roughly 60% of the Internet. It's what powers the "S" in https:// when you access secure web sites, and why you see the lock icon in your web browser.

This vulnerability is quite serious because it allows a remote attacker with no special permissions to potentially access encryption keys and other sensitive data stored in the memory of secure servers on the Internet. It has been used to access passwords from Yahoo mail. That is really about as bad as it can get in security terms.

The good news is not every version of OpenSSL is vulnerable. We performed an audit of our servers yesterday and found all of our public-facing infrastructure uses a safe version of OpenSSL. We had two private, internal hosts using a vulnerable version which were patched immediately. While we did not find any evidence of remote access, this particular exploit is not easy to trace. Despite the low probability that those hosts may have been compromised, we have rekeyed our SSL certificates across all of our servers and are changing administrative passwords.
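A version-audit check of the kind the paragraph above describes, added here as an example; it is not the company's own tooling. The affected range it encodes (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g; the 0.9.8 and 1.0.0 branches never had the TLS heartbeat code) matches the upstream OpenSSL advisory for CVE-2014-0160. The sample banners are constructed, and the function names are mine.

```shell
#!/bin/sh
# Classify an `openssl version` banner against the Heartbleed-affected range.
# Affected upstream releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# Fixed in 1.0.1g. Not affected: 0.9.8.x and 1.0.0.x (no heartbeat support).
#
# Caveat: distributions often backport the fix without changing the version
# string (a patched package may still report 1.0.1e), so "affected-range"
# means "check the package changelog or rebuild", not "confirmed vulnerable".
classify_openssl_version() {
  banner="$1"
  # Second whitespace-separated field, e.g. "1.0.1e" or "1.0.2-beta1".
  ver=$(printf '%s\n' "$banner" | awk '{print $2}')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)  echo "affected-range" ;;
    1.0.2-beta1)                    echo "affected-range" ;;
    1.0.1[g-z]*|1.0.2*|1.1*|2.*|3.*) echo "fixed" ;;
    0.9.*|1.0.0*)                   echo "not-affected" ;;
    *)                              echo "unknown" ;;
  esac
}

# Run the classifier against the OpenSSL binary on this host.
# Falls back to a placeholder banner when the binary is missing.
audit_local_openssl() {
  banner=$(openssl version 2>/dev/null || echo "OpenSSL unknown")
  printf '%s -> %s\n' "$banner" "$(classify_openssl_version "$banner")"
}

# Constructed sample banners, one per branch of the classifier.
SAMPLE_BANNERS="OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 1.0.2-beta1 24 Feb 2014
OpenSSL 1.0.0l 6 Jan 2014
OpenSSL 0.9.8y 5 Feb 2013"

# Classify each sample banner, then the local host.
printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r line; do
  printf '%s -> %s\n' "$line" "$(classify_openssl_version "$line")"
done
audit_local_openssl
```

Because heartbeat requests leave no trace in normal server logs (which is why the post calls the exploit hard to trace), a package-level audit like this is the practical first step; anything classified "affected-range" should be confirmed against the distribution's changelog, then patched, rekeyed and have its credentials rotated, as the post describes.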

At the moment we do not believe it is necessary to force a password reset on all users. However, we would encourage everyone to change their passwords periodically, and today would be a good day to start. We also strongly recommend using a password manager to remember unique and complex passwords for you. Our favorite is LastPass.
