The same day that Microsoft ceased supporting Windows XP with security patches was also the day a vicious little monster was discovered – the Heartbleed bug, which renders privacy in the OpenSSL cryptographic library completely obsolete. Basically, anything utilizing the OpenSSL open source library is at risk here. Websites utilizing this form of encryption include Yahoo! Google, and Facebook. To put it in perspective, sites that utilize OpenSSL number more than two-thirds of the entire World Wide Web. Though this bug only applies to versions 1.0.1 and 1.0.2 beta of OpenSSL, hackers are able to obtain private keys which can be used to obtain sensitive information from countless people all around the world. Nothing says “heartbreak” like having your identity stolen and your sensitive data intercepted.
The bug itself isn’t the result of a design flaw in the SSL/TLS specification, but is more of an implementation problem. It is a programming mistake that allows for leaks in sensitive information from any applications and services using OpenSSL. Normally, bugs like this are detected and fixed before they get too out of hand. However, this one has left particularly large amounts of data exposed since as early as December 2012. Furthermore, this bug leaves no traces and you probably won’t know if you’ve been exploited until it’s already too late. A fix has been released and all web site service providers are now scrambling to remedy this issue. If you are concerned about the security of your private information and passwords we suggest you contact each of the web site providers you do business with.
Here is a list of affected websites. If you have accessed any infected site over the past two years, you should change your passwords just as soon as the website operator has patched their systems.
If you aren’t sure if a site has been affected by heartbleed, or if the website has applied a patch that fixes the problem, type the website URL into this checker and it will tell you if the website was affected.
The IronEdge support team along with our vendors and partners constantly scour the web for new exploits and security vulnerabilities to ensure our infrastructure along with our client’s is fully patched and secure at all times. Upon learning of this new vulnerability we immediately took action to review and remedy any vulnerable systems and services. While the vast majority of our internal and client systems were not impacted some did require remediation. A list of those services and their status is below:
IronEdge Internal & Back Office Systems – Not susceptible to this exploit
ManagedIRON Support & Remote Control Systems – Not susceptible to this exploit
EmailEdge Anti-Spam & Antivirus Filtering – Not susceptible to this exploit
EmailEdge Archiving & Email Continuity – Not susceptible to this exploit
EmailEdge Encryption (ZixMail) – Fully patched on April 9th
SyncstorEdge Cloud File Sharing – Fully patched on April 8th
BackupIRON Professional – Not susceptible to this exploit
BackupIRON Enterprise – Not susceptible to this exploit
There is no evidence of any attempts against our infrastructure. One thing we can all be certain of is that these attacks and vulnerabilities will continue, and that IronEdge will stay up to date on protecting our customers from the newest and greatest threats. Whether it’s a brand new spam attack or a security hole affecting the majority of the internet, we’ll be here to help keep your data safe and secure.