The HeartBleed vulnerability was recently announced and affects OpenSSL (the open source software that encrypts the traffic to and from the majority of websites around the world) exposes a wide range of critical data to potential attackers. To quote from heartbleed.com:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Are you at risk from the HeartBleed Vulnerability?
The vast majority of Xecunet servers were not at risk, as they are using a version of OpenSSL that is not vulnerable to this attack. The servers handling our customer websites were all patched on the evening of Monday April 7th (the day this vulnerability was announced, and thus the first day patches were available). We have no reason to suspect that in the interim any customer SSL keys were compromised, as the attack is somewhat sophisticated, and with an estimated half-million sites vulnerable around the world, many of which are very high profile, the hackers will the skill sets required to execute this attack are more likely interested in going after high value targets such as financial institutions.
If you’re responsible for maintaining a server and aren’t sure if you’re vulnerable, contact us at firstname.lastname@example.org, we’d be happy to work with you to assess your situation with regards to the Heartbleed bug.