Heartbleed Bug Update: Change Passwords
SSL (Secure Sockets Layer) is used for encrypting information on the internet. OpenSSL is open-source software for SSL implementation across the Web.
18 April 2014
Since our last post we have continued digging into the Heartbleed topic, to find out whether there was even a remote possibility of exposure. We found a potential vulnerability at Akamai, our internet-acceleration service provider, which Akamai has announced publicly.
Out of an abundance of caution, we requested that all of our customers immediately change their passwords.
We made this recommendation despite the fact that our own core platform web servers are isolated from the public internet and thus not affected; nor were our own SSL appliances. Only the internet-acceleration service we use was affected.
Background on the Heartbleed Bug
SSL (Secure Sockets Layer) is the most widely used means of encrypting information on the internet, and it mitigates the potential for someone to eavesdrop on you as you browse the Internet. OpenSSL is open-source software for SSL implementation across the Web. Akamai previously used the affected version of OpenSSL.
Akamai has stated that they had already patched their servers days before Heartbleed was publicly disclosed by OpenSSL. However, since Akamai (and the rest of the world) had been vulnerable for the time prior to the patch, we have been working with them to address any potential residual risk from their exposure. They have already rotated all of our certificates to ensure that we are not exposed to this issue from any possible exploit prior to the fix.
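A customer who is told "your certificates have been rotated" can verify that claim rather than take it on trust: the certificate a server presents carries a notBefore date, and a certificate issued after the vulnerable period was patched cannot have had its private key leaked through Heartbleed. The following check is an added example, not code from Intralinks or Akamai. It parses the validity window straight out of DER with the standard library only, and compares notBefore against a cutoff. The cutoff used here, 7 April 2014, is the public disclosure date of Heartbleed, which is general knowledge rather than something stated in this post; the two sample certificates are constructed in the block, unsigned, with placeholder issuer and key fields, so that the example runs offline.

```python
"""Verify that a certificate was issued after a cutoff date (added example)."""
from datetime import datetime, timezone

# Public disclosure of Heartbleed (assumption: not taken from the post above).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value, next_pos).
    Single-byte tags only, which covers everything in an X.509 outer layout."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280 maps 50-99 to 19xx, 00-49 to 20xx
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = f"{year}{text[2:]}"
    elif tag != 0x18:  # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs = _children(cert)[0]          # tbsCertificate is the first child
    fields = _children(tbs)
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version wrapper
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def issued_after(der, cutoff=HEARTBLEED_DISCLOSED):
    """True when the certificate's notBefore is on or after the cutoff."""
    not_before, _ = certificate_validity(der)
    return not_before >= cutoff


# --- constructed sample input below; not real certificates ----------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_sample_cert(not_before, not_after):
    """Build an unsigned certificate skeleton with the real field order so the
    parser above has something to walk (placeholder issuer/subject/key)."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                     # [0] version v3
        _der(0x02, b"\x01"),                                 # serialNumber 1
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _der(0x30, b""),                                     # issuer (placeholder)
        _der(0x30, utc(not_before) + utc(not_after)),        # validity
        _der(0x30, b""),                                     # subject (placeholder)
        _der(0x30, b""),                                     # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


SAMPLE_OLD = make_sample_cert(datetime(2014, 1, 15), datetime(2015, 1, 15))
SAMPLE_NEW = make_sample_cert(datetime(2014, 4, 10), datetime(2015, 4, 10))

if __name__ == "__main__":
    for name, der in (("old", SAMPLE_OLD), ("rotated", SAMPLE_NEW)):
        nb, na = certificate_validity(der)
        print(name, nb.date(), "to", na.date(), "post-disclosure:", issued_after(der))
```

Against a live endpoint you would feed `issued_after()` the bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`. A notBefore that predates the patch is not proof of compromise, but it is exactly the case a customer should ask their provider about, because a certificate minted before the fix may have had its key read out of memory while the server was still vulnerable.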
We believe the best way to completely address the perceived or real risk is to tell users to change their passwords. So, out of an abundance of caution, this is exactly what we are doing.
There is some encouraging data out there suggesting that this bug was genuinely unknown before public disclosure. According to published reports, the first scans attempting to exploit Heartbleed started on April 9th, days after our internet-acceleration service provider patched their servers. Therefore, we believe it is highly unlikely that any data transmitted to or from our servers through our internet-acceleration vendor has been compromised.
But better safe than sorry. We will keep you updated.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.