This past Tuesday, the Internet groaned under the weight of a serious new security vulnerability called HeartBleed. If you’re in IT, you’ve likely already heard about this. Like me, you probably spent the better part of the day learning about and dealing with it. You may be dealing with it for days to come either as an IT professional or just as an average user of the Internet.
TrackAbout was fortunate – our service offerings were NOT affected by the vulnerability.
HeartBleed is a Big Deal™ and many popular services are affected. To learn more:
- Read this great write-up from Ars Technica.
- Read the Vulnerability Note published by CERT.
- Read this take on it by one of my favorite security researchers, Brian Krebs.
- HeartBleed has its own dedicated information site at http://heartbleed.com
- Googling HeartBleed may lead to heartburn.
At TrackAbout, our web and application servers run on Microsoft Windows Server and therefore do not use the OpenSSL library in question. While we do have load balancers that run Linux, they were proven not to be vulnerable to the bug.
We did have one Linux server, running some internal tools used by our employees, that had a vulnerable version of the OpenSSL library. We patched it within an hour of learning about the vulnerability. We revoked our existing SSL certificate, generated a new certificate using a new private key, and installed it on the affected server. Finally, we had all employees change their passwords.
We must remain ever-vigilant and respond quickly to threats. TrackAbout has a culture of good security practice stretching back a dozen years. Here are just a few of the measures we take with respect to security (and this is by no means a comprehensive list):
- We review all server and software updates on a regular basis and patch our servers on a schedule.
- We fast-track the testing and installation of updates when security is at risk.
- We use best-of-breed security network appliances such as load balancers, firewalls, VPN devices and Intrusion Detection Systems (IDS).
- We run monthly internal and external automated penetration tests and address any findings as quickly as possible.
- We use strong, always-on encryption (HTTPS) for the application services our customers depend on, and we order the cipher priority so that the strongest ciphers are negotiated first.
- We enforce strong password policies for our employees and encourage use of two-factor authentication whenever possible.
- In our service offerings, we use best practices for storing hashed passwords with random, unique salts and a high work factor.
- We subscribe to email notifications from US-CERT.
- We follow the blogs and Twitter feeds of several leading security researchers such as the aforementioned Brian Krebs and the estimable Bruce Schneier.
- We read security-related subreddits like /r/netsec.
- We listen to the excellent Security Now! podcast from Steve Gibson and Leo Laporte of the TWIT network every week as part of our continuing education regarding security matters.
- Because people are always the weakest link in the security chain, we circulate regular reminders and stories regarding security pitfalls and practices among our employees to keep security top of mind.
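To illustrate the password-storage practice named in the list (a random, unique salt per password and a high, adjustable work factor), here is an added example using only the Python standard library. It is not TrackAbout's code and the post names no particular algorithm; PBKDF2-HMAC-SHA256, the 600,000-iteration default and the `algorithm$iterations$salt$digest` record layout are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Work factor: the PBKDF2 iteration count (an assumed value for this example).
# Every stored record carries its own count, so the policy can be raised later
# and old records upgraded at the user's next successful login.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"  # assumed label for the record format


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and work factor; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed record never verifies
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the digests first differ
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record is malformed or below the current work-factor policy."""
    try:
        algorithm, iterations_str, _salt_hex, _digest_hex = record.split("$")
        return algorithm != ALGORITHM or int(iterations_str) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demo: the same password yields two different records
    # because each gets its own salt, yet both verify.
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print("records differ:", first != second)
    print("both verify:", verify_password("correct horse battery staple", first)
          and verify_password("correct horse battery staple", second))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", first))
```

On a successful login, call `needs_rehash` on the stored record and, if it returns True, replace the record with a fresh `hash_password` result; that is how the work factor gets raised across a user base without forcing password resets.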
The fallout from the HeartBleed vulnerability will undoubtedly be significant in terms of compromised user accounts and systems. We feel for our IT compatriots.
We encourage everyone out there to learn how to protect themselves from this particular vulnerability. Even if you don't run systems yourself, systems that you use may have put you at risk.
Chief Technology Officer