On Monday April 7th, widespread reports of the Heartbleed bug hit the media. Original reports suggested this could affect more than 60% of the internet from communications to financial institutions. If you haven't already, you should change your email, social network, and banking passwords. Even though major networks like Twitter, LinkedIn, and most U.S. banks reported that they did not use OpenSSL, you may have used the same password on an exposed website and therefore, you should change your passwords on non-exposed sites.
Yahoo was hacked after the bug announcement so you should definitely change any accounts on Yahoo, Tumblr, Flickr, Delicious, or other Yahoo property. If Adviatech is managing your Tumblr account, we have already secured it as of Tuesday April 8th.
Adviatech's servers utilize the OpenSSL libraries for secured connections. The server patch for the vulnerability was released at the same time as the public announcement. We had our security personnel install that patch immediately upon release throughout our fleet of servers. In fact, it was installed on Adviatech's servers 15 hours before the data center sent out the mandatory security advisory.
We have reviewed our servers in great detail and do not believe any data was exposed due to this bug. We secured the vulnerability as the reports were made public and we have seen no unusual behavior to indicate unauthorized access. Of course we could have just installed the patch and went about our day, but that wouldn't be sufficient. Below is a detailed outline of how we responded to this matter and what you need to do next.
Our Security Policy
In 2010, Adviatech produced an updated Digital Security and Disaster Recovery Plan which outlined procedures in the event of an “Internet-wide security meltdown”. The Heartbleed bug is probably not a “meltdown” but we had the procedures in the place and acted accordingly. Our security policy is governed by a very clear directive:
"If there is ever a possibility, even if highly improbable or unlikely, that a security breach has or could have taken place, we are to assume it did.”
With the patch installed, we had a long week ahead of us as we worked to secure everything as if a security breach had taken place... even though it was improbable.
The patch was installed which was step 1. Then, we deleted all service level SSL certificates and reissued new SSL keys. After that, we re-issued client level SSL keys. All cPanel account passwords were changed to random generated passwords. If you need to access your cPanel account, contact your account manager.
YOUR ACTION MAY BE REQUIRED
In an abundance of caution, we changed the password to every super-admin WordPress account. You should change your individual account logins easily by going to YOURWEBSITE.com/wp-admin/ and clicking on “lost password”. Type in your username and your website will email a link to you to reset your password.
If you never requested an admin account to your website, you don't need to do anything.
Third Party Accounts
Having secured the servers, your website, and directly controlled web properties, we moved forward with the daunting task of evaluating third party profiles. When we multiply all of the social profiles we manage from major networks to secondary networks and other profile, we have thousands of client profiles with usernames and passwords.
We use a third party to manage automated social network syncing. After working with them to quickly secure their servers from the vulnerability, we did the following:
- Scanned every social networking site to make sure the site was never vulnerable or had installed the patch and was no longer vulnerable.
- Changed each password to each account for each client.
- Establish a new sub-accounts in our management system and created new connections.
If a social network had not installed the patch by Thursday, April 10th, we dropped them altogether. We can't risk using a network that is so lackadaisical about their security that they let a publicly reported bug exist on their network for 4 days. This doesn't affect any major social network profiles.
No Password Duplication
Adviatech uses different password variations on all profiles for each client. In the future, if one network is hacked, we will only have to change the password on that one network. If we assigned the same password to every profile per client, then one network's security bug would mean another system wide password purging for all clients.
We quickly secured all of our communications, financial, and file storage services to make sure our company data was protected. Any systems running vulnerable versions of the Ubuntu Linux Operating Systems were patched. Microsoft Windows Operating Systems and Mac OS were not affected according to statements released by Microsoft and Apple. Most of Adviatech's systems utilize the Mac OS.
Your Financial Data
Adviatech is PCI Compliant and relies on third parties to store your billing information. Third party merchants like Authorize.net released a statement on April 9th saying, “Authorize.Net is unaffected by the Heartbleed vulnerability and is operating normally.” Most financial institutions and transaction companies were not vulnerable to the bug including PayPal.
Here is what you need to do:
- Change your website's WordPress passwords if you have an administrator account.
- Talk to your IT personnel about changing your email passwords. While probably not necessary, its a good time to review your internal security.
- Review your personal social network accounts and update your passwords.
- Establish a disaster recovery plan for your law firm. IBM has a basic template that can be accessed here, http://adviate.ch/1qW2Cto. At the very least, you should keep an inventory of your online accounts.
Since social networks play a big role in the distribution of your monthly content, we do expect some delays with your content distribution this month.
To tightly control the exposure of information, only a small handful of Adviatech's team members are authorized to access every client's information. We have been working non-stop since Monday April 7th to make sure our systems, your information, and the services we rely on are secure. It has been exhausting and we are all looking forward to getting a little sleep and returning to our normal operations.
We appreciate your patience and thank you for being a part of the Adviatech family.
Here are some helpful resources:
Mashable – The passwords you should change - http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
IBM – Disaster Recovery Plan Template - http://adviate.ch/1qW2Cto