Written April 11, 2014
Earlier this week researchers publicly announced a major security vulnerability (known as 'Heartbleed') in some versions of OpenSSL, a popular software library used to encrypt communication between web servers and clients. If successfully exploited, vulnerable versions of OpenSSL could reveal sensitive information that would usually be protected by encryption.
OpenSSL is utilized in several parts of IT Freedom's network infrastructure. This email describes the actions that IT Freedom has taken in response to the disclosure of this vulnerability and discusses actions you can take to protect the security of your information.
How has IT Freedom addressed this threat?
IT Freedom engineers patched the impacted components of our network infrastructure within hours of the announcement of the vulnerability. We are actively monitoring ongoing developments concerning the impact of the vulnerability and will take any additional actions needed to mitigate the risks posed by this vulnerability to our systems and those of our customers.
What do I need to do in order to protect my information?
While the vulnerable OpenSSL libraries were--and in some cases still are--in wide use throughout the Internet, not all web services were impacted. Notably, Microsoft's web server is not vulnerable to Heartbleed exploits and users of Outlook Web Access have not been at risk of compromise through their use of that product.
Though we have no indication that any IT Freedom customer information has been compromised as a result of Heartbleed, out of an abundance of caution we are recommending two actions. First, we recommend that all users reset their password on our web support portal by visiting https://helpdesk.itfreedom.com/access/help. Second, we advise all Google Apps customers--particularly those not using 2-Step Verification--to reset their passwords.
Beyond these services we advise you to check with each of your particular web service providers to determine if a) they were/are vulnerable to Heartbleed and b) they have patched their systems to address the vulnerability. Changing your password for a web service that has yet to patch for the vulnerability will do nothing to secure your information.
If you have any questions about the impact of the vulnerability please email the Helpdesk at email@example.com