As you are probably aware, a major vulnerability in Internet infrastructure (referred to as Heartbleed), was recently identified for OpenSSL, the popular encryption software used by a large percentage of the web (most estimates put the figure at 2/3 of all web traffic). If you are unfamiliar with Heartbleed, this article from The Guardian gives a decent, non techie overview.
As security of our client data is of utmost importance to Trumpet, we have performed a detailed security review of the software and services that Trumpet uses. This post describes a review of software supported, created or used by Trumpet along with a status update for each. At the end of this post, we also present a list of recommended best practices that advisory firms should consider taking in the wake of Heartbleed.
Software and Service Vulnerability Analysis
Upload Portal - The server responsible for our secure upload service had a vulnerable version of the OpenSSL library. This server has been patched. To protect against the unlikely event that Trumpet’s encryption certificates have been exposed, our encryption certificates have been revoked and new certificates have been issued.
Worldox Cloud - We have received confirmation from World Software Corporation Cloud Support that no aspect of Worldox’s web infrastructure relies on OpenSSL
Worldox Web/Mobile (Hosted) - We have received confirmation from World Software Corporation Cloud Support that no aspect of Worldox’s web infrastructure relies on OpenSSL. If you use the non-hosted version of Worldox Web/Mobile (i.e. you run your own IIS web server), you should ask your IT support staff to ensure that OpenSSL is not used or has been fully patched.
Worldox Professional, Virtuoso, Attach Plus, Assemblage, Symphony Profiler, Symphony OCR - These applications are locally installed and are not SSL web-based applications. These types of applications are not impacted by Heartbleed.
Trumpet’s back up - Trumpet does not store client account data to long term storage
GotoAssist – The official blog post from Citrix says this does not impact current versions. To follow or read their updates, refer to this blog post.
LogMeIn-Rescue - The official blog post from LogMeIn says the Rescue service is not impacted. To follow or read their updates, refer to this blog post.
Join.me - The official blog post from LogMeIn says the join.me service is not impacted. To follow or read their updates, refer to this blog post.
Gotomeeting - The official blog post from Citrix says this does not impact current versions. To follow or read their updates, refer to this blog post.
Paypal – Trumpet uses PayPal for online payment processing. Paypal indicates Paypal is not impacted, but that they are reaching out to integration partners to see if partners are. We have not been contacted by Paypal, and have not seen any activity that would indicate a problem. To follow or read their updates, refer to this blog post.
What Should You Do?
We know you trust and rely on many web services to manage your business.
Considering the security community’s surprise at this undetected vulnerability, we recommend you perform a review of applications used for both work and personal use and ensure they are up-to-date. We also recommend changing passwords on any web based software or service that may have been affected.
If you change passwords on services that integrate with your Assemblage system (Salesforce, Dynamics, SSL protected mail servers), be sure to update your Assemblage configuration.
Here at Trumpet, our team prepared a list of all web based software and services we use, we then tracked vulnerability status for each. As each service was known to no longer be vulnerable, we then tracked password changes for each user to ensure that everyone changed their passwords.
As a best practice, we also strongly encourage you to use different passwords for each website – that way a breech in one service won’t result in your other services being compromised.
Finally, because many web services will be revoking and re-issuing encryption certificates as a result of Heartbleed, we recommend that you ensure that you are running the latest update of your web browser and ensure that it is configured to check for revoked certificates. This will prevent any man-in-the-middle attacks that take advantage of an old certificate. Speak with your IT provider for instruction for your specific browser.
If you have questions, please do not hesitate to contact our support team at firstname.lastname@example.org