Was TantumTech Affected? Along with around 70% of the internet, and an even greater percentage of servers which are used for hosting, our servers utilize openssl to handle SSL and TLS (encrypted) communication on our Web and Email servers, however unlike most others our response was immediate and rigorous. Within a matter of minutes from the public disclosure of CVE-2014-0160 aka the 'Heartbleed,' we manually patched all servers and services which were vulnerable, then early today (Tuesday) we upgraded OpenSSL on the affected servers with the standard patch (as soon as was available since initially we simply recompiled OpenSSL without heartbeat to close the hole). We then evaluated all traffic between the time of public disclosure and the patches being in place and can say with confidence no user accounts were intercepted after disclosure. However, the scarier part of this bug is that it has been vulnerable to exploit for two years, hence one (of many) of the major pieces of information putting the internet into a panic. BUT it is very conceivable and we would even say likely that this bug went unnoticed until the public disclosure on Monday because generally something this powerful and major would have typically been sold in the far reaches of the darknet and then abused, possibly resold, and so on which would be extremely unlikely or at least difficult to keep from being noticed in some sort, looked into, and eventually discovered or at least discovery that something was going on somewhere/with something - HOWEVER unfortunately it is completely impossible to determine, as it is of course possible.
We have re-keyed all of our certificates, revoking the old, to be on the side of caution and will continue to monitor, add to, build upon, and enhance our network & system security as is and has always been our top priority.
So what do you do? First, get educated. The Heartbleed bug affected the vast majority of the interent.
By far the most probable time of credentials being intercepted was on and after Monday April 7th, before that is a tossup and honestly no one at this point knows, and we may never know for sure, which is why everyone is recommending being on the safe side and changing your passwords no matter. First and foremost what you should be focused on is your activities as of Monday - what services/websites you logged into (via app, web, or desktop software), what email accounts you accessed (via app, web, or desktop software), and any other services which could be vulnerable (use SSL-https/ftps/imaps/pop3s/smtps) that you accessed. Contact the provider of each of those services to determine if you were vulnerable, if and when they were patched, and what they recommend. Do not change your credentials with any povider until you have confirmed that their services have been patched and are no longer vulnerable.
How about with us? As mentioned above, even though this exploit is literally undetectable (another major point) we are certain no credentials were intercepted from the time of public disclosure to the time we patched because the window of time between the two was extremely small and we had no vulnerable exchanges during that time which could have been intercepted. So in that case, your accounts with us are safe however especially because of the fact that we do not know the possibility of people exploiting this bug prior to Monday we will always recommend erring on the side of caution. Furthermore, the possibility of your credentials being identical across other websites or services which were vulnerable could additionally cause a breach of your account with services that weren't. These two facts are the primary reasons you have been hearing across the world to change your passwords, even though that very well may be overly cautious it is better safe than sorry. In addition, or at the least, we recommend utilizing two-factor authentication which is available on all of our services if you are not already utilizing them.
Two-factor authentication is always highly recommended as is a great way to secure your account because even if an attacker retrieves your username and password they can not access your account - even if they intercepted you entering the two-factor code it is worthless as it is a one-time use code. Two-factor authentication can be set up in different ways such as sending you a text-message code to enter after you login, or using a (T)OTP app on your phone (ie Google Authenticator), or even using a hardware key (ie YubiKey). You can configure two-factor authentication within the Client Center under "Account Security," and just last week we activated new Security Policies within WHM and cPanel - we encourage you log into your Hosting cPanel as soon as you can, you will be asked to set Security Questions which will be needed to be answered in the case of a login from an unrecognized network. For your accounts at other providers or websites, we recommend looking into if they offer two-factor authentication protection for your account.
What about your own website? If you have a website which provides products or services, aka utilizes an SSL Certificate (https), then you should look to your provider - again, your website was only potentially vulnerable if you utilize an SSL Certificate and your website runs on OpenSSL. If your website is on our hosting or your server is under our management, see the above and you need to make a decision - post-disclosure your users information was most likely safe dependent upon the traffic in the mid morning on Monday, however the question of if it was known and exploited by the underground prior to Monday is an important one which unfortunately can not be answered at least at this time, if ever. If you are not sure, just contact us and we would be happy to help and provide individual recommendations in regards to your account/website with us. What we do recommend no matter the case is to revoke and re-key your SSL Certificate as it is extremely important and if your private key was intercepted, malicious users can come back and unencrypt all secure communication even after the OpenSSL software has been patched - if you have your SSL Certificate with us, we will povide free assistance in revoking, regenerating, and reinstalling a new certificate.
If you have any questions in regards to the Heartbleed bug/exploit, your risk, what you can do, or two factor authentication do not hesitate to contact us and we would be happy to help.
Everyone who has a presence on the web needs to be aware, and become educated on, this heartbleed bug as you need to take steps to protect yourselves.
You can find more information via the following links:
- http://www.heartbleed.com Website setup to update the public on the Heartblead bug
- http://www.washingtonpost.com/national/what-you-need-to-know-about-the-heartbleed-bug/2014/04/09/231fd7e0-c05a-11e3-9ee7-02c1e10a03f0_story.html?tid=pm_pop "What you need to know about the heartblead bug" via The Washington Post
- http://www.montrealgazette.com/technology/What+Heartbleed+should+worried/9720665/story.html "What is heartbleed and should I be worried?" via The Montreal Gazette
- http://www.tomsguide.com/us/heartbleed-bug-to-do-list,news-18588.html "Heardbleed: Who was affected, what to do now" via Tom's Guide
- Alternatively, open a ticket or email us at firstname.lastname@example.org !
Tuesday, April 8, 2014