Network security is important to INFINETIX. The OpenSSL Heartbleed bug is actively being exploited and is getting significant press in the news. INFINETIX uses SSH as our primary access from the outside world to our customers’ services and Intellectual Property (e.g. Subversion code repositories, Bugzilla and other internal web services). SSH uses the OpenSSL library for key generation; however, SSH is not exploitable via the Heartbleed bug. Also, the OpenSSL version on the INFINETIX primary SSH server was not exploitable.
Please note that as an INFINETIX customer, you will have to take steps to secure your SSH private key. To learn more about what to do and why, read the section below titled INFINETIX SSH/SVN/Bugzilla Users: Action Required!
To read up on some of the security issues associated with this bug, a good forum is:
All internal servers at INFINETIX have now been updated to ensure they incorporate the latest fix for the Heartbleed bug.
Customer Product Vulnerability:
Any Linux and/or Android-based webserver/mailserver product that supports TLS/SSL connections is potentially vulnerable to this issue. Since INFINETIX has developed products with TLS/SSL services, we are examining those systems for vulnerabilities now. Some systems may have a vulnerable version of OpenSSL, but not be vulnerable, because the web services are not enabled. If you have concerns about your particular product, please contact us at 509-922-5629, or email your normal primary contact.
INFINETIX Website Vulnerability:
Our website http://www.infinetix.com is hosted via an outside service. Currently, no customer information is stored there.
SSL is enabled by default on this server, but we currently only use SSL for the login to internal blog postings. Also, the version of SSL used is not vulnerable to the Heartbleed bug.
Other Website Vulnerability:
OpenSSL is widely used by many services and companies. Because of this, we recommend updating your passwords on all services you currently use, once the Heartbleed bug is corrected.
CNET has a great article that lists the current status of many popular websites: whether they were vulnerable, and whether they have a fix in place:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
Digitaltrends.com has another good article and lets you test particular websites for the Heartbleed bug.
http://www.digitaltrends.com/computing/check-favorite-websites-vulnerable-heartbleed-bug/#!DwzYl
INFINETIX SSH/SVN/Bugzilla Users: Action Required!
As stated in the introduction, SSH used on our servers was not directly exploitable by the SSL bug; however, private keys on individual customers’ systems may have been compromised on systems outside of our control. As such, we will be revoking all old public keys on April 19, and will require new 2048-bit SSH2-RSA keys moving forward.
If you currently have access to one of the INFINETIX hosted services, please update your private key using the instructions from the “Accessing INFINETIX Repositories” document and send us your new public key as instructed.
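For administrators who accept the replacement keys, one way to check an authorized_keys file against the 2048-bit SSH2-RSA requirement above. This is an added example, not INFINETIX code or part of the “Accessing INFINETIX Repositories” document; the function names are hypothetical and sample_line() only builds constructed test input.

```python
import base64

MIN_RSA_BITS = 2048  # minimum size required by the notice above


def _field(blob, pos):
    """Read one SSH wire-format field: 4-byte big-endian length, then data."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def rsa_key_bits(line):
    """Modulus size in bits of an ssh-rsa key line; ValueError otherwise."""
    tokens = line.split()  # options before the key type are skipped over
    if "ssh-rsa" not in tokens[:-1]:
        raise ValueError("not an ssh-rsa key")
    blob = base64.b64decode(tokens[tokens.index("ssh-rsa") + 1], validate=True)
    key_type, pos = _field(blob, 0)
    if key_type != b"ssh-rsa":  # the label outside the blob can be edited
        raise ValueError("key type inside blob is not ssh-rsa")
    _exponent, pos = _field(blob, pos)
    modulus, _ = _field(blob, pos)
    return int.from_bytes(modulus, "big").bit_length()


def audit(text):
    """Return (line number, reason) for each key that fails the policy."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            bits = rsa_key_bits(line)
            if bits < MIN_RSA_BITS:
                findings.append((number, "RSA modulus is only %d bits" % bits))
        except ValueError as exc:
            findings.append((number, str(exc)))
    return findings


def sample_line(bits, comment):
    """Constructed test input: ssh-rsa line with a dummy modulus, not a usable key."""
    def pack(data):
        return len(data).to_bytes(4, "big") + data
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
```

Pass the contents of an authorized_keys file to audit(); an empty list means every key on file is RSA with a modulus of at least 2048 bits.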