Important: Widespread Security Breach – ‘HeartBleed’

April 10th, 2014

A widespread security breach, identified as HeartBleed, has potential implications for you and your teams in both your personal and professional lives. This breach, reported in the news earlier this week, creates a vulnerability that allows attackers to steal data either directly from your systems or through the online services you interact with, such as financial institutions, Intuit, TurboTax, social media and email. While we don’t want to cause a panic, we do want you to understand the severity of this issue. What makes matters more challenging is that the HeartBleed bug has been in play for two years and has impacted an estimated two-thirds of all websites on the internet.

Here’s what you need to know:

A “fix” was released on Monday and websites are currently in the process of fixing their bug-infected code. Technology authorities are advising you to wait for an official statement from the internet services you use with specific guidelines for changing passwords and any other protective activities they suggest. Changing a password before the website has been secured is useless; wait until you’ve got confirmation that the security hole has been fixed. That’s why Administrivia cannot provide a universal directive at this point.

Online Services Impacted by HeartBleed:

The following are notable services confirmed to be impacted. Change your passwords on these services ASAP.

  • GoDaddy ** Important: you could lose your domain name(s)
  • Intuit: Quicken, QuickBooks Online, and TurboTax ** Important: your identity could be stolen
  • Internal Revenue Service ** Important
  • DropBox
  • Box.com – at the time of this writing, it is not yet time to change your Box passwords. Monitor this page for updates. Changing your password before they have patched the issue will result in the need to reset your password a second time.
  • FaceBook
  • Instagram
  • Pinterest
  • Tumblr
  • Twitter
  • Yahoo
  • NetFlix
  • Google
  • Wunderlist
  • eBay

The following services have not been impacted. You may continue to use your current password:

  • Apple
  • BackBlaze
  • Amazon
  • Microsoft Online
  • Hotmail / Outlook Online
  • AOL
  • PayPal
  • Nordstrom
  • Target
  • Wal-Mart
  • LinkedIn
  • Evernote

The following banks have reported that they are safe from the exploit. If your bank is not on this list, you need to contact them and ask about HeartBleed:

  • Bank of America
  • Capital One
  • Chase
  • E*Trade
  • Fidelity
  • PNC
  • Schwab
  • Scottrade
  • TD Ameritrade
  • TD Bank
  • U.S. Bank
  • Wells Fargo

Summary of Actions Taken by Administrivia to Protect Our Managed Customers

Email Services Managed by Administrivia:

  • Google: Customers using Google are now protected, but should change their passwords ASAP.
  • RackSpace POP & IMAP Email: Customers using RackSpace Email are now protected, but should change their passwords ASAP.
  • RackSpace Exchange: Customers using RackSpace Exchange are not impacted and may keep their passwords if they like.
  • MS Office 365 Exchange Email: Customers using MS Office 365 Exchange are not impacted and may keep their passwords if they like.

Computers Managed by Administrivia and Other Devices:

  • Apple Desktop and Portable computers: Apple computers running Mac OS 10.9.x and 10.8.x are not impacted by HeartBleed. If you are running Mac OS 10.7.x or older you are vulnerable.
  • Apple iOS Devices: not impacted by HeartBleed.
  • Google Android Devices: not impacted by HeartBleed.
  • Network Printers: Many network printers are vulnerable, but are protected if you have a Meraki security appliance.

Servers Managed by Administrivia:

  • Synology File Servers: All Synology systems are impacted and we have been working with Synology on a patch. As of 12:35pm today, we have that patch and are in the process of remotely updating affected managed customers.
  • Web Sites and Servers: Few of our managed web sites and servers were impacted by HeartBleed. The ones that were affected have already been patched and there is no further action required on your part.
  • Apple Servers: We have verified that Apple file servers for all managed customers were not impacted by HeartBleed.
  • Microsoft Windows Servers: We have verified that Microsoft file servers for all managed customers were not impacted by HeartBleed.
  • Rumpus File Servers: We have verified that Rumpus file servers for all managed customers were not impacted by HeartBleed.

Network Equipment and Security Appliances Managed by Administrivia:

  • Cisco Meraki: At this time, we have patched all customers who purchased their Cisco Meraki devices from us. These customers may consider their systems protected and there is no reason to change VPN or Meraki Dashboard passwords at this time.
  • Cisco Switches: We have patched all Cisco switches of customers with active managed service plans. These switches were protected by the Meraki Security Appliances and may therefore be considered safe.
  • pfSense Firewall and Security Appliances: Many versions are affected by HeartBleed and should be updated to v2.1.1 ASAP. Owners of pfSense devices should *not* consider themselves protected or compliant within the scope of PCI and HIPAA regulations. These owners should reach out to us or another qualified firm to make these devices safe ASAP.
  • Other Devices: Although we do not manage security appliances other than Cisco / Meraki, we will respond to requests to review your network security and let you know if you are impacted.

VoIP Phone Services Managed by Administrivia:

  • Vocalocity/Vonage Customers: Our customers using Vonage Business are receiving patches to affected phones through our auto-provisioning service. You may consider your devices protected and there is no action needed on your part.