As you may already know, on April 7th, the OpenSSL Project released an update to address a vulnerability nicknamed the "Heartbleed Bug". This vulnerability affects a substantial number of applications and services running on the Internet. The Heartbleed Bug is a serious security vulnerability in the popular OpenSSL cryptographic software library; it allows the stealing of information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed Bug vulnerability allows a hacker on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. In addition, it allows attackers to eavesdrop on communications, steal data directly from the services and users and impersonate the services and users.
Here at CollaborateMD, we have performed an internal audit of any exposure to the recently discovered SSL vulnerability exposed within the Heartbleed Bug. Based on the results of our internal audit, we have properly mitigated any risks within our environment and to our services. Additional audit findings show the likelihood of a problem occurring to be relatively small for our users.
However, the overall risk is greater than any of us should be willing to challenge. We are taking the following proactive measures to ensure each of our environments remains safe and secure:
- We are requiring each user to change their password to ensure the safety and security of their CollaborateMD (CMD) account(s).
- On Wednesday morning, April 16th, 2014, a forced password reset will be applied to all user accounts during their next login.
- Users who recently changed their password (on or after mid-afternoon of April 13th, 2014) and prior to the forced password reset will NOT be required to reset their password.
- We encourage all users to reset their own CollaborateMD (CMD) account passwords (IdeaExchange, Self-Service Portal, Collaboration Compass, CollaborateMD Portal, etc.). We do not have any evidence that these passwords have been compromised, but any time a large-scale vulnerability is discovered, the safest thing to do is to rotate all of your login credentials.
- We recommend that you refrain from using the same username and password for multiple sites, as an exposure of one site leaves all others with the same (username and password) credentials vulnerable as well.
- We also recommend that each customer be especially vigilant with their own personal accounts and update them as well. Sites like Google, YouTube, as well as Facebook were all vulnerable to the Heartbleed bug.
For further information on the Heartbleed vulnerability, please refer to http://heartbleed.com