
Ots Labs

Ots Corporation "Heartbleed" Pro-Active Security Statement of Non-Compromise (PASSNC)

2014-04-08

Less than 24 hours ago, on Monday April 7th, 2014, an extremely serious vulnerability in the OpenSSL cryptographic library, dubbed Heartbleed (CVE-2014-0160), was made public. OpenSSL is used by around two-thirds of the internet. Security-related bugs and vulnerabilities occur regularly; however, this particular bug is so serious in both scale and nature that virtually every internet user will be affected in some way, whether directly or indirectly via third-party systems utilized by services they rely on.

Ots Labs wishes to advise that all customer data, including but not limited to OtsZone user profiles, is safe and has never been subject to this vulnerability. The only systems in our infrastructure affected by this vulnerability were a subset that form part of our CDN network, none of which house any customer or other sensitive data. These systems have since been patched, but we repeat: no customer data was or ever has been stored on these systems, given that they are simply part of our CDN network for distributing public files.

If nothing has been compromised, why are we making this statement? Ots Corporation / Ots Labs, like our customers, also employs and relies on various third-party services, and we ourselves are left wondering what action, if any, should be taken in relation to some of these services. Many organizations operate on the basis of only making a public declaration where something is known to have actually been breached. This may make sense in ad-hoc circumstances (you can't report what you don't know); however, we feel that given the scale of this vulnerability and the timing involved, it's only fair for companies and service providers to immediately inform customers of their status and of what, if any, follow-up action is required in relation to this issue for customers to best protect themselves. Therefore we are making this Pro-Active Security Statement of Non-Compromise (PASSNC) to provide peace of mind to you, our valued customer.

In summary, no follow-up action is required with relation to your OtsZone profile or any other services or data provided by and/or maintained by Ots Labs. You should however carefully consider your own infrastructure and all third-party services that you use and seek to find similar statements from the provider of the service or follow the advice given. In many cases, a password change is a sensible course of action even in the absence of any such advice.

Why is the Heartbleed bug so serious? Partly because of the scale—as noted above roughly two-thirds of all websites utilize the OpenSSL library—but also because of what it allows a potential attacker to achieve. Not only can the private keys (used to secure encrypted communications) be discovered, meaning all future and even past (captured) data can be decrypted, but arbitrary chunks of system memory can be read without leaving any trace whatsoever in server logs, opening up the possibility of remote retrieval of all sorts of sensitive data housed on the server—usernames, passwords, credit card details, etc.

Patching a given server doesn't take back the potential leaking or theft of this data which could have previously occurred, given that this vulnerability has been in the wild since early 2012. If the private key for a given domain's certificate has been stolen, patching the server also doesn't prevent future communications from being intercepted and decrypted; the certificate must be revoked and re-issued with a new key. Certainly certificate authorities will be inundated with a great many certificates being revoked and re-issued in the coming days and weeks. This is an extremely serious situation which the internet community and all stakeholders must now work together quickly to resolve for the sake of the security, privacy and peace of mind of all of us.
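A defender-side triage of the follow-up steps described above (patch, then re-key and re-issue certificates, then rotate credentials that sat in server memory), as an added Python example; this is not code from Ots Labs. The vulnerable version range is the one given in the OpenSSL advisory for CVE-2014-0160; the host records, field names and hostnames are constructed for illustration, and a distribution package that backported the fix can still report a vulnerable-looking version number, so a "vulnerable" verdict from the version string alone means "verify further", not "confirmed".

```python
import re
from datetime import date

# Per the OpenSSL advisory for CVE-2014-0160: 1.0.1 through 1.0.1f and
# 1.0.2-beta1 are affected; 1.0.1g fixed it; 0.9.8 and 1.0.0 never had the
# heartbeat code.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_vulnerable_version(version: str) -> bool:
    """True if an upstream OpenSSL version string is in the affected range.
    Backported distro fixes keep the old number, so True means 'check further'."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"   # '' (plain 1.0.1) .. 'f' affected, 'g'+ fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"     # only 1.0.2-beta1 shipped the bug
    return False


def triage(host: dict) -> list:
    """Constructed host record -> remediation actions still owed.
    'exposed_version' is the build that was reachable before any patch."""
    actions = []
    if not is_vulnerable_version(host["exposed_version"]):
        return actions
    if host["patched_on"] is None:
        actions.append("patch OpenSSL to 1.0.1g or a backported fix")
    # Patching does not undo earlier key exposure: a certificate whose key
    # existed while the vulnerable build was reachable must be re-keyed.
    if host["cert_not_before"] < (host["patched_on"] or date.max):
        actions.append("revoke and reissue certificate with a new private key")
    if host.get("holds_credentials", False):
        actions.append("rotate passwords/session tokens that lived in memory")
    return actions


INVENTORY = [  # constructed sample records, not real systems
    {"name": "cdn-edge-1", "exposed_version": "1.0.1e", "patched_on": date(2014, 4, 8),
     "cert_not_before": date(2013, 6, 1), "holds_credentials": False},
    {"name": "cdn-edge-2", "exposed_version": "1.0.1e", "patched_on": date(2014, 4, 8),
     "cert_not_before": date(2014, 4, 9), "holds_credentials": False},
    {"name": "legacy-app", "exposed_version": "1.0.0k", "patched_on": None,
     "cert_not_before": date(2013, 1, 1), "holds_credentials": True},
    {"name": "beta-box", "exposed_version": "1.0.2-beta1", "patched_on": None,
     "cert_not_before": date(2014, 3, 1), "holds_credentials": True},
]


def triage_all(inventory=INVENTORY) -> dict:
    return {h["name"]: triage(h) for h in inventory}


if __name__ == "__main__":
    for name, acts in triage_all().items():
        print(name, "->", acts or ["no action"])
```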

Adam Ots (@AdamOts)
CEO
Ots Corporation


For further information about the OpenSSL Heartbleed vulnerability, which affects HTTPS/SSL/TLS web servers all around the world, please see:
http://heartbleed.com/