Intrinsix vs. Heartbleed

As has been widely reported, a serious security flaw, known as Heartbleed (CVE-2014-0160), was recently discovered in the OpenSSL cryptographic library. OpenSSL is used by a very large share of websites and web-based services on the Internet, including many systems built and/or managed by Intrinsix. The flaw affects OpenSSL versions 1.0.1 through 1.0.1f (released between March 2012 and January 2014) and the 1.0.2 beta; it is fixed in 1.0.1g, released on April 7, 2014.

Because of the seriousness of this flaw, Intrinsix engineers have hand-audited every system we have built in the last four years that is still in service, including every system we manage today.

Our results have confirmed that none of our systems are exposed to this flaw today, and none of our systems were ever vulnerable to the Heartbleed bug at any time in the past four years.

No user data has been at risk or exposed. None. Zero.

If you are a user of a modern Intrinsix-run service such as Intrinsix Nautilus, Prometheus, Touchstone or Minerva, your use of these services has never been at risk of Heartbleed-related data theft. These applications have always used encryption that does not rely on the TLS heartbeat extension (RFC 6520), the feature Heartbleed exploits, for session management or any other purpose, so Heartbleed has had no attack vector against them. User logins and passwords have never been exposed and remain private. Any related Intrinsix-hosted data, including ERP and corporate data, were never exposed by Heartbleed and remain secure today.

Users of legacy software such as Intrinsix Pilot or RetroTraffic also remain secure. The OpenSSL version used in building these tools is outside the affected range (1.0.1 through 1.0.1f), and we have confirmed that no subsequent security update introduced the bug to the applications in question.

If your organization relies upon custom-built Intrinsix applications built from 2008 to the present, these applications were built following the same standards and are therefore not susceptible to Heartbleed-related attacks. You may verify this yourself using any of the publicly available tools for server or application analysis.

Note, however, that if you are running a self-managed and self-maintained Intrinsix application on your own web servers, the component that may be vulnerable is the OpenSSL build on those servers (used by the web server, the TLS terminator, or any other software that links OpenSSL), not the Intrinsix application itself; a vulnerable OpenSSL there exposes the whole stack, including the application and its user sessions. If you are unable to verify this yourself, we may be able to assist by conducting an external audit or providing recommendations relevant to your systems. Contact your Intrinsix representative to arrange such an undertaking.

At Intrinsix, we have always made security a very high priority, often to the short-term frustration of our clients and partners. We continue to believe that security is worth short-term inconvenience, however. Our research and internal audits over the last two weeks have reinforced our belief that we have always been on the right track in this regard: our engineering philosophy has played a large role in how we have avoided this and other security problems over the last two decades.

Our clients can remain assured that we will continue to treat their security and privacy very seriously in the future.

Sincerely,

Brian Barth,
Senior Systems Engineer, Intrinsix

April 10, 2014
