OpenSSL vulnerability 'Heartbleed'

(This is an UPDATE to my recent post in the threads asking about this. This is the latest news.)

As widely reported online, there's a serious bug in an incredibly widely used core component of web security. (See http://www.theregister.co.uk/2014/04/08/aws_heartbleed/ and many other places.)

Logos does not use this vulnerable OpenSSL implementation on www.logos.com or our core commerce sites, where credit card transactions happen.

Logos did use OpenSSL for Amazon Web Load Balancing, which our Proclaim in-app purchasing and statistical use data servers went through.

Everything is patched and updated. We addressed the issue very quickly.

Below is more detail from our development team. Please keep in mind that this bug (in a core, open source tool) is estimated to have affect one third of the Internet. So the chances that the vulnerability was being exploited specifically at Logos' servers is slim. Still, because of how widespread the issue was, you'll want to pay attention to transaction histories and credit card charges for cards you have used for e-commerce anywhere. (Which is always a good practice!)

We apologize for the inconvenience and uncertainty that this introduces.

From our developers:

For 99% of credit cards–those entered via www.logos.com or vyrso.com, I can say with a high degree of confidence that we didn't leak credit card data.

Credit cards entered when creating a new billing profile via Procliam's in app purchasing were vulnerable during transmission to the server. The certificate that was used on Amazon Web Services is also the same certificate used for the commerce web service that Proclaim uses for in-app purchasing.

Further, if someone managed to compromise the keys in use on our services hosted at Amazon, it's possible that they were able to compromise some usernames and passwords. The signin/signout web services also use the same certificate that was used at Amazon.

These are the two most glaring/obvious potential vulnerabilities from Heartbleed for us.

We have no reason to believe that anything has, in fact, been compromised.

Find more posts tagged with

Comments

Lynden O. Williams

Thanks Bob.

fgh

if someone managed to compromise the keys in use on our services hosted at Amazon, it's possible that they were able to compromise some usernames and passwords. The signin/signout web services also use the same certificate that was used at Amazon.

If that should be the case, could it affect any user, or does this part too only affect Proclaim users?

Lee

https://community.logos.com/discussion/comment/584344#Comment_584344

Thanks, Bob, for the timely announcement.

A quick question / recommendation: does Logos suggest any preventative measure by users? If so, who and what?

Jason Carwile

https://community.logos.com/discussion/comment/584383#Comment_584383

Though Logos' has announced its security, it is simple enough to simply change one's password and be assured no hacker can access your account. Now be aware, though they could not find any evidence of a security breach, that doesn't mean there wasn't, because this vulnerability is not traceable. The only assurance is if a version of SSL that is not vulnerable was being used, which is mostly true for Logos. I recommend simply changing your passwords for all the sites you use, making sure they have patched it first, because many people use the same password for varying logins. So if on a different site, a hacker acquired your password, he could try it on other sites since there are quite a few sites that use your email as a username.

Donnie Hale

https://community.logos.com/discussion/comment/584840#Comment_584840

Though Logos' has announced its security, it is simple enough to simply change one's password and be assured no hacker can access your account.

This is incomplete information. If you change your password on a site which has not yet addressed the vulnerability, you are putting your password into the memory of that system. Because the vulnerability allows access to some of that system's memory, your password now being there puts it at risk. If you're already logged in and have a working session, you're better off *not* changing your password if the site hasn't fixed the vulnerability yet.

http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

Donnie

Jason Carwile

https://community.logos.com/discussion/comment/584856#Comment_584856

Thank you for helping clarify this Donnie, but I did state "making sure they have patched it first" in my post.

Donnie Hale

https://community.logos.com/discussion/comment/584864#Comment_584864

Thank you for helping clarify this Donnie, but I did state "making sure they have patched it first" in my post.

Sorry I missed that...

DMB

https://community.logos.com/discussion/comment/584868#Comment_584868

I know Donnie will want to qualify (but it's coming from MJ's favorite news source), but for more potential issues mainly on business side:

http://money.cnn.com/2014/04/11/technology/security/heartbleed-gear/index.html

If you scroll down to the bottom, it rules out D-Link and Linksys (what we used to use). Not sure what our hotspot's doing; luckily Verizon keeps him safe I hope.

Donnie Hale

https://community.logos.com/discussion/comment/584942#Comment_584942

I know Donnie will want to qualify

I could, but I'll refrain. But it's really tempting!

Donnie

Lee

https://community.logos.com/discussion/comment/584947#Comment_584947

Perhaps Logos will want to issue a revised advisory in due course.

Rosie Perera

Further, if someone managed to compromise the keys in use on our services hosted at Amazon, it's possible that they were able to compromise some usernames and passwords. The signin/signout web services also use the same certificate that was used at Amazon.

Does this mean we should change our Logos.com passwords?

fgh

https://community.logos.com/discussion/comment/585030#Comment_585030

That's essentially what I was wondering further up, but without getting any answer. Perhaps if we add a comment to each other now and then, someone will see this eventually.[:)]

Lee

https://community.logos.com/discussion/comment/585182#Comment_585182

The problem is complicated. I'm sure there'll be talks and exchanges with devs, web partners, even the lawyers.

If Google and Amazon were struggling to come up with a definitive answer in the initial 48 hours, it will take companies like Logos a while to catch up.

Lee

https://community.logos.com/discussion/comment/585190#Comment_585190

A technical but accessible account of hearbleed: http://www.youtube.com/watch?v=1dOCHwf8zVQ

What the lecturer did not mention is that HB attacks did not raise any intrusion-detection alarms.