Customer Advisory: Heartbleed Bug
- Apr 14, 2014
- By Fusion Security Team
As you may already be aware, security researchers recently announced a security flaw in OpenSSL, the open-source encryption library used by the majority of websites to transmit data that users want to keep secure. The bug, known as Heartbleed, allows attackers to intercept secure communications and steal sensitive information such as login credentials, personal data, or even decryption keys such as those utilized in SSL website certificates.
At Fusion, we take your privacy and security very seriously. We continually perform security audits and diligently and persistently monitor our network to ensure that there are no vulnerabilities that could affect the services provided to you, our customers. In addition, we perform stringent testing including detailed validation and certification of any new piece of equipment being introduced in our network prior to putting it in production.
Like many service providers such as Google, Microsoft, and Amazon, once Fusion became aware of the Heartbleed vulnerability, we moved quickly to address it. Since this security issue was announced, we have performed extensive security audits within our network and services platforms to check for this specific vulnerability. Fusion has no evidence that the Heartbleed bug was used to access any Fusion data or services.
We have confirmed that our website and online portals are not impacted. In addition, Fusion has verified that equipment and configurations utilized in Fusion services, including customer premises equipment (CPE) and other components, either do not enable SSL access to the devices or have been found not to have the vulnerability in any of the production versions of the software code.
Fusion has evaluated the following services for any impact relating to the Heartbleed bug with the following results:
- MPLS – Not impacted
- Managed Security Services (MSS) – Not impacted
- Voice over IP (VoIP) – Customer equipment not impacted
- SSL VPN – Potential vulnerability identified; patch implemented and issue resolved
- Email and Web Hosting – Potential vulnerability identified; patch implemented and issue resolved
- Cloud Hosting – Not impacted
Fusion recommends that customers follow industry-standard security best practices, including the use of strong passwords, regular password rotation, and different passwords for different services. Customers should verify that any third-party software applications are not impacted and avoid sites and services that are impacted but not yet remediated. We recommend that customers not attempt to change passwords on services until those services have been remediated, as the password change request could expose sensitive account information.
For more information on the Heartbleed bug, here are some helpful links:
- General Information:
- How to Protect Yourself:
- Heartbleed testing tool:
- Source for public website services status for recommended password changes: