Posted on April 14, 2014 by Fusion Connect Security Team
As you may already be aware, security researchers recently announced a security flaw in OpenSSL, the open-source encryption standard used by the majority of websites to transmit data that users want to keep secure. The bug, known as Heartbleed, allows attackers to intercept secure communications and steal sensitive information such as login credentials, personal data, or even decryption keys such as those utilized in SSL website certificates.
At Fusion Connect, we take your privacy and security very seriously. We continually perform security audits and diligently and persistently monitor our network to ensure that there are no vulnerabilities that could affect the services provided to you, our customers. In addition, we perform stringent testing including detailed validation and certification of any new piece of equipment being introduced in our network prior to putting it in production.
Like many service providers such as Google, Microsoft, and Amazon, once Fusion Connect became aware of the Heartbleed vulnerability, we moved quickly to address it. Since this security issue was announced, we have performed extensive security audits within our network and services platforms to check for this specific vulnerability. Fusion Connect has no evidence that the Heartbleed bug was used to access any Fusion Connect data or services.
We have confirmed that our website and online portals are not impacted. In addition, Fusion has verified that the equipment and configurations used in Fusion services, including customer premise equipment (CPE) and other components, either do not enable SSL access to the devices or have been found not to have the vulnerability in any of the production versions of the software code.
Fusion Connect has evaluated the following services for any impact relating to the Heartbleed bug with the following results:
- MPLS – Not impacted
- Managed Security Services (MSS) – Not impacted
- Voice over IP (VoIP) – Customer equipment not impacted
- SSL VPN – Potential vulnerability identified; patch implemented and issue resolved
- Email and Web Hosting – Potential vulnerability identified; patch implemented and issue resolved
- Cloud Hosting – Not impacted
Fusion Connect recommends that customers follow industry-standard security best practices, including the use of strong passwords, regular password rotation, and different passwords for different services. Customers should verify that any third-party software applications they use are not impacted, and should avoid sites and services that are impacted but not yet remediated. We recommend that customers not attempt to change passwords on services until those services have been remediated, as the password change request could expose sensitive account information.
For more information on the Heartbleed bug, here are some helpful links: