The Heartbleed vulnerability in the open source library OpenSSL (CVE-2014-0160) has received a significant amount of attention this week. When this vulnerability is exploited, the server might reveal critical data such as usernames, passwords, or SSL private key information to an attacker. Many of our customers have asked us whether this vulnerability affects ITC's offerings, specifically Insurance Website Builder and AgencyBuzz. We are happy to confirm that Heartbleed does not affect our website and marketing products and services.
The Long Version
For those who like more than the short and sweet, I will explain further. For all of our servers and products, ITC uses Microsoft technologies for development and hosting. No version of Windows or IIS (the web server within Windows) uses OpenSSL; they instead use a proprietary encryption component, Secure Channel. Load balancers, secure web gateways and firewalls employed within the platform use Microsoft technologies and are not vulnerable to Heartbleed.
Specific to Insurance Website Builder customers, we use third-party vendors for email hosting. These vendors are IceWarp and Rackspace. While IceWarp does utilize OpenSSL, the 10.4.5 version that ITC uses for email hosting employs a branch of the OpenSSL library that is not vulnerable. As for Rackspace, they have confirmed that Heartbleed has not affected any of their public-facing servers related to their email hosting services. Rackspace does have vulnerable systems that reside outside the realm of their email hosting products. These do not affect ITC customers, and Rackspace is actively patching these servers.
Proactively, attack vector signatures were added to ITC's intrusion detection devices hours after Heartbleed was discovered. This action allowed us to verify that even if a server was vulnerable to attack, the incident would have been logged and blocked before any data was compromised.
As always, ITC is committed to the security of your data and your customers' data. We only use technologies that are supported and accounted for by their respective manufacturers and refrain from using open source technologies that might create a vulnerability that is not actively supported by an interested party.
Finally, many websites and services around the Internet were affected by this critical vulnerability. Please review this site for a comprehensive list of sites that were affected by Heartbleed. If you share a common password with one of the affected websites and ITC's services, we highly recommend you change both passwords immediately. If you have any questions, feel free to leave them in the comments below or contact us at (800) 383-3482 or firstname.lastname@example.org.
NIST Vulnerability Summary for CVE-2014-0160
Information about HeartBleed and IIS
IceWarp Forum Post Relating to OpenSSL 1.0.1g HeartBeat Bug
Rackspace Protect Your Systems From 'Heartbleed' OpenSSL Vulnerability
The Heartbleed Hit List: The Passwords You Need to Change Right Now
About the Author: Laird Rixford