The Heartbleed vulnerability in the open source library OpenSSL (CVE-2014-0160) has received a significant amount of attention this week. When this vulnerability is exploited, the server might reveal critical data such as user names, passwords, or SSL private key information to an attacker. Many of our customers have asked us whether this vulnerability affects ITC's offerings, specifically TurboRater and TurboStorm. We are happy to confirm that Heartbleed does not affect our rating products and services.
The Long Version
For those who like more than the short and sweet, I will explain further. For all of our servers and products, ITC uses Microsoft technologies for development and hosting. No version of the Windows operating system or of IIS (the web server within Windows) uses OpenSSL; they instead use a proprietary encryption component, Secure Channel. Load balancers, secure web gateways and firewalls employed within the platform use unaffected technologies and are not vulnerable to Heartbleed.
Proactively, attack-vector signatures were added to ITC's intrusion detection devices hours after Heartbleed was discovered. This action allowed us to verify that even if a server had been vulnerable to attack, the incident would have been logged and blocked before any data was compromised.
As always, ITC is committed to the security of your data and your customers' data. We only use technologies that are supported and accounted for by their respective manufacturers and refrain from using open source technologies that might create a vulnerability that is not actively supported by an interested party.
Finally, many websites and services around the Internet were affected by this critical vulnerability. Please review this site for a comprehensive list of sites that were affected by Heartbleed. If you use the same password for one of the affected websites and for ITC's services, we highly recommend you change both passwords immediately.
If you have any questions, feel free to leave them in the comments below or contact us at (800) 383-3482 or support@getitc.com.
Referenced Sources
NIST Vulnerability Summary for CVE-2014-0160
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Information about HeartBleed and IIS
http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
The Heartbleed Hit List: The Passwords You Need to Change Right Now
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
About the Author
Laird Rixford