An Important Message Regarding Heartbleed

23 Apr 2014

TokenEx is aware of a flaw in the OpenSSL encryption library, known as the Heartbleed bug, that has exposed a number of very popular websites, including social media (e.g. Facebook), email (e.g. Gmail) and others. The vulnerability could allow cybercriminals to steal account information, logins and passwords, and other sensitive information.
 
The issue involves OpenSSL, an open-source set of libraries used to encrypt online services. Secure websites that use HTTPS make up 56% of websites, and nearly half of those sites have been found to be vulnerable to the bug.
 
A number of our customers have asked about our use of OpenSSL within the TokenEx environment. I am pleased to inform our clients that TokenEx DOES NOT employ any OpenSSL technologies or services that rely upon OpenSSL libraries. TokenEx maintains a strict vulnerability management program to ensure the security of TokenEx tokenization services in the event of any vulnerability that could impact them. In addition, TokenEx employs a “deny all” methodology, allowing access to TokenEx API services only from approved IP addresses and with valid API keys. TokenEx takes extreme measures to minimize any potential attack surface.
 
With that said, security also depends on the security of our customers. If you are a TokenEx customer that uses our gateway services and/or has not authorized any system to detokenize, then rest assured that your sensitive data is safe and secure. However, if you are a customer that has authorized a system to detokenize your sensitive data, then that specific system, and the specific API key it holds, must also be protected from unauthorized use, because that system itself could be vulnerable to the Heartbleed bug.
 
For those who may be impacted, the vulnerability is fixed in OpenSSL version 1.0.1g. It is highly recommended that administrators contact their software vendor to check whether a patch is available and whether IDS signatures are available.
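The first step in the impact analysis is simply establishing which OpenSSL build each system runs. The shell function below is an added example, not TokenEx tooling: it classifies the output of `openssl version` against the affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release; fixed in 1.0.1g; the 1.0.0 and 0.9.8 branches never contained the bug). The sample version strings it is exercised with are constructed for illustration.

```shell
#!/bin/sh
# Added example (not TokenEx's own code): classify an OpenSSL version string
# against the Heartbleed-affected range. Prints one of:
#   vulnerable | fixed | not-affected | unknown
heartbleed_status() {
    # Pull the version token out of strings like "OpenSSL 1.0.1f 6 Jan 2014"
    # or "OpenSSL 1.0.1e-fips 11 Feb 2013"; anything else is reported as unknown.
    v=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    [ -n "$v" ] || { echo unknown; return 0; }
    case "$v" in
        # 1.0.1 through 1.0.1f (including vendor suffixes such as -fips) and
        # the 1.0.2-beta1 pre-release shipped the broken heartbeat handler.
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        # Older branches never had the TLS heartbeat code at all.
        0.9.*|1.0.0*) echo not-affected ;;
        # 1.0.1g (the version named in the advisory) and everything after it.
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*) echo fixed ;;
        *) echo unknown ;;
    esac
}

# Run against the local build when one is installed; harmless otherwise.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(heartbleed_status "$(openssl version)")"
fi
```

One caveat that the version string alone cannot resolve: several distributions backported the fix without changing the version number (for example, patched packages still reporting 1.0.1e), so a `vulnerable` result from this check means "confirm with the vendor's package changelog or advisory", which is exactly the vendor contact the text above recommends. A `fixed` result is reliable, since no 1.0.1g or later build carries the bug.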
 
TokenEx recommends that organizations perform a proper impact analysis and risk assessment before taking defensive measures. Once that analysis is complete, administrators should take defensive measures to minimize the risk of exploitation of this vulnerability. Please contact TokenEx should you require any assistance with your account.
 
– Dr. Jerald Dawkins
TokenEx Co-Founder

REFERENCES
http://heartbleed.com/
http://www.kb.cert.org/vuls/id/720951
http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc/