Attention: Electra Announcement Regarding “WannaCry” and Microsoft SMB Server Vulnerabilities

May 19, 2017

Recently, two important Microsoft vulnerabilities were announced. The more recent of these, WannaCry, is described here. The second one of these, the SMB Server vulnerability, is described here.

Collectively, these vulnerabilities represent critical issues in the Microsoft infrastructure. Unpatched systems and/or systems without virus protection are particularly exposed to attack.

This note describes Electra’s response to these problems. For externally facing systems Electra can confirm that none of its systems has been attacked. For internally facing systems, we can also confirm that none of our systems have been affected.

Further, all of our systems have been patched to the latest patch levels available from Microsoft. We have verified that these steps are complete and guarantee your data safety.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the aforementioned exploits:

1. Your account is secure.
2. Your account details were not exposed in the past and will remain secure.
3. You do not need to take additional action to safeguard your information.
4. There is no need to change your password.

Attention: Electra Announcement Regarding in Apache Struts 2

April 5, 2017

Recently, the Apache Software Foundation disclosed a critical vulnerability in Apache Struts 2, this is a software framework for developing Java EE websites. Widespread exploitation began on March 8, 2017.  The vulnerability (CVE-2017-5638) is a Remote Code Execution (RCE) vulnerability that affects the Jakarta Multipart parser in Apache Struts 2.  This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 10 out of 10 due to potential impact; a 10/10 score is exceptionally severe and rare.

You can learn more about this attack at https://struts.apache.org/docs/security-bulletins.html.   This note describes Electra’s response to this problem.

The areas of investigation for remediation for Electra clients are externally facing systems and internal systems.

For externally facing systems Electra can confirm that none of its systems has this particular vulnerability.

For internal systems, one system did have this vulnerability and has been shut down.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the Apache Struts 2 exploit:

1. Your account is secure.
2. Your account details were not exposed in the past and will remain secure.
3. You do not need to take any additional action to safeguard your information.
4. There is no need to change your password.

Attention: Electra Announcement Regarding DROWN

March 3, 2016

Recently, a vulnerability was disclosed regarding the SSL cryptographic protocols designed to provide communications security over a computer network. This new vulnerability is called DROWN. The effect of this vulnerability is that an attacker could crack the TLS security of a targeted system. You can learn more about this attack here. This note describes Electra’s response to this problem.

The areas of investigation for remediation for Electra clients are externally facing systems and internal systems.

For externally facing systems Electra has disabled the one system which had this vulnerability. This resulted in all systems being clear of SSL v2 support and leaves no more externally available exploits.

For internal systems, no changes were needed.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the DROWN exploit:

1. Your account is secure
2. Your account details were not exposed in the past and will remain secure
3. You do not need to take any additional action to safeguard your information
4. There is no need to change your password
5. All servers have been patched to avoid other potential exploits of this bug

Attention: Electra Announcement Regarding “glibc”

February 23, 2016

Recently, a vulnerability was disclosed regarding a library component that is a core piece of the internet’s building blocks. See http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/ for more details on this issue. The ultimate effect of this problem is that some messages can result in external systems taking unexpected control of other systems by taking advantage of a hole in the DNS processing logic. This note describes Electra’s response to this problem.

The areas of investigation for remediation for Electra clients are externally facing systems and internal systems.

For externally facing systems Electra has applied a patch to the glibc (libc6) library on all Linux systems. This was an important first step because our external systems depend on external DNS servers.

For internal systems, our own DNS service uses BIND9, which is said to be immune to this vulnerability even on systems with the faulty glibc (and glibc has been updated on the DNS servers too, of course).

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the glibc bug:

1. Your account is secure
2. Your account details were not exposed in the past and will remain secure
3. You do not need to take any additional action to safeguard your information
4. There is no need to change your password
5. All servers have been patched to avoid other potential exploits of this bug

Attention: Electra Announcement Regarding “Venom”

May 18, 2015

On May 13, 2015, a vulnerability was disclosed in the QEMU Floppy Drive Controller that, when exploited, could allow an attacker to escape a virtual machine on certain open source hypervisors. CVE-2015-3456 (VENOM) has been assigned for this vulnerability.

The areas of investigation for remediation for Electra clients are:

1. Clients’ own computer systems
2. Electra’s hosted systems

a. Rackspace
b. NaviSite
c. Amazon

With respect to client installed Electra Reconciliation software (OpenStaars), there is no vulnerability per se because the vulnerability is in the operating system software and not in the application software. Electra encourages its customers to apply the appropriate patches which are now widely available to mitigate risk for this vulnerability.

For its own systems, the software running at NaviSite is not running any of the affected hypervisors. The systems at Rackspace and Amazon have already been patched.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the Venom bug:

1) Your account is secure
2) Your account details were not exposed in the past and will remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
5) All servers have been patched to avoid other potential exploits of this bug

Attention: Electra Announcement Regarding “WinShock”

November 17, 2014

Recently, a Microsoft Schannel encryption security vulnerability, commonly known as “WinShock,” was revealed by IBM engineers and patched by Microsoft.

While no public exploits of this vulnerability are known, it potentially allows complete takeover of unpatched Windows servers with public services which use Schannel. These services include encrypted Web service, Remote Desktop Protocol (RDP) service and encrypted email service. Electra does not use and has not used Windows for encrypted Web service. Our email systems, whose Windows servers are on isolated networks, have been patched. Electra’s sole use of RDP is within encrypted VPN tunnels which are not vulnerable. To avoid any chance of RDP’s vulnerability being exploited from any compromised system which has access through our VPN, our RDP servers are patched.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the WinShock bug:

1) Your account is secure

2) Your account details were not exposed in the past and will remain secure

3) You do not need to take any additional action to safeguard your information

4) There is no need to change your password

5) All servers have been patched to avoid other potential exploits of this bug

 

Attention: Electra Announcement Regarding “POODLE”

October 23, 2014

Recently, a Web encryption security vulnerability, commonly known as “POODLE,” was revealed by Google engineers. A bad actor could place his or her system in the position to do a “man-in-the-middle” (MITM) interception of the protocol negotiations between a Web browser and a server. As they negotiate to find the strongest protocol both support, the MITM can alter the communications, rejecting all stronger protocols, forcing the connection to use the easily-broken SSLv3. The basic problem is in the SSLv3 protocol which has been obsolete for 15 years. When browsers and sites capable of strong protocols revert to it, their subsequent traffic can be decrypted by available means.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. To achieve the highest level of security, Electra has joined Apple and other large vendors by removing SSLv3 support from our Web servers. This means that browsers will only be presented with TLS as an option. TLS has supplanted SSL as a more secure protocol.

Attention: A Message Regarding Shellshock – bash Bug

September 26, 2014

Recently, a security vulnerability, commonly known as “shellshock,” was uncovered in the “bash” shell installed in many UNIX-based systems, including Linux and OSX. Systems with unpatched version of bash can be vulnerable, particularly if they are configured as webservers using a mechanism called “CGI,” which can run programming that in turn calls the bash shell in the background that this bug exposes to rogue commands. Electra’s webservers have never been deployed with this configuration, thus are not vulnerable.
We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the shellshock bug:

1) Your account is secure
2) Your account details were not exposed in the past and will remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
5) We have scanned our servers and found none of them to be compromised
6) All servers have been patched to avoid other potential exploits of this bug
While we always advise our clients to be cautious and aware of the security of their personal information; in this case we want to reassure you that there is no need to be unduly concerned. Your login user name, password details and account data have not been exposed through the shellshock vulnerability. While Electra does use webservers, we have not been affected by the “shellshock” bug.

 

Attention: A Message Regarding OpenSSL – Heartbleed Bug

April 14, 2014

There has been a lot of recent discussion regarding a security vulnerability in a version of OpenSSL, commonly known as the “Heartbleed Bug.”  We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the Heartbleed bug:
1) Your account is secure
2) Your account details were not exposed in the past and remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password

While we always advise our customers to be cautious and aware of the security of their personal information, in this case we want to reassure you that there is no need to be unduly concerned.  Your Login User Name and Password details have not been exposed to the OpenSSL vulnerability.  While Electra does use OpenSSL, we are not using the affected versions of the software with the “Heartbleed Bug.