Attention: Electra Announcement Regarding Meltdown and Spectre Microprocessor Side-Channel Vulnerabilities

January 05, 2018

Recently, two important vulnerabilities were announced: Meltdown and Spectre.

This note describes Electra’s response to these problems.

Meltdown (CVE-2017-5754) is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows an unprivileged process to read kernel memory and, through the kernel's own mappings, physical memory and the memory of other processes, regardless of the access controls that should prevent this. This is largely a problem for shared systems (cloud-based systems), where code belonging to different parties runs on the same hardware. For the attack to work, the rogue process must be running on the same physical host as the application whose data it intends to steal.

There are two possible mitigations to this attack:

1. Isolation
2. System Patching

With respect to isolation: Electra's primary data center is Rackspace. At Rackspace, Electra has dedicated physical hardware (a private cloud) where all of the hardware is owned by and used entirely by Electra. Electra only runs its own applications on that hardware. As a consequence, the cross-tenant Meltdown scenario does not apply to its primary data center: no other party's code runs there. Isolation reduces exposure but does not remove the underlying flaw, since any malicious code that gained a foothold on a host could still use it to read kernel memory, which is why patching is applied as well.

Electra has a policy of keeping its systems up to date with the latest patches. Microsoft released patches for Meltdown and Spectre on January 3rd, and Electra will apply them on its weekly update schedule.

Spectre is a hardware vulnerability in the branch prediction of modern microprocessors with speculative execution. It allows a malicious process to induce another program to speculatively access memory it should not, and then recover the contents of that program's memory through cache side channels. Two Common Vulnerabilities and Exposures IDs have been issued for Spectre: CVE-2017-5753 (variant 1, bounds check bypass) and CVE-2017-5715 (variant 2, branch target injection). Research into a complete resolution path is still underway; browser changes, such as reduced timer precision, form part of the mitigation.

Nonetheless, system isolation and system patching, which are already Electra's policy, are the industry recommendation for addressing these issues. As such, the resolution path described for Meltdown is also the best path for Spectre, with one caveat: full mitigation of Spectre variant 2 also depends on CPU microcode updates from the hardware vendor in addition to the operating system patches.

With respect to disaster recovery (DR), Electra uses Amazon as its provider. On Amazon systems, the hardware is not fully isolated to running only Electra applications. Amazon is actively working to release updates to its products. Well before the Amazon changes are made available, Electra will have fully patched all of its systems with the latest Microsoft and other patches.

As a practical matter, no exploitation of these vulnerabilities in the wild is known at this time; so far they exist largely in the lab.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the aforementioned exploits:

1. Your account is secure.
2. Your account details were not exposed in the past and will remain secure.
3. You do not need to take additional action to safeguard your information.
4. There is no need to change your password.


Attention: Electra Announcement Regarding “WannaCry” and Microsoft SMB Server Vulnerabilities

May 19, 2017

Recently, two related Microsoft security issues were announced. The more recent of these, WannaCry, is described here; it is a ransomware worm rather than a vulnerability in itself. It spreads by exploiting the second, a vulnerability in the Microsoft SMBv1 server, described here, which Microsoft patched in security bulletin MS17-010.

Collectively, these represent critical issues for Microsoft-based infrastructure. Unpatched systems, systems without virus protection, and systems that expose SMB (TCP port 445) to untrusted networks are particularly exposed to attack.

This note describes Electra’s response to these problems. For externally facing systems Electra can confirm that none of its systems has been attacked. For internally facing systems, we can also confirm that none of our systems have been affected.

Further, all of our systems have been patched to the latest patch levels available from Microsoft. We have verified that these steps are complete and guarantee your data safety.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the aforementioned exploits:

1. Your account is secure.
2. Your account details were not exposed in the past and will remain secure.
3. You do not need to take additional action to safeguard your information.
4. There is no need to change your password.


Attention: Electra Announcement Regarding a Vulnerability in Apache Struts 2

April 05, 2017

Recently, the Apache Software Foundation disclosed a critical vulnerability in Apache Struts 2, a software framework for developing Java EE web applications. Widespread exploitation began on March 8, 2017. The vulnerability (CVE-2017-5638) is a remote code execution (RCE) flaw in the Jakarta Multipart parser of Apache Struts 2: a crafted Content-Type header in an HTTP request is evaluated as an OGNL expression, so an unauthenticated attacker can run commands on the server. It has a Common Vulnerability Scoring System (CVSS) score of 10 out of 10 because of its potential impact; a 10/10 score is exceptionally severe and rare. The fix is to upgrade to Struts 2.3.32 or 2.5.10.1 (or later).

You can learn more about this attack at https://struts.apache.org/docs/security-bulletins.html. This note describes Electra’s response to this problem.

The areas of investigation for remediation for Electra clients are externally facing systems and internal systems.

For externally facing systems Electra can confirm that none of its systems has this particular vulnerability.

For internal systems, one system did have this vulnerability and has been shut down.
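The two checks a responder would run for this bulletin, as an added example that is not Electra's code or code from the Apache Struts project: a scan of web-server log lines for the exploit's signature (an OGNL expression carried in the Content-Type header) and a version test for the affected struts2-core ranges. The log format, the sample lines and the marker list are constructed for this example; the marker strings are the ones commonly seen in CVE-2017-5638 traffic, not a complete signature set.

```python
"""Added example for the Struts note above; it is not Electra's code or code
from the Apache Struts project. Two offline checks for CVE-2017-5638: a scan
of web-server log lines for an OGNL expression in the Content-Type header,
and a version test for the affected struts2-core ranges (2.3.5 to 2.3.31 and
2.5 to 2.5.10). The log format and the sample lines are constructed."""
import re

# Markers of OGNL evaluation seen in CVE-2017-5638 traffic: an expression
# opener, or a reference to the OGNL context or its member-access guard.
OGNL_MARKERS = re.compile(
    r"[%$]\{|#_memberAccess|@ognl\.OgnlContext@|#context\[|\.getRuntime\(\)",
    re.IGNORECASE,
)

# Constructed format: <client-ip> "<request-line>" <status> ct="<Content-Type>"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) ct="(?P<ctype>.*)"$'
)

SAMPLE_LOG = [
    '203.0.113.5 "POST /upload.action HTTP/1.1" 200 ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '203.0.113.9 "GET /index.action HTTP/1.1" 200 ct=""',
    '198.51.100.7 "POST /upload.action HTTP/1.1" 500 ct="%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd=\'id\')}"',
    '198.51.100.7 "GET /login.action HTTP/1.1" 200 ct="${#context[\'xwork.MethodAccessor.denyMethodExecution\']=false}"',
]


def parse_log_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_struts_exploit_attempt(content_type):
    """True when a Content-Type value looks like an OGNL injection payload.
    A legitimate multipart upload carries a boundary parameter and no
    expression syntax; the exploit abuses the parser's error path, so the
    value is usually not even a well-formed media type."""
    return bool(OGNL_MARKERS.search(content_type))


def flag_struts_requests(lines):
    """Return (client-ip, request-line, status) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_struts_exploit_attempt(rec["ctype"]):
            hits.append((rec["ip"], rec["req"], rec["status"]))
    return hits


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly across lengths."""
    return tuple(int(part) for part in version.split("."))


def is_affected_struts_version(version):
    """True if a struts2-core version falls in the ranges named in the Apache
    bulletin: 2.3.5 through 2.3.31, or 2.5 through 2.5.10. The fixed
    releases are 2.3.32 and 2.5.10.1."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)
    return False


if __name__ == "__main__":
    for ip, req, status in flag_struts_requests(SAMPLE_LOG):
        print("possible CVE-2017-5638 attempt from %s: %s (%s)" % (ip, req, status))
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "affected" if is_affected_struts_version(ver) else "fixed")
```

Most web-server access logs do not record the Content-Type request header by default, so the log scan only works if the header is logged (or if the check is run over a proxy or WAF log that captures it); the version check is the reliable inventory step, run against the struts2-core jar actually deployed on each host.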

We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the Apache Struts 2 exploit:

1. Your account is secure.
2. Your account details were not exposed in the past and will remain secure.
3. You do not need to take any additional action to safeguard your information.
4. There is no need to change your password.


Attention: Electra Announcement Regarding DROWN

March 03, 2016

Recently, a vulnerability was disclosed in SSL, the family of cryptographic protocols designed to provide communications security over a computer network. This new vulnerability is called DROWN (CVE-2016-0800). Its effect is that an attacker who can reach a server that still accepts SSL version 2 (SSLv2) can use it to decrypt TLS connections to any server using the same RSA private key, even when that server itself speaks only modern TLS. You can learn more about this attack here. This note describes Electra’s response to this problem.

The areas of investigation for remediation for Electra clients are externally facing systems and internal systems.

For externally facing systems, Electra has disabled the one system that still offered SSLv2. As a result, no Electra system offers SSLv2, which removes the externally reachable attack surface for DROWN. Because DROWN is a cross-protocol attack, this check has to cover every host that shares a certificate or RSA key with a production service, not only the production servers themselves.

For internal systems, no changes were needed.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the DROWN exploit:

1. Your account is secure
2. Your account details were not exposed in the past and will remain secure
3. You do not need to take any additional action to safeguard your information
4. There is no need to change your password
5. All servers have been patched to avoid other potential exploits of this bug


Attention: Electra Announcement Regarding “glibc”

February 23, 2016

Recently, a vulnerability (CVE-2015-7547) was disclosed in glibc, the GNU C library, a core building block of Linux systems and of much of the internet's software. See http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/ for more details on this issue. The flaw is a stack-based buffer overflow in the getaddrinfo() function's handling of DNS responses: a specially crafted, oversized DNS reply can allow an external system to take control of the process that issued the name lookup. This note describes Electra’s response to this problem.

The areas of investigation for remediation for Electra clients are externally facing systems and internal systems.

For externally facing systems, Electra has applied the patch to the glibc (libc6) library on all Linux systems. This was an important first step because our external systems depend on external DNS servers, and every reply from those servers passes through the vulnerable code. Because glibc is loaded into every running process, services that were already running must be restarted (or the host rebooted) after the update before the fix takes effect.

For internal systems, our own DNS service uses BIND9, which is reported not to be affected by this vulnerability even on systems with the faulty glibc (and glibc has been updated on the DNS servers too, of course).

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the glibc bug:

1. Your account is secure
2. Your account details were not exposed in the past and will remain secure
3. You do not need to take any additional action to safeguard your information
4. There is no need to change your password
5. All servers have been patched to avoid other potential exploits of this bug


Attention: Electra Announcement Regarding “Venom”

May 18, 2015

On May 13, 2015, a vulnerability was disclosed in the QEMU Floppy Drive Controller that, when exploited, could allow an attacker to escape a virtual machine on certain open source hypervisors. CVE-2015-3456 (VENOM) has been assigned for this vulnerability.

The areas of investigation for remediation for Electra clients are:

1. Clients’ own computer systems
2. Electra’s hosted systems

a. Rackspace
b. NaviSite
c. Amazon

With respect to client-installed Electra Reconciliation software (OpenStaars), there is no vulnerability in the application itself, because the flaw is in the hypervisor's emulated floppy controller and not in the application software. Clients who run OpenStaars in virtual machines on an affected hypervisor should apply the appropriate patches, which are now widely available, to mitigate the risk from this vulnerability.

For its own systems, the software running at NaviSite is not running any of the affected hypervisors. The systems at Rackspace and Amazon have already been patched.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the Venom bug:

1) Your account is secure
2) Your account details were not exposed in the past and will remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
5) All servers have been patched to avoid other potential exploits of this bug


Attention: Electra Announcement Regarding “WinShock”

November 17, 2014

Recently, a vulnerability in Microsoft's Schannel encryption library, commonly known as “WinShock” (MS14-066, CVE-2014-6321), was revealed by IBM engineers and patched by Microsoft.

While no public exploits of this vulnerability are known, it potentially allows complete takeover of unpatched Windows servers that expose public services using Schannel. These services include encrypted (HTTPS) Web service, Remote Desktop Protocol (RDP) service and TLS-protected email service. Electra does not use and has not used Windows for encrypted Web service. Our email systems, whose Windows servers are on isolated networks, have been patched. Electra's only use of RDP is inside encrypted VPN tunnels, which keeps the RDP service unreachable from the internet but does not remove the flaw itself; to close off exploitation from any compromised system that has access through our VPN, our RDP servers are patched.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that with regards to the WinShock bug:

1) Your account is secure
2) Your account details were not exposed in the past and will remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
5) All servers have been patched to avoid other potential exploits of this bug


Attention: Electra Announcement Regarding "POODLE"

October 23, 2014

Recently, a Web encryption security vulnerability, commonly known as "POODLE" (CVE-2014-3566), was revealed by Google engineers. A bad actor who can place his or her system in a "man-in-the-middle" (MITM) position between a Web browser and a server can interfere with their protocol negotiation. Browsers and servers try to agree on the strongest protocol both support; by breaking the handshake for each stronger protocol version, the MITM makes the browser retry with older versions until the connection falls back to the easily-broken SSLv3. The basic problem is in the SSLv3 protocol, which has been obsolete for 15 years: its CBC padding is not protected by the integrity check, so once browsers and sites capable of strong protocols revert to it, an attacker who can also inject requests (for example through JavaScript) can decrypt secrets such as session cookies one byte at a time.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems. To achieve the highest level of security, Electra has joined Apple and other large vendors in removing SSLv3 support from our Web servers. This means that browsers will only be offered TLS, which has supplanted SSL as the more secure protocol. With SSLv3 disabled, the downgrade described above has nowhere to land; servers that must keep SSLv3 temporarily can instead implement TLS_FALLBACK_SCSV, which lets a browser signal that it is retrying at a lower version so the server can reject the downgrade.
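The verification behind both the DROWN note ("no system offers SSLv2") and this POODLE note ("SSLv3 support removed"), as an added example that is not Electra's code: it builds the smallest handshakes that ask a server for SSLv2 and for SSLv3 and classifies the server's first reply. The SSLv2 cipher kinds and the two SSLv3 suites offered are an assumption of the example (any standard list would do); the three replies at the bottom are constructed so the parsers can be exercised offline, and `probe_server()` is the live version of the same check.

```python
"""Added example for the DROWN and POODLE notes (not Electra's code). It
builds the smallest handshakes that ask a server for SSLv2 and for SSLv3 and
classifies the server's first reply. probe_server() does the live check; the
replies at the bottom are constructed so the parsers run offline."""
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each); offering all seven is enough to draw a
# SERVER-HELLO from any SSLv2-capable server.
SSL2_CIPHERS = bytes.fromhex("010080020080030080040080050080060040" "0700c0")


def sslv2_client_hello():
    challenge = os.urandom(16)
    body = (b"\x01" + b"\x00\x02"                        # MSG-CLIENT-HELLO, version 2
            + struct.pack("!HHH", len(SSL2_CIPHERS), 0, len(challenge))
            + SSL2_CIPHERS + challenge)                   # no session id
    return struct.pack("!H", 0x8000 | len(body)) + body  # 2-byte header, high bit = no padding


def sslv3_client_hello():
    suites = bytes.fromhex("000a0005")   # RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_RC4_128_SHA
    hello = (b"\x03\x00" + os.urandom(32) + b"\x00"      # version 3.0, random, empty session id
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # one compression: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello        # ClientHello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake  # handshake record, 3.0


def parse_sslv2_reply(data):
    """('offered', [cipher kinds]) for a SERVER-HELLO, ('refused', why) otherwise.
    A modern server answers with a TLS alert record (0x15) or just closes."""
    if len(data) < 13 or not data[0] & 0x80:
        return ("refused", "no SSLv2 record")
    if data[2] != 0x04:                                   # MSG-SERVER-HELLO
        return ("refused", "SSLv2 message type %d" % data[2])
    cert_len, cipher_len, _conn_len = struct.unpack("!HHH", data[7:13])
    ciphers = data[13 + cert_len:13 + cert_len + cipher_len]
    return ("offered", [ciphers[i:i + 3].hex() for i in range(0, len(ciphers), 3)])


def parse_sslv3_reply(data):
    """('offered', suite) for a 3.0 ServerHello, ('refused', why) for an alert
    (protocol_version is 70, handshake_failure is 40) or anything else."""
    if len(data) < 5:
        return ("refused", "no TLS record")
    if data[0] == 0x15:
        return ("refused", "alert %s" % (data[6] if len(data) >= 7 else "?"))
    if data[0] == 0x16 and data[1:3] == b"\x03\x00" and len(data) >= 6 and data[5] == 0x02:
        hs = data[5:]        # type(1) len(3) version(2) random(32) sid_len(1) sid suite(2)
        sid_len = hs[38]
        return ("offered", hs[39 + sid_len:41 + sid_len].hex())
    return ("refused", "record type %d" % data[0])


def probe_server(host, port=443, timeout=5.0):
    """Live check: each hello on its own TCP connection; a reset or timeout
    counts as refused. Not exercised by the offline samples below."""
    results = {}
    for name, hello, parse in (("SSLv2", sslv2_client_hello(), parse_sslv2_reply),
                               ("SSLv3", sslv3_client_hello(), parse_sslv3_reply)):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                reply = sock.recv(4096)
        except OSError:
            reply = b""
        results[name] = parse(reply)
    return results


# Constructed replies. SSLv2 SERVER-HELLO: no cert, two cipher kinds, 16-byte connection id.
SAMPLE_SSLV2_SERVER_HELLO = (bytes([0x80, 0x21]) + b"\x04\x00\x01\x00\x02"
                             + struct.pack("!HHH", 0, 6, 16)
                             + bytes.fromhex("0100800700c0") + bytes(range(16)))
# SSLv3 ServerHello choosing RSA_WITH_3DES_EDE_CBC_SHA with an empty session id.
_hello = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x0a" + b"\x00"
SAMPLE_SSLV3_SERVER_HELLO = (b"\x16\x03\x00" + struct.pack("!H", 4 + len(_hello))
                             + b"\x02" + len(_hello).to_bytes(3, "big") + _hello)
# Fatal protocol_version alert: what a patched server sends back to either hello.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print(parse_sslv2_reply(SAMPLE_SSLV2_SERVER_HELLO), parse_sslv3_reply(SAMPLE_SSLV3_SERVER_HELLO))
    print(parse_sslv2_reply(SAMPLE_TLS_ALERT), parse_sslv3_reply(SAMPLE_TLS_ALERT))
```

For DROWN the probe has to be run against every host and port that shares a certificate or RSA key with the production service (mail servers included), since an SSLv2 listener anywhere with that key is enough; for POODLE, "refused" for SSLv3 on the production hosts is the result to record.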


Attention: A Message Regarding Shellshock – bash Bug

September 26, 2014

Recently, a security vulnerability, commonly known as “Shellshock” (CVE-2014-6271), was uncovered in the “bash” shell installed on many UNIX-based systems, including Linux and OS X. Bash imports function definitions from environment variables, and vulnerable versions also execute any commands appended after the definition. Systems with an unpatched version of bash are therefore exposed wherever an attacker controls environment variables, most notably web servers that run programs through the “CGI” mechanism, because CGI copies request headers into environment variables before starting the program, which may in turn call the bash shell in the background. Electra's webservers have never been deployed with this configuration, thus are not vulnerable.

We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the shellshock bug:

1) Your account is secure
2) Your account details were not exposed in the past and will remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
5) We have scanned our servers and found none of them to be compromised
6) All servers have been patched to avoid other potential exploits of this bug

While we always advise our clients to be cautious and aware of the security of their personal information, in this case we want to reassure you that there is no need to be unduly concerned. Your login user name, password details and account data have not been exposed through the Shellshock vulnerability. While Electra does use webservers, we have not been affected by the “Shellshock” bug.
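The mechanism the note describes, as an added example that is not Electra's code: a CGI gateway turns request headers into environment variables, and a vulnerable bash executes commands smuggled after a function definition in any variable it imports. The request headers are constructed; the variable naming follows RFC 3875; the last function runs the real bash on the host where the example is executed and reports whether it is vulnerable, so on a patched system it returns False.

```python
"""Added example for the Shellshock note (not Electra's code). It reproduces
the mechanism described above: a CGI gateway copies request headers into
environment variables, and a vulnerable bash executes commands smuggled
after a function definition in any variable it imports. cgi_environment()
builds the variables the way RFC 3875 names them, looks_like_shellshock()
is the detection rule, and bash_imports_trailing_command() runs this host's
real bash with such a variable and reports whether the trailing command ran.
The request headers are constructed."""
import shutil
import subprocess

MARKER = "SHELLSHOCK-TRAILING-COMMAND-RAN"

# Constructed request headers as a CGI gateway would receive them.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; echo " + MARKER,
}


def cgi_environment(method, path, headers):
    """Each header becomes HTTP_<NAME>, upper-cased with '-' turned into '_'
    (RFC 3875 section 4.1.18); this is how attacker text reaches the shell."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def looks_like_shellshock(value):
    """A header value that starts with a bash function definition '() {' has
    no legitimate use; it is the string the public exploits all begin with."""
    return value.lstrip().startswith("() {")


def flag_shellshock_headers(headers):
    """Names of the headers in a request that carry the Shellshock pattern."""
    return [name for name, value in headers.items() if looks_like_shellshock(value)]


def bash_imports_trailing_command(env, bash=None):
    """Invoke bash the way a CGI script would (the shell only needs to start),
    with the request environment attached. True: the marker was printed, so
    bash ran the trailing command while importing the variable (vulnerable).
    False: only the probe ran (patched). None: no bash on this host."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    full_env = dict(env, PATH="/usr/local/bin:/usr/bin:/bin")
    proc = subprocess.run([bash, "-c", "echo probe"], env=full_env,
                          capture_output=True, text=True, timeout=10)
    return MARKER in proc.stdout


if __name__ == "__main__":
    env = cgi_environment("GET", "/cgi-bin/status.sh", SAMPLE_HEADERS)
    print("suspicious headers:", flag_shellshock_headers(SAMPLE_HEADERS))
    print("bash vulnerable:", bash_imports_trailing_command(env))
```

The detection rule is deliberately narrow (the value must begin with the function-definition syntax) so it does not fire on ordinary User-Agent strings; the live test is the same one-line check the original advisories published, wrapped so it can be run against a specific bash binary by passing its path.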


Attention: A Message Regarding OpenSSL - Heartbleed Bug

April 14, 2014

There has been a lot of recent discussion regarding a security vulnerability in certain versions of OpenSSL, commonly known as the “Heartbleed Bug” (CVE-2014-0160). We take the responsibility of keeping your information protected very seriously at Electra Information Systems.

We would like to assure you that with regards to the Heartbleed bug:
1) Your account is secure
2) Your account details were not exposed in the past and remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password

While we always advise our customers to be cautious and aware of the security of their personal information, in this case we want to reassure you that there is no need to be unduly concerned. Your login user name and password details have not been exposed through the OpenSSL vulnerability. While Electra does use OpenSSL, we are not using the affected versions of the software (OpenSSL 1.0.1 through 1.0.1f) that contain the “Heartbleed Bug.”
