AT&T Developer Program on the Heartbleed Bug
Here is the official AT&T Corporate statement regarding the OpenSSL vulnerability. Most of you are probably aware of this bug already. It is a vulnerability in the OpenSSL cryptographic software library (CVE-2014-0346 / CVE-2014-0160) that allows an attacker to read the memory of systems protected by vulnerable versions of OpenSSL. More details can be found here: http://heartbleed.com.
We have reviewed the AT&T Developer Program systems and found no evidence that the Heartbleed vulnerability has been exploited in our infrastructure or service components. Our Developer Portal was running a version of OpenSSL that was not vulnerable, and the content delivery network (CDN) in front of the portal had been updated prior to the Heartbleed announcement. For that reason, we do not believe our community needs to change their passwords at this time, but we always recommend changing passwords on a regular basis.
We patched our most critical API environments (like our API Matrix) and have been working on less critical ones over the last few days. Currently, we have found no evidence that any user information was compromised, but we will continue to monitor this carefully and will provide updates.
In general, the items at greatest risk from this vulnerability, across all industries and potentially affected parties, are those that are constantly in the memory of the OpenSSL process (e.g. a server's private SSL keys). An attacker may have been able to obtain user information if the attack was carried out at the same time the information was sent, or just after (that is, while it was still in the process's memory). Developers who authenticated on vulnerable AT&T Developer Program servers last week should consider changing their keys.
Be advised that you may face risks elsewhere. Depending on how you store your keys and other information in the cloud, you may want to update your credentials.
Here is a suggested framework to consider:
1) Discover if you’re vulnerable.
2) If vulnerable: decide between upgrading and recompiling without Heartbeat support.
3) If vulnerable: request a new certificate from your CA.
4) If vulnerable: decide whether you should be notifying your customers and recommending password resets.
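As an added example for step 1 (not part of the AT&T statement), the POSIX shell functions below classify the output of `openssl version` against the affected ranges published at heartbleed.com and look for the `OPENSSL_NO_HEARTBEATS` define in the build flags reported by `openssl version -f`. The version string alone is not conclusive, because distributions backport the fix without changing the version letter, so treat "vulnerable" as "check the package changelog" rather than a verdict; the `check_local_openssl` wrapper is a suggested usage on your own hosts.

```shell
#!/bin/sh
# Classify an "openssl version" string by the Heartbleed-affected ranges
# published at heartbleed.com: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1
# are affected; 1.0.1g, later 1.0.2 betas and the 0.9.8 / 1.0.0 branches
# are not. Prints "vulnerable", "not-vulnerable" or "unknown".
heartbleed_version_status() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1*|0.9.*|1.0.0*)      echo not-vulnerable ;;
        *)                                          echo unknown ;;
    esac
    return 0
}

# A build configured with -DOPENSSL_NO_HEARTBEATS never compiled the affected
# heartbeat code. "openssl version -f" reports the compiler flags used; this
# predicate returns 0 (true) when that define is present in the given string.
heartbeats_disabled_in_cflags() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *) return 1 ;;
    esac
}

# Suggested usage against the locally installed binary (hypothetical wrapper,
# not run by any test): combine the version range with the build-flag check.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found"
        return 0
    fi
    status=$(heartbleed_version_status "$(openssl version)")
    if [ "$status" = vulnerable ] && heartbeats_disabled_in_cflags "$(openssl version -f)"; then
        status=not-vulnerable-heartbeats-disabled
    fi
    echo "$status"
    return 0
}
```

A "vulnerable" result on a distribution package still needs the changelog or advisory checked, since a backported fix keeps the original version string; a "not-vulnerable" result from a version built from source is reliable.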