You've likely heard of the "Heartbleed bug," recently making national headlines. The "Heartbleed bug" is a vulnerability found in OpenSSL, a widely used encryption mechanism for connectivity to Internet applications such as web sites, email, and virtual private networks (VPNs).
This encryption fault, dubbed "Heartbleed," is a flaw discovered in the encryption software "OpenSSL." By default, standard "HTTP" traffic is transmitted in plain text. When secure data is required to be transferred over the Internet, Secure Socket Layer or "SSL" is a common protocol used to encrypt sensitive data. "OpenSSL" is an open source implementation of the SSL protocol and widely used. Due to the "Heartbleed" exploitation, many web sites may be at risk of exposing private information. It can allow attackers to read the memory of the systems using vulnerable versions of OpenSSL Library.
At EVS, your privacy is always our first priority. We wanted to let you know that EVS has reviewed all Internet facing systems and determined that our systems have been and continues to be secure. When EVS established its services, we elected not to use OpenSSL in external systems.
All customer data is protected by EVS using proprietary encryption, written to industry standards, provided by our software partners, notably, Asigra's FIPS 140-2 certified encryption. FIPS 140-2 is the most current security requirement for cryptographic modules or encryption. The Asigra software is the only agentless Cloud Backup and Recovery software to have received validation that its encryption meets these strict standards. There are administrative functions that may transverse the Internet via HTTP but do not include sensitive data.
We conferred with our software partners, and also used third party scan tools to verify our findings. We will be upgrading our systems and applying the latest patches May 14, 2014, regardless of usage so that any possible future use of OpenSSI does not inadvertently create an exposure.