The VC3 Heartbleed Timeline

David Dunn

David Dunn is founder, Chairman and CEO of VC3 where he has been responsible for building the company since 1994. Follow him on twitter at @dunndavidw.

I was at a conference in Richmond, Virginia when I first heard about the Heartbleed security vulnerability. The first notifications that I am aware of came out Wednesday morning, April 9th, but this was a travel day for me so I don’t think I saw anything about it until late in the day Wednesday. Initial reports discussed the vulnerability of websites that use OpenSSL so my first thought was, “OK, I am pretty sure we are not affected.” Almost all of the websites VC3 hosts are based upon Microsoft technologies and don’t use OpenSSL. I also remember being skeptical of some of the claims regarding the percentage of websites globally that were potentially impacted.

Coincidentally, all of the conference presentations Thursday morning were centered around security. One of the presenters, Ray Hillen, with Agio, was scheduled to talk about data security in general and clearly had modified his presentation in the last few hours to specifically talk about the Heartbleed threat. It was during this presentation that I learned that the impact extended beyond website hosting and that OpenSSL was used in many name-brand networking and security products. And then I panicked, knowing that we and our customers used many of these vendors’ products. I sent an email to Brant Hale, VC3’s top security expert, to see if he was aware of the problem.

Brant promptly responded and indicated that he was and had already taken action by informing VC3’s VCIOs (those individuals at VC3 who act as the CIO/IT Director for our Managed Services customers) about the problem and providing a link to www.ssllabs.com/ssltest, which was one of the earliest sites that made available a scanning tool which would check a website to see if it had the problem (but don’t try this at home unless you have explicit permission from the website owner to run the test – you may run afoul of the law…). Brant indicated that he was also working on a more in-depth solution (the ssllabs site had some limitations in the breadth of what could be tested) that used the Nessus vulnerability scanner platform VC3 regularly uses. At that time Brant was verifying the Nessus solution so that we could provide our VCIOs with a more powerful and complete testing solution.

Here’s the timeline I have put together for our activities:

  • Wednesday April 9th, around 8:00 AM – official notification through multiple channels of the Heartbleed problem
  • Wednesday April 9th, around 9:00 AM – notification to VC3 VCIOs of a solution for testing websites: http://www.ssllabs.com/ssltest
  • Thursday April 10th, around noon – testing and verification of the Nessus solution complete; VCIOs informed so they could work with customers to do a vulnerability scan

Here’s a shout-out and big Thank You to Brant for his quick response and actions to help VC3’s customers during the biggest Internet security threat that any of us have seen. Within 36 hours we had fully tested all of our internal systems and customer systems that were potentially exposed (and even those that we didn’t think were exposed, but tested anyway…).