The ASA IT Department received a few reports from ASA members about a suspicious email they had received. We immediately checked our systems and took the following steps:
1. Confirmed that no member data was compromised - There was nothing to indicate from a technical perspective that the ‘senders’ of this email were working off a list of user information that was stolen from ASA or its system(s).
2. Confirmed that the email was not sent to a larger group of ASA members, which would have necessitated a broader communication to the ASA membership and constituency at large.
3. Updated our ASA spam filters, based on patterns within the message, so that this message is no longer allowed through to the asahq.org email domain.
As always, if you receive suspicious messages from anyone, including people that you know, it is best to just delete the message immediately and never click on any of the links or open any attachments within a suspicious email.
With the recent media and industry awareness of the Heartbleed vulnerability, ASA IT staff immediately assessed our web-based systems to determine any potential impact. OpenSSL, the software library affected by this vulnerability, is only minimally deployed at ASA. There are only two systems that could possibly even use OpenSSL at ASA. ASA is, for the most part, a Microsoft shop. We performed website vulnerability scans on the systems in question, and the reports verified that those web server(s) were in fact not vulnerable to the Heartbleed threat. The ASA IT team does regular vulnerability scans of its key websites and network perimeter to ensure proper security and privacy of all ASA information assets.
Microsoft Internet Explorer security flaw
A fix was released by Microsoft on May 1, 2014 to address this issue. All members and constituents running any version of Windows/IE should run ‘Windows Update’ to get the latest fix and protect themselves from the vulnerability.