Web Site Back to Normal
It took a bit longer than I’d expected to get our SSL certificate replaced, but we received the new certificate this morning, the server software’s been rebuilt, keys changed, etc. The SSL server is back online, and users may once again log in to their accounts and use the shopping cart to make purchases.
Once again I would like to apologize for the inconvenience caused by the downtime.
Michael Kirkham, President & CEO
Security Notice (Updated)
This is an update to the security notice sent out Thursday, February 21, 2008.
After reviewing security logs and comparing file systems and source code to known backups as part of our security audit, we are relieved to report that we have not found any evidence that any systems or customer information were successfully compromised during the period that firewall rules were partially disabled and some internet-facing systems were under attack. Additionally it appears that at least some of what was reported as an attack was the work of worms targeting Windows vulnerabilities, which we do not use for our servers–traffic we do not normally see due to firewalls and other protections.
The main avenue for attack that we were most concerned with was certain systems that were being brought up to migrate services to that might not have been fully patched or locked down yet while they were in transition. Though it doesn’t appear there’s been any compromise, as an added precaution, we will still be reinstalling these systems and services, so you may expect some brief periods of down time over the weekend (much of this we’re doing anyway, to sync up deployed software versions with versions being installed on the new systems to ease transition). We’re also revoking all authentication and encryption keys and have requested a new SSL certificate, and will take additional steps to improve our auditing procedures and response time.
Once we have finished upgrading critical server software and have received the new SSL certificate, we will bring the shopping system back online. You will not be able to log into your Muonics web site account until this time.
Please accept our apology for any inconvenience or worry caused by our previous notice and the downtime involved. Though it appears to have been a false alarm, one can never be too cautious about these things.
Should you have any lingering concerns, we will be more than happy to reimburse anyone who has placed orders with us online, at any time in the past, for up to 12 months of credit activity monitoring from your choice of provider. You can contact me directly by phone or email any time between now and March 31, 2008 to arrange.
Thank you for your patience.
Michael Kirkham, President & CEO
MIB Smithy Passes CA-2002-03 Vulnerability Tests
Muonics added SNMP management-role (request originator) capabilities to its MIB Smithy series of products starting with version 2.0. Notification (trap/inform) processing was added in version 2.1 (the current version as of this report). Neither version supports agent-role (request processor) capabilities at this time. However, all PDU types are fully parsed by both versions, including requests, before unsupported PDU types are discarded by the dispatcher layer.
Both versions of MIB Smithy SDK, from which all of the MIB Smithy series are derived, have been fully tested with all four of the PROTOS c06-SNMPv1 Test Suites. Version 2.0 binds to any available port for sending requests and receiving responses. Since this was not conducive to testing, a special build was required, with the only difference from the official 2.0 release being a hard-coded binding to ports 161 and 162 as appropriate. Version 2.1 allows configuration of a bind port for receiving notifications, so it was not an issue for that version.
After running the full series of tests we found both versions to behave as expected, with no signs of failure. We have thus concluded that Muonics’ past and current product versions are not susceptible to the security vulnerabilities associated with CA-2002-03.
VU#107186 – Not Vulnerable
VU#854306 – Not Vulnerable
Important SNMP Security Notices
CERT recently released security advisory CA-2002-03 regarding multiple SNMP vulnerabilities. If you have SNMP devices running on your network, you may wish to check the following links for more information. You may have devices or computers running SNMP on your network and not be aware.