Press Release

ANX PositivePRO Customers Protected from Recently Discovered SSL Vulnerability

Posted November 23, 2009, 4:15 pm by Glenn Moore

Press Release

ANX

ANX PositivePro Customers Protected from Recently Discovered SSL Vulnerability


 SSL authentication gap allows a man-in-the-middle attack, affecting the majority of SSL-protected servers


SOUTHFIELD, Mich. (Nov. 24, 2009) - ANXeBusiness Corp., a leading provider of networking and security managed services, today announced that customers of the company’s cloud-based remote access product, ANX PositivePRO, are protected from the recent Secure Sockets Layer (SSL) vulnerability discovered by researchers at PhoneFactor, a leading global provider of two-factor security services. ANX PositivePRO is a hosted, managed VPN solution that quickly allows remote access without the need to buy, install, or configure an appliance within an organization.

 

According to PhoneFactor, a serious vulnerability in SSL, an extremely common data security protocol on the Internet, was discovered by Marsh Ray and Steve Dispensa. The SSL authentication gap allows an attacker to mount a man-in-the-middle attack, and affects the majority of SSL-protected servers on the Internet. Specifically, the vulnerability allows the attacker to inject malicious data and commands into the authenticated SSL communications path. This can often be done without either the client or server (e.g. web server and browser) being able to detect the attack.

 

The vulnerability results from a weakness in the SSL protocol standard (formally known as Transport Layer Security, or TLS). As such, most SSL implementations are vulnerable in one way or another. Affected scenarios include web surfers doing online banking, back-office systems using web services-based protocols, and non-HTTP applications such as some mail servers, database servers, and so on.

 

For ANX PositivePro customers the bulk of connections were never affected by this flaw, since the majority doesn’t use SSL. ANX PositivePro utilizes its own enhanced encryption method, WebTop Transfer Protocol (WTP).  Focusing on WTP as a method of encryption, in addition to SSL/TTS exchange enhanced security, ANX PositivePro eliminates the dependencies on the public infrastructure. For the few areas within ANX PositivePro that do rely on SSL, specifically the web interfaces to Policy Manager and WebTop, patches have been distributed thus mitigating the attacks.

 

“This SSL vulnerability discovered by PhoneFactor easily allows a hacker to disrupt any SSL communication and inject whatever type of malicious code they desire,” said Rich Stanbaugh, president and CEO of ANXeBusiness.  “When we initially acquired PositvePro last year, we specifically purchased the product because of its unique method of encryption.  This encryption has proven effective as our customers were highly protected from this SSL flaw. ANXeBusiness continues to enhance the security and infrastructure of this managed VPN solution.”

 

ANX PositivePRO can be used with company-owned laptops, home PCs, and other remote devices that use multiple remote access methods such as client-based access, Web-based access, or remote desktop control. Because PositivePRO adheres to corporate security policies for compliance and auditing compared with consumer remote access technologies often installed without IT permission or support, corporate IT and security personnel have confidence in the product along with its ease of use and flexible policy capabilities.

 

“Since the discovery, many vendors have released patches to fix the SSL flaw and we expect this to continue,” said Steve Dispensa, CTO of PhoneFactor. “I encourage administrators to be proactive in deploying mitigations, including applying vendor-supplied patches, running IDS's and firewalls, and of course, making sure all remote access is secured with a VPN like ANX PositivePro and a two-factor authentication system like PhoneFactor.”

 

PositivePRO is one of several high-demand Managed Network Services, Transaction Delivery Services, and Product Lifecycle Management (PLM) products ANXeBusiness provides for customers in a variety of vertical markets. As one of Michigan's leading technology companies, ANX works with companies in the automotive original equipment and aftermarket industries, healthcare, education, government, financial and aerospace industries as well as other manufacturing sectors.

 

ANX has been headquartered in Michigan for more than 10 years and continues to expand rapidly, completing four business acquisitions during the last two years.  The company was recently recognized as one of the world’s largest software companies in Software Magazine’s Software 500. In addition, the company was also awarded the “Best of the Best Michigan Business” by Corp! Magazine and was named as a “HOT Company” for 2009 by Network Products Guide.

 

About ANXeBusiness Inc.


ANXeBusiness Inc. (http://www.anx.com), headquartered in Southfield, Mich., has offices in Research Triangle Park, N.C., Overland Park, KS, Philadelphia, PA, San Diego, CA and Toronto. The company offers customers a portfolio of products and services that enable secure collaboration within and between enterprises, based around a deep technical expertise, broad experience with mission-critical data connectivity, a passion for customer support and a proven record of supporting business needs across multiple value chains. ANX is owned by One Equity Partners, which manages investments and commitments for JP Morgan Chase & Co. in private equity transactions.

 

Contact:  Dan Chmielewski
              Madison Alexander PR
              1-714-832-8716
               dchm@madisonalexanderpr.com

 

 
Filed under: Security Threats
Listed in Communities:


You must be logged in to post comments.