<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Monotype Corsiva";
panose-1:3 1 1 1 1 2 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">GIS Managers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If you are running Esri software before the 10.3 release this information is for you.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Before the 10.3 release Esri is using SSL for security.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">SSL is going to be blocked on the state network (and at many other organizations) because of a high risk security flaw.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">This might stop traffic to your Esri software.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">This information is being sent to the agencies IT and Security departments.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><strong><span style="font-family:"Calibri",sans-serif">From Esri:<o:p></o:p></span></strong></p>
<p class="MsoNormal"><strong><span style="font-family:"Calibri",sans-serif">“SSL / TLS:</span></strong> I’m sure some people are scratching their heads about our discussion here of TLS (as opposed to SSL), and you will continue to see the terms used interchangeably
in documentation and presentations; however to be clear SSL v3 was pronounced dead last year, with the announcement of the IT industry-wide
<a href="http://blogs.esri.com/esri/arcgis/2014/10/16/avoid-ssl-poodle-bite/">POODLE SSL vulnerability</a>. Starting with the ArcGIS 10.3 release, Esri disabled SSL v3 for their web services and moved to utilizing only TLS to support the secure operations
of our customers.”<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Full article at: </span><span style="color:#1F497D"><a href="https://blogs.esri.com/esri/arcgis/2015/03/11/sharing-web-gis-services-always-enable-tls/">https://blogs.esri.com/esri/arcgis/2015/03/11/sharing-web-gis-services-always-enable-tls/</a></span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">And here is a VERY timely guidance paper:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><a href="http://downloads.esri.com/resources/enterprisegis/TLS_Guidance.pdf">http://downloads.esri.com/resources/enterprisegis/TLS_Guidance.pdf</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If you need more information, please let me know.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I have included some of the emails that are going out to the IT and Security departments.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#1F497D">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:18.0pt;font-family:"Monotype Corsiva";color:#1F497D">Bill<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#1F497D"><a href="mailto:bill.farnsworth@cio.idaho.gov"><span style="color:blue">bill.farnsworth@cio.idaho.gov</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#1F497D">208 332-1878 (w)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#1F497D">208 863-9039 (c)<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Lance Wyatt <br>
<b>Sent:</b> Friday, March 18, 2016 11:53 AM<br>
<b>Subject:</b> RE: Notice to CIOs -- OCIO to Block SSLV2 Connectivity Due to "Drown" Attack<br>
<b>Importance:</b> High<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">CIOs, <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">This is a follow up to OCIO effort to block SSLV2 at the end of this month. We are notifying you that your ESRI GIS services could be blocked once OCIO blocks SSLV2 due to older ESRI servers may still use SSLV2
even though ESRI no longer supports SSLV2 in its newer server versions. You should work with your GIS teams and confirm if their ESRI servers are communicating on SSLV2 and let OCIO know so we can discuss options. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Likewise if you have any other systems that may depend on SSLV2 connectivity please let me know so we can discuss options.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">As a reminder, OCIO plans to block SSLV2 traffic
</span>starting March 30, 2016.<span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If you have any questions or concerns please contact me. Bill Farnsworth will send a copy of this email to his GIS point of contacts as well.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Respectfully,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#1F497D">Lance Wyatt<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Deputy Chief Information Security Officer
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Office of the CIO, State of Idaho<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><a href="mailto:lance.wyatt@cio.idaho.gov">lance.wyatt@cio.idaho.gov</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><a href="http://www.cybersecurity.idaho.gov">www.cybersecurity.idaho.gov</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">O:(208) 332-1880 <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Lance Wyatt <br>
<b>Sent:</b> Wednesday, March 09, 2016 7:23 AM<br>
<b>Cc:</b> Thomas Olmstead <<a href="mailto:Thomas.Olmstead@cio.idaho.gov">Thomas.Olmstead@cio.idaho.gov</a>><br>
<b>Subject:</b> Notice to CIOs -- OCIO to Block SSLV2 Connectivity Due to "Drown" Attack<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">CIOs,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This is a notice to all State of Idaho CIOs that the OCIO is planning to block all SSLV2 traffic in and out of the state firewall due to risks associated with the “Drown” attack vulnerability. The “Drown” attack <span lang="EN">exploits
a serious vulnerability that affects HTTPS and other services that still rely on the SSL service. The Department of Administration
</span>OCIO is planning to block SSLV2 traffic starting on March 30, 2016. If your server cannot support TLS and your business model requires SSLV2 connectivity then please contact me so we can coordinate a risk assessment and the identification of associated
mitigation remedies. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please see the below links for the “Drown” attack vulnerability details:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please provide prompt feedback so we can tailor our actions to customers while we secure https communication links.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Respectfully. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Lance Wyatt<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Deputy Chief Information Security Officer
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Office of the CIO, State of Idaho<o:p></o:p></span></p>
<p class="MsoNormal"><a href="mailto:lance.wyatt@cio.idaho.gov">lance.wyatt@cio.idaho.gov</a><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><a href="http://www.cybersecurity.idaho.gov">www.cybersecurity.idaho.gov</a><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">O:(208) 332-1880 <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>