On April 7, researchers disclosed a flaw in OpenSSL, a widely used software library that encrypts Internet traffic. The bug, named Heartbleed, allows an attacker to capture usernames, passwords, and other sensitive information handled by an affected server.
Since Tuesday morning, T&I has been evaluating university systems and has confirmed that no core critical systems, including myCI, have been affected.
Although there is no evidence that any CI resources have been compromised, the vulnerability has existed since March 2011, so we are urging all members of the CI community who use myCI to change their myCI password. Please note that if you use wireless devices at CI, you will need to update your WiFi password after you change your myCI password.
Why does this matter?
Much of the Internet relies on OpenSSL to protect secure traffic. At least 500,000 servers worldwide appear to be affected by the bug, and some personal computers and mobile devices are also affected. Until the bulk of affected computers are fixed, or “patched”, any secure site (e.g., one using https://) on the Internet is potentially dangerous to visit. Many companies are sending communications to their customers with a status update such as “all clear” or “not vulnerable”.
What should I do?
First off, don’t panic. While this is a serious vulnerability, security folks around the world are working around the clock to reduce the risk. Nevertheless, there are some things you can do while the world catches up:
- Avoid online banking and shopping for a few days, if you possibly can.
- Don’t change any of your online passwords until those sites tell you that it’s OK; otherwise you may be giving attackers your new password.
- Be suspicious of any e-mails asking you to change passwords, as there may be an increase in phishing attempts.
- Remember that legitimate e-mails will never ask you to respond with sensitive information such as a password, SSN, or bank account number.
- Apply the latest security updates to your home and work computers, as well as to your mobile devices.
- If in doubt, ask! Contact the Customer Service department at the company or site in question.
How do I know if a site I use is affected and requires a password update?
Check the resources below to see whether sites you commonly use require an immediate password update. Most of the large social media sites have issued statements regarding the current status of their sites.
- Mashable.com: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
- CNET.com: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
- Background Info: The Heartbleed Bug
- Heartbleed Bug Health Report: https://zmap.io/heartbleed/
- NPR Marketplace story: The Heartache of Heartbleed
- Brian Krebs: What Can You Do?
- Qualys SSL Labs: https://www.ssllabs.com/ssltest/ to test a site for vulnerability
Please direct any questions or concerns to the Information Security Office at firstname.lastname@example.org.