[Apr. 10, 2014] As you have probably heard, security researchers this week discovered a serious security flaw in OpenSSL*, a popular data encryption library that is used by an estimated two-thirds of the web servers on the Internet. This vulnerability gives hackers the ability to read confidential data from the services that we use every day and assume are mostly secure. Confidential information such as passwords or secret keys used to secure communications could be exposed if the problem is exploited. You can find more details about the security vulnerability at: http://www.heartbleed.com
* OpenSSL is an open source implementation of the SSL protocol. SSL, or Secure Sockets Layer, is the industry standard for creating encrypted links between client and server. You are using SSL when you go to any site that has an ‘https’ prefix in its URL; you’ve likely noticed the little lock icon next to the website address when you access online banking or shopping sites. SSL is also used for email services, instant messaging and other online applications.
Information Technology began scanning our network to identify vulnerable systems on April 8. As vulnerabilities were identified, we undertook immediate action to apply security patches and replace web certificates.
To date, we have confirmed that a number of our core web-based services are not impacted. We are continuing to monitor our systems and work with campus techs and our vendor partners to ensure that all vulnerabilities are identified and patched.
Since the impact of Heartbleed is widespread, you should be on the lookout for notifications from password-protected web services that you use. As service providers patch their systems, they may ask, or even require, users to change their passwords. Never follow a link in an email message to change your password; instead, go directly to the web site by typing in the address or by using a favourite or bookmark! Generally speaking, it is a good practice to change your password regularly, use a strong password, and try not to use the same password for multiple services.
Due to the nature of the exploit, recently accessed data is more likely to be exposed. You should be mindful of this as you conduct personal online business over the course of the coming days. You should avoid logging into any unnecessary services unless the service provider has announced that their systems aren’t vulnerable or have been patched.
If you have any questions or concerns, please contact the IT Service Desk at: firstname.lastname@example.org
As always, any news or updates on the situation will be available on the IT