ALERT: Extensive Security Flaw Found in Widely-Used Internet Data Encryption Technology

Update – 4/10/2014 at 2:30 p.m.

Heartbleed Bug: What You Need To Know

As you may be aware from an ITS email (see post above) and technology news coverage, there has been an extensive security bug found in the OpenSSL cryptographic software library; this news was made public on Tuesday, April 8, 2014. The flaw allows private information, which is normally protected by encryption, to be exposed to attackers. This includes login and password information for affected systems amongst other things.

What does it mean for you?
Information Technology departments here at Northeastern University and across the world have been working to repair vulnerable systems since the flaw was announced. There is a general recommendation that passwords on systems which were affected should be changed. Mashable has compiled a good overview of systems that were vulnerable to this flaw.

It is important to note that you should not instantly change every password to every online resource you use. Take a measured approach and use the following criteria to determine if you need to change your passwords:

  • You have high-value accounts that have been identified as vulnerable. This includes financial websites and others which contain Personally Identifiable Information (PII). Examples would be online tax sites, banking sites, etc.
  • You have a habit of using the same Login and Password pair across multiple websites. Reuse of credential/password pairs is never a recommended practice as it increases the possibility that one compromised system could ultimately have wider reaching effects.
  • You have accounts on web resources that have been confirmed to be vulnerable. The list from the Mashable link above only contains the top 1,000 sites. You should visit each resource and look for system announcements indicating their status.
  • Any other account where you may have concern.

Other Issues to Address 
In the coming weeks, it is vitally important that you have a heightened awareness regarding your different online accounts. Hackers and Internet criminals never pass up a good crisis. Expect to see spam and phishing emails in the future which claim your accounts have possibly been compromised due to Heartbleed and you need to reset your passwords immediately. Always reset your password by visiting the website directly, rather than clicking through in an email. If you have any doubts about the validity of emails, contact the service provider through a known phone number.

Other Resources
The following resources check whether a website is still vulnerable to the Heartbleed bug. Note that they report only the site's current status, not whether it was previously vulnerable:
Heartbleed test
Symantec SSL Toolbox
Qualys SSL Labs Server test

Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

———————————————————————————————-

Originally posted – 4/9/2014 at 12:30 p.m.

The text below was sent to all Northeastern students, faculty and staff.

This week, security researchers announced the discovery of an extensive security flaw in OpenSSL, called the Heartbleed Bug. OpenSSL is used by a majority of online services to encrypt data over the internet. Sites like Facebook, Yahoo, and Gmail all leverage OpenSSL to encrypt your data.

What is the Heartbleed Bug?
In a nutshell, the Heartbleed Bug provides an opening for hackers to access your data that has traveled across the internet using OpenSSL. This includes things like user names and passwords, personal information, and credit card information that you would use on sites like Gmail, Yahoo, Facebook, or ecommerce and banking sites.

What can we do to protect ourselves?
Although it was recently discovered, this bug has been in place for a few years. Security experts are still determining the scope of the impact. ITS recommends that you immediately change your passwords for high value accounts like financial accounts or accounts that allow access to personal data like tax information. Sites like Gmail, Yahoo, ecommerce, and online banking sites are all working to correct any vulnerability to minimize the risk to users going forward. ITS also advises that you continue to monitor your accounts in the coming months, especially those that contain more sensitive data like banking or credit card information.

ITS has no indication that myNEU passwords would need to be changed at this time. If you have a non-ITS-managed machine, particularly one running UNIX/Linux, ITS advises that you immediately check for operating system patches and apply any critical or recommended security patches.

What is ITS doing to protect Northeastern?
To reduce our risk internally, ITS has already been working through the week to patch all of Northeastern’s technology that relies on OpenSSL. This includes patching of applications, servers, and our networks. We are continuing to work with our partner providers and vendors to address this serious security concern.

How can I get more information on the Heartbleed Bug?
Mashable – The Heartbleed Hit List: The Passwords You Need to Change Right Now
CNET – Heartbleed Bug Undoes Web Encryption, Reveals Yahoo Passwords
ComputerWorld – Heartbleed Bug in OpenSSL Leaves Encrypted Communications at Risk
Heartbleed Main Information Page

 
