As you may be aware from an ITS email and technology news coverage, a serious security flaw (known as Heartbleed) has been found in the OpenSSL cryptographic software library; it was made public on Tuesday, April 8, 2014. The flaw allows private information that is normally protected by encryption to be exposed to attackers, including login and password information for affected systems, among other things.
What does it mean for you?
Information Technology departments here at Northeastern University and across the world have been working to repair vulnerable systems since the flaw was announced. There is a general recommendation that passwords on systems which were affected should be changed. Mashable has compiled a good overview of systems that were vulnerable to this flaw.
It is important to note that you should not instantly change every password to every online resource you use. Take a measured approach and use the following criteria to determine if you need to change your passwords:
- You have high value accounts that have been identified as vulnerable. This includes financial websites and others which contain Personally Identifiable Information (PII). Examples would be online tax sites, banking sites etc.
- You have a habit of using the same Login and Password pair across multiple websites. Reusing a credential/password pair is never a recommended practice, because a single compromised site then exposes every other account that shares those credentials.
- You have accounts on web resources that have been confirmed to be vulnerable. The list from the Mashable link above only contains the top 1,000 sites. You should visit each resource and look for system announcements indicating their status.
- Any other account where you may have concern.
Other Issues to Address
In the coming weeks, it is vitally important that you have a heightened awareness regarding your different online accounts. Hackers and Internet criminals never pass up a good crisis. Expect to see spam and phishing emails in the future which claim your accounts have possibly been compromised due to Heartbleed and you need to reset your passwords immediately. Always reset your password by visiting the website directly, rather than clicking through in an email. If you have any doubts about the validity of emails, contact the service provider through a known phone number.
The following are resources to check whether a website is still vulnerable to the Heartbleed bug. Note that these tools report only a site's current status; a site that tests clean now may still have been vulnerable before it was patched:
- Symantec SSL Toolbox
- Qualys SSL Labs Server Test
Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or email@example.com.