Heartbleed Vulnerability Update and Actions
By CITO Karl Kowalski
This month, the world was alerted to a new Internet vulnerability, called Heartbleed. The vulnerability is in open-source software called OpenSSL that is used to encrypt Web communications.
Heartbleed can allow someone to access the contents of a server’s memory and potentially get access to private data such as usernames and passwords. It also means that someone could get access to a server’s digital keys and then use them to impersonate servers or to decrypt communications past, present and future.
What does Heartbleed mean for me?
You may need to change your passwords associated with email accounts and websites you visit commonly and value. This applies to both your personal and work environment. CNet has the top 100 websites, their status and site action recommendations at the link below.
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
Google services were vulnerable and have been patched. You should change your Google-side password.
https://www.alaska.edu/google/password-change
Other common sites affected include: Facebook, YouTube, Instagram, Yahoo!, Bing, Pinterest, Netflix, and the U.S. Postal Service, to name a few.
You should change your passwords, especially if you use the same username and password across multiple services.
What is UA doing to ensure services it operates are secure?
OIT Security is in the process of scanning UA networks for services vulnerable to the OpenSSL exploit known as Heartbleed. Scans of major systems used to deliver services (UAOnline, BlackBoard, Google Apps, etc.) to students and employees have been completed. Work to resolve issues is under way or has taken place. When that is complete, the university community can expect communications asking them to reset passwords.
To date, we have no evidence this exploit was perpetrated against systems at the UA System. If that changes, a more proactive approach to ensuring passwords get changed may be taken. For now, the emphasis is on detection and resolution of the vulnerability so we can continue to provide a safe computing environment.
For more information on Heartbleed and what it means for you and service providers, James Lyne has a good overview in Forbes.
http://www.forbes.com/sites/jameslyne/2014/04/10/avoiding-heartbleed-hype-what-to-do-to-stay-safe/
To check a site yourself, head to one of the links below (these links pre-fill and scan two commonly used UA sites):
http://filippo.io/Heartbleed/#classes.uaf.edu
or
http://filippo.io/Heartbleed/#uaonline.alaska.edu
Thank you for your attention to this issue and, as always, please report any anomalies or security concerns to the OIT Support Center at 450-8300, outside Fairbanks at 1-800-478-8226, or helpdesk@alaska.edu or your local IT support center.
If you have any questions, please feel free to contact Chief Information Technology Officer Karl Kowalski at kekowalski@alaska.edu or 907-450-8383.