A major security vulnerability named Heartbleed was disclosed Monday night. The vulnerability affects a large portion of websites on the Internet and here at Davenport University that use OpenSSL to encrypt webpages (pages that start with https). SSL, or secure socket layer, is a cryptographic protocol which is designed to provide communication security over the Internet.
The security issue allows the stealing of information protected by SSL by stealing the private keys that protect the confidentiality of the information. Sites affected by the security vulnerability can have login credentials stolen as well as other data that would normally be protected by an SSL connection. In addition, once an attacker has the private key for a particular website, they can use the key to decrypt traffic previously sent to the server prior to the bug being disclosed.
Since Monday evening, the Information Security Team has been working with website and service owners throughout Davenport to ensure that their services are securely configured to mitigate risks associated with this issue.
The web servers that maintain our authentication portal, the primary web-based authentication method used by Davenport services, were updated on April 8th and are not vulnerable to this issue. Other campus services that utilize OpenSSL have been updated to mitigate the risk associated with the vulnerability.
Concerned individuals may wish to change their Davenport password. That can be done by following the ‘password reset’ link in the portal or by pressing ctrl+alt+del on your Davenport-owned workstation.
Due to the widespread nature of this problem, it is advisable to watch for notifications from online service providers suggesting you change your password. Alternatively, you can try to determine on your own (suggested source) if your service provider was impacted. Remember to avoid clicking on any email links that say “Change your password here” or “Click here to verify your account” – go directly to the service provider website.
Also, watch for fraudulent email claiming to be from companies with which you do business, as criminals will undoubtedly use this issue to create targeted phishing email messages to trick people into divulging their passwords. Remember: ITS will NEVER ask for your password!
Some addition information on this issue can be found here: http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/
Finally, a little humor showing how heartbleed works.
If you have any questions or concerns about this issue, please feel free to contact the Customer Support Center at extension 1212.