Why am I receiving this message?
As you may have heard in the news, a major worldwide vulnerability has been discovered that may affect 2/3 of the websites on the internet.
The Heartbleed bug is a flaw in versions of OpenSSL that allows access to information that would normally be protected through secure connections. It allows anyone on the Internet to see what's in the memory of systems protected by OpenSSL, leaving no evidence that they've done so. Approximately 2/3 of all websites are affected. Researchers reported the bug on April 7, but the vulnerability has existed since 2011. Note that this is not a breach of a password database. Website owners and vendors worldwide are in the process of updating/patching the servers hosting these websites.
What RIT is Doing
- RIT has successfully secured the vast majority of our computing infrastructure with patches and other mitigations. Some lower-profile services have been taken offline until patches are released and mitigations applied. This is a necessary step to protect RIT.
- RIT continues to work with vendors to implement patches and other mitigations.
- The RIT Information Security Office continues to conduct vulnerability scanning of the RIT network until all vulnerabilities have been addressed.
What You Need To Do
- For RIT passwords, please change your passwords. Given the scale of this vulnerability, there is concern that passwords may be at risk.
- For personal passwords, we recommend that you change your passwords. Priority should be given to sites accessing private information, financial accounts and email. Note that if the website is still vulnerable, you may need to change your password again after the site is patched.
- Stop using the same password for multiple sites! Create a new unique password for each site. Yes, this is painful.
- Be alert for phishing attempts leveraging the publicity around the OpenSSL bug.
- Many thanks to the RIT information technology community that has been working around the clock to patch and protect RIT!
For More Information
- The Heartbleed Bug <http://heartbleed.com/>
- Heartbleed: What You Should Know <http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/>
- Half a million widely trusted websites are vulnerable to Heartbleed bug <http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html>
- How to Protect Yourself From the "Heartbleed" Bug <http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug//>
- Heartbleed Website lists <https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt>. NOTE that this list is a snapshot in time. Many of the sites listed as vulnerable may have been fixed.
- LastPass Heartbleed checker <https://lastpass.com/heartbleed/>. This allows you to put in a website address to determine if it's been fixed.