Security Threat - Heartbleed Bug

What is it?

Earlier this week, a serious computing vulnerability called the Heartbleed Bug was discovered. This weakness affects a large number of websites, allowing an attacker to steal login information and other data that would normally be protected by the SSL protocol for communication (i.e., pages that start with https). According to a research firm, Netcraft, as many as 500,000 servers may be affected globally. Further information about this can be found at:

http://cacr.iu.edu/news/631

How does it affect York University?

UIT has been working to identify and notify the owners of systems that may be vulnerable to this issue. Affected servers need to be updated to the latest version of OpenSSL. Fortunately, many important York systems, such as Passport York, were never at risk from this vulnerability, and many systems have already been updated. Network-based defenses are in place to help prevent threats from outside York’s campus network.

At this time, there is no indication the vulnerability has been used to compromise data from any York site. However, code that could potentially do so is publicly available, and there are indications that the bug existed for 2 years before becoming publicly known.

What can you do?

Clients are advised to take the following actions:

  • Change the passwords for all of your accounts (York and external) using direct password-changing methods, such as Passport York.
  • Be vigilant about fraudulent phishing messages that ask you to change your password by clicking on a link in an email. There are already indications that criminals are using the opportunity to create targeted “phishing” email messages to trick people into divulging passwords via email or to direct them to a malicious/fraudulent web site.

Questions or concerns can be directed to UIT Client Services.