Background on OpenSSL and Heartbleed
On Monday, April 7, a flaw was publicly disclosed in OpenSSL, the widely used open-source library that provides the encryption (SSL/TLS) protecting Internet traffic between one device and another. Most users know it as the small closed padlock and "https:" in the web browser that signify an encrypted connection. The flaw, nicknamed "Heartbleed" (CVE-2014-0160), lets a remote attacker read chunks of a vulnerable server's memory, up to 64 KB per request and repeatable at will, without leaving a trace in normal logs. That memory can contain usernames, passwords, session cookies, and even the server's private encryption key.
Why this matters
OpenSSL is used everywhere: when you shop at Amazon, access your personal email, use your online banking, or visit your social network, blogging and sharing sites. It is also used on personal mobile devices, such as smartphones and tablets, by some browsers and by apps that bundle their own copy of the library. The "Heartbleed" vulnerability could allow a remote attacker to read sensitive data sitting in the memory of an affected server or app, such as login information like usernames and passwords, and it affects only systems running OpenSSL 1.0.1 through 1.0.1f (older 0.9.8 and 1.0.0 releases do not have the heartbeat code and are not affected; 1.0.1g fixes the bug).
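What actually went wrong is a missing length check, and it is easier to see in code than in prose. The following is an added illustration written for this page, not OpenSSL's own source: it models a TLS heartbeat record (RFC 6520: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding) sitting at the front of a small "memory" arena, with a constructed fake session cookie placed right after it to stand in for whatever else the server happened to have in memory. The vulnerable handler trusts the payload length claimed by the sender; the fixed handler applies the same bounds check that OpenSSL 1.0.1g added (reject the record if 1 + 2 + payload + 16 exceeds what was actually received). The arena, the cookie string and the helper names are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled process memory (assumption of this example): the received
 * heartbeat record is laid out at the front, and "neighbouring" data that
 * the server never meant to send sits immediately after it. */
#define ARENA_SIZE 256
#define HB_PADDING 16          /* RFC 6520 minimum padding */

static unsigned char arena[ARENA_SIZE];
static const char NEIGHBOUR[] = "session=SECRET-COOKIE-VALUE"; /* constructed */

/* Build a heartbeat_request at arena[0..]: type(1) | length(2, big-endian)
 * | payload | padding. claimed_len is whatever the sender wrote in the
 * header; the payload actually sent is `payload`. Returns the record's real
 * on-the-wire length. */
size_t build_arena(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    size_t rec_len = 3 + plen + HB_PADDING;      /* real length received */
    memcpy(arena + rec_len, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    return rec_len;
}

/* Vulnerable handler (the pre-1.0.1g logic): copies as many bytes as the
 * header claims, without comparing that against the record length that was
 * actually received. The only cap here keeps the model inside the arena so
 * the demonstration itself is well-defined C. Returns bytes placed in out. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) payload = out_cap;
    memcpy(out, rec + 3, payload);               /* reads past the record */
    return payload;
}

/* Fixed handler: the check added in OpenSSL 1.0.1g. A record whose claimed
 * payload plus padding does not fit in what was received is silently
 * discarded (RFC 6520 section 4), so the function returns 0. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

typedef size_t (*hb_handler)(const unsigned char *, size_t,
                             unsigned char *, size_t);

/* Run one handler on a request whose header claims `claimed_len` bytes but
 * carries only "hi". Returns the number of bytes the handler would echo. */
size_t reply_len(hb_handler handler, uint16_t claimed_len) {
    unsigned char reply[ARENA_SIZE];
    size_t rec_len = build_arena(claimed_len, "hi");
    return handler(arena, rec_len, reply, sizeof reply - 3);
}

/* Returns 1 if the reply contains the neighbouring secret, i.e. memory
 * outside the record leaked to the peer. */
int leaks_secret(hb_handler handler, uint16_t claimed_len) {
    unsigned char reply[ARENA_SIZE];
    size_t rec_len = build_arena(claimed_len, "hi");
    size_t n = handler(arena, rec_len, reply, sizeof reply - 3);
    return n > 0 && contains(reply, n, "SECRET-COOKIE");
}

int main(void) {
    printf("honest request (claims 2):   vulnerable leaks=%d fixed leaks=%d\n",
           leaks_secret(heartbeat_vulnerable, 2), leaks_secret(heartbeat_fixed, 2));
    printf("malicious request (claims 100): vulnerable leaks=%d fixed leaks=%d\n",
           leaks_secret(heartbeat_vulnerable, 100), leaks_secret(heartbeat_fixed, 100));
    return 0;
}
```

An honest two-byte request gets a two-byte echo from both handlers. A request that claims 100 bytes while sending two makes the vulnerable handler echo 100 bytes starting at the payload, which here includes the fake cookie; the fixed handler discards the record and echoes nothing. A real attacker can claim up to 65535 bytes and repeat the request indefinitely, which is why the advice below treats any credential or key that was in an affected server's memory as potentially exposed.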
What Brown is doing
Brown technical staff have been engaged and responding to this issue since the bug became public. The Information Security and Network Technology groups in CIS, in conjunction with technical staff members across campus, have assessed the areas at Brown that are affected by this vulnerability. Most fixes are already in place, while others are in progress.
What you should do
Most of the work that needs to be done is by technical staff who must patch the affected servers and systems, whether for Amazon, Yahoo, your bank, social network, etc., or here at Brown for those few servers and systems that must be updated.
There are, however, a few tips and actions you may want to consider for your personal computing. The following have been gathered from multiple open sources and are based upon guidance and advice from experts across many areas:
- At this time, Brown University is not asking users to change their Brown network passwords.
- Regarding your other passwords, we recommend that you update them, but only after it has been confirmed that the website has taken the proper measures and is secure. A new password entered on a site that is still vulnerable can be captured just like the old one. Many sites and services are already emailing their customers to confirm that they have patched and replaced their certificates.
- If the sites and services that you use offer alternate ways of confirming your identity, such as a cell phone number for confirmation text messages, consider enabling them. This limits what an attacker can do with a stolen password.
- The flaw is in OpenSSL, which most desktop browsers do not use for their own HTTPS connections (they ship their own encryption libraries), so the main risk to you is the servers you connect to. Some mobile browsers and apps do bundle a vulnerable copy of OpenSSL, however, so install browser, app and operating system updates promptly when they are offered.
- You can test sites using the Heartbleed Test Site (https://lastpass.com/heartbleed).
- In the short term, when finished with a website, completely log out if you were logged in (such as with Facebook, Yahoo, etc), and when finished surfing the web, close your browser.
- We anticipate a new wave of phishing messages using this vulnerability as an excuse to steal login credentials and compromise accounts. Beware of spam messages about "Heartbleed."
- Monitor financial statements closely. Check bank and credit card statements for unusual activity.
- Unless you have heard from your bank directly that they are not vulnerable, we recommend refraining from doing any online banking for a few days.
- Background Information: The Heartbleed Bug
- Heartbleed Bug Health Report
- The Heartbleed Hit List: The Passwords You Need to Change Right Now
- NPR Marketplace story: The Heartache of Heartbleed
- Brian Krebs: What Can You Do?
- How to talk to your kids (or manager) about "Heartbleed"
CIS is excited to announce an important addition to our software portfolio, LabVIEW! LabVIEW is a graphical development environment for measurement, test and control systems. The software is supported by National Instruments, but the IT Service Center can assist with installation.
Brown instructors, have a project in mind to make your class more engaging with technology? Want to spend a few days this summer learning what technology support Brown has to offer and getting hands-on help developing a project plan? Academic Technology is now accepting proposals for faculty instructional projects and for our annual Brown Summer Institute. For more information, contact firstname.lastname@example.org. The deadline for Summer Institute applications is April 27th.
Yesterday, Microsoft issued the last update for Windows XP. As a result, Computing and Information Services will not be able to continue supporting XP. Because a system that no longer receives security updates stays permanently exposed to any flaw found after this point, CIS recommends upgrading or replacing your computer as soon as possible. Faculty and staff, please consult your department's IT support professional prior to upgrading your operating system.
We've heard from a lot of students who don't realize it's possible to print to PAWPrints from their own computers. We've recorded Mac and PC videos of the setup. Remember that you need to be connected to Brown-Secure wireless or with an ethernet cable on campus in order to print. Follow along with the text instructions here.
ISG has added the new section How Do I ...? to their web pages. From the main "Information Security" link, click on the "How Do I ...?" link for a collection of commonly asked questions with quick answers, plus links to more details.
Brown's Google Apps service allows each of us to have 30 GB shared storage for email and Google Drive. If you're getting close to your limit or just feel like keeping things clean, you can find big files in your mail and drive using the following instructions.
There's now an easier way to search your emails by size. Open the Advanced Search by clicking the triangle on the inner right of the search box at the top of your email.
You'll see an option to enter a size in the Advanced Search. You might want to start with 15 MB - if you don't find enough results, decrease the number and try again.
Once you delete emails, they will be automatically removed from your trash after 30 days. You can also empty your trash manually.
You can also sort your Google Drive by size to find the biggest files. Find a column heading (such as 'Owner' or 'Last Modified') and click the small triangle next to it. Choose to sort by Quota Used. In Drive, the trash does not automatically empty - if you move a file to the trash and want to lower your used quota, you will have to click the Trash link on the left menu and then the Empty Trash button.
As promised, students can now download Office for free by following these instructions. Student copies of Office can be installed on up to five computers and will remain functional until 30 days after graduation.
Help us crowdsource Brown's WiFi coverage issues! Report areas with no or low coverage by tweeting the location with the hashtag #brownwifi.
- Be as specific as possible about the location. Include the building, floor number, and room number or landmark to help us find the spot.
- We can only see public tweets, and for privacy reasons, don't tweet the location of your dorm room. You can always email coverage issues to email@example.com.
- We won't be able to assist you at the location; the hashtag is just for reporting areas with low or no wireless access. Immediate or unrelated issues should be reported as usual to the IT Service Center (firstname.lastname@example.org, 3-4357).
- If you’re on Twitter, follow us at @ITatBrown for tech updates.
The latest issue of Secure IT! has been released, now located on the new Information Technology site. While this brings a slightly different look to the newsletter, it continues to offer timely tips to keep you safe online.
We invite you to peruse this issue, view back issues (to 2010) and send us ideas for future ones. Enjoy!
- CISO Memo: Spam, Spam, Spam, Spam :: A nuisance that can also be malicious.
- October means National Cyber Security Awareness Month :: And lots of chances to "Don't Get Caught, Get Cautious" and enter a contest to win an iPad mini or Samsung Galaxy Tab 3.
- Identity Finder Reminder :: Not running Identity Finder regularly? Find out how and why.
- Android Malware :: Being popular makes you a desirable target.
- ISG Moves to Main Campus :: Now conveniently located at the intersection of Angell & Thayer.
- Two-Step Verification :: When passwords aren't enough.
- Protecting Brown's Information :: Never taken the class? Like a refresher?