Background on OpenSSL and Heartbleed
Late on Monday, April 7, researchers discovered a flaw in the security tool, OpenSSL, which provides the encryption that protects Internet traffic and communications between one device and another. Most users would know this as the small, closed padlock and "https:" on web browsers to signify that your Internet traffic is secure. The flaw, nicknamed "Heartbleed", allows an attacker to capture usernames, passwords, and pretty much any other information.
Why this matters
OpenSSL is used everywhere: when you shop at Amazon, access your personal email, use your personal banking, or visit your social network, blogging and sharing sites. It can also be used to secure communications on personal mobile devices, such as smart phones and tablets, through the securing of web browsers, or installations of web apps you may have installed. The "Heartbleed" vulnerability in OpenSSL could allow a remote attacker to access sensitive data that is passed through it, such as login information like usernames and passwords.
What Brown is doing
Brown technical staff has been engaged and responding to this issue as soon as the bug became public. The Information Security and Network Technology groups in CIS, in conjunction with the technical staff members across campus, have assessed the areas at Brown that are impacted by this vulnerability. Most fixes are already in place, while others are in progress.
What you should do
Most of the work that needs to be done is by technical staff who must patch the affected servers and systems, whether for Amazon, Yahoo, your bank, social network, etc., or here at Brown for those few servers and systems that must be updated.
There are, however, there are a few tips and actions you may want to consider for your personal computing. The following have been gathered from multiple open sources, and are based upon guidance and advice from experts across many areas:
- At this time, Brown University is not asking users to change their Brown network passwords.
- Regarding your other passwords, we recommend that you update them but only after it has been confirmed that the websites have taken the proper measures and are secure. Many sites and services are already sending emails to their customers that they have taken the proper actions.
- If the sites and services that you use include alternate ways of confirming your identity, such as a cell phone number for confirmation text messages, consider using them. This will mitigate an attacker if your password has been compromised.
- You should exercise caution when visiting websites, as "Heartbleed" can affect web browsers. Expect all major browsers to address this issue very soon with an update, if they have not already.
- You can test sites using the Heartbleed Test Site (https://lastpass.com/heartbleed).
- In the short term, when finished with a website, completely log out if you were logged in (such as with Facebook, Yahoo, etc), and when finished surfing the web, close your browser.
- We anticipate a new wave of phishing messages using this vulnerability as an excuse to steal login credentials and compromise accounts. Beware of spam messages about "Heartbleed."
- Monitor financial statements closely. Check bank and credit card statements for unusual activity.
- Unless you have heard from your bank directly that they are not vulnerable, we recommend refraining from doing any online banking for a few days.
- Heartbleed Bug: Recap + Q&A Brown Bag | Sign-up for Brown Bag at brown.edu/go/heartbleed-brown-bag
- Background Information: The Heartbleed Bug
- Heartbleed Bug Health Report
- The Heartbleed Hit List: The Passwords You Need to Change Right Now
- NPR Marketplace story: The Heartache of Heartbleed
- Brian Krebs: What Can You Do?
- How to talk to your kids (or manager) about "Heartbleed"