IT Security Advisory – Campus Response to OpenSSL “Heartbleed Bug”

Background –

Last week, a major security vulnerability related to secure websites was disclosed.  It is estimated that up to 60% of all websites on the Internet are or were impacted by this vulnerability.  I want you to rest assured that the staff of the Office of Information Technology have been monitoring this very closely and have taken proactive steps to ensure University information remains secure.  Clarkson University PeopleSoft, MyMail (Outlook Web Access), Moodle, CAS and other core services are not and were not affected by this vulnerability.  And, there is no indication that any Clarkson University information or account credentials were in jeopardy or were actually compromised as a result of this vulnerability.

Secure Passwords – 

While no University information was at risk as a result of this compromise, a number of other popular websites were impacted.  Several of these websites are advising users that their passwords may have been compromised and that they should now be reset.

This is a good opportunity to remind you of the following best-practices for passwords:

  • You should not use the same password for your Clarkson accounts that you use on other websites
  • Consider using a passphrase rather than a password
  • Include a mixture of uppercase, lowercase, numbers and symbols in your password
  • It is recommended that you change your password at least once per year

What should you do?

  • Check whether a website you are using was vulnerable by contacting the vendor or checking the CNET HeartBleed Status List.  If the website was vulnerable or it’s unclear, change your password for that site.
  • Pay close attention to notifications sent to you by your bank, personal email provider, social networking, or other vendor about OpenSSL or Heartbleed.  (However, remain mindful of these best practices to avoid phishing attempts.  Criminals may use this as an opportunity to trick you into revealing personal information.  Never send your password or sensitive information in response to an email and do not click on links included in an email to get to a vendor's site.  Type a known good URL directly into your web browser.)
  • If you use any external services not provided by Clarkson OIT for conducting University business, please report that service to the Service Center so that we may assess the risk.