OpenSSL “Heartbleed” security flaw

Many of you may have already read or heard about the “Heartbleed” web bug. The following information was posted on the West Lafayette Information Technology at Purdue (ITaP) website by the West Lafayette ITaP Interim Chief Information Security Officer. It is being provided for your information. Purdue University Calumet had only one server affected; this server is not internet or user accessible, and it is being fixed.

If you have questions or concerns, please contact Joe Morales, Director of Technological Infrastructure Services, at jmorales@purduecal.edu, or at 219.989.2356, or view information at http://www.itap.purdue.edu/newsroom/news/140410_heartbleed_bug.html


To limit data exposed by “Heartbleed” Web bug, individuals should change Purdue, Google, Facebook, other passwords

Online security experts at Purdue are encouraging faculty, staff and students to change their Purdue passwords and those on social, email, banking and commerce sites to defend sensitive information against one of the largest, most widespread vulnerabilities in Web history.

This vulnerability, known as “Heartbleed,” affects millions of websites and online services. The flaw lies in the widely used OpenSSL encryption software library. It allows hackers to steal sensitive information, such as server encryption keys, passwords and credit card numbers. The bug is almost two years old, yet it was discovered only recently by researchers.

Only a small percentage of Purdue’s servers have been identified as vulnerable, and administrators are updating those systems as quickly as possible. Because the University strives to help individuals keep their information secure, Purdue will continue to monitor network traffic for suspicious activity across the West Lafayette and regional campuses, says Greg Hedrick, ITaP’s interim chief information security officer.

Individuals who have logged into affected sites—including Gmail, Facebook, Yahoo, Dropbox, Intuit and OK Cupid—over the past two years may be affected by the vulnerability and should change all passwords immediately, Hedrick says. Additionally, individuals should be wary of phishing scams associated with the bug that may lead people to believe they’re a victim so they disclose their passwords.

“Changing passwords, being cognizant of phishing scams, and monitoring credit reports and financial statements are the best actions individuals can take at the moment to protect their information,” Hedrick says. “Aside from those steps, it’s the responsibility of Internet companies and organizations to update their servers to deal with Heartbleed, and many already have done so.”

Data on other popular sites, including LinkedIn, Amazon, eBay and PayPal, most likely were not exposed by Heartbleed. Still, as part of ITaP’s security outreach and education initiative, Hedrick reminds individuals that even passwords on non-affected sites should be changed, because many people tend to use the same authentication credentials for various sites.

“Most major vendors and websites affected quickly fixed the problem, but less notable apps and sites might take more time,” Hedrick says. “When you start thinking about how many websites you use that require login credentials—hotel and airline companies, health care offices, and retail sites, for example—you might be shocked by how many organizations have your information, as well as how inadequate some of their security practices can be.”

CNET has a helpful list of which social media sites and companies use OpenSSL and which ones don’t.
Additionally, Lynda.com has released a video that explains what the Heartbleed bug is and what you should do to stay safe. It also provides resources for following the latest Heartbleed developments and is available here for Purdue faculty and staff.

What else can I do to protect myself?

Use a password manager. Using the same password frequently increases the risk that it will be compromised, but remembering multiple passwords for various websites can be tricky. Consider using a secure password management service to help keep track of your login credentials.

Create strong passwords. If a password is complex, it’s more likely to withstand attempts to crack it. Choosing a child’s name or mother’s maiden name, for example, is the equivalent of locking the front door and placing the key under the welcome mat — with minimal effort, even an amateur hacker can determine basic personal information and use it to obtain an individual’s or company’s private data. Generally, passwords should be eight to 16 characters and should not be words or names in the dictionary. They should contain at least one letter, at least one number, symbol or punctuation mark, and have more than four unique characters. It is a good idea to change passwords every 30 days even if not required.
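The rules in the paragraph above (8 to 16 characters, not a dictionary word or name, at least one letter, at least one number, symbol or punctuation mark, more than four unique characters), turned into a checker as an added example; this is not code from the original article or from ITaP, and the small word list is constructed for illustration in place of a real dictionary file.

```python
import string

# Constructed stand-in for a real dictionary / name list. A deployment would
# load a full word list (for example /usr/share/dict/words) into this set.
DICTIONARY_WORDS = {"password", "welcome", "purdue", "letmein", "sunshine", "boilermaker"}


def check_password(pw: str, dictionary=DICTIONARY_WORDS) -> list:
    """Return the list of rules from the article that `pw` fails.

    An empty list means the password satisfies every rule.
    """
    problems = []

    # Rule: eight to 16 characters.
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8 to 16 characters")

    # Rule: at least one letter.
    if not any(c.isalpha() for c in pw):
        problems.append("must contain at least one letter")

    # Rule: at least one number, symbol or punctuation mark.
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("must contain at least one number, symbol or punctuation mark")

    # Rule: more than four unique characters (blocks "aaaa1111"-style padding).
    if len(set(pw)) <= 4:
        problems.append("must have more than four unique characters")

    # Rule: not a word or name in the dictionary. Check the password itself and
    # its letters-only core, so a dictionary word padded with digits or
    # punctuation (e.g. "Purdue1!") is still rejected.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in dictionary or core in dictionary:
        problems.append("must not be a dictionary word or name")

    return problems


def is_acceptable(pw: str) -> bool:
    """True when the password passes every rule in check_password."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["password", "Purdue1!", "aaaa1111", "Tr0ub4d0r&3"]:
        print(candidate, "->", check_password(candidate) or "OK")
```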

Keep your password secure. Never store passwords in batch files, login scripts, macros, terminal function keys or in computers without access control. Never write down passwords and leave them in places where they could be discovered. If a password must be written down to be remembered, it should be stored in a safe, hidden place and shredded once the password is memorized. Never send a password through email, even if a request looks official. Assume email requests for passwords are phishing scams. Change a password immediately if there’s any suspicion it’s been compromised.

Stay vigilant. Continue to monitor your financial statements and credit reports to identify potential fraudulent activity as early as possible. Contact your financial institution and place a fraud alert on your credit report if you discover your information has been compromised.

Writer: Andrea Thomas, ITaP technology writer, 765-496-8204, thomas78@purdue.edu
Sources: Greg Hedrick, ITaP interim chief information security officer, 765-494-1875, hedrick@purdue.edu
Keith Watson, ITaP security architect, 765-496-7470 ext. 67470, kaw@purdue.edu
Last updated: April 10, 2014