Office of Information Technology

Vulnerability | Heartbleed | 11 April 2014

ATTENTION: Heartbleed Vulnerability Update and Actions

On Monday, 7 April, the world was alerted to a new Internet vulnerability, called Heartbleed. The vulnerability is in open-source software called OpenSSL that is used to encrypt Web communications.

Heartbleed can allow someone to access the contents of a server’s memory and potentially get access to private data such as usernames and passwords. It also means that someone could get access to a server’s digital keys and then use that to impersonate servers or to decrypt communications past, present and future.

What does Heartbleed mean for me?

You may need to change your passwords associated with email accounts and websites you visit commonly and value. This applies to both your personal and work environment. CNet has the top 100 websites, their status and site action recommendations at the link below.
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Google services were vulnerable and have been patched. You should change your Google-side password.
https://www.alaska.edu/google/password-change

If your Google-side password is the same as your ELMO password, then you should change your ELMO password too.
https://elmo.alaska.edu

Other common sites affected include: Facebook, YouTube, Instagram, Yahoo!, Bing, Pinterest, Netflix, and the USPS to name a few.

You should change your passwords, especially if you use the same username and password across multiple services.

What is UA doing to insure services it operates are secure?

OIT Security is in the process of scanning UA networks for services vulnerable to the OpenSSL exploit known as Heartbleed. Scans of major systems used to deliver services (UAOnline, BlackBoard, Google Apps, etc.) to students and employees have been completed. Work to resolve issues is or has taken place and when that is complete the University community can expect communications asking them to reset passwords. To date we have no evidence this exploit was perpetrated against systems at the University. If that changes a more proactive approach to insuring passwords get changed may be taken. For now the emphasis is on detection and resolution of the vulnerability so we can continue to provide a safe computing environment.

For more information on Heartbleed and what it means for you and service providers James Lyne has a good overview in Forbes.
http://www.forbes.com/sites/jameslyne/2014/04/10/avoiding-heartbleed-hype-what-to-do-to-stay-safe/

To check a site yourself head to https://filippo.io/Heartbleed/ and enter the URL for the site.
The following links pre fill and scan two commonly used UA sites:

Thank you for your attention to this issue and as always please report any anomalies or security concerns to the OIT Support Center or your local IT Helpdesks.
 

Back to Top