April 24, 2014
Information Security Alert: Change RIT passwords
Editor’s Note: As a member of the RIT community, you are being asked to change your RIT password. Because of the severity of the Heartbleed vulnerability, this is an urgent request. Please read the background on the vulnerability and follow the instructions below.
Why am I Receiving Another Update?
We wanted to provide another update on the Heartbleed situation and remind you to change your RIT passwords. The Heartbleed bug has been widely reported and will require action on your part.
- Heartbleed bug background: There is a flaw in versions of OpenSSL that exposes information that would normally be protected by secure (SSL/TLS) connections. The Heartbleed bug allows anyone on the Internet to read what is in the memory of systems protected by OpenSSL, which can include passwords and other data being handled at the time, and it leaves no evidence that they have done so. Approximately two-thirds of all websites are affected. Researchers reported the bug on April 7, but the vulnerability has existed since 2011. Note that this is not a breach of a password database. Website owners and vendors worldwide are in the process of updating and patching the servers hosting these websites.
- Current Heartbleed status: Recommendations vary widely on what computer users should do in response to the Heartbleed bug and on which websites were affected, and you may find this confusing. You have been affected. Many of you have already been contacted by the owners of various websites and services and asked to update your passwords. Popular websites such as Dropbox, Yahoo, Twitter and others were affected, and many of them are requesting password changes.
- Android: There are reports circulating that older Android devices (running version 4.1.1) may be vulnerable to the Heartbleed bug. Google has stated that less than 10 percent of devices run vulnerable versions.
What You Need To Do:
- For RIT passwords, please change your passwords. Given the scale of this vulnerability, there is concern that passwords may be at risk.
- For personal passwords, we recommend that you change your passwords, but you may want to check with each site first to see whether it was vulnerable and whether the exposure has been fixed. Give priority to sites that hold private information, financial accounts and email. Note that if a website is still vulnerable, you may need to change your password again after the site is patched; a password changed on an unpatched site can be exposed again.
- Stop using the same password for multiple sites! Create a new unique password for each site. Yes, this is painful.
- Be alert for phishing attempts that exploit the publicity around the OpenSSL bug. These may take the form of fake notifications asking you to click a link to change your password. Don’t click the link! Instead, type the website address into your browser, visit the site directly and then change your password there.
- Be patient. It may take several weeks (at least) for companies to fix the Heartbleed bug and there may be disruption to Internet services.
What RIT is Doing:
- RIT has successfully secured the vast majority of our computing infrastructure with patches and other mitigations. Some lower-profile services have been taken offline until patches are released and mitigations are applied. This is a necessary step to protect RIT.
- RIT continues to work with vendors to implement patches and other mitigations.
- The RIT Information Security Office continues to conduct vulnerability scanning of the RIT network until all vulnerabilities have been addressed.
- RIT is quarantining the small number of systems currently affected until they are remediated.
- Many thanks to the RIT information technology community that has been working around the clock to patch and protect RIT!
For More Information:
- The Heartbleed Bug website.
- Article: Heartbleed is about to get worse, and it will slow the Internet to a crawl.
- Article: Heartbleed Bug Puts Millions of Android Devices at Risk.
- Article: Lookout Android Heartbleed Detector.
- The LastPass Heartbleed checker website, which lets you enter a website address to see whether that site has been fixed.
Follow us at the RIT Information Security Office Twitter page.