Information and Communication Technologies
Heartbleed and Laurier
Employee Service Desk x4357
Heartbleed and Laurier
Heartbleed and Laurier: servers not affected; preventative fix installed April 9
Ken Boyd and Carl Langford
April 10, 2014
What is Heartbleed?
Heartbleed is an Internet security breach that goes after a vulnerability in the security protocol, OpenSSL. OpenSSL is a set of open-source libraries that companies use to encrypt their websites. Over half of all secure sites (the ones that show as https: ) use OpenSSL. The vulnerability, if exploited, would enable someone to see your password on a given site and thus compromise whatever information you have stored or access on that site.
ITS became aware of this vulnerability late last week and worked with our firewall vendor to ensure Heartbleed was prevented from coming on our campuses. The vendors have provided us with a preventative fix, which was implemented April 9. ITS servers do not use versions of OpenSSL that are affected, but our fix will prevent any pass through traffic as a result of other systems being compromised. There are some servers at Laurier that are not under ITS control. We are testing them right now. If they are vulnerable they will be taken offline until a fix can be implemented.
Heartbleed and You
Although there is no evidence as yet, it is possible that hackers may have infiltrated your accounts. There are some steps you can take to protect yourself. These are good practices you should always be doing to protect you and your information.
1) Check your accounts for any strange activity or transfers. Contact your financial institutions immediately if you see any unusual activity on your accounts
2) Here is a list of 10,000+ websites that have been scanned for the Heartbleed vulnerability. https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt
Click Ctrl-F and type in the name of the website you want to check. This list is sorted with the vulnerable sites at the top of the list.
3) Change your passwords frequently. Especially any of your passwords that access your financial information. Change your passwords at least every 6 months, changing every 2 months is preferred. Never reuse a password and don't just add an incremental number at the end of an old password
4) Use strong passwords. Strong passwords include upper and lower case letters, numbers and special characters (!@#$, etc.)
a. Here is an example
i. Weak: password
ii. Stronger: wrdpas$
5) Be aware of any phishing attempts. We have seen a number of phishing attempts over the last few years. Fortunately we are blessed with a well informed community who are savvy to this kind of activity. We are not aware of any successful attempts and, with your continued help, none will be successful in the future.