CAUTION: New Internet bug exposes data

The problem

A major security vulnerability named the Heartbleed Bug was disclosed Monday night. The vulnerability affects many websites that use OpenSSL to encrypt web pages (pages whose addresses start with https). SSL, or Secure Sockets Layer, is a cryptographic protocol designed to secure information being transmitted over the Internet.

Heartbleed allows access to information protected by SSL by stealing the private keys that protect that information. Once an attacker has the private key for a particular website, the bug can scrape a server's memory, where sensitive user data is stored, including usernames, passwords, and credit card numbers.

The response

Since Monday evening, Miami's IT Security Office has been working with website and service owners across campus to ensure that Miami websites and services are securely configured. According to Joe Bazeley, Miami’s information security officer, “We believe we have identified all vulnerable servers in our data center, and are working to apply the patch to each. Only 56 of Miami’s data center servers appeared to be vulnerable to this attack. Of those, 50 are accessible only to Miami developers. More importantly, none of them are our critical servers such as Banner, Kronos, or our authentication servers.”

Anyone managing a server outside of the IT Services data center should check to see if that server is vulnerable. If you are unsure of how to complete that check, contact Bazeley at InfoSec@MiamiOH.edu.

What you should do

You should pay close attention to any online accounts that contain sensitive information, like online banking, bill pay services and shopping sites. Bazeley cautioned, “This vulnerability doesn’t affect all websites using https, but it does affect a large number of them and there is no easy way for you to tell if a site is vulnerable. If you can avoid using sensitive sites, like banking sites, for several days, that is a good idea. If you have to use a sensitive site, a week from now you should change your password in case it was stolen by an attacker.”

More information

The following websites offer useful information on the Heartbleed Bug and steps you may want to take to ensure that your personal information is safe online:

http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/

http://www.npr.org/blogs/alltechconsidered/2014/04/08/300602785/the-security-bug-that-affects-most-of-the-internet-explained

If you have questions about the Heartbleed Bug, contact the IT Information Security Office at InfoSec@MiamiOH.edu.