Update: Mashable's article about passwords you need to change is a fantastic resource. Visit http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
By now you've likely heard the news about the Heartbleed Bug (http://heartbleed.com). The reason this bug is getting so much press is that it is a vulnerability in OpenSSL, an encryption library used by more than half of the websites you log into on the internet.
It's important to keep in perspective that this security flaw has been around for 2 years and was only just announced. Just because a service was vulnerable doesn't mean the vulnerability was exploited.
On-campus systems that were vulnerable include RT, CITStatus, Wiki, and a few monitoring servers. These have been patched and we are exploring updating our certificates.
Many of the other web services you use may be vulnerable, and you may be getting emails from those services asking you to change your password. When this occurs, it's important to remember the following:
- Don't click on any links in the email. Phishers may use this opportunity to catch users with their guard down. Change passwords by going directly to the websites.
  For example, if Dropbox sends an email saying "we've patched and are asking you to change your password now", you should open a browser, go directly to the website you know and trust, and change the password there.
- Look for the service to have both patched and updated its certificate. If it has patched but not yet updated the certificate, you will have to change your password again after the certificate is reissued.
Unfortunately, there's no easy answer or action to take. Be on high alert for suspicious activity and change passwords often. Please contact the CIT HelpDesk if you have any questions.