Heartbleed Bug Information

What is the Heartbleed Bug?
On Monday, April 7, 2014, there was a public release documenting a flaw in certain versions of the OpenSSL framework, which is commonly used to secure Internet traffic. This bug might have impacted as many as 2/3 of companies. The discovered vulnerability, nicknamed the Heartbleed bug, has the potential to compromise computing resources and allow attackers to steal usernames, passwords and other protected information from resources previously thought to be secure. Heartbleed is a severe security issue that the Internet community is taking seriously. More information about the bug can be found at http://heartbleed.com

Why does this matter and how might I be affected?
Scope and ease of attack. Much of the Internet relies on the security provided by the OpenSSL framework to communicate securely. Some estimate that at least 500,000 servers worldwide might be affected. Until the bulk of affected computing resources are updated with newer software, you should assume that any previously secured site on the Internet is dangerous to visit. Pay more attention to sites that deliver secure, protected or personal information, as well as any site requiring a login.

How has Clemson been addressing this issue, and are we safe from it?
Clemson University uses the OpenSSL framework, and we have identified those systems suspected to be vulnerable to the Heartbleed bug.  CCIT took an immediate and proactive approach to identifying our exposure and remediating this vulnerability in our centrally managed systems.  Prior to the discovery of this bug and our remediation response to secure our systems from it, we already leveraged other mitigating controls to help provide security. 

Do I need to do anything?
The national exposure that this vulnerability has generated increases uncertainty about the security of our systems.  While this is a serious vulnerability, operations, network and information security teams at Clemson University and around the world have been working around the clock to minimize exposure to this vulnerability.  While we feel that you have been and are safe using computing resources centrally managed by CCIT, here are some helpful tips.

  • Change passwords for sensitive sites periodically.
    • Many sites with sensitive information are issuing statements about this vulnerability. Change your password for these sites after they have fixed their systems, not before. 
  • Always monitor your online accounts and the statements provided for them. Situational awareness of your accounts is always good practice.
  • Clemson University will never ask you to provide sensitive information or login credentials over email.
  • Keep your computing resources updated with the latest software, patches and security updates, and use antivirus/antimalware software.
  • Always be suspicious of email communications that require you to take action through a link in the email. Navigate manually to the sites requiring action unless you are expecting the communications.