Heartbleed Vulnerability
April 15, 2014
The following note has been adapted from a Texas Department of Information Resources notice to state agencies:
As you may have heard, a serious flaw known as Heartbleed (CVE-2014-0160) has been found in OpenSSL, the software that many Internet sites use to encrypt logins and other confidential traffic. A vulnerable server can be made to leak pieces of its memory to anyone who connects to it, and that memory can contain usernames, passwords, session cookies and even the server's private key. This advisory provides IT personnel with steps to ensure agency websites are safe. It also provides all agency staff with guidance for protecting credentials on work-related or personal websites that have the Heartbleed vulnerability.
IT personnel should take the following steps immediately:
1. Patch all vulnerable OpenSSL systems. Affected versions are OpenSSL 1.0.1 through 1.0.1f; update to 1.0.1g or to your vendor's patched package, then restart every service that loaded the old library (or reboot), because a running process keeps using the vulnerable code until it is restarted. The Information Security Office has identified a number of affected servers and has contacted most of their owners directly, both in OIT and in departments. Servers whose owners OIT cannot identify, or that remain unpatched, will be disconnected from the network.
2. Generate new private keys and reissue certificates for every server that ran a vulnerable OpenSSL, then revoke the old certificates. Reissuing a certificate on the same key is not enough, since the private key itself may already have been read from the server's memory. Contact the Information Security Office if you need assistance with this for a University-owned server.
3. Once steps 1 and 2 are complete, force password changes for all impacted accounts. Changing passwords earlier is pointless, because a new password sent to a still-vulnerable server can be captured just like the old one. UT Arlington Office of Information Technology will send a communication when NetID password changes should occur.
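The server-side steps above, as a runnable shell helper. This is an added example, not code from the UT Arlington notice or the Texas DIR advisory; the function names, the www.example.org host and the temporary output directory are assumptions of this example. The version test is a heuristic: the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the one published by the OpenSSL project, but distributions backport the fix without changing the upstream version number, so confirm against your vendor's package changelog or a remote heartbeat test before acting on it.

```shell
#!/bin/sh
# heartbleed_remediate.sh -- helper for the IT remediation steps.
# Added example, not part of the advisory; function names are my own.

# Step 1a: does an "openssl version" string fall in the affected range?
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g / 1.0.2-beta2.
# Caveat: vendors backport the fix without bumping this string, so a
# "vulnerable" answer must be confirmed with e.g. "dpkg -s libssl1.0.0"
# or "rpm -q --changelog openssl" before the server is declared unpatched.
is_vulnerable_openssl() {
    # Input example: "OpenSSL 1.0.1e 11 Feb 2013" -> second word is the version
    set -- $1
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;   # vulnerable
        *) return 1 ;;                              # not in the affected range
    esac
}

# Step 1b: after the package upgrade, list PIDs still mapping a libssl that
# was replaced on disk (Linux marks such mappings "(deleted)" in /proc/PID/maps).
# Those processes keep running the old code until restarted.
stale_libssl_pids() {
    [ -d /proc ] || return 0          # non-Linux: nothing to report
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
    return 0
}

# Step 2: a fresh private key and CSR for a host. Reusing the old key defeats
# the purpose, since Heartbleed may already have exposed it. Once the CA issues
# the new certificate, install it and revoke the old one.
make_new_key_and_csr() {
    host=$1
    dir=${2:-.}
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$dir/$host.key" -out "$dir/$host.csr" \
          -subj "/CN=$host" 2>/dev/null )
}

# Step 3 (password resets) is an account-system action and has no command here.

main() {
    v=$(openssl version 2>/dev/null || echo "OpenSSL unknown")
    if is_vulnerable_openssl "$v"; then
        echo "VULNERABLE by version string (confirm with vendor changelog): $v"
    else
        echo "not in the affected range by version string: $v"
    fi
    stale=$(stale_libssl_pids)
    [ -n "$stale" ] && echo "restart these PIDs, still using replaced libssl: $stale"
    host=${1:-www.example.org}          # assumed hostname for the demo
    out=$(mktemp -d)
    make_new_key_and_csr "$host" "$out" && echo "new key and CSR written to $out"
}

# Only act when invoked explicitly: sh heartbleed_remediate.sh --run [hostname]
if [ "${1:-}" = "--run" ]; then
    main "${2:-}"
fi
```

Run it as `sh heartbleed_remediate.sh --run mail.example.org` on each server after the package upgrade; a non-empty PID list means the upgrade is not yet effective for those services.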
Additionally, all staff should take the following steps to protect their personal information:
- Check to see if any non-UT Arlington websites you use (and on which you have accounts) are vulnerable:
- Heartbleed Hit List – a listing of some popular websites and their vulnerability status [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/]
- Heartbleed Test – a tool for checking the status of an individual website [http://filippo.io/Heartbleed/]
- Qualys Heartbleed Test – a more in-depth analysis of encryption on websites [https://www.ssllabs.com/ssltest/]
- CNET has posted a list of the Heartbleed status of the web’s top 100 sites [http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/]
- The password manager LastPass also offers a simple Heartbleed checker that tells you not only whether a site uses OpenSSL but also when its SSL certificate was regenerated, which gives additional insight into what companies are doing to protect users [https://lastpass.com/heartbleed/]
- Immediately change passwords for non-UT Arlington sites that are no longer vulnerable (whether repaired with a reissued certificate or never affected), giving first priority to critical accounts and to email, since email is used to reset the passwords of other accounts.
- Create fresh, unique passwords for each account. Hackers will use credentials from one account to break into your other accounts.
- Be alert for phishing scams attempting to lure you to credential-stealing sites. Do not click on links in emails that ask you to reset your passwords. To change your password, type the URL of the organization in a browser.
- Note: Do not change your password on a site until it has fixed its Heartbleed vulnerability. A new password sent to a still-vulnerable server can be stolen just as easily as the old one, and you would only have to change it again.
Now is a great time for everyone to do some password maintenance. Make sure your usernames and passwords are strong, choose unique passwords for different accounts, and change critical passwords frequently. And always be on the alert for malicious activity on the Internet.