Wednesday, May 21, 2014 - 13:54

Earlier today, eBay announced that it had suffered a security breach that exposed user account data and encrypted passwords.  From the eBay announcement:

 

"eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users."

 

While eBay has indicated that PayPal accounts are not affected, it would not hurt to change that password as well.

The University IT Security Office is advising the Duke community to change their eBay password.  If you used that password for any other account, change it there as well.  Other steps you can take to secure your accounts include:

 

  1. Download and install the LastPass password manager, which stores your passwords securely so that you can use a different one for every site. Duke users can download LastPass free from the OIT website; visit http://oit.duke.edu/software and browse for LastPass.
  2. Obtain a PayPal Security Key and enable multifactor authentication for both eBay and PayPal.
  3. Never use your Duke password on other sites.
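The LastPass Security Check mentioned in step 1 answers the question raised above, which other accounts share the eBay password, by scanning the vault. The same scan over a password manager's CSV export, as an added example (not code from LastPass, eBay or Duke): it groups accounts by password and lists every account that shares a password with the breached site, so each can be changed. The column layout (url,username,password,extra,name,grouping,fav) is LastPass's export format; the accounts and passwords in the sample export are made up for the example, and only the Python 3 standard library is used.

```python
"""Find every account that shares a password with a breached site, from a
password-manager CSV export. Stdlib only."""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit


def host_of(url):
    """Reduce 'https://signin.ebay.com/ws/...' to 'signin.ebay.com'; bare names pass through."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return (host or url).lower()


def same_site(host, site):
    """True for the site itself and its subdomains, not for look-alikes such as notebay.com."""
    return host == site or host.endswith("." + site)


def reuse_groups(rows):
    """Map each password used by more than one account to the (host, username) pairs using it."""
    by_password = defaultdict(set)
    for row in rows:
        by_password[row["password"]].add((host_of(row["url"]), row["username"]))
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


def accounts_sharing_password_with(rows, breached_site):
    """Accounts elsewhere that must be changed because they reuse a password of breached_site."""
    to_change = set()
    for accounts in reuse_groups(rows).values():
        if any(same_site(host, breached_site) for host, _ in accounts):
            to_change |= {a for a in accounts if not same_site(a[0], breached_site)}
    return sorted(to_change)


def load_export(text):
    """Parse a CSV export with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample in LastPass's export layout; every account and password here is made up.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://signin.ebay.com/,alice,hunter2,,eBay,Shopping,0
https://www.paypal.com/,alice@example.com,hunter2,,PayPal,Finance,0
https://accounts.google.com/,alice@example.com,correct horse battery staple,,Google,Mail,0
https://forum.example.org/,alice,hunter2,,Example Forum,Misc,0
https://login.example.edu/,alice,Tr0ub4dor&3,,University NetID,Work,1
"""

if __name__ == "__main__":
    for host, user in accounts_sharing_password_with(load_export(SAMPLE_EXPORT), "ebay.com"):
        print(f"change the password for {user} at {host}")
```

A manager's CSV export is plaintext, so run this on a local copy and delete the file when you are done; the point of the manager is that the file should not normally exist.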
     
Friday, April 11, 2014 - 11:40

As you may have already read, a major vulnerability named Heartbleed was disclosed on April 7, 2014.  The vulnerability affects a large portion of websites on the Internet, and here at Duke, that use OpenSSL to encrypt web pages (pages whose address starts with https).  Heartbleed is a bug in OpenSSL's handling of the TLS heartbeat extension that lets an attacker read chunks of a vulnerable server's memory over the network.  That memory can contain the server's private key, which protects the confidentiality of all of its SSL traffic, as well as login credentials, session cookies and other data that would normally be protected by an SSL connection.

 

The web service that handles Duke authentication requests (Shibboleth) was never at risk, because the vulnerable version of OpenSSL was not in use on those servers.  The main Duke website and the vast majority of servers on Duke's campus have now been patched and are protected.

 

We are advising the Duke community to check whether the websites you use were vulnerable to the Heartbleed attack.  Once a website has patched the Heartbleed vulnerability, change your password for that site as soon as possible.  Do not change it before the site is patched: a new password sent to a still-vulnerable server can be stolen the same way as the old one.

 

  • The password security firm LastPass has set up a Heartbleed Checker site, which allows you to enter the URL of any website to check whether it was vulnerable to the bug and whether the site has since been patched.
  • For those using LastPass to store your passwords, you can also run the LastPass Security Check (click the LastPass icon and go to Tools > Security Check), which lists the sites whose passwords you should change.
  • CNET is maintaining a list of popular sites showing whether each has been patched and whether it is safe to change your password there yet.

 

If a site or service has not patched the flaw yet, contact the company and ask when it expects to push out a fix for Heartbleed.  Until then, avoid logging in to the service.  Once the company confirms the problem is fixed, change your password.

 

Please pay attention to any email notification concerning the OpenSSL or Heartbleed issue, and stay alert for email scams. Criminals can and will use this issue as yet another opportunity to send phishing messages that try to trick you into revealing personal information or installing "virus" or "security" tools for this vulnerability. Never send your password or other sensitive information in response to an email, and do not follow links in email to reach a vendor's website. Type a URL you know to be correct into your browser instead.

 

Please email security@duke.edu for any questions you may have.

 

MORE INFORMATION:
CERT Vulnerability Note VU#720951: OpenSSL heartbeat extension read overflow discloses sensitive information
Krebs on Security: 'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys
Heartbleed Bug

Wednesday, April 9, 2014 - 10:13

A major security vulnerability named Heartbleed was disclosed Monday night.  The vulnerability affects a large portion of websites on the Internet, and here at Duke, that use OpenSSL to encrypt web pages (pages whose address starts with https).  SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide communication security over the Internet.  According to the research firm Netcraft, as many as 500,000 servers may be affected.  The bug lets an attacker read chunks of a vulnerable server's memory, which can contain the server's private key, the key that protects the confidentiality of its SSL traffic.  Sites affected by the vulnerability can have login credentials stolen, as well as other data that would normally be protected by an SSL connection.  In addition, once an attacker has a website's private key, they can use it to decrypt traffic recorded before the bug was disclosed (unless the connection used a cipher suite with forward secrecy) and to impersonate the site until the key is replaced.

 

Since Monday evening, Duke IT departments and staff, including OIT, DHTS, the IT Security Office, the Medicine Information Security Office and school IT departments, have been hard at work identifying and notifying the owners of affected servers.  Affected servers had to be updated to a fixed version of OpenSSL (1.0.1g or later, or a vendor package with the fix backported) and then obtain new SSL certificates with new private keys, because a key that may have leaked before the patch stays compromised after it.  The web servers that handle Duke authentication requests (Shibboleth) were never at risk, because they did not run a vulnerable version of OpenSSL.  The main Duke website was addressed as of 3 PM Tuesday afternoon, and the vast majority of Duke servers were patched by late Tuesday afternoon.  The teams are now working with website owners across campus to ensure that SSL certificates have been replaced.
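One way to verify the second step, the certificate replacement, is to look at when a site's current certificate was issued: a certificate whose notBefore date is earlier than the April 7, 2014 disclosure is still bound to the possibly-leaked key. The check below is an example added here, not Duke's own tooling, using only the Python 3 standard library; the host name in the usage line is an assumption.

```python
"""Check whether a site's certificate was (re)issued after the Heartbleed disclosure.
Patching alone is not enough: a private key that may have leaked before the patch is
still the attacker's key, and a certificate issued before the disclosure carries it.
Stdlib only."""
import socket
import ssl

# Disclosure date, written the way ssl.getpeercert() reports certificate dates.
HEARTBLEED_DISCLOSED = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")


def reissued_after_disclosure(not_before):
    """True if a certificate with this notBefore string post-dates the disclosure."""
    return ssl.cert_time_to_seconds(not_before) >= HEARTBLEED_DISCLOSED


def verdict(not_before):
    """Human-readable result for a certificate's notBefore string."""
    if reissued_after_disclosure(not_before):
        return "certificate issued after disclosure; safe to change your password"
    return "certificate predates disclosure; the key may not have been rotated yet"


def fetch_not_before(host, port=443, timeout=10):
    """Connect with full chain and host-name verification and return the leaf
    certificate's notBefore string, e.g. 'Apr  8 00:00:00 2014 GMT'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    import sys
    print(verdict(fetch_not_before(sys.argv[1])))   # host name is whatever you pass in
```

A notBefore after the disclosure is necessary but not sufficient: a CA will happily re-sign a certificate request made with the old key, so if you kept a copy of the site's old certificate, also confirm that the public key itself changed.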

 

Although we have no evidence that a Duke site was compromised, we do know that this bug had existed for about two years (it shipped in OpenSSL 1.0.1 in March 2012) before it became publicly known, so earlier exploitation cannot be ruled out.  We urge all Duke users to subscribe to Duke's multifactor authentication service as a further protection for their personal data and Duke account, and to consider using multifactor for popular services like Google, Facebook, and Evernote.

 

In the meantime, we are advising users to be careful about which sites they log in to.  If you are curious whether a site may be affected by the vulnerability, you can visit a Heartbleed test site and enter the name of the website you are concerned about to see whether it is vulnerable.

 

Any questions or concerns may be directed to security@duke.edu.