Tuesday, August 12, 2014 - 15:34

Late last year, the direct deposit pay for four Duke employees was rerouted to an unauthorized account after they clicked on an email link and entered personal data. This summer, another nine Duke employees entered NetIDs, passwords and bank account information into a fake website. Duke has implemented security features to protect personal data, but everyone at Duke must take action to protect their data as phishing scams grow more frequent. Read more on Duke Today





Wednesday, May 21, 2014 - 13:54

Earlier today, eBay announced that they had suffered a security breach that exposed user accounts and encrypted passwords.  From the eBay announcement:


"eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users."


While eBay has indicated that PayPal accounts are not affected, it would not hurt to change these as well.


The University IT Security Office is advising the Duke community to change their eBay password.  In addition, if they used that password for any other account, it should be changed there as well.  Other steps that can be taken to secure your user accounts include:


  1. Download and install the LastPass password tool, which provides you with a secure way to store passwords. Duke users can download LastPass free from the OIT website; visit http://oit.duke.edu/software and browse for LastPass.
  2. Obtain a PayPal Security Key and enable multifactor authentication for eBay and PayPal.
  3. Never use your Duke password on other sites.





Friday, April 11, 2014 - 11:40

As you may have already read, a major vulnerability named Heartbleed was disclosed on April 7, 2014.  The vulnerability affected a large portion of websites on the Internet and here at Duke that use OpenSSL to encrypt webpages (pages that start with https).  The vulnerability allowed attackers to steal information protected by SSL, including the private keys that protect the confidentiality of that information.  Sites affected by the vulnerability could have login credentials stolen, as well as other data that would normally be protected by an SSL connection.
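To show what "read overflow" means in the CERT note below, here is an added illustration in C (not code from this post, from Duke, or from OpenSSL): a simplified model of heartbeat handling in which the vulnerable version trusts the length field inside the message, and the fixed version checks it against the bytes actually received. The message layout, the buffer contents and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520): type byte, two-byte big-endian
 * payload length, payload, then at least 16 bytes of padding. Constructed
 * for illustration only; this is not OpenSSL's code. */
#define HB_HDR 3
#define HB_PAD 16

/* Constructed "process memory": a 22-byte request that claims a 32-byte
 * payload but carries 3, followed by bytes the peer must never receive. */
static const uint8_t memory_image[64] =
    "\x01\x00\x20" "abc"                      /* request, length field = 32 */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"        /* 16 bytes of padding */
    "SECRET-KEY-MATERIAL-NOT-PART-OF-RECORD"; /* adjacent memory */
#define RECORD_LEN 22

/* Vulnerable pattern: copies as many bytes as the message's own length field
 * says, never consulting how many bytes actually arrived (rec_len). */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    (void)rec_len;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > out_cap) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];      /* type 2 = response */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);       /* reads past record */
    memset(out + HB_HDR + payload, 0, HB_PAD);
    return HB_HDR + payload + HB_PAD;
}

/* Fixed pattern: the claimed length is checked against the bytes received,
 * and a message that does not fit is silently discarded before any copy. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > rec_len) return 0;
    if (HB_HDR + payload + HB_PAD > out_cap) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PAD);
    return HB_HDR + payload + HB_PAD;
}
/* 1 if the vulnerable handler's reply carries bytes from beyond the record. */
int vulnerable_reply_leaks(void) {
    uint8_t out[128];
    size_t n = heartbeat_reply_vulnerable(memory_image, RECORD_LEN, out, sizeof out);
    return n > 0 && memcmp(out + RECORD_LEN, "SECRET", 6) == 0;
}
/* Reply length the fixed handler produces for a well-formed 3-byte heartbeat. */
size_t fixed_reply_len_wellformed(void) {
    uint8_t rec[RECORD_LEN] = "\x01\x00\x03" "abc";  /* rest is zero padding */
    uint8_t out[128];
    return heartbeat_reply_fixed(rec, sizeof rec, out, sizeof out);
}
```

The same malformed request that makes the vulnerable handler echo bytes from outside the record is dropped by the fixed handler, which is why patching the server had to come before changing passwords.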


The web service that handles Duke authentication requests (Shibboleth) was never at risk, because the vulnerable version of OpenSSL was not in use on those servers.  The main Duke website and the vast majority of servers on Duke's campus have now been addressed and are protected.


We are advising the Duke community to check whether websites you have been using are vulnerable to the Heartbleed attack.  Once a website has patched the Heartbleed vulnerability, you should change your password for that site as swiftly as possible.


  • The password security firm LastPass has set up a Heartbleed Checker site, which allows you to enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch.
  • If you use LastPass to store your passwords, you can also run the LastPass security check: click the LastPass icon and go to Tools > Security Check, and it will tell you which websites you should change your passwords on.
  • CNET is maintaining a list of sites that you can check to see whether it is safe to update your password there yet.


If the site or service hasn't patched the flaw yet, contact the company and ask when it expects to push out a fix to deal with Heartbleed.  If they have not patched the flaw, avoid logging in to their service until they do. Once they confirm they have fixed the problem, then change your password.


Please pay attention to any email notification concerning the OpenSSL or Heartbleed issue, and stay alert for email scams. Criminals can and will use this issue as yet another opportunity to send phishing messages to try to trick you into revealing personal information or installing "virus" or "security" tools for this vulnerability. Never send your password or sensitive information in response to an email and do not click on links to get to your vendor’s website. Type a known good URL.


Please email security@duke.edu for any questions you may have.


CERT Vulnerability Note VU#720951: OpenSSL heartbeat extension read overflow discloses sensitive information
Krebs on Security: 'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys
Heartbleed Bug