Friday, April 11, 2014 - 11:40

As you may have already read, a major vulnerability named Heartbleed was disclosed on April 7, 2014.  The vulnerability affected a large portion of websites on the Internet, and here at Duke, that use OpenSSL to encrypt webpages (pages that start with https).  The vulnerability allowed attackers to steal information protected by SSL, including the private keys that protect the confidentiality of that information.  Sites affected by the security vulnerability could have login credentials stolen, as well as other data that would normally be protected by an SSL connection.


The web service that handles Duke authentication requests (Shibboleth) was never at risk, because the vulnerable version of OpenSSL was not in use on those servers.  The main Duke website and the vast majority of servers on Duke's campus have now been patched and are protected.


We are advising the Duke community to check whether the websites you have been using are vulnerable to the Heartbleed attack.  Once a website has patched the Heartbleed vulnerability, you should change your password for that site as swiftly as possible.


  • The password security firm LastPass has set up a Heartbleed Checker site, which allows you to enter the URL of any website to check whether it is vulnerable to the bug and whether the site has issued a patch.
  • If you use LastPass to store your passwords, you can also take advantage of the LastPass security check: click the LastPass icon and go to Tools > Security Check, which will alert you to the websites where you should change your password.
  • CNET is maintaining a list of sites you can check to see whether it is safe to update your password there yet.


If the site or service hasn't patched the flaw yet, contact the company and ask when it expects to push out a fix to deal with Heartbleed.  If they have not patched the flaw, avoid logging in to their service until they do. Once they confirm they have fixed the problem, then change your password.


Please pay attention to any email notification concerning the OpenSSL or Heartbleed issue, and stay alert for email scams. Criminals can and will use this issue as yet another opportunity to send phishing messages to try to trick you into revealing personal information or installing "virus" or "security" tools for this vulnerability. Never send your password or sensitive information in response to an email and do not click on links to get to your vendor’s website. Type a known good URL.


Please email security@duke.edu for any questions you may have.


MORE INFORMATION:
CERT Vulnerability Note VU#720951: OpenSSL heartbeat extension read overflow discloses sensitive information
Krebs on Security: 'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys
Heartbleed Bug


Wednesday, April 9, 2014 - 10:13

A major security vulnerability named Heartbleed was disclosed Monday night.  The vulnerability affects a large portion of websites on the Internet, and here at Duke, that use OpenSSL to encrypt webpages (pages that start with https).  SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide communication security over the Internet.  According to a research firm, Netcraft, as many as 500,000 servers may be affected.  The security issue allows attackers to steal information protected by SSL, including the private keys that protect the confidentiality of that information.  Sites affected by the security vulnerability can have login credentials stolen, as well as other data that would normally be protected by an SSL connection.  In addition, once an attacker has the private key for a particular website, they can use the key to decrypt traffic sent to the server before the bug was disclosed.


Since Monday evening, Duke IT departments and staff, including OIT, DHTS, the IT Security Office, the Medicine Information Security Office, and school IT departments, have been hard at work identifying and notifying the owners of servers affected by the vulnerability.  Affected servers had to be updated to the latest version of OpenSSL, and new SSL certificates with new private keys had to be obtained to ensure that communications to the servers remain confidential.  The web servers that handle Duke authentication requests (Shibboleth) were never at risk, because they did not run a vulnerable version of OpenSSL.  The main Duke website was addressed as of 3 PM Tuesday afternoon, and the vast majority of Duke servers were patched by late Tuesday afternoon.  The teams are now working with website owners across campus to ensure that SSL certificates have been updated.


Although we have no evidence that a Duke site has been compromised, we do know that this bug existed for 2 years before the vulnerability was known.  We urge all Duke users to subscribe to Duke's multifactor authentication service as a further protection for their personal data and Duke account, and to consider using multifactor authentication for popular services like Google, Facebook, and Evernote.


In the meantime, we are advising users to be careful about which sites they visit.  If you are curious as to whether a site may be affected by the vulnerability, you can visit a Heartbleed test site and enter the name of the website you are concerned about to see whether it is vulnerable.
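A local version of the two checks described in this and the previous post (is a server's OpenSSL build in the affected range, and has a site's certificate been reissued since disclosure), added here as an example and not code from Duke's IT Security Office. It assumes only the Python 3 standard library; the affected-release range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) is taken from the OpenSSL project's advisory rather than from this post, and the sample certificate dates are constructed.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed, from the post above (7 April 2014).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Affected upstream releases per the OpenSSL advisory (assumption, not from
# this post): 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g carries the fix.
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")

def openssl_version_is_affected(version_line):
    """Classify one line of `openssl version` output against the list above.

    Caveat: distributions often backport the fix without bumping the version
    string, so True means 'check the package changelog', not proven exposure.
    """
    m = _VERSION_RE.match(version_line.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version_line)
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter <= "f"  # "" (plain 1.0.1) and a..f are affected
    if release == (1, 0, 2):
        return beta == "-beta1"
    return False

def cert_reissued_after_disclosure(cert, disclosed=HEARTBLEED_DISCLOSED):
    """cert is the dict returned by SSLSocket.getpeercert(); a notBefore earlier
    than disclosure means the certificate (and most likely its key) predates
    the patch and should have been replaced, the signal checker sites rely on.
    """
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return not_before >= disclosed

def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper (needs network): fetch a site's leaf certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample inputs for offline use; not real servers or certificates.
SAMPLE_CERT_OLD = {"notBefore": "Mar  3 00:00:00 2014 GMT"}
SAMPLE_CERT_NEW = {"notBefore": "Apr  9 15:00:00 2014 GMT"}
```

For a live site, pass `fetch_peer_cert("example.org")` to `cert_reissued_after_disclosure`; a certificate dated before disclosure on an otherwise patched server is the case to raise with the site owner.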


Any questions or concerns may be directed to security@duke.edu.


Tuesday, March 11, 2014 - 14:39

For those who missed it, CBS's "60 Minutes" ran an interesting story on data brokers and the collection and selling of your personal information. This is a multi-billion-dollar industry, with the sole intent of gathering data generated from what sites you visit, and combining that information with other data to build a more complete picture of you. That data is in turn either used for more direct marketing to you while online, or sold to other companies for various purposes (marketing, research, etc.). And with today's mobile devices, applications that you install could be collecting geolocation data. The scary thing is that most individuals do not know what is being collected or that in some cases they agreed to the collection of the data.


Would you like to know what is being tracked? Several programs are available to identify how you are being tracked, and in some cases, stop the tracking. One such program is Disconnect, created by a former Google engineer. The application reveals which companies are tracking your browsing habits and also will block those tracking sites from collecting data. 


We highly recommend that you check out the "60 Minutes" story and the Disconnect program to help you protect your personal data.
