As you may have already read, a major vulnerability named Heartbleed was disclosed on April 7, 2014. The vulnerabilty affected a large portion of websites on the Internet and here at Duke that use OpenSSL to encrypt webpages (pages that start with https). The vulnerability allowed the stealing of information protected by SSL by stealing the private keys that protect the confidentiality of the information. Sites affected by the security vulnerability could have login credentials stolen as well as other data that would normally be protected by an SSL connection.
The web service that handle Duke authentication requests (Shibboleth) was never at risk, because the vulnerable version of OpenSSL was not in use on the servers. The main Duke website, and the vast majority of servers on Duke's campus have now been addressed and are protected.
We are advising the Duke community to check whether websites you have been using are vulnerable to the Hearbleed attack. Once a website has patched the Heartbleed vulnerability, you should change your password for that site as swiftly as possible.
- The password security firm LastPass has set up a Heartbleed Checker site, which allows you to enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch.
- For those using LastPass to store your passwords, you can also take advantage of the LastPass security check by clicking on the LastPass Icon and go to Tools > Security Check to alert you on which websites you should go change your passwords.
- CNET is maintaining a list of sites that you should check to see if it's ok to update your passwords.
If the site or service hasn't patched the flaw yet, contact the company and ask when it expects to push out a fix to deal with Heartbleed. If they have not patched the flaw, avoid logging in to their service until they do. Once they confirm they have fixed the problem, then change your password.
Please pay attention to any email notification concerning the OpenSSL or Heartbleed issue, and stay alert for email scams. Criminals can and will use this issue as yet another opportunity to send phishing messages to try to trick you into revealing personal information or installing "virus" or "security" tools for this vulnerability. Never send your password or sensitive information in response to an email and do not click on links to get to your vendor’s website. Type a known good URL.
Please email firstname.lastname@example.org for any questions you may have.
CERT Vulnerability Note VU#720951: OpenSSL heartbeat extension read overflow discloses sensitive information
Krebs on Security: 'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys