Florida State Patching Heartbleed Vulnerability

Friday 04/11/2014

On April 7, a major Internet security vulnerability was publicly disclosed, affecting an estimated 500,000 or more servers and a large portion of websites, servers and applications worldwide, including here at Florida State University. The flaw, named “Heartbleed” (CVE-2014-0160), is in OpenSSL, the software library that many websites use to provide secure (SSL/TLS) connections. OpenSSL encrypts sensitive information – such as social security numbers, passwords and credit card numbers – while it is in transit between your computer and the site you are using. Sites protected this way are signified by a lock icon and a URL that starts with “https.” The Heartbleed bug lets an attacker read chunks of a vulnerable server’s memory, without logging in and without breaking the encryption itself. That memory can contain usernames, passwords, session cookies, the contents of other users’ requests and even the server’s private key, which in turn would let the attacker impersonate the site or decrypt captured traffic.

Florida State University is currently identifying and fixing, or “patching,” all of our potentially vulnerable systems. Information Technology Services (ITS) is also tracking down all servers that are vulnerable and is working with system administrators across the university to patch them as soon as possible. Patching alone is not enough: because the flaw may have exposed a server’s private key at any point during the time it was vulnerable, system administrators should, once the fixed OpenSSL is installed and every service that uses it has been restarted, obtain new SSL certificates with newly generated private keys and have the old certificates revoked, so that communications to the servers remain confidential. Existing user sessions on affected servers should also be invalidated. ITS is contacting system administrators to communicate the steps that need to be taken to protect systems and eliminate vulnerabilities, and will continue to search for and update vulnerable systems.
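The following shell helper is added here as an illustration of the server-side steps just described; it is not part of the ITS notice or any FSU tooling. It assumes a Linux host with openssl, lsof and awk available, and the hostname and file names in it are placeholders. It covers the three checks a system administrator needs in order: is the installed OpenSSL an affected release, which running processes still have the old library loaded after the upgrade, and how to generate a new private key and certificate request rather than reusing the old key.

```shell
#!/bin/sh
# Added example for the server-side remediation steps; not part of the FSU notice.
# Assumes a Linux host with openssl, lsof and awk. Hostname and file names are placeholders.

# Return 0 (true) if an OpenSSL version string names a release affected by
# CVE-2014-0160: 1.0.1 (including its betas) through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g, 1.0.2-beta2 and the 1.0.0 / 0.9.8 branches never had the bug.
# Caveat: distributions backport the fix without bumping the upstream version
# (a patched package can still report "1.0.1e"), so treat a "vulnerable" answer
# as "check the package changelog for CVE-2014-0160", not as proof either way.
heartbleed_version_vulnerable() {
  case "$1" in
    1.0.1 | 1.0.1-* | 1.0.1[a-f] | 1.0.1[a-f]-* | 1.0.2-beta1 | 1.0.2-beta1-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify the openssl binary on this host by the version it reports.
openssl_binary_status() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "absent"
    return 0
  fi
  ver=$(openssl version | awk '{print $2}')
  if heartbleed_version_vulnerable "$ver"; then
    echo "vulnerable-by-version $ver"
  else
    echo "not-vulnerable-by-version $ver"
  fi
}

# After the package upgrade, list processes still mapping the OLD libssl.
# A library replaced on disk shows up in lsof as "(deleted)"; every process
# listed here (web server, mail, VPN, database, ...) is still running the
# vulnerable code and must be restarted, or the host rebooted.
processes_using_old_libssl() {
  lsof -n 2>/dev/null | awk '/libssl\.so/ && /\(deleted\)/ { print $2, $1 }' | sort -u
}

# Generate a NEW private key and CSR for a host. Reusing the old key would
# defeat the point of reissuing: that key may already have been read out of
# memory. Submit the CSR to the CA, install the new certificate, then have the
# old certificate revoked.
new_key_and_csr() {
  host="$1"   # e.g. www.example.edu (placeholder)
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$host.key" -out "$host.csr" -subj "/CN=$host" \
    && chmod 600 "$host.key"
}

# Usage on a server (uncomment to run):
# openssl_binary_status
# processes_using_old_libssl
# new_key_and_csr www.example.edu
```

On Debian, Ubuntu and Red Hat systems the package version string, not `openssl version`, is what tells you whether the backported fix is installed, so read the distribution’s advisory and the package changelog before declaring a host clean; and remember that anything statically linked against OpenSSL, or shipped with its own copy, is not fixed by the system package at all.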

Although not publicly disclosed until this week, the Heartbleed bug has existed since OpenSSL 1.0.1 was released in March 2012, about two years. Heartbleed is a flaw in the program code, not a virus that can be stopped by security software. Exploitation of the bug leaves no trace in ordinary web server or application logs and nothing suspicious on user accounts, so it is effectively impossible to determine after the fact whether personal information has been stolen.

The Heartbleed bug is a serious vulnerability, and individuals should take several steps to protect themselves.

  • Monitor the Mashable list of well-known websites and services that have been affected.
  • Use the Heartbleed test tool to investigate whether or not other websites you frequent have been affected.
  • Reset passwords for every online service that has been affected by the Heartbleed bug. Passwords should be changed only after a company has confirmed that it has fixed the Heartbleed vulnerability; a password changed on a server that is still vulnerable can simply be stolen again. Passwords also should be reset for any sites that share the same password, even if an individual site wasn’t vulnerable.
  • Check with your unit’s IT professional to make sure your university-owned computer is secure.
  • Apply the latest security updates to home computers and mobile devices.

Until affected systems are patched, any “secure” site on the Internet is potentially dangerous to visit. Data the server handled most recently, such as a login you just submitted, is what is most likely to be sitting in the memory the bug exposes, so recently accessed data is most easily compromised. Individuals should be mindful of this vulnerability as they conduct personal business online in the coming days, and are advised to avoid logging into any unnecessary services on the Internet until the service announces that its systems have been updated.

Faculty, staff and students should be on the lookout for phishing emails about the Heartbleed bug and should be very suspicious of any emails requesting password changes. In general, if you receive an email from a legitimate company with which you have an account, do not click on the link in the email; manually type the URL into a Web browser and then proceed to change your password. Remember that legitimate Florida State emails will never ask you to respond with sensitive information such as a password, Social Security number or bank-account number.

However, Florida State may from time to time require users to reset their passwords in response to high-level security threats. This is one of those times. To further protect the campus community, officials at Florida State University will be requiring a mandatory FSUID password reset in the coming days for anyone with an FSUID. More information about the password reset will be available next week.

ITS is actively monitoring the situation and will provide updates as more information about Heartbleed becomes available.

For more information, visit the FSU Heartbleed Web page or the Official Heartbleed Website.