As many of you may have heard, a flaw has been discovered
in a common Internet security method. Although no specific security breaches
have been identified, the flaw could allow malicious users to steal personal
information. The flaw is associated with specific versions of OpenSSL, which is
software that is widely used to secure web server traffic. The flaw is known as the
"Heartbleed" vulnerability. A
fix for this flaw, which was announced last week, is available, and Internet
service providers and website managers around the world are working to
implement the patch.
The most important thing for members of the PLU community
to know is that Information & Technology Services has been working
diligently to assess our risk and secure any vulnerable systems. More information about likely recommendations
for changing your PLU ePass password will be forthcoming once our work is
completed.
However, many common websites using OpenSSL have also
been identified as vulnerable, including Yahoo!, Flickr, NASA and Facebook,
among others.
What You Need To Know
For non-PLU web services that contain sensitive data, refrain from logging in
for a few days while those servers are patched, or until you are certain they
are not at risk. For best security, you should not use the same password for
your PLU ePass and for non-PLU logins. However, if you have done so, please
change your ePass password.
- Confirm that non-PLU websites you use have checked their systems and fixed them if needed. Once a website has patched the Heartbleed vulnerability, you should change your password for that site as swiftly as possible.
- The password security firm LastPass has set up a Heartbleed Checker, which allows you to enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch.
- If the site or service hasn't patched the flaw yet, contact the company and ask when it expects to push out a fix to deal with Heartbleed.
- If they have not patched the flaw, avoid logging in to their service until they do. Once they confirm they have fixed the problem, then change your password.