As many of you may have heard, a flaw has been discovered in a common Internet security method. Although no specific security breaches have been identified, the flaw could allow malicious users to steal personal information. The flaw is associated with specific versions of OpenSSL, which is software that is widely used to secure web server traffic. The flaw is known as the "Heartbleed" vulnerability. A fix for this flaw, which was announced last week, is available, and Internet service providers and website managers around the world are working to implement the patch.
The most important thing for members of the PLU community to know is that Information & Technology Services has been working diligently to assess our risk and secure any vulnerable systems. More information about likely recommendations for changing your PLU ePass password will be forthcoming once our work is completed.
However, many common websites using OpenSSL have also been identified as vulnerable, including Yahoo!, Flickr, NASA and Facebook, among others.
For non-PLU web services that contain sensitive data, refrain from logging in for a few days while those servers are patched, or until you are certain they are not at risk. For best security, you should not use the same password for your PLU ePass and for non-PLU logins. However, if you have done so, please change your ePass password.
- Confirm that non-PLU websites you use have checked their systems and fixed them if needed. Once a website has patched the Heartbleed vulnerability, you should change your password for that site as swiftly as possible.
- The password security firm LastPass has set up a Heartbleed Checker, which allows you to enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch.
- If the site or service hasn't patched the flaw yet, contact the company and ask when it expects to push out a fix to deal with Heartbleed.
- If they have not patched the flaw, avoid logging in to their service until they do. Once they confirm they have fixed the problem, then change your password.
For detailed information on this bug, visit http://heartbleed.com/.