Critical Internet Risk – Everyone is Impacted – PLEASE READ

A serious security defect was found in the software that is the foundation of security for a large percentage of Internet web sites. Organizations around the world have been frantically updating the affected software.

What is the Heartbleed bug?

The software that logs you in securely to a web site (the https: that you usually see) had a bug that could expose userids and passwords to an attacker. In addition to passwords, other highly sensitive information can be leaked. The ramifications of the problem are broad and potentially grave. Vendors are rushing out updates, but not all web sites and services have been patched yet.

Why do I care?

Your password(s) to various websites may be compromised. Think about all the sensitive web sites you use!

What is Denison doing?

Denison ITS staff have updated affected software on all of our exposed web sites and services. We are still awaiting some vendor updates. We are examining all our third-party services to be sure they are patched as well. At this time, the risk of having your BigRedID and password exposed is minimal.

What can I do to protect myself?

Because this bug affected more than 1/2 million web sites and services, you are undoubtedly affected somewhere. For an idea of the impact on popular sites, check out the Mashable article “The Heartbleed Hit List”.

Changing your password is a good response, but if you use the new password at a site that is still vulnerable, your new password could still be at risk. Because Denison sites have been patched, we advise you to change your BigRedID password. (Go to MyDenison and select My Apps -> Change My BigRedID Password.)

The best steps you can take now are the same ones you should follow as a general practice:

(1) Use different passwords for all sites, especially highly sensitive sites such as banking. You should NEVER use your BigRedID password on any other site;

(2) Monitor your accounts for unusual activity. If the site/account has a “Last Time You Logged In” message, check to be sure it seems reasonable; and,

(3) Beware of phishing emails asking you to update your password. NEVER click on password change links embedded in an email. The only safe way is to go to the web site directly and locate the password change link on the site itself. If you are still unsure, contact your bank or other institution for more information. The bad guys will almost certainly take advantage of this event to harm unsuspecting victims.

Additional questions may be directed to Kent King, Information Security Officer (kingk@denison.edu).