Update: The OUCH! team has released an out-of-band special edition that explains in very simple terms what the vulnerability means to individuals and what they can do to protect themselves.
The Issue: There is a new, national technology concern named Heartbleed which involves website encryption and possible disclosure of user account names and passwords.
Researchers have identified a vulnerability in a very popular program that protects the exchange of user names, passwords and other data sent from computers to web servers over the Internet. Examples of such activities include making purchases from Amazon, logging into your banking website or logging into various VSU web services. The Heartbleed vulnerability allows hackers to capture your user names and passwords and begin exploiting these credentials for their own personal gain (e.g. making purchases through your account or gleaning other personal information).
VSU IT Actions: You should know that VSU Systems Administrators and the Information Security team have worked diligently to test, update and retest all VSU websites impacted by this discovery and have analyzed 100% of Internet-connected servers. Additionally, ADP and PeopleSoft websites used for VSU business are now up to date and have passed the Heartbleed vulnerability tests.
What Can You Do: Simply changing your account passwords for all of your online accounts will not be an effective solution until the vulnerable websites have properly addressed and protected their software and network infrastructure.
A few websites have been created to allow users to test various sites for the Heartbleed vulnerability. One such site is http://filippo.io/Heartbleed/. Users can simply enter their site of interest (e.g. www.valdosta.edu) into the test field and press the “GO” button. The site will perform its test and return the results of “pass”, “fail”, or some “technical details.” The technical detail results are not an indicator that the site has an issue, but you should avoid accessing sites that are identified as “Vulnerable.”
After a site has been corrected by the web site company (“Passed”), we encourage you to change your passwords for the desired website in case the site and your credentials have been compromised.
What Else Can You Do: View the Heartbleed Hit List, provided by the Mashable website, of currently popular sites and services and their exposure to the Heartbleed bug. This is not an exhaustive list, nor are the services affiliated with VSU. Change your passwords on the sites that state a password change is required.
VSU Division of Information Technology encourages you to change your passwords on a regular basis for all computer and Internet access.
Information provided by Bill Moore, VSU Chief Information Security Officer
For questions, contact the Helpdesk at 229-245-HELP (4357).