Heartbleed OpenSSL Vulnerability Information
(This information is being updated frequently - please check back often for any updates.)
A major security vulnerability named Heartbleed was disclosed on April 7, 2014. This vulnerability affects many websites on the Internet that use OpenSSL to encrypt webpages (pages that start with https). SSL, or Secure Sockets Layer, is an Internet protocol that is designed to encrypt traffic over the Internet to hide sensitive information from prying eyes. SSL is often used to encrypt passwords that are used to securely access services offered through a website.
This OpenSSL security issue allows an attacker to steal information protected by SSL by revealing the private keys that protect the confidentiality of the information. Sites affected by the security vulnerability can have login credentials stolen as well as other data that would normally be protected by an encrypted SSL connection. In addition, once an attacker has the private key for a particular website, they can use the key to decrypt traffic that was sent to the server before the bug was disclosed.
It is important to note that only specific versions of OpenSSL are vulnerable. More detailed information about Heartbleed can be found at: http://heartbleed.com
The Washington Post offered a reasonable summary of this vulnerability and its impact across the Internet.
So what does this mean to you?
Do I need to change my UH username password?
NEW! as of 4/14/2014, 2:30pm
ITS has assessed the impact of the vulnerability for the primary UH services. The list of services and the impact of the Heartbleed bug is available at: https://www.hawaii.edu/infosec/heartbleed/index.php
You will need to log in with your UH username and password to view the page.
Please note that individual campus or departmental applications are not listed here. Check with your IT support staff for local service/application information.
A few UH services were affected by the Heartbleed vulnerability. Users of those services will be contacted directly to change their passwords.
You may also be notified by your campus or department to change your UH password if it may have been exposed through their server or service.
What about my personal accounts such as Facebook, Twitter, etc.?
CNET is maintaining a list of the top 100 websites and their status, available at: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
If you logged in to any website listed as vulnerable or if you have been notified by the service, you should change your password AFTER the website has been fixed. If you are not sure if a site was vulnerable, or if it has been fixed, you can check the website using the Heartbleed test site: http://filippo.io/Heartbleed/
IMPORTANT! You should NOT use your UH username and password to log in to any non-UH website! If you did use your UH credentials to log in to any vulnerable website, you should change your UH password using the UH One-Step Password Change page: https://www.hawaii.edu/username/userprefs/password_only.cgi
You may need to reset your UH password more than once if you used your UH credentials on websites that are vulnerable AND used your new/reset password on a vulnerable website that has not yet been fixed.
Be on the alert for phishing attempts!
Watch for fraudulent email claiming to be from UH or other companies with which you do business. Criminals will use this as an opportunity to create targeted phishing email messages to trick people into divulging their passwords. Information Technology Services (ITS) will NEVER ask for your password in an unsolicited email. Be on the lookout for sites that purport to tell you whether your site or your information has been compromised, especially if they demand personal details, login credentials, or payment.
For System Administrators:
If you are a system administrator with OpenSSL installed, please see: http://www.hawaii.edu/askus/1575 for more information.
Last updated: April 14, 2014 02:30 PM HST