A major security vulnerability named Heartbleed was disclosed on April 7, 2014. UH Information Technology Services (ITS) has assessed the impact of the vulnerability for primary UH services and is offering guidance to users.
The latest information is posted online at hawaii.edu/infosec and a summary is below.
Do I need to change my UH username password?
A few UH services were affected by the Heartbleed vulnerability. Users of those services will be contacted directly to change their passwords.
No core UH system services are vulnerable at this time so no password change is required for most UH users. Unaffected services include: Banner, Kuali Financial Services, Peoplesoft, Laulima, Google@UH and the systems used to login to these services.
The list of services and the impact of the Heartbleed bug is available at hawaii.edu/infosec/heartbleed. You will need to login with your UH username and password to view the page.
You may also be notified by your campus or department to change your UH password if it may have been exposed through their server or service.
Reminder: Protect your UH password!
Do NOT use your UH username and password to login to any non-UH website, and do not use the same login and password for any other services.
If you did use your UH credentials to login to any vulnerable website, you should change your UH password using the UH One-Step Password Change page.
Be on the alert for phishing attempts
Watch for fraudulent email claiming to be from UH or other companies with which you do business. Criminals will use this as an opportunity to create targeted phishing email messages to trick people into divulging their passwords.
ITS will NEVER ask for your password in an unsolicited email. Be on the lookout for sites that purport to tell you whether your site or your information has been compromised, especially if they demand personal details, login credentials, or payment.
If you are in doubt at all about a request, contact the ITS Help Desk.
What about my personal accounts such as Facebook, Twitter, etc.?
CNET is maintaining a list of the top 100 web sites and their status.
If you logged-in to any website listed as vulnerable or if you have been notified by the service, you should change your password AFTER the website has been fixed. If you are not sure if a site was vulnerable or if it has been fixed, you can check the website using the Heartbleed test site.