Security Vulnerability: The Heartbleed Bug
Author: Michelle Malkasian, Office of Information Technology
Posted: April 10, 2014

An extremely serious, worldwide Internet vulnerability known as Heartbleed was announced by major news outlets recently. This bug affects a vast portion of all encrypted Internet traffic and has direct implications for nearly all Internet users.

What is the Heartbleed bug?

Heartbleed is the name given to a newly-discovered security bug that is affecting nearly two-thirds of the Internet. Unlike other security breaches that you may have heard about recently, where a single website or company was hacked or inadvertently exposed information, this vulnerability is not the result of a targeted attack, but rather a programming flaw that has existed for more than two years and has just now been discovered.

The flaw has been found in the most current version of a technology that was developed to keep websites secure, called OpenSSL. OpenSSL provides encryption for a majority of encrypted network traffic on the Internet (estimated at approximately 60%) and is designed to protect sensitive data, such as certificate keys, user names, passwords, email, and other private information.

Because attackers could have used this flaw to gain access to sensitive data without leaving any trace of their intrusion, the amount of damage that could have been done using the Heartbleed bug is vast. What information has actually been compromised is still unknown, but all Internet users should take steps to secure their data now that the flaw has been uncovered.

How does Heartbleed affect me?

There is no easy way for you to know if a website you use was vulnerable to the attack or if any of your credentials were compromised, unless the website makes an announcement. The best course of action is to assume that any site that houses your sensitive information, such as usernames/passwords, financial information, or personal data, has been affected. This includes banking sites, social networking sites, online retailers, etc.

Portland State University's website is among the many sites using OpenSSL for its Internet encryption. However, we have no reports or evidence that any University data or systems were compromised as a result of this bug. Additionally, as many major websites have done today, we have already installed patches that fix the security vulnerability for all services that require Single Sign-On with your Odin username and password.

What should I do to protect myself from Heartbleed?

There are two steps that you should take immediately to protect yourself:

  1. Log in to oam.pdx.edu and change your Odin password. Now that PSU has installed a security patch to fix the flaw, your new password will not be vulnerable to the bug.
  2. Log in to any other websites that require a username/password from you and change your passwords on those sites.

Although not all websites have fixed this vulnerability yet, many security experts are advising that you change your passwords immediately and be aware that you may need to change some of them again if a website announces later that it has installed patches to fix the bug. It is possible that a new password may be vulnerable to an attacker before the bug is patched, but many sites are on high alert until they are fully protected, making it much harder for attackers to exploit the vulnerability. Creating new passwords now will also help to make your information more secure if any of your previous passwords were exposed during the past two years.

Being forced to create new passwords, despite its inconvenience, is a good opportunity to improve your skill at creating strong passwords. The most important factor in password strength is length; adding an extra character, rather than changing existing characters to numbers/symbols, will always make a password harder to guess. For more information on creating strong passwords, visit Password Security.

How do I find out more?

For more information about how Heartbleed makes websites vulnerable, you can visit the official Heartbleed site, read the Mashable article about the bug, or simply run a Google search for "heartbleed" and choose from numerous articles that provide more details.

Portland State is actively following developments related to Heartbleed and taking all steps necessary to patch vulnerable systems and keep the campus informed. If you have any questions or concerns about how the Heartbleed bug affects your data at PSU, contact the Helpdesk. You can also visit pdx.edu/oit/security for a list of security resources available from the Office of Information Technology.