Wednesday, April 9th, 2014
About Heartbleed and the BU response
On Monday night, a major security vulnerability called Heartbleed was announced. That vulnerability impacts a large number of web sites throughout the world, as well as servers here at BU that use OpenSSL to provide encrypted web pages. If a server is vulnerable, an attacker can steal sensitive information from that server, including usernames and passwords or decryption keys.
Key members of IS&T and IT groups throughout BU have already been alerted and are working to resolve the problem. System administrators at IS&T have responded quickly and report that this issue has been fixed on IS&T servers. Work continues to evaluate the rest of the BU infrastructure, in order to test other servers here at BU and confirm that the issue has been remediated. At this time, we have no indication that this vulnerability has resulted in unauthorized access to any systems or accounts here at BU, but we will continue to work with the community to understand any possible impacts.
Should you change your password?
Many security experts are recommending that people change their passwords in order to protect their accounts against the possible effects of Heartbleed. However, you should be cautious in how you reset your passwords so that you do not become a victim of phishing.
You will likely begin receiving emails from a variety of organizations prompting you to change your password. Please be aware that you should never follow a link provided in an email message to change your password. Instead, open your web browser, go directly to that organization’s website and, once there, go through its change-password process. Using the official password change process lets you be sure you are on the genuine site and not on a password-stealing look-alike.
BU’s Information Security team currently has no indication that any BU accounts or passwords have been compromised. However, if you use your BU Kerberos password on other sites (which is not recommended), you will want to change it here as well. Password reset instructions are provided at www.bu.edu/tech/accounts/kerberos/reset/. Please remember that if you do change your BU Kerberos password, you will also need to reset it in any device or applications in which it has been saved.
Also be aware that you should not change your password on a site until that site has fixed Heartbleed; until it has, a new password could be exposed just like the old one. See http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/.
Begin using two-factor authentication with public web sites
BU IS&T is continuing to work to improve security and help protect each of us when security issues like this occur. Duo two-factor authentication is one initiative we are looking at that will protect your account in such cases. With Duo, even if your password is stolen, attackers cannot access your personal information, because they do not have your phone or other second form of authorization.
We recommend that you consider two-factor authentication with any public web sites that make it available. You can get the Duo Security app on iTunes or Google Play right now to give you two-factor protection on public sites such as Facebook, Google, Microsoft, Evernote, Dropbox, and many others.
Please submit a Help request or contact firstname.lastname@example.org if you have any questions about the Heartbleed vulnerability.