BU Today

Science & Tech

Heartburn from Heartbleed

BU cyber-watchdog: protect yourself against Internet bug and oncoming scams


If you use your BU Kerberos password to secure information on sites other than BU’s—and you shouldn’t—it’s time to pick a new password, says the University’s top cyber-watchdog. That’s because many sites, unlike BU’s, are vulnerable to the computer bug called Heartbleed.

In an email sent to the BU community Friday, Quinn Shamblin, executive director of information security, warned readers to be careful in making that password change to avoid falling prey to online scam artists.

“You will likely begin receiving emails from a variety of organizations, prompting you to change your password,” wrote Shamblin. “Please be aware that you should never follow a link provided in an email message to change your password. Instead, you should open your web browser and go directly to that organization’s website and, once there, go through the change password process.”

BU has taken steps to secure its own servers, and there is no sign of a breach of any University systems or accounts, but Shamblin still recommends changing any Kerberos password that is used elsewhere. To do that, go to www.bu.edu and type “change password” in the search field. A reminder: changing your Kerberos password will require changing it in any device or application that has it saved.

Heartbleed lets an attacker read chunks of a vulnerable server’s memory, which can contain passwords, session cookies, credit card numbers, and even the server’s private encryption key. The bug is especially insidious because it sits in OpenSSL, the widely used encryption library that was designed to protect data: a programming flaw introduced about two years ago in the code that handles the TLS “heartbeat” keep-alive message trusts the length a remote party claims for its message instead of checking it against the data actually received, so a single malformed heartbeat can pull up to 64 kilobytes of memory from the server, and the request can be repeated at will. Because of the massive amount of computer code being written, the flaw went unnoticed until last week, a technology expert told the New York Times. Google’s security team and the Finnish security company Codenomicon discovered Heartbleed (tracked as CVE-2014-0160), and OpenSSL has released a fixed version, 1.0.1g. One caveat: changing a password on a site that has not yet installed the fix does not help, because the new password can be stolen the same way.
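What the missing check looks like in code, as an added illustration that is not taken from the article or from OpenSSL’s own source: a stripped-down model of the heartbeat handler in C, with the vulnerable version beside the length check that OpenSSL 1.0.1g added. The record layout follows RFC 6520; the simulated process memory, the sample secret placed after the record, and all function names are constructed for the demonstration and are not OpenSSL identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled TLS heartbeat record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Assumption: the record sits at the start of a fixed "simulated process memory"
 * array, with other data (here a password) after it, as on a real heap. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     256   /* size of the simulated process memory */

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Write a heartbeat request at the start of mem. `claimed` is the length field the
 * peer asserts; `actual` is how many payload bytes are really sent. Returns the
 * real record length, which is what the TLS layer knows it received. */
size_t build_request(uint8_t *mem, uint16_t claimed, const uint8_t *payload, size_t actual)
{
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, payload, actual);
    memset(mem + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f, modelled): echoes payload_length
 * bytes without comparing that field to rec_len. Returns bytes written, 0 if dropped. */
size_t handle_vulnerable(const uint8_t *mem, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* the real length is never consulted */
    uint16_t payload_len = (uint16_t)(((unsigned)mem[1] << 8) | mem[2]);
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    /* These two guards exist only to keep the simulation inside its own arrays;
     * the real code allocated resp_len bytes and copied whatever followed the record. */
    if (resp_len > out_cap || 3 + (size_t)payload_len > MEM_SIZE)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload_len);           /* over-read: runs past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler (the 1.0.1g check): discard the record if header + claimed payload
 * + padding does not fit in what was actually received. */
size_t handle_fixed(const uint8_t *mem, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)                /* not even room for an empty payload */
        return 0;
    uint16_t payload_len = (uint16_t)(((unsigned)mem[1] << 8) | mem[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                    /* silently drop, as the patch does */
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload_len);           /* now provably inside the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Naive byte-string search (no memmem in standard C). */
int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= hay_len && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send a request that claims 100 payload bytes but carries 5; report whether the
 * response contains the constructed secret stored 64 bytes past the record. */
int leaks_secret(hb_handler handler)
{
    static const char SECRET[] = "password=hunter2";  /* constructed sample data */
    uint8_t mem[MEM_SIZE] = {0}, out[MEM_SIZE] = {0};
    memcpy(mem + 64, SECRET, sizeof SECRET);
    size_t rec_len = build_request(mem, 100, (const uint8_t *)"hello", 5);
    size_t n = handler(mem, rec_len, out, sizeof out);
    return contains(out, n, SECRET);
}

/* An honest request (claims exactly what it sends) must be answered by both handlers. */
int honest_request_ok(hb_handler handler)
{
    uint8_t mem[MEM_SIZE] = {0}, out[MEM_SIZE] = {0};
    size_t rec_len = build_request(mem, 5, (const uint8_t *)"hello", 5);
    size_t n = handler(mem, rec_len, out, sizeof out);
    return n == rec_len && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(handle_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(handle_fixed));
    return 0;
}
```

The claimed length is kept small here so the model stays inside its own array; a real attacker sets the field to 65535 and gets that many bytes of heap back per request, which is the 64 kilobytes figure above. Note also that the fixed handler drops the bad record without any error message, matching the actual patch, so a server running the fix cannot be distinguished from the outside by an error response, only by the absence of leaked data.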

Heartbleed has affected popular websites such as Gmail and Facebook; you can find a list of those sites and their responses here.

Rich Barlow

Rich Barlow can be reached at barlowr@bu.edu.

3 Comments on Heartburn from Heartbleed

  • Jimmy Chau on 04.14.2014 at 11:12 am

    Does Google Apps for Education count as an external site? Keep in mind that since BU switched to Google for email, most students have given Google their passwords (especially if they use their smartphone or something other than the webmail interface to check their email).

  • Rich Barlow, BU Today on 04.14.2014 at 2:59 pm

    Response from Quinn Shamblin, executive director of information security at Boston University:

    “Google apps for education is an external site. Google fixed the issue very quickly and a spokesperson stated that password changes are probably not required, see the second link below. That said, I personally am working to change my passwords everywhere on the philosophy that ‘it is better to be safe than sorry’.”

    http://www.eweek.com/enterprise-apps/google-patches-apps-services-in-response-to-heartbleed-flaw.html/

    http://abcnews.go.com/Business/heartbleed-online-bug/story?id=23256168

    • Jimmy Chau on 04.14.2014 at 6:03 pm

      The vulnerability has been around for a couple years though. Even if Google patched it “immediately”, users should assume that their passwords have been compromised.

      Unfortunately, both the email from BU IT and this article are worded to suggest that our BU passwords are safe unless we did something wrong: sharing our BU password with another site. Given that the student email system was designed to share our passwords with Google in a way that was vulnerable to Heartbleed for two years, I believe that BU’s apparent assurance (that our password is safe) is reckless.
