Heartburn from Heartbleed

BU cyber-watchdog: protect yourself against Internet bug and oncoming scams

Boston University Kerberos Web Login, information security and technology, IS&T, Heartbleed OpenSSL bug

BU advises people who use Kerberos passwords for other sites to get a new password, for here and elsewhere. Photo by Jackie Ricciardi

April 14, 2014
3
Twitter Facebook

If you use your BU Kerberos password to secure information on sites other than BU’s—and you shouldn’t—it’s time to pick a new password, says the University’s top cyber-watchdog. That’s because many sites, unlike BU’s, are vulnerable to the computer bug called Heartbleed.

In an email sent to the BU community Friday, Quinn Shamblin, executive director of information security, warned readers to be careful in making that password change to avoid falling prey to online scam artists.

“You will likely begin receiving emails from a variety of organizations, prompting you to change your password,” wrote Shamblin. “Please be aware that you should never follow a link provided in an email message to change your password. Instead, you should open your web browser and go directly to that organization’s website and, once there, go through the change password process.

BU has taken steps to secure its own servers, and there is no sign of a breach of any University systems or accounts, but Shamblin still recommends changing any Kerberos password that is used elsewhere. To do that, go to www.bu.edu and type “change password” in the search field. A reminder: changing your Kerberos password will require changing it in any device or application that has it saved.

Heartbleed makes it possible for a hacker to scrutinize online transactions for passwords, credit card numbers, and other personal information. The bug is especially insidious because it resulted from a programming flaw two years ago in the commonly used encryption technology OpenSSL, which was designed to protect data, a technology expert told the New York Times. Because of the massive amount of computer code being written, the flaw went unnoticed until last week, the expert said. Google and a software security company finally discovered Heartbleed.

Heartbleed has affected popular websites such as Gmail and Facebook; you can find a list of those sites and their responses here.

Explore Related Topics:

  • Share this story
  • 3 Comments Add

Share

Heartburn from Heartbleed

Share

Comments & Discussion

Boston University moderates comments to facilitate an informed, substantive, civil conversation. Abusive, profane, self-promotional, misleading, incoherent or off-topic comments will be rejected. Moderators are staffed during regular business hours (EST) and can only accept comments written in English. Statistics or facts must include a citation or a link to the citation.

There are 3 comments on Heartburn from Heartbleed

  1. Does Google Apps for Education count as an external site? Keep in mind that since BU switched to Google for email, most students have given Google their passwords (especially if they use their smartphone or something other than the webmail interface to check their email).

    Reply
    Link

  2. Response from Quinn Shamblin, executive director of information security at Boston University:

    “Google apps for education is an external site. Google fixed the issue very quickly and a spokesperson stated that password changes are probably not required, see the second link below. That said, I personally am working to change my passwords everywhere on the philosophy that “it is better to be safe than sorry”.

    http://www.eweek.com/enterprise-apps/google-patches-apps-services-in-response-to-heartbleed-flaw.html/

    http://abcnews.go.com/Business/heartbleed-online-bug/story?id=23256168

    Reply
    Link

    1. The vulnerability has been around for a couple years though. Even if Google patched it “immediately”, users should assume that their passwords have been compromised.

      Unfortunately, both the email from BU IT and this article are worded to suggest that our BU passwords are safe unless we did something wrong: sharing our BU password with another site. Given that the student email system was designed to share our passwords with Google in a way that was vulnerable to Heartbleed for two years, I believe that BU’s apparent assurance (that our password is safe) is reckless.

      Reply
      Link

Post a comment.

Your email address will not be published. Required fields are marked *

Latest from BU Today