Protect Yourself from the Heartbleed Vulnerability

News

April 10, 2014

As many of you may have heard, a flaw has been discovered in OpenSSL, a software library that is widely used to secure web server traffic (the encryption behind "https" sites). Although no specific security breaches have been identified, the flaw could allow malicious users to read memory from an affected server and so steal personal information such as passwords, session cookies and, in the worst case, the server's private encryption key. The flaw affects specific versions of OpenSSL (the 1.0.1 series up to and including 1.0.1f) and is known as the "Heartbleed" vulnerability.

The most important thing for members of the Columbia community to know is that our UNI login services (WIND and CAS) are not vulnerable to this exposure. CUIT-managed systems, including Exchange, LionMail and CubMail; ARC; RASCAL; People @ Columbia (PAC); and Student Services Online (SSOL) are also not vulnerable to this flaw, so you do not need to change your UNI password at this time.

However, many common websites using OpenSSL have been identified as vulnerable, including Yahoo!, Flickr, NASA and Facebook, among others. A fix for this flaw, which was announced this week, is available, and Internet service providers and website managers around the world are working to implement the patch.

CUIT has communicated with the IT Leadership Council to ensure that this information has been disseminated among local IT departments across the University.

What You Need to Do

For non-Columbia web services that contain sensitive data, refrain from logging in for a few days while those servers are patched, or until you are certain they are not at risk. For best security, you should not use the same password for your UNI and for non-Columbia logins. However, if you have done so, please change your UNI password.

  • Confirm that non-Columbia websites you use have checked their systems and fixed them if needed. Once a website has patched the Heartbleed vulnerability, you should change your password for that site as swiftly as possible. Changing it before the site is patched does not help, because the new password could be stolen in the same way. Note also that a site which has patched but has not replaced its encryption certificate could still be impersonated if its private key was taken before the patch.
    • The password security firm LastPass has set up a Heartbleed Checker, which allows you to enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch.
  • If the site or service hasn't patched the flaw yet, contact the company and ask when it expects to push out a fix to deal with Heartbleed, and avoid logging in to the service until it does. Once the company confirms it has fixed the problem, then change your password.
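Local IT staff and website managers checking their own servers can start from the version banner. The script below is an added example for this page, not code from the advisory or from the OpenSSL project: it classifies the text of `openssl version -a` as affected or not, using the affected-release list from heartbleed.com (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g released 7 April 2014). It also handles the two cases a version string alone gets wrong: a build compiled with `-DOPENSSL_NO_HEARTBEATS` never contains the bug, and distributions that backported the fix kept the old version number, so a "1.0.1e" built on or after the fix date may already be safe and the package changelog has to be consulted. The sample outputs at the bottom are constructed for illustration, not captured from real hosts.

```python
"""Classify an OpenSSL build for Heartbleed exposure from `openssl version -a` output.

Added example for this advisory; not code from the advisory or from OpenSSL.
Run `openssl version -a` on the server and pass its text to assess_openssl_build().
"""
import re
from datetime import date

# Affected upstream releases (heartbleed.com): 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g, released 7 April 2014, carries the fix. 1.0.0 and 0.9.8 never had
# the TLS heartbeat code at all.
FIX_RELEASE_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# Classic "built on:" line, e.g. "built on: Tue Apr  8 09:10:00 UTC 2014"
_BUILT_RE = re.compile(
    r"built on:\s*\w{3}\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+[\d:]+\s+\S+\s+(\d{4})")
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_version(text):
    """Return (major, minor, patch, letter, beta) from the 'OpenSSL x.y.z' banner, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def is_affected_version(version):
    """True when this upstream release shipped with the Heartbleed bug."""
    major, minor, patch, letter, beta = version
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"      # '' (plain 1.0.1) and 'a'..'f' are affected, 'g'+ fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1          # only 1.0.2-beta1; beta2 was fixed
    return False


def parse_build_date(text):
    """Date from the 'built on:' line, or None if absent or not in the classic format."""
    m = _BUILT_RE.search(text)
    if not m:
        return None
    mon, day, year = m.groups()
    return date(int(year), _MONTHS[mon], int(day))


def assess_openssl_build(text):
    """Classify `openssl version -a` output.

    Returns one of: 'not affected', 'heartbeats disabled', 'vulnerable',
    'possibly backported', 'unknown'.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    if not is_affected_version(version):
        return "not affected"
    # A build compiled without heartbeat support never had the bug.
    if "-DOPENSSL_NO_HEARTBEATS" in text:
        return "heartbeats disabled"
    built = parse_build_date(text)
    if built is not None and built >= FIX_RELEASE_DATE:
        # Distributions backported the fix without bumping the version string
        # (a rebuilt "1.0.1e"); the package changelog is the authority here.
        return "possibly backported"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    samples = {
        "old 1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 15:29:12 UTC 2013\n",
        "rebuilt 1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr  8 09:10:00 UTC 2014\n",
        "1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 22:01:10 UTC 2014\n",
    }
    for name, out in samples.items():
        print(f"{name}: {assess_openssl_build(out)}")
```

A "possibly backported" result is a prompt to read the distribution's package changelog for the CVE fix, not a clean bill of health; and any server that was exposed while vulnerable should also have its certificate reissued and the old one revoked, since the private key may have been read.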

To get detailed information on this bug, you can visit the http://heartbleed.com/ website.

The safety and security of the Columbia community is paramount – please use the above resources to ensure your personal information is protected.