Heartbleed Alert - ITS Recommendations
You may have been reading or hearing about the “Heartbleed” bug, which has affected a significant portion of all Internet websites. Below is some essential information regarding this bug and recommendations from ITS.
Almost anyone using the Internet is potentially affected. The bug involves many, but not all, websites that communicate securely. Secure communication is typically indicated by “https” or the lock symbol in your web browser, but the bug also affects some other Internet communications.
An attacker could obtain data including your username, password, session cookie, encryption secret or any other data sent to or from the website.
If you are an affected individual (mostly Faculty and Staff), the ITS Help Desk will be notifying you sometime in the next two weeks to change your password as a precaution. Note that you should only change your UI password at the website “help.uidaho.edu”.
The majority of core ITS services including Office 365, BBLearn and Banner were not affected by the vulnerability. Be suspicious of any requests to change your password that include a direct link or ask you to take other action. Report suspicious requests to firstname.lastname@example.org or call the Help Desk to verify at 208-885-4357.
If you used your UI password on any non-UI sites, you should change your NetID password immediately and always use unique passwords on every site.
A large number of websites throughout the Internet were affected by the vulnerability. The websites most at risk are the ones you accessed some time after April 7 and before they were patched. However, because your previous traffic could possibly be decrypted if it was captured (for example, on an open Wi-Fi network), most affected sites are advising users to change their passwords. CNET has an article that lists many of the major websites affected and the current recommendation.
ITS recommends you change your password on affected sites, but keep the following in mind:
- Be alert and wary of any requests to change your password and don’t click links or open attachments you weren’t expecting.
- Always use unique passwords on every site. This prevents a compromised password on one site from affecting other sites and accounts.
- Bookmark your most important sites and always use your bookmark to return to the site and change your password – don’t trust links in email.
- Change your passwords periodically so you know how to do it on each site.
- Use a third-party password manager like KeePass, 1Password, LastPass or RoboForm to help securely store your passwords.
- On sites that support login verification or multi-factor authentication, enabling those features will help prevent simple password attacks.
ITS teams have been working diligently to identify and patch affected systems since Monday of last week. Periodic network scans have been performed to identify and notify administrators of vulnerable systems. We are continuing to monitor the situation and alert those affected.
If you are interested in more detailed information about this vulnerability, please see the articles below: