[Updated] "Heartbleed" — What do I need to know? Should I change my password?
By Sam Hooker and Dean Williams
A security vulnerability named "Heartbleed" has affected a large portion of websites on the Internet, and system administrators and network engineers worldwide have worked quickly to apply patches. Enterprise Technology Services suggests the following precautions, adapted from the Chronicle of Higher Education and the SANS Internet Storm Center.
- Avoid online banking and shopping for a few days, if you possibly can. Some sites are posting messages saying they were not affected by the vulnerability, or that they have fixed it.
- Don’t change your online banking password until your bank tells you that it’s okay; otherwise you may just be giving attackers your new password.
- Be very suspicious of any emails asking you to change passwords. Helpful emails with links in them are in many cases not helpful. Don't click that link! Hover your cursor over the link to see where it would go, or better yet, browse to the affected site by using an existing bookmark or by typing the web address. Once you're there, click on the lock symbol to confirm you're in the right place, and then change your password.
- Remember that legitimate UVM emails will never ask you to respond with sensitive information such as password, Social Security number, or bank-account number, nor to go to a non-uvm.edu web site to manage your Net-ID or password.
- Apply the latest security updates to your home and work computers, as well as to your mobile devices.
It is safe to change your UVM password. To do so, go to the UVM home page and enter "change password" in the search field. You're encouraged to change your password if you have access to highly confidential information, if you've used your Net-ID in a risky setting such as public Wi-Fi or an Internet café, if you've used the same password anywhere else, or if it's been a while since you last changed it.
Feel free to contact the Information Security Office, firstname.lastname@example.org, with questions.
Original posting from April 9, 2014:
A security vulnerability named Heartbleed was disclosed Monday night. The vulnerability affects a large portion of websites on the Internet that use OpenSSL to encrypt webpages (pages whose addresses start with https) and other communications. SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide communication security over the Internet.
While our estimation is that the likelihood of a concerted effort targeting UVM and leveraging this technique is fairly low, this vulnerability also affects the rest of your online life (other websites with which you conduct sensitive transactions, other networks you use to access the Internet). Since you're probably already changing your passwords in those other places, it certainly wouldn’t hurt to change your UVM password as well.
Recent newsworthy, worldwide events have been accompanied by substantial increases in fraud related to that news. Watch for fraudulent email claiming to be from UVM or from companies with which you do business, as criminals will undoubtedly take this opportunity to create targeted phishing email messages to trick people into divulging their passwords. Be on the lookout for sites that purport to tell you whether your site or your information has been compromised, especially if they demand personal details, login credentials, or payment. And feel free to contact the Information Security Office, email@example.com, with questions.