What is "Heartbleed" and why is it a major concern?
"Heartbleed" is the code name for a flaw in a piece of software called OpenSSL that is installed on many computers that provide web and other services (known as "servers"). Typically, OpenSSL enables these servers to exchange confidential information across the network in a non-readable, encrypted form with any user device (e.g., computer, tablet, smartphone) that communicates with them. This encrypted form relies on a secret encryption key that allows the two communicating devices to read the actual unencrypted data, while preventing unauthorized individuals from doing so.
It was recently discovered that OpenSSL versions released in the past two years contain a flaw that enables an attacker to discover the secret encryption key of any server running the software, and then to capture and decrypt any data being transmitted to and from that system. This can potentially expose netIDs and passwords used to log into the site, or any other personal, sensitive information that was shared.
What is OIT doing to protect University data against Heartbleed?
- We installed the newest, corrected version of OpenSSL on every affected OIT-managed server on our network.
- We are replacing “certificates” on each affected server, which assigns each server a new, secret encryption key.
- We are in the process of identifying non-OIT-managed servers affected by Heartbleed and working with appropriate departmental support staff to remediate the issue.
What do you need to do?
Anyone exploiting Heartbleed on a system you use may have discovered your password to the site - University or otherwise. It is important that you change your password for these sites. However, before doing so, be sure that all sites that use the same netID and password have been updated and fitted with new secret encryption keys. Otherwise, an existing vulnerability that hasn’t been closed can expose any new password you set. OIT will let you know when the remediation effort is complete and it is safe to change your Princeton password. Watch for email communications and for updates posted to the IT Security (www.princeton.edu/itsecurity) and OIT (www.princeton.edu/oit) websites.
Watch for phishing. There will be more.
IT security situations that gain national and international attention like Heartbleed often cause an increase in phishing activity. Remember that no organization at Princeton will ever ask you to respond to an email with your netID, password, or other confidential information. Also be wary of links and attachments. For further information about phishing and identity theft, see www.princeton.edu/itsecurity/basics/idtheft.
Who can answer your questions?
For immediate security-related concerns, please contact the OIT Help Desk at (609) 258-HELP or firstname.lastname@example.org. The OIT Help Desk is available 24 hours a day, seven days a week.
For general questions about Heartbleed or any other security issue, contact the Information Security Office:
Ellen Amsel, Chief Information Security Officer
Anthony Scaturro, Senior Advisor for Information Security