Skip to content

NJIT’s Heartbleed Response

by on April 22, 2014

What is the Heartbleed bug?

On April 7, 2014 researchers found a flaw in OpenSSL, one of the tools used to secure Internet traffic.OpenSSL provides security on the Internet. The bug compromises security keys, allowing attackers to potentially capture usernames, passwords, and other data stored in the server’s memory. If you would like additional information, NPR’s Marketplace is a good place to start.http://www.marketplace.org/topics/tech/heartache-heartbleed

Should I be concerned? 

NJIT’s major systems, including payment and student systems, were protected. However, this is a significant security concern for other sites. OpenSSL creates an encrypted connection between you and secure servers. A recent Netcraft SSL survey found that around half a million servers world-wide appear to be affected by the Hearbleed bug. Until the bulk of these computers are fixed or “patched,” any secure site on the Internet is potentially vulnerable.

What is NJIT doing?

NJIT has patched all our potentially vulnerable servers that are exposed to the Internet. We will continue to monitor the situation; further information will be distributed through follow up email messages, and posted on the NJIT IST web site (http://ist.njit.edu/).

What should I do?

While this is a serious vulnerability, IT professionals at NJIT and around the world are working to patch servers and mitigate the risk. Our recommendations include:

1. University systems were not compromised so you do not have to change your NJIT password.  However, we still recommend changing your NJIT passwords regularly as a matter of best practice.

2. Check the status of non-NJIT sites you visit. This Mashable.com article provides a list of popular web sites and their status in regards to the Heartbleed vulnerability. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/.

If you are concerned about a site that is not on the list, both Firefox and Chrome now have add-ons that can manually check the status of a site.

3. Change your passwords, but only after a site has been patched. This is the tricky part. On the whole, it’s a good idea to change passwords after any security breach, but only after the breach itself has been closed. To that end, change passwords on affected sites, but only after they have determined Heartbleed is no longer an issue.

Those interested in more technical information visit http://heartbleed.com

Remember that legitimate NJIT email messages will never ask you to respond with sensitive information such as password, SSN, or bank account number. Be suspicious of any email asking you to change passwords.

This email was prepared from contributions from the Higher Education Information Security Council (HEISC) and the Educause IT Comm listserv.
http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-initiative/

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: