The Heartbleed Bug

April 09, 2014

**UPDATE APRIL 11, 2014**

The Problem: 


The Heartbleed Bug is a serious vulnerability in OpenSSL, the software behind many web pages that start with https. It allows attackers to read and steal protected information from the web, email, instant messaging (IM) and some virtual private networks (VPNs). Private information such as passwords or secret keys could be leaked if the problem is exploited.


What is ITS Doing?

ITS staff and the security team have scanned the UCSC network to find vulnerable OpenSSL instances and active exploit attempts. ITS has contacted admins and server owners who manage vulnerable systems affected by the Heartbleed Bug so they can patch and replace private keys and certificates. ITS is now in the process of notifying individuals whose accounts have been compromised. If you are one of these people, you will receive a notice from ITS asking you to take action.

ITS has determined that the majority of the UCSC enterprise systems (e.g., Google Apps, MyUCSC, Gold password login, AIS, FIS, eCommons, IT Request ticket system) are not affected by the Heartbleed Bug and require no additional action on your part. ITS is also reviewing the status of systems hosted by off-campus vendors (e.g., CruzPay, RMS).


What YOU Can Do: 

First off, don't panic. While this is a serious vulnerability, ITS staff and other people around the world are working on reducing the risk for everyone. There are some things you can do now: 

  • Be on the lookout for notifications from password-protected Web services you use. If a provider suspects that their service was exploited, they may ask or even require you to change your password once patches have been applied.
  • Be skeptical of any email asking you to change passwords. Scammers will take advantage of this situation. Know where that email is coming from, or call the company to find out if it's legit.
  • If ITS staff tell you that you should change your password for a particular service, please follow that advice immediately.
  • Remember that legitimate UCSC emails from ITS never ask you to respond with sensitive/personal information such as a password, SSN, or bank account number.
  • Don't change your online banking password until your bank tells you that it's OK to do so. 
  • Be careful about what websites you visit and if possible, avoid online banking or online purchasing for a few days. 
  • If you are curious whether a website may be affected by the vulnerability, you can visit the LastPass Heartbleed checker or the Heartbleed test site and enter the name of the website you are concerned about to see whether it is vulnerable.

Good Time to Change Passwords

As a precaution, consider changing your UCSC password and the other personal passwords you use on websites, because the Heartbleed Bug vulnerability is widespread.


Get Help

If you have any questions about the Heartbleed Bug or need help changing your password, please contact the ITS Support Center.


More Information