Security Advisory: OpenSSL "Heartbleed Bug" may disclose sensitive information

WHOM DOES THIS AFFECT:
Individuals accessing websites or other services running vulnerable versions of OpenSSL. We often associate these encrypted connections with a secure “https” URL or a closed padlock indicating a secure connection.

SUMMARY:
Announced on April 7, 2014, a security vulnerability called Heartbleed allows attackers to collect information that is expected to be encrypted including encryption keys, session cookies, credit card numbers, passwords, and social security numbers.

Computing Services’ Information Security Office (ISO) is actively scanning CMU’s network for vulnerable hosts, monitoring for evidence of attack and compromise, and responding to impacted individuals accordingly. University vendors are also being assessed.

YOUR ANDREW PASSWORD:
Computing Services has already patched the vast majority of its vulnerable servers. login.cmu.edu was not vulnerable which means Andrew passwords do not need to be changed at this time. If that changes, you will be notified.

WHAT YOU NEED TO DO:

• Check whether a website you are using was vulnerable to a Heartbleed attack by contacting the vendor. If the website was vulnerable or it’s unclear, change your password for that site immediately.   
• Pay attention to any notification sent by your bank, email provider, social networking provider, or other vendor about OpenSSL or Heartbleed and stay alert for email scams. Criminals can use this issue as yet another opportunity to try to trick you into revealing personal information. Never send your password or sensitive information in response to an email and do not click on links to get to your vendor’s website. Type a known good URL.
• If you use any external services not provided through CMU for university business, please report this service to it-help@cmu.edu so that we can assess the risk.

MORE INFORMATION:

• CERT Vulnerability Note VU#720951: OpenSSL heartbeat extension read overflow discloses sensitive information
  
• Krebs on Security: 'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys
• Forbes: Heartbeat Heartbleed Bug Breaks Worldwide Internet Security Again (and Yahoo)

CONTACT:

Please direct any questions or comments to the Computing Services Help Center (412-268-HELP or it-help@cmu.edu) or to your departmental IT staff or DSP consultant.