Update - April 11, 2014, 11:45 a.m.
SOS continues to scan the Penn State network to find vulnerable OpenSSL instances and active exploit attempts. Distributed IT staff are working to fully mitigate the problem, and systems have been patched to prevent exploitation of the Heartbleed Bug. Certificate and private encryption key replacement are required of all systems found to be vulnerable. We previously stated that this would only be required of systems that showed evidence of being exploited, but the severity of this issue caused us to re-evaluate that position and opt for a more comprehensive approach.
Comprehensive coverage of this vulnerability in traditional and social media brought much-needed awareness of the problem to many people. Unfortunately, some misinformation has spread as well. Here are a few things to be aware of:
- The Heartbleed Bug is not a virus or malware, and does not "spread" or "infect" new machines. It is faulty code that was part of a software release.
- The Heartbleed Bug did not affect every Internet service and/or website. Many services were completely unaffected by this vulnerability because they did not use the OpenSSL software.
- Changing your password on affected services is recommended, but should not be done until you are certain the service is fully patched. If you were notified after changing a password that the service was patched and requires a password change, you need to change it again.
- Be on the lookout for bogus "change your password" email messages. Unfortunately, attackers may use this event to try and steal passwords through social engineering. Never send a password or other sensitive information through email. And when you do receive email messages notifying you that a service has been patched and requires a password change, don't follow a link in the message to visit the site — use an address that you know to be good and type it into your browser.
The Heartbleed Bug, which is being actively exploited in the wild, affects OpenSSL by allowing attackers to read information that is expected to be encrypted. Critical information such as passwords or secret keys could be leaked if the problem is exploited. If secret keys are retrieved and utilized by an attacker, all traffic over the wire can be decrypted. Detailed information about the issue can be found at http://www.kb.cert.org/vuls/id/720951 and http://heartbleed.com.
SOS is scanning the Penn State network to find vulnerable OpenSSL instances and active exploit attempts. As we find issues on the network, we will contact network admins to provide information about patching the vulnerability and strongly encourage the replacement of private keys and certificates. Certificate and private key replacement are required if there is evidence that the exploit was used, and strongly recommended in all other situations. (This information has changed. Please see the update above.)
What you can do:
Be on the lookout for notifications from password-protected Web services you use. If a provider suspects that their service was exploited, they may ask or even require users to change their password once patches have been applied.
If your local IT staff tell you that you should change your password for a particular service, please follow that advice immediately. They are notifying you of an urgent problem that needs to be addressed.
What IT staff can do:
- Apply appropriate patches and restart services that rely on OpenSSL.
- SOS offers free access to Nessus Security Center, which is able to detect this issue. More info on Security Center may be found here: https://wikispaces.psu.edu/pages/viewpage.action?spaceKey=vulnscan&title=Home
- SOS can answer questions and consult with unit system administrators to work through this issue. Please contact us at firstname.lastname@example.org.
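Added example for the patch-and-restart step above (not part of the SOS advisory), written as a POSIX shell script for a Linux host: it checks the reported OpenSSL version against the Heartbleed-affected range and lists running processes that still map a replaced libssl/libcrypto, which is the usual reason a patched host stays exploitable until services are restarted. The function names and the fake /proc sample tree are this example's own assumptions.

```shell
#!/bin/sh
# Two post-patch checks for Heartbleed on a Linux host (added example):
#  1. Is the upstream OpenSSL version in the affected range?
#     Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1. Fixed in 1.0.1g.
#  2. Which processes still map the OLD (now deleted) libssl/libcrypto?
#     Updating the package does nothing for them until they restart.
# Caveat: distributions backport the fix without changing the version
# string, so check 1 is a first pass only; the vendor changelog or a
# vulnerability scanner (e.g. the Nessus access SOS offers) is authoritative.

# heartbleed_version_affected "<output of: openssl version>" -> prints yes|no
heartbleed_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo yes ;;
        *) echo no ;;
    esac
}

# stale_openssl_procs [proc_root] -> prints "pid:comm" per affected process.
# A deleted library in /proc/PID/maps means the file on disk was replaced
# (patched) but this process still runs the old copy in memory.
stale_openssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps"; then
            piddir="${maps%/maps}"
            comm=$(cat "$piddir/comm" 2>/dev/null || echo '?')
            printf '%s:%s\n' "${piddir##*/}" "$comm"
        fi
    done
}

# Constructed sample: a fake /proc tree with one stale process (pid 100,
# nginx, old libssl still mapped) and one healthy process (pid 200, sshd).
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/100" "$d/200"
    printf '7f0 r-xp 00000000 08:01 1 /lib/libssl.so.1.0.0 (deleted)\n' > "$d/100/maps"
    echo nginx > "$d/100/comm"
    printf '7f0 r-xp 00000000 08:01 2 /lib/libssl.so.1.0.0\n' > "$d/200/maps"
    echo sshd > "$d/200/comm"
    printf '%s\n' "$d"
}

sample=$(make_sample_proc)
echo "sample stale processes: $(stale_openssl_procs "$sample")"   # 100:nginx
rm -rf "$sample"
echo "this host's version affected: $(heartbleed_version_affected "$(openssl version 2>/dev/null)")"
```

Run `stale_openssl_procs` without an argument as root to scan the real /proc; any process it lists must be restarted before the host can be considered patched.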
As the extent of possible damage from the Heartbleed Bug becomes more clear, SOS will provide updates and recommendations for Penn State users and IT staff. Please check our site for updates in the coming days.