By now I’m sure you’ve heard of the Heartbleed Vulnerability;  most major media outlets have covered it extensively.  Today I am going to briefly cover some of the high-level aspects of the problem and offer some insight into what the ITS department has done to protect the college and what you can do to protect yourself.

What is Heartbleed?

Have you ever noticed the little closed padlock in your URL window when you go to some sites (usually ones where you have to enter a username/password)? That padlock means that the site is using special encryption software to secure your data. Without an encrypted connection, it is almost trivial for a hacker to spy on your communication and extract meaningful data. Making a LOOOONG story as short as possible, your computer and the remote server share a secret key that is used to decipher your data.  Without access to the key, your data is relatively meaningless and is thus considered reasonably safe.  …But what if the key was somehow stolen?  Enter Heartbleed.

Based on current reports, Heartbleed appears to be a flaw in a piece of encryption software called OpenSSL.  OpenSSL is a widely used encryption package employed by many popular websites.  If a server running the affected version of OpenSSL is attacked in a particular way by a knowledgeable hacker, the hacker could theoretically gain access to the encryption key that I mentioned earlier.  With the key, the attacker could DE-crypt all of your encrypted traffic, thus effectively bypassing all security.  Any sensitive data (usernames, passwords, account numbers, balances, etc.) would be laid bare for the attacker… Scary.
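The flaw behind the headline, shown as an added example that is not code from the original post or from OpenSSL itself: Heartbleed was a missing length check in OpenSSL's handling of the TLS heartbeat extension. A peer sends a heartbeat request carrying a payload plus a length field stating how big that payload is; the unpatched code trusted the field and copied that many bytes back, so a tiny request claiming a large payload was answered with whatever happened to sit next to it in the server's memory, which could include the private key. The C model below simplifies the record layout, and the 96-byte buffer filled with 'S' bytes is a constructed stand-in for process memory; the constants, function names and filler byte are illustrative assumptions, not OpenSSL identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record: type (1 byte) | payload length (2 bytes,
 * big-endian, supplied by the peer) | payload | 16 bytes of padding.   */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16

/* Read the peer-supplied 16-bit payload length. */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Echo the payload back with fresh padding; returns bytes written, 0 if it won't fit. */
static size_t hb_build_response(const uint8_t *rec, size_t payload,
                                uint8_t *out, size_t out_cap)
{
    if (HB_HEADER + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* VULNERABLE: models the unpatched behaviour. The length field is trusted and
 * never compared with how many bytes actually arrived, so a short record that
 * claims a long payload makes memcpy read past the record into neighbouring memory. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;   /* the real record length is ignored: that is the bug */
    return hb_build_response(rec, hb_claimed_len(rec), out, out_cap);
}

/* FIXED: models the patched behaviour. Header + claimed payload + padding must
 * fit inside the record that was actually received, or the message is dropped. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;                                   /* too short to be a heartbeat */
    size_t payload = hb_claimed_len(rec);
    if (HB_HEADER + payload + HB_PADDING > rec_len)
        return 0;                                   /* length field lies: silently discard */
    return hb_build_response(rec, payload, out, out_cap);
}

/* ---- Constructed demonstration data (not captured traffic) ---- */
#define ARENA_SIZE   96
#define REAL_PAYLOAD 4
#define REAL_REC_LEN (HB_HEADER + REAL_PAYLOAD + HB_PADDING)   /* 23 bytes */

/* A 96-byte buffer stands in for process memory: a 23-byte request carrying
 * "ping" sits at the front; every byte after it is 'S', standing in for
 * unrelated data (session state, key material) the peer must never receive. */
static void build_arena(uint8_t *arena, uint16_t claimed_len)
{
    memset(arena, 'S', ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, "ping", REAL_PAYLOAD);
    memset(arena + HB_HEADER + REAL_PAYLOAD, 0, HB_PADDING);
}

/* Number of 'S' bytes (memory outside the record) the vulnerable handler echoes
 * back when the 23-byte request claims `claimed_len` bytes of payload. */
size_t demo_vulnerable_leak(uint16_t claimed_len)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE + HB_HEADER + HB_PADDING];
    build_arena(arena, claimed_len);
    size_t n = heartbeat_vulnerable(arena, REAL_REC_LEN, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = HB_HEADER; i + HB_PADDING < n; i++)   /* scan the echoed payload */
        if (out[i] == 'S')
            leaked++;
    return leaked;
}

/* Response size from the fixed handler for the same request:
 * 23 bytes for an honest length, 0 (dropped) for a lying one. */
size_t demo_fixed_response(uint16_t claimed_len)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE + HB_HEADER + HB_PADDING];
    build_arena(arena, claimed_len);
    return heartbeat_fixed(arena, REAL_REC_LEN, out, sizeof out);
}

int main(void)
{
    printf("honest length 4:  vulnerable leaks %zu bytes, fixed answers %zu bytes\n",
           demo_vulnerable_leak(4), demo_fixed_response(4));
    printf("claimed length 40: vulnerable leaks %zu bytes, fixed answers %zu bytes\n",
           demo_vulnerable_leak(40), demo_fixed_response(40));
    return 0;
}
```

The honest request is answered identically by both handlers. The request whose length field claims 40 bytes while only 4 were sent is where they part ways: the unpatched model copies 20 bytes of 'S' filler from beyond the record into its reply, while the patched model notices that header, claimed payload and padding cannot fit in 23 received bytes and drops the message. That single comparison against the real record length is the whole fix.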

What’s worse is that this could apply to PREVIOUS traffic as well.  If a hacker happened to be logging your fully-encrypted traffic (for possible future use) and subsequently obtained the key, he/she could go back and unlock your encrypted data.  It should be noted that this scenario is not likely, but not implausible enough to be dismissed entirely.

Has it been fixed?

Fortunately, the OpenSSL developers patched the software quickly, and the updated software was deployed by systems administrators across the world (including me!), so most vulnerable systems are now immune to the Heartbleed bug.  This includes all Georgetown College systems.

If it’s been fixed, why is everyone still saying that I need to change my password?

Although the exploit was ANNOUNCED a couple of weeks ago, it may have existed (and possibly been exploited) much earlier. To mitigate the possibility that your username/password was compromised before the Heartbleed vulnerability went public, websites are recommending that users change their passwords to be on the safe side.  This is a universal precaution, and ITS recommends that you change your password frequently anyway.

1. To change your password from your on-campus desktop, simply press Ctrl+Alt+Delete, and then select “Change Password”.
2. To change your password from the portal (my.georgetowncollege.edu), log in to the portal and click “My Account” (in the left-hand pane). The “Update Password” option will appear at the top of the screen.

For more password best-practices, check out this previous TigerTech entry.

How do I know that my favorite website is fixed?

For a quick list of most popular websites, you can check out CNET’s article here.  Also at this location are links to other services that you can use to check other sites you may be concerned about.