Information Technology Services

"Heartbleed" Bug a Threat to Web Encryption

04/09/14

 

UPDATE April 11, 4pm
You may have seen news coverage about a current Internet security concern called the Heartbleed Bug. Here is what you should know:

What is the Heartbleed Bug?

It is a flaw in one of the tools used to secure Internet traffic. That tool, called OpenSSL, is responsible for providing security on the Internet. The bug allows an attacker to capture usernames, passwords, and pretty much any other information.

Why does this matter?

Much of the Internet relies on OpenSSL to protect secure traffic. At least 500,000 servers world-wide appear to be affected by the bug, as well as some personal computers and mobile devices. Until the bulk of affected computers are fixed, or “patched,” any secure site (https: at the start of the web address) on the Internet is potentially dangerous to visit.

What is BC doing?

BC fixed all servers accessible from the Internet that appear to be affected by the bug. BC also installed a filter between the Internet and BC that is supposed to block any attempt to exploit the bug on computers on the BC Network.

What should I do?

Don’t panic. While this is a serious vulnerability, security staff at BC and around the world are working diligently to reduce the risk. There are some things to be aware of in the meantime:

  • Some media outlets and security experts are advising people to avoid all online banking and shopping for a few days, or to change all their passwords. At BC, we believe this is not necessary at this time. Users should simply carry on with their normal Internet usage and wait another week before making a decision about changing passwords.

  • Be very suspicious of any emails asking you to change passwords, as there will be phishing attempts leveraging this bug as an enticement. If you do decide to change your password for a given website, go directly to the site by typing out its name or using a bookmark on your computer. Do not click on email links telling you to change your password.

  • Remember, legitimate emails will never ask you to respond with sensitive information such as a password, SSN, or bank account number.

  • Always apply the latest security updates to your home and work computers, and mobile devices. While in this particular case, applying a security update to your devices will not address the problem, applying updates does address an array of other security issues.

Feel free to contact the Help Center (x2-HELP) or help.center@bc.edu with questions or concerns.


 

UPDATE April 10, 7pm - A major security vulnerability named Heartbleed was disclosed Monday night (4/7). It affects a large portion of websites on the Internet that use OpenSSL to encrypt webpages (pages that start with https). Through this flaw, an attacker can connect to a server and extract a copy of the private key. This could give attackers opportunities for data theft and system compromise.

  • BC ITS has been aware of the issue since Monday evening and continues to monitor it.
  • Heartbleed is expected to be blocked at BC some time today (4/10).
  • Cloud service providers including Amazon and Google have already patched their systems. Many major sites are not even affected by the bug.
  • At the moment, no action is necessary on your part. ITS recommends you do not change your BC password.
  • ITS will continue to identify and remediate systems that might be at risk.

As always, be careful about what sites you visit and be especially mindful of phishing schemes.  
