Some Internet servers use Secure Sockets Layer (SSL) to protect data in transit, in some cases data sent through a website, and Internet criminals have exploited a vulnerability in some versions of the server security software. The impact of this issue across the Internet could be significant, as many popular sites are known to be or to have been vulnerable. The most serious impact will be to Internet users who visit one of these vulnerable sites and provide usernames and passwords and/or credit card information.
As recently as this afternoon, most of the major national services, such as Yahoo, Google, and Facebook, have announced that they have repaired the vulnerability on their sites. Once a major service provider has announced that it has fixed the vulnerability, you should change your password for that service. If a service that you use has not announced that it is either secure or has fixed the vulnerability, changing your password may not be very effective at this time. As a general safe computing practice, we should periodically:
- update our passwords,
- not use the same passwords for different services,
- be judicious about setting password recovery questions (e.g., do not use information that may be published on social networking sites), and
- use two-factor authentication where feasible (e.g., in banking, in addition to your password, a confirmation code may be sent to your cell phone or your email account).
Note that this vulnerability has not affected Texas Tech’s eRaider Web Sign-In. TTU IT Security Policies require all University applications that need authentication to use eRaider Web Sign-In. The design of eRaider Web Sign-In shields the application from the password exchange; because eRaider usernames and passwords are not stored in server memory, none were exposed due to this vulnerability.
For general safe computing information, visit www.safecomputing.ttu.edu. For technical information on the Heartbleed vulnerability, go to www.kb.cert.org/vuls/id/720951. For information or questions, please contact IT Help Central, firstname.lastname@example.org, (806) 742-4357 (HELP).