CONTACT US AT:
Information Security Office
301 University Blvd
Suite 4.440
Galveston, TX 77555-0113

Phone: 409.772.3838
Email: iso@utmb.edu

 


The Information Security Corner With Bob Shaffer

If you have paid attention to local or national news over the past couple of weeks, you’ve probably heard about a computer vulnerability called Heartbleed. Heartbleed is associated with OpenSSL, an implementation of the Secure Sockets Layer (SSL) protocol. Millions of people depend on SSL to secure their communications over the Internet. It also helps ensure that we are connecting to legitimate websites when banking, shopping or accessing other popular Internet sites such as Facebook, Gmail and YouTube.

Contrary to some news reports, this vulnerability does not impact Windows, Mac desktop or laptop computers. It primarily affects websites connected to the Internet. Heartbleed is a design flaw which allows hackers to attach to websites and steal information while it's being transmitted. Login credentials, personally identifiable information and other sensitive data could possibly be compromised if the website you're visiting hasn't been patched. You can easily validate the status of any website by going to the LastPass Heartbleed Checker; just type in an address and it will tell you if the website was ever vulnerable and what its current status is. You can also go here for a quick status of the most popular sites on the Internet.

If you haven't already done so, you are strongly encouraged to change your passwords on websites that you know were vulnerable and have been fixed, starting with the most important ones. As with any password, it should be a minimum of 6-8 characters in length and made up of numbers and letters with at least one or two special characters. If you have numerous passwords, or passwords that are difficult for you to remember, you might want to use a password manager. If you decide to use a password manager, I recommend that you go with a name brand. They range in price from free to $50.

There have also been reports of phishing attacks associated with Heartbleed. Some less-than-reputable people have sent out emails that appear to come from legitimate companies, such as online banks or stores, in an attempt to get you to click a link that takes you to a fake website. The fake website asks you to change your password, which results in you giving up your password for the legitimate site. Never trust an unsolicited email that prompts you to change your password, and always type the name of the website in the address bar of the web browser.

In closing, UTMB had a small number of vulnerable sites - all have been fixed or are currently being addressed. None were used by the general UTMB population or the public.

I'd also like to thank Myra McCollum, UTMB Marketing and Communications, for taking the initiative to develop a blog and informing the Social Media Workgroup about this significant vulnerability.

Remember Sec-U-R-IT-y

Thank You,

Robert V. Shaffer Jr.
Director of Information Security
