UMBC Response to Heartbleed Security Incident

Issue potentially affects "https" web sites using OpenSSL

A major security vulnerability named Heartbleed was disclosed Monday night. The vulnerability affects a large portion of websites, both across the Internet and here at UMBC, that use the "https:" protocol for secure web traffic. Many servers that support "https:" use a package named OpenSSL to encrypt web pages. The "https:" protocol relies on SSL (Secure Sockets Layer), a cryptographic protocol designed to provide secure communication over the Internet. The vulnerability could allow usernames and passwords being exchanged over the web to be stolen.

Starting with the announcement on Monday evening, DoIT staff have been working to understand the risks, determine which systems are vulnerable, and take the necessary steps to remediate or lessen the risk. DoIT classifies system risk from 0 (very low) to 3 (very high). Over the last two days we have patched or remediated all of our level 2 and 3 servers. We expect to have all systems patched this week. In addition, we are working with departmental IT staff to identify and address issues in the departments. We also continue to work closely with commercial partners to patch devices and equipment that may be impacted.

Prior to this event, DoIT was planning to move forward with a mandatory password change for all users starting at the end of April. As a precaution, we are looking at expediting this process and will send out another message about it early next week.

If you are wondering whether a site is vulnerable, you can test it by entering its address at http://filippo.io/Heartbleed/. Any questions or concerns may be directed to security@umbc.edu.

Posted: April 9, 2014, 7:40 PM