Important Security Update Regarding Heartbleed Bug

Yesterday, a massive security flaw (nicknamed “Heartbleed”) was uncovered which compromises secure computer systems across the Internet: at least 66% of websites as well as mail servers and other systems.

OpenSSL, a library of security and cryptographic algorithms, was discovered to have a vulnerability that’s been present as far back as two years. Many websites and apps that you use every day are affected by this, and they are scrambling to fix the issue. Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey.

How was Emerson impacted?

Some of Emerson’s secure websites relied on potentially-exploitable OpenSSL libraries. We have patched these sites with an update fixing the vulnerability, and have replaced their security certificates. This means that there should be no way for anyone to exploit these websites, or decrypt traffic coming to and from them, even if they had been compromised.

The Heartbleed.

How does this exploit work?

This vulnerability may have allowed malicious hackers to capture small bits of data on secured systems, including user account information, such as passwords, as well as the systems’ security keys themselves. This could allow unencrypted eavesdropping even after the vulnerability is closed, if the system’s security keys haven’t been changed. Unfortunately, there’s no way to know if anything actually was compromised, as the exploit leaves no trace. It’s that bad.

What now?

At this point, many affected websites across the Internet are applying the patch and getting new security certificates. You can think of this as replacing the deadbolt and rekeying the lock. Some websites you use may ask you to change your password in the coming days as an additional precaution. Make sure you do not click links in emails. Make sure you go to the website directly, and only if you have been prompted.

There is nothing to suggest that Emerson usernames or passwords were compromised, but to be safe, we strongly recommend you change your Emerson password as soon as possible. Please visit http://password.emerson.edu/ to do so.

You can read more about the Heartbleed bug as well as the internet’s response at TechCrunch.

If you have any questions or concerns, please feel free to contact us by phone at 617-824-8080 or online at it.emerson.edu/help.

Leave a Reply