A serious vulnerability in Internet security was reported late Monday, April 7. You should change your passwords on any websites that are affected. Drew systems were largely not susceptible, but users who are not enrolled in Duo Security and sync their Drew email to their smartphone or third-party email software should change their uLogin or device passwords, as applicable.
Earlier this week, researchers at Google Security announced the discovery of a serious vulnerability in OpenSSL, a popular implementation of the SSL/TLS protocol used to provide secure encrypted communication over the internet. The vulnerability, now popularized in the media as the “Heartbleed bug,” allows an attacker to read the contents of a vulnerable web server’s active memory, potentially revealing sensitive details such as the passwords of logged-in users and the keys used to encrypt communication.
The Heartbleed bug is serious and global in scale. According to the Netcraft organization, just over two-thirds of the world’s web servers use some version of OpenSSL, and they estimate that over half a million web sites, about 17% of secure web sites on the internet, were or are using a vulnerable version. Successful proof-of-concept exploits exposing users’ passwords have been demonstrated against consumer web sites such as Yahoo! Mail.
University Technology has been working to analyze the impact of the Heartbleed bug on Drew systems and services and this bulletin contains our current findings and recommendations. While the vulnerability is serious, the best advice at this time is not to panic, but to simply stay informed and follow available recommendations. Staff in University Technology and security professionals the world over are working around the clock to respond to this issue. This is an evolving situation and we will endeavor to keep you informed as things unfold.
Secure communications for nearly all Drew web sites, including secure areas of www.drew.edu as well as Moodle, TreeHouse, all Banner applications, U-KNOW, the Library catalog, CloudPC, etc., are managed by our Central Web Infrastructure. We have confirmed, both from the vendor’s announcement and from independent testing, that the Riverbed Stingray software behind the Central Web Infrastructure was not vulnerable to the Heartbleed bug.
We did identify two standalone systems, not under the umbrella of the Central Web Infrastructure, which were running vulnerable versions of OpenSSL. These systems have been patched and certificates replaced. As those systems are used by a small number of users, primarily in University Technology, the specific users of those systems have been contacted with appropriate recommendations.
Our review also considered Drew services provided by Google. At the time of this writing, Google has confirmed that Google web sites were vulnerable to Heartbleed. Google has patched their systems but at this time is not advising Gmail users that they need to change their passwords. Google’s current public statement is not in agreement with the prevailing viewpoint of independent security professionals, who have in large part advised that Gmail users should change their passwords. Drew’s situation is somewhat more complex, as your Drew Google login is delegated to Drew’s systems: when logging in to your Drew Google account via the web, your Drew password does not transit Google systems. Our recommendations below reflect the more cautious position, specifically for those situations in which your Drew uLogin password does pass through Google systems.
We have also contacted Drew’s provider of online payments and payment plans, Tuition Management Systems. TMS reports that like us, their infrastructure was not vulnerable to the Heartbleed bug.
While our Central Web Infrastructure was not vulnerable to Heartbleed, this situation does further validate Drew’s recent implementation of two-step login with Duo Security. Had we been vulnerable, and had that vulnerability been used to acquire user passwords, two-step login would have provided an additional layer of protection for your account: a stolen password alone would not allow an unauthorized user to log into your uLogin account.
We are continuing to actively monitor the issue, particularly with respect to third-party services which Drew relies on and their response to the issue. We will post updates on the UT web site as they become available.
Our recommendations for Drew services
While we are fortunate that in large part Drew services do not appear to have been affected by the Heartbleed bug, out of an abundance of caution, we are making the following recommendations for changing Drew passwords:
If you have made your password on any non-Drew web site match your Drew uLogin password, please change your uLogin password. You may do so at password.drew.edu. Do not change your password on the non-Drew web site until you have confirmed from the web site’s owner that the site has been patched. You should always pick a unique password for Drew that is distinct from the password you use on any non-Drew web site.
For students and retirees who have not enrolled in Duo Security and who have also set up the built-in Mail app on a smartphone or tablet, or a third-party email program such as Apple Mail, Thunderbird, or Outlook, to sync with their Drew email, we recommend that you change your uLogin password. You may do so at password.drew.edu. When accessing your Drew Google account via these third-party applications, your Drew uLogin password passes directly through Google’s systems, which were vulnerable to the Heartbleed bug.
If you only access your Drew Google account via a web browser, it is not necessary to change your uLogin password. Under these circumstances, your Drew uLogin password does not pass through Google systems, but is validated directly by Drew’s system. Drew’s infrastructure was not vulnerable to the Heartbleed bug.
For users who are enrolled in Duo Security, including all employees and some students who have opted in or are required to do so, it is not presently necessary to change your uLogin password. Your uLogin password does not transit Google systems if you are enrolled in Duo Security.
If you have your smartphone or tablet’s built-in Mail application or a third-party email application such as Microsoft Outlook, Apple Mail, or Thunderbird connected to your Drew email account, then we recommend that you generate a new “device password”. While your uLogin password does not pass through Google systems if you are enrolled in Duo Security, your device password does. The device password only provides access to these specific applications and cannot be used to access any other Drew service. To change your device password, please visit the Two-Factor Authentication Self-Service web site and click Generate a new device password. We recognize that most device passwords will be expiring naturally in the next few weeks anyway.
Our recommendations for general internet safety
The world’s response to the discovery of the Heartbleed bug is evolving, and many web site owners are still in the process of assessing their systems and responding to the vulnerability. We recommend the following safety tips until the full extent of the Heartbleed bug’s impact is understood:
Avoid online banking and shopping for a few days, if you possibly can. Many online stores and financial institutions have not yet disclosed their exposure to the Heartbleed bug.
Don’t change your online banking and other non-Drew web site passwords until the site owner tells you that it’s OK. If the web site is still vulnerable, you may simply be giving your new password to attackers.
Try to use different passwords for different websites whenever possible. It is especially important to use unique passwords for critical services such as Drew, your banking institutions, and your personal email account. This decreases the chance that a password disclosure on one system will allow access to other systems.
Apply the latest security updates to your computers, as well as to your mobile devices.
Stay informed. Review the sites below to learn more about progress in addressing the Heartbleed bug and how any personal web sites that you use may be affected. Change your password on vulnerable web sites after the site owner has patched the vulnerability.
If in doubt, ask! Feel free to contact us with questions or concerns.
The following sites provide more information about the Heartbleed bug and ongoing efforts to respond to this important security issue.
List of websites known to be affected (Mashable)
Web site vulnerability checker (Lastpass.com)
Technical description (heartbleed.com)
News report (Reuters)
News report with advice (NPR)
Comic explanation (xkcd)
Please stay tuned to University Technology’s own Heartbleed Information Center at www.drew.edu/ut/heartbleed for more news and updates.