HeartBleed

There are many stories on the news about the Heartbleed bug, a security flaw/vulnerability found on data encryption programming code used on many websites (media has stated approximately 66% of internet websites use this code).  I would like to share some information with you about this risk and what you can do to protect yourself.  I also wanted to let you know that IT&R is taking this vulnerability seriously and has already scanned our systems and where needed fixed our systems.  Because this encryption coding is used on so many websites it is likely that many of the websites you use in your business and personal life may have this vulnerability. 

Unlike a conventional security breach where malicious attackers break into a site and download a bunch of encrypted usernames and passwords – usernames and passwords they then have to crack open, which can be extremely difficult if you use a good password – this bug lets attackers grab information in relatively tiny chunks of data as it’s flowing through a server.  Unfortunately, this bug has shown that sometimes usernames, passwords and other protective data can be grabbed unencrypted, meaning that once it’s grabbed, there’s no need to then crack it.

So what should you do?  Check websites, e-mail services and applications you log into, many are starting to post information on if they are affected by the vulnerability and if they have resolved the issue.  If the website has been fixed, then you should change you password.  If they haven’t, then you will have to wait until they do fix the issue to change your password, and I recommend you not log into the site until that occurs.  If they state they were not affected by this vulnerability then you should be safe to log in. 

This information was drawn from an email sent out to Oregon 'State employees