To the Campus Community

Last Updated: April 15, 2014

As many of you are already aware, a serious bug was announced last week in a common security package (OpenSSL) deployed on a vast number of servers on the Internet. The “Heartbleed” bug has the potential to expose usernames and passwords on a wide variety of services. Since this is a widespread issue, we want to update you with information related to what you should do to protect your information.

What Stony Brook is doing

Since the vulnerability was announced, DoIT has been engaged in the following proactive activities:

  • Checking all institutionally-managed systems to make sure we are not vulnerable.
  • Scanning the campus network in an effort to identify and contact the owners of any non-DoIT managed servers which might be vulnerable.
  • Monitoring the perimeter of the campus network to watch for intruders attempting to exploit vulnerable local machines.
  • Deploying active protection to guard against potential external exploits of University systems.

What you should do as a user of Stony Brook systems

Due to our current understanding of the Heartbleed Bug that has impacted the majority of the Internet, I wanted to provide you with a brief update on our progress and immediate next steps. We have no evidence that any Stony Brook University system or user credentials have been exploited by the Heartbleed Bug. However, to protect your data and the institution’s data, and out of an abundance of caution, we feel you should change your Stony Brook NetID password.

To change your Stony Brook NetID password, please follow these directions carefully:

http://it.stonybrook.edu/help/kb/changing-your-netid-password

What you should do as a user of non-Stony Brook systems

There are a large number of third-party websites which were vulnerable to this bug, including some very popular sites such as Facebook, YouTube, Pinterest, Twitter, Tumblr, and Dropbox. We also recommend that you immediately change your passwords on any of these social media sites, and any websites where you frequently transmit sensitive data such as online banking accounts, private email accounts, and any accounts created for online shopping with the use of credit card information.

A comprehensive list of sites affected has been provided by Mashable.

Why are we now asking people to change their password?

Although changing passwords regularly can be inconvenient, it can also serve as a protection against a wide range of threats. Some individuals on campus have not changed their password for several months or more. That in and of itself is not good practice, but when combined with the widespread vulnerabilities due to the Heartbleed Bug, we feel it is critical to perform the simple act of changing NetID passwords. Additionally, this past week more services on the Internet have alerted users that they were indeed vulnerable and that they have patched their systems. With so much of the Internet affected, we want people to establish new, strong, and unique passwords for Stony Brook that have not been in use in other locations.

Ask questions, receive status updates

If you require assistance from the Stony Brook University Client Support Help Desk, please contact us at (631) 632-9800 or email supportteam@stonybrook.edu.

In addition, we have created a secure Stony Brook Yammer group that has ongoing Heartbleed status updates. This is also where you can ask us questions and find out what other people in the Stony Brook University community are doing to protect their data and devices.

Cole W. Camplese
Vice President for Information Technology & CIO
Stony Brook University