April 9, 2014

Lafayette’s response to the Heartbleed vulnerability

On April 7, 2014, a significant vulnerability in OpenSSL was disclosed. OpenSSL is a software package used by some of the Internet’s most popular web servers to secure connections. Known as the Heartbleed bug, this vulnerability could allow an attacker to read portions of a server’s memory, possibly resulting in disclosure of private information such as usernames and passwords.

ITS evaluated the potential threat to the Lafayette community and determined that a small portion of our public infrastructure was at risk, including the e-mail system and several public-facing web servers. ITS performed emergency maintenance on the e-mail system on the afternoon of April 8th, taking the system offline for approximately three minutes.

ITS has since patched the rest of the public-facing systems and believes them to be secure. We will continue to monitor systems to ensure security.

Given the severity of this vulnerability, we recommend changing the password you use here at Lafayette. This recommendation is a precautionary measure; we have no evidence that any passwords were compromised. It is good practice to change your password on a regular basis.

We expect a rise in e-mail phishing schemes because of the publicity this vulnerability has received. Please treat all unsolicited mail with skepticism and think twice before clicking on any links sent to you. This is especially true for links that send you to sites requesting security information such as usernames and passwords. Please forward suspicious e-mails to spam@lafayette.edu for analysis.

posted in ITS News
