May 08, 2014

IT recommends network ID passphrase changes

As a precaution, the Office of Information Technology is recommending that all users, including faculty, staff and students, change their SIU Network ID passphrase at and any other password/passphrase associated with systems on campus.  The recommendation comes after disclosure last month of a major security vulnerability, the Heartbleed bug that affects a large number of websites. 

The vulnerability affects a large number of websites on the Internet and here at SIU that use OpenSSL to encrypt webpages -- pages that begin with https.  SSL, or secure socket layer, is a cryptographic protocol designed to provide communication security over the Internet.  The security issue allows confidential information protected by SSL to be stolen.  Websites affected by the security vulnerability can have login credentials stolen as well as other data that would normally be protected by an SSL connection.  In addition, once an attacker has the private key for a particular website, they can use the key to decrypt traffic previously sent to the server prior to the bug being disclosed.

Information technology staff on campus has been hard at work identifying, scanning and updating servers to ensure that communications to the servers remain confidential.  While only a handful of outlying systems remain, the vast majority of systems have been patched and new SSL certificates issued.

It is also recommended to change passwords to non-SIU systems that may have been vulnerable to the Heartbleed attack.  Systems including Google, Facebook, YouTube and others were affected.  If you are unsure whether a system was vulnerable, check the “CNET Heartbleed” status list.  Websites may also be verified using the "Qualys SSL Labs"

When changing passwords it is critically important to use strong passwords and passphrases and also avoid “password re-use.”  Guidelines for strong passwords/passphrases can be found here

While many people use the same password on multiple sites and systems for convenience, it is recommended at the very least to have three different, strong and long passwords: one for work, one for money-related uses, such as bank, credit card and retirement accounts, and a third for social activities, such as Facebook and Netflix. 

Employees are also reminded to beware of “phishing emails” that attempt to trick users into giving up personal information.  Pay attention to any notification sent by your bank, email provider, social networking provider, or other vendor about OpenSSL or Heartbleed and stay alert for email scams.  It is important to never send passwords or sensitive information in response to an email and do not click on links to get to a vendor’s website. It is recommended to type a known, good URL. 

For additional information or to report unusual behavior, notify immediately.