Heartbleed

  • What exactly is Heartbleed? Why is it dangerous?

Heartbleed is a flaw in certain versions of OpenSSL, the technology that secures much of the internet's secure communications.  The flaw ultimately allows an attacker to ask an internet resource, such as a website, to return more data than it is supposed to; the extra data returned comes from the computer's memory.  This is dangerous because data stored in memory could contain unencrypted information such as usernames, passwords, credit card information, etc.  What makes matters worse is that no trace is left behind to show whether someone has attacked the resource.
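
For readers who want to see the mechanism, the following is an added, simplified model of a heartbeat echo handler; it is not OpenSSL's code and is not part of the original FAQ. The function names, the 64-byte "arena" standing in for server memory, and the sample secret are all constructed for illustration; the length rule applied in the checked path is the one in RFC 6520.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Builds the echo reply. With check_length == 0 it trusts the length field
   in the request (the flaw); with 1 it applies the RFC 6520 rule and
   silently discards a request whose claimed length exceeds the record. */
size_t hb_reply(const uint8_t *rec, size_t rec_len,
                uint8_t *out, size_t out_cap, int check_length)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (check_length && HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* copies `claimed` bytes */
    return HB_HEADER + claimed;
}

/* Constructed server memory: a 21-byte request that carries 2 payload bytes
   but claims 40, followed by unrelated data the peer never sent. */
#define REQ_LEN 21
static const char SECRET[] = "password=hunter2";   /* constructed sample */

static void make_arena(uint8_t arena[64])
{
    memset(arena, 0, 64);
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40;   /* claims 40 bytes */
    arena[3] = 'h'; arena[4] = 'i';                       /* real payload: 2 */
    memcpy(arena + REQ_LEN, SECRET, sizeof SECRET - 1);   /* adjacent memory */
}

/* Returns 1 if the reply contains the bytes that sat next to the request. */
int reply_leaks_secret(int check_length)
{
    uint8_t arena[64], out[64];
    make_arena(arena);
    size_t n = hb_reply(arena, REQ_LEN, out, sizeof out, check_length);
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}
```

Patched versions of OpenSSL add a length check of the same kind, which is why patching affected systems closes the hole.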

  • How is Heartbleed affecting UCCS?

The UCCS IT Security team and system administrators worked quickly to identify and patch several systems that were affected by the flaw.  Any resource that could not be patched quickly was either taken offline or was already quarantined from the internet and campus.

  • What resources on campus use OpenSSL?

Many systems do: most websites, including secure ones, as well as wireless controllers, phones, printers, etc.  However, any customer-facing resources either were not affected or were patched.

  • Do I need to change my password? 

Since your UCCS password would not have been used on any UCCS resource that was affected by the Heartbleed flaw, you do not need to change it unless you use your UCCS password on other websites.

  • What can faculty, staff and students do to protect themselves and their internet presence? 

Everyone should check whether the websites they log in to with usernames and passwords, or shop online with, were affected by the Heartbleed bug.  Lastpass.com has a resource, www.lastpass.com/heartbleed, that will let you know if you should change your password for a specific website.  IT Security also encourages users to use a password manager, such as Lastpass.com, that keeps track of their passwords and allows them to generate and store unique passwords for every site.

IT Security Principal, Greg Williams