Heartbleed SSL bug
What is Heartbleed and why is everyone so excited?
On April 7, researchers found a flaw in one of the tools used to secure internet traffic. The tool, called OpenSSL, is the main one that secure sites on the internet use to protect your traffic. The bug lets an attacker read chunks of memory from the targeted system - including usernames, passwords, and pretty much any other information.
Why should I care?
By some reports, OpenSSL is used by over 60% of internet servers to protect traffic. Recent reports (Troy Hunt - Everything You Need to Know about Heartbleed) suggest 17% of all "secure" websites were vulnerable. Personal computers, mobile devices, servers, and just about anything else using the OpenSSL code have been identified as vulnerable. Not every computer is vulnerable, just those using a certain version of OpenSSL and only on specific operating systems - but until those systems are patched, accessing those sites may put your information at risk.
What is DU doing?
DU has reviewed all critical servers using SSL, giving first priority to those that can be accessed from the internet. We are pleased to report NO critical applications provided by DU are vulnerable - the handful of other servers and applications are being patched and checked as quickly as possible. We will continue the process by identifying internal servers and then coordinating patching with the appropriate systems administrators. We are actively monitoring the situation and will notify owners and potentially affected users as we identify systems with the vulnerability.
What should I do?
Don't panic. While this is a serious vulnerability, technology professionals around the world are working quickly to reduce the risk and eliminate the vulnerability from their systems. There are some things you can do to protect yourself:
- After sites announce they have updated their systems, change your password(s) on the sites you visit. The vulnerability has existed since early 2012 but was only announced this week, so take some time and change your passwords - especially on financial sites or sites that have your private information;
- If you are paranoid (and that is OK), contact the site and ask what they are doing about the Heartbleed bug - if they have handled it (or are simply not vulnerable), then change your password(s);
- Be very suspicious of emails providing a link to change your password or enter sensitive information - when in doubt, manually enter the address of the site into your browser; if they need you to do something, the site will let you know when you log in;
- Remember, legitimate University of Denver emails will never ask you to respond with sensitive information - and we will direct you to well-known, trusted DU websites (e.g., www.du.edu, PioneerWeb, etc.);
- Always run the latest version of your anti-virus software and keep it up to date;
- Always set your computer to automatically download critical updates and patches; and
- When in doubt - ask! You can submit a question via ServiceNow (support.du.edu) or call the IT Help Center at (303) 871-4700.