April 11, 2014
On April 7, a major security vulnerability named Heartbleed was discovered in the OpenSSL protocol used to secure Internet web services (HTTPS). The heartbeat service, used to maintain the connection between your computer and the server, could be compromised, allowing the theft or ‘bleeding’ of information. An attacker could obtain usernames and passwords, as well as information shared between the user and the server during the session.
Once the vulnerability was identified, Lewis & Clark IT staff formed an incident response team and developed a strategy for addressing our campus systems. The team ran scanning tools against all of our external-facing services and found no instances of this vulnerability.
As services patch their systems, users may receive notifications to change their passwords. Please exercise caution when clicking on embedded hyperlinks (URLs), because there has been an uptick in phishing: targeted messages that trick users into giving up their account information.
Users can test other websites they visit outside of Lewis & Clark with the Heartbleed test sites:
Information Technology recommends you change your L&C password. We also recommend that you consider changing your password for other services after checking the site or after receiving legitimate notifications to do so.
For more detailed information about the vulnerability and mitigation efforts, please check the Heartbleed FAQ page (https://www.lclark.edu/information_technology/security/news/openssl/).