Iowa State's information technology experts have identified and patched university servers that were susceptible to the latest Internet security risk -- the "Heartbleed Bug."
The pervasive bug was announced Monday, April 7, sending techs on campus and around the world scrambling to apply the fix.
Information technology services (ITS) staff "were up half the night," patching the bug on Iowa State's critical servers, said Andy Weisskopf, senior systems analyst.
Net-ID, AccessPlus passwords
Fortunately, the core systems that protect ISU Net-ID and AccessPlus passwords were not compromised, said chief information officer Jim Davis.
"There's no need for faculty, staff and students to change their Net-ID passwords at this time," Davis said. "However, we do recommend that everyone regularly change his or her password as a good security practice. And we strongly recommend that individuals change their passwords for personal online services."
Big sites affected
An estimated two-thirds of sites on the Internet, including Facebook, Google, Twitter and Yahoo, were affected by the Heartbleed Bug.
The fix involved upgrading OpenSSL software, which is commonly used by Internet sites to encrypt data. Researchers recently discovered a flaw in the software that could allow exploiters to retrieve data, including passwords and other personal information, from vulnerable computers.
Protecting all your other passwords
There's no way to know whether unscrupulous types discovered the flaw and exploited it, Davis said. He advises individuals to check all of the other websites on which they use passwords and make the necessary changes. Here's how:
Determine if websites you sign into are vulnerable to the Heartbleed Bug and, if so, whether they've applied the Heartbleed patch. Here are a few ways to check:
- View Mashable's Heartbleed Hitlist for the status of larger sites
- Type a site's URL into LastPass Checker
- Visit the site in question and do a "Heartbleed" search
- If there was no Heartbleed vulnerability on a site, no password changes are needed
- If there was Heartbleed vulnerability on a site AND the site has been patched, change your password
- If one of your websites is vulnerable to the Heartbleed Bug, but hasn't yet applied the patch, don't change your password. Wait for the website to make the fix.