OpenSSL Vulnerability - Heartbleed Bug

 Useful Information for UBC Technical Staff


UBC IT Services Taken Offline

Below is a list of UBC IT services that have been taken offline to prevent exploitation through the heartbleed bug:

  • (None at this time)

All updates relating to UBC IT services affected by the Heartbleed bug can be found here.


A serious vulnerability called the "Heartbleed Bug" has been detected in OpenSSL, a cryptographic library that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security), the technology that encrypts data in transit over the internet. Websites that use SSL or TLS are indicated in browsers with a padlock symbol. The Heartbleed bug has the potential to expose huge amounts of private data, including usernames, passwords, credit card numbers, and emails.

This vulnerability is found in servers and server operating systems. Any information a user enters in a web form on a compromised server, such as a bank or email server, is available to an attacker. Additionally, it is possible that a user's active sessions could be hijacked by a remote attacker. It takes minimal effort to exploit the vulnerability, and the attack is undetectable.

What is happening

Operating system vendors have responded quickly with patched OpenSSL packages. In particular, Debian, RedHat and Ubuntu have released fixed OpenSSL packages. The operating systems heavily used at UBC that are known to be impacted are Debian (7.x), RedHat (6.5) and Ubuntu (12.04, 12.10, 13.10). Other operating systems and appliances that run an affected version of OpenSSL are also impacted; check with your operating system or appliance vendor.

All services relying on the vulnerable versions of OpenSSL should be considered at risk including SSL VPNs, RADIUS, HTTP, IMAP, SMTP, XMPP, etc.

What UBC is doing

We are communicating with server owners within UBC about this issue and providing instructions on fixes. Within UBC IT, we are conducting vulnerability assessments of all enterprise servers and implementing the patches released by vendors. Specifically, we recommend that owners of affected servers upgrade their OpenSSL packages and generate new X.509 certificates based on new private keys as soon as possible. Users should consider resetting passwords for their web services, especially those they have used in the last two days.
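The following POSIX shell script is an added example, not part of the UBC bulletin or of any vendor's tooling, showing the two server-side steps recommended above: confirming whether the installed OpenSSL falls in the affected range, and generating a new private key plus certificate signing request so that a replacement certificate can be issued. It assumes the upstream facts that OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) carry the bug and that 1.0.1g fixes it. The hostname passed to the re-key step is a constructed placeholder. One caveat the script makes explicit: Debian, Ubuntu and RedHat backport the fix without changing the upstream version string, so a system still reporting 1.0.1e can be patched; the distribution package version, compared against the vendor advisory, is the authoritative check, and running services must be restarted after the upgrade because they keep the old library loaded in memory.

```shell
#!/bin/sh
# Added example for the Heartbleed advisory (not the bulletin's own code).
# Usage:  sh heartbleed_triage.sh              -> report local OpenSSL version
#         sh heartbleed_triage.sh --rekey HOST -> also write HOST.key and HOST.csr

# Return 0 (true) when an upstream OpenSSL version string is in the affected
# range. Assumed upstream facts: 1.0.1 .. 1.0.1f and 1.0.2-beta1 are affected;
# 1.0.1g and later, and the 0.9.8 / 1.0.0 branches, are not.
is_vulnerable_version() {
    case "$1" in
        1.0.1|1.0.1a|1.0.1b|1.0.1c|1.0.1d|1.0.1e|1.0.1f) return 0 ;;
        1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the bare version out of an "openssl version" banner,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Print the distribution package version of OpenSSL, which is what the vendor
# advisories reference; vendors backport the fix without bumping the upstream
# version string, so this, not "openssl version", decides whether a host is patched.
package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' openssl 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null
    else
        echo "unknown (no dpkg or rpm found)"
    fi
}

# After patching: create a fresh 2048-bit RSA key and a CSR for a new
# certificate. The old private key must be treated as exposed, so the old
# certificate is revoked once the new one is installed. HOST is the CN.
rekey() {
    host="$1"
    umask 077                      # key file readable by owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "${host}.key" -out "${host}.csr" \
        -subj "/CN=${host}"
    echo "Wrote ${host}.key and ${host}.csr; submit the CSR, install the new"
    echo "certificate, restart TLS-terminating services, then revoke the old certificate."
}

# Top-level report: runs when the script is executed directly.
if command -v openssl >/dev/null 2>&1; then
    v=$(version_from_banner "$(openssl version)")
    if is_vulnerable_version "$v"; then
        echo "openssl reports $v: in the affected upstream range."
        echo "Package version: $(package_version) -- compare with your vendor advisory;"
        echo "a backported fix keeps the 1.0.1e string, so the package version is decisive."
    else
        echo "openssl reports $v: outside the affected upstream range."
    fi
else
    echo "openssl binary not found; nothing checked."
fi

if [ "${1:-}" = "--rekey" ] && [ -n "${2:-}" ]; then
    rekey "$2"                     # e.g. --rekey www.example.ca (constructed name)
fi
```

Restarting services matters as much as the package upgrade: a web or mail daemon started before the upgrade still has the vulnerable libssl mapped, so the check above is only half the story until every TLS-terminating process has been restarted.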

For more information about the Heartbleed Bug, please visit the following pages:

What can I do?

The safest course of action is for system administrators to patch systems so they are no longer vulnerable.

Due to the nature of this vulnerability, it is difficult to know whether you have been affected by this security bug. If you use open wi-fi locations to connect to the internet, such as internet cafes, you are generally at higher risk of being exposed to security attacks. If you think you may be at risk, we recommend that you change your passwords or stop using the service altogether. When changing your passwords, ensure you are doing so on a site that has not been compromised by the Heartbleed Bug. You can try using this tool http://filippo.io/Heartbleed/ to check if the site is safe.

Update: April 10, 2014

A list of consumer and social media websites affected by the bug or that recommend that you change your passwords can be found here:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Additional technical details

For technical information regarding this vulnerability, and what to do if you identify a system that is vulnerable to this exploit, visit the Additional Technical Information and Resources page.

Further Information

For further updates on this issue, please visit our IT Bulletins.