MSU Information Technology Services advises about 'Heartbleed'

Contact: Allison Matthews



Photo by: Beth Wynn

Technology professionals at Mississippi State are addressing the worldwide computer security vulnerability called "Heartbleed" by patching affected servers and advising Internet users on campus to change passwords, among other steps.

MSU Security and Compliance Officer Tom Ritter said the bug is being actively used against websites throughout the Internet, allowing attackers to connect with servers to draw read-only information that was intended to be encrypted.

Unfortunately, the vulnerability existed for about two years before being detected last week, he added.

Ritter said it appears about two-thirds of the Internet has been affected, including a few MSU servers. "We were impacted like other schools and other businesses were impacted, but we immediately implemented the needed patches.

"We've scanned campus for vulnerable servers, and all of the ones that we support have been patched," he explained, adding that, while many of the campus's largest sites were not vulnerable to the bug, some vulnerabilities were identified and corrected.

Ritter said ITS is urging all MSU students, faculty and staff to change their net passwords. Additionally, he recommends changing passwords on all non-university sites they use, including online banking, social media and websites where they have made online purchases or otherwise given credit card numbers and other sensitive information.

In a system-wide Heartbleed alert sent Friday morning [April 11], Mike Rackley, the university's chief information officer, advised the campus community not to use their net password as credentials at non-MSU sites.

Ritter cautioned, however, that many websites have not yet implemented patches since the Heartbleed discovery, and one-time password changes would not be sufficient if vulnerabilities still exist on affected websites.

Many websites already are posting statements about whether or not they've patched for Heartbleed or if they were vulnerable, he said.

"Some sites were not vulnerable, but many, many were," he said.

Sites that were vulnerable use OpenSSL, an open-source encryption technology behind the secure connections that web browsers typically indicate with a lock icon. Among these are Google, Facebook, Yahoo and Amazon, all of which have now applied patches so new passwords will be safe.

"Protecting your identity is an important aspect of using Internet services, and people should be aware of the fact that there are hackers always out to steal information whether via phishing or vulnerabilities such as Heartbleed," Ritter said.

He recommended closely monitoring all email, social media and online bank accounts, as well as any other personal online accounts, for inappropriate usage.

"Evaluate your risks and at the sites that you use, change your passwords," Ritter emphasized. "It's always a good idea to change your passwords regularly."

Ritter also warned of inevitable phishing messages that will spoof password change notifications. For that reason, Internet users should not follow a link to change a password but should instead go directly to the website by typing in the URL before changing personal information.

For more information about Mississippi State University, see www.msstate.edu.