Important New Web (OpenSSL) Vulnerability
As many of you may have read or heard, a flaw has been discovered in one of the Internet's security methods—a flaw that could enable hackers to access user names, passwords, or other sensitive data.
A fix for this flaw, which was announced this week, is available. Information Management and Technology (IM&T) recognized the seriousness of this issue and began working immediately to assess and then begin to patch the University's systems that need patching. The flaw is associated with a widely-used technology known as OpenSSL, which is used to secure server transactions, and it is known as the "Heartbleed" vulnerability. OpenSSL is used by Internet service providers, system administrators, and universities around the world, fortunately we only had a couple of systems here at UNC that were impacted.
What UNC is doing:
When the vulnerability was announced IM&T reviewed the issue, identified the systems that were potentially impacted and began working with vendors to address the systems and servers that needed to be patched.
What should you do?
First of all, don't panic. We only had a couple of systems with OpenSSL, so the vulnerability had a light impact , and many external websites are already installing patches on their systems.
For users of UNC systems: IM&T has been working quickly to patch an extremely small number of systems as necessary. As examples, URSA, Outlook Web Access (OWA), www.unco.edu, and all core UNC systems were not vulnerable to this bug.
For users of non-UNC systems: If you don't know if the server you are connecting to has been patched, the most prudent thing to do is refrain from logging into non-UNC sites that contain sensitive data for a few days while those non-UNC servers are being patched. If there is no information from the system owners after that time, you should contact the site to confirm that the patch is in place. If you are curious as to whether a page may be affected by the flaw, you can visit this Heartbleed test site and put in the name of the website you are concerned about to see whether it is vulnerable. However, not all sites can be tested in this way.
We recommend that if you are using any non-UNC system, particularly those that use your university email address as a login, you change the password. It is extremely important that you do not use the same password as your current university password.
What the Internet is doing: Internet providers and server administrators around the world are doing assessments of their systems in order to patch their version of OpenSSL.