April 14, 2014
As you may be aware from national news reports, earlier this week a vulnerability was discovered in OpenSSL, which is a software library that is used to secure communications on many servers throughout the world. This bug may put your account passwords and other sensitive data at risk. The software flaw has been given the nickname “Heartbleed.”
The Heartbleed bug allows an attacker to extract information from web sessions that are protected by https:// (SSL/TLS encryption). This type of information is normally protected by encryption while it traverses the Internet. The exposed information may include your name and password and the “keys” used to encrypt web sessions.
While the discovery of the bug was publicly announced this week, the bug has existed for over two years. It affected many sites and services used on the Internet, including a few Mason web applications.
All Central IT (ITU) resources that were affected have been patched and new encryption keys have been installed. ITU resources are now safe to use. The IT Security Office is monitoring for unusual account activity. Just to be sure, the IT Security Office is continuing to scan systems on the Mason network for this vulnerability. While there are systems on campus that are not managed by the ITU, we are not aware of any vulnerable systems on the University network at this time. The IT Security Office has been working with key IT staff across the campus to address the situation. If you have concerns, please contact the ITU Support Center at 703-993-8870.
The IT Security Office at Mason is recommending that you change your Mason password used to log in to central systems like Banner or E-mail. Although we know that Central IT systems using OpenSSL have been fixed, the Commonwealth and other respected IT security organizations are recommending changing passwords as a way to ensure the security of your business and personal information.
Please be aware that hackers will be taking advantage of confusion and concern and may attempt to steal credentials through phishing. A phishing e-mail may be a fake notification that you should change your password, and a link may be provided to a non-GMU web address. The only web site and mechanism that Mason provides for changing passwords is https://password.gmu.edu.
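The check described above (a password-reset link is legitimate only if it points at https://password.gmu.edu itself) can be applied mechanically to the links in a message. The following is an added example and not part of the original notice; the sample e-mail text and the `secure-reset.example` / `203.0.113.5` addresses in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The only site Mason provides for changing passwords, per the notice.
LEGITIMATE_HOST = "password.gmu.edu"

# Matches http(s) links in plain e-mail text (constructed for this example).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_legitimate_password_link(url: str) -> bool:
    """True only if url uses HTTPS and its host is exactly password.gmu.edu.

    Comparing the parsed host (not the raw string) defeats common look-alike
    tricks: a longer name such as password.gmu.edu.example, the legitimate
    name placed in the path, or placed before an '@' as fake user info.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme != "https":  # urlsplit lowercases the scheme
        return False
    host = parts.hostname  # lowercased; user info and port removed
    return host == LEGITIMATE_HOST


def suspicious_links(message: str) -> list:
    """Return every http(s) link in message that is NOT the legitimate site."""
    return [u for u in URL_RE.findall(message) if not is_legitimate_password_link(u)]


# Constructed sample messages for demonstration.
PHISHING_SAMPLE = (
    "Due to the Heartbleed bug your Mason password must be reset within 24 hours.\n"
    "Reset now: https://password.gmu.edu.secure-reset.example/login\n"
    "Or use our mirror: http://203.0.113.5/password.gmu.edu/\n"
)
LEGIT_SAMPLE = (
    "Change your password only at https://password.gmu.edu/ "
    "(help: https://password.gmu.edu/help)."
)

if __name__ == "__main__":
    for name, text in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, "-> flagged links:", suspicious_links(text))
```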
For more information on how you can protect yourself, go to: http://itsecurity.gmu.edu
If you have questions or concerns, please contact the ITU Support Center at 703-993-8870.