Heartbleed Update from Information Security

9 04 2014

For those that have been listening to the news about Heartbleed, here’s some information from Information Security Engineer Scott Finlon:

——————————————————

A major security vulnerability named Heartbleed was disclosed Monday night. The vulnerability affects a large portion of websites on the Internet and here at the University of Scranton that use OpenSSL to encrypt webpages (pages that start with https). SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide communication security over the Internet.

The security issue allows the stealing of information protected by SSL by stealing the private keys that protect the confidentiality of the information. Sites affected by the security vulnerability can have login credentials stolen as well as other data that would normally be protected by an SSL connection. In addition, once an attacker has the private key for a particular website, they can use the key to decrypt traffic previously sent to the server prior to the bug being disclosed.

Since Tuesday morning, the Information Security Office has been working with Enterprise Systems and other system owners across campus to ensure that their services are securely configured to mitigate risks associated with this issue.

The web servers that maintain CAS, the primary web-based authentication method used by campus services, were not vulnerable to this issue. Other campus services that utilize OpenSSL have been updated as quickly as identified, in order to mitigate the risk associated with the vulnerability.

Although we have no evidence that any University of Scranton sites have been compromised through this exploit, we do know that this bug had existed for 2 years before there was any knowledge of this specific vulnerability. We suggest you pay close attention to all your sensitive user accounts across the Internet and contact the owners of those related services if you have any questions.

Also, watch for fraudulent email claiming to be from companies with which you do business, as criminals will undoubtedly use this issue to create targeted phishing email messages to trick people into divulging their passwords.

If you have any questions or concerns about this issue, please feel free to contact the Information Security Office at <security@scranton.edu> or by calling the Technology Support Center at 570-941-4357.

Scott Finlon, CISSP GCIA GCIH
———————————–
Information Security Engineer
The University of Scranton
email: scott.finlon@scranton.edu
phone: 570-941-6168
———————————–
