Educause Security Discussion mailing list archives

Heartbleed Bug


From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Wed, 9 Apr 2014 19:09:24 +0000

We understand that this is a concern for many in the community right now and wanted to share this information as 
broadly as possible. (Apologies for the cross-posting if you are subscribed to the CIO list.)
Best,
Valerie

From: <Eldayrie>, Elias Eldayrie
Date: Wednesday, April 9, 2014 12:03 PM
Subject: [CIO] Heartbleed Bug


Dear colleagues,



As many of you are well aware, a serious security vulnerability in some versions of OpenSSL has been uncovered and 
publicly disclosed. This vulnerability is popularly referred to as the "Heartbleed Bug" (see http://heartbleed.com/).



We understand that your security and system administration teams have been hard at work identifying and correcting 
affected systems. That is great, and we do not want to distract from that critical ongoing work.



However, we did want to follow up with some important points that you are welcome to share with your security team*:



-- *IF* you had servers that were vulnerable to this attack, after updating the OpenSSL code as required, please note 
that you should ALSO replace the public/private keys and the SSL/TLS certificate associated with that 
server/those servers, revoking the earlier (now potentially compromised) SSL/TLS certificate(s).



-- We would also encourage you to review the configuration of each SSL/TLS server using the excellent 
https://www.ssllabs.com/ssltest/ evaluation page (note that you can check the box "Do not show the results on the 
boards" should you desire to do so).



As part of reviewing those results, we encourage you to consider enabling ciphers that support Forward Secrecy (see 
http://en.wikipedia.org/wiki/Forward_secrecy for basic background).



-- As part of managing the risks associated with this incident, you may also want to consider additional remedial 
steps, depending upon the content that may have been potentially intercepted on a vulnerable server (whether on-site or 
off).



For example, if there's a possibility that passwords were exposed, you may want to consider whether you'll need to 
reset or reissue those once the system has been updated and secured.



-- SANS is offering a webinar tonight (Wed., April 9) at 8:15 pm ET.

Faculty member Jake Williams will cover the actual structure of the vulnerability, methods for detection, and what you 
need to do (both as a systems admin and an end user). Jake will also perform live demos against a vulnerable server so 
you can see first-hand what can be exposed.

Registration is available at:

http://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105



Finally, here are some additional references:



* http://threatpost.com/openssl-fixes-tls-vulnerability/105300

* http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

* http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx



Thanks again for everyone's work in tackling this issue, and please don't hesitate to let us know if there's anything 
we can do to help people work through this challenging vulnerability. We will continue to provide updates to the 
community and you may see a note from our colleagues at the REN-ISAC soon, as well.



Thank you,



Elias Eldayrie and Peter Murray, EDUCAUSE & Internet2 HEISC Co-Chairs





*With thanks to Joe St Sauver, InCommon Certificate Program Manager (under contract through the University of Oregon), 
who originally provided the above information to InCommon members.
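The two follow-up checks the message asks for after patching (is the negotiated cipher suite forward-secret, and was the certificate reissued after the disclosure, so a key that may have leaked is no longer in service) can be scripted against a live endpoint. This is an added example, not part of the mailing list post; the 7 April 2014 cutoff date and the default host "example.com" are assumptions the reader should adjust.

```python
"""Audit a TLS endpoint for the two post-Heartbleed follow-ups the advisory
recommends: forward-secret cipher suites and a certificate reissued after
the disclosure.  Added example, not code from the original post."""
import socket
import ssl
from datetime import datetime, timezone

# Assumed cutoff: Heartbleed was publicly disclosed on 7 April 2014.  A
# certificate whose validity starts before this date was issued for a key
# that may have been exposed on a vulnerable server.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def is_forward_secret(cipher_name: str) -> bool:
    """Ephemeral (EC)DH suites and every TLS 1.3 suite ('TLS_...') provide
    forward secrecy; static RSA key exchange (e.g. 'AES128-SHA') does not."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def cert_issued_after(cert: dict, cutoff: datetime) -> bool:
    """True if the certificate's notBefore is later than cutoff.
    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before > cutoff.timestamp()


def audit(cipher_name: str, cert: dict,
          cutoff: datetime = HEARTBLEED_DISCLOSED) -> dict:
    """Combine both checks into a findings dict; False means action needed."""
    return {
        "forward_secret": is_forward_secret(cipher_name),
        "cert_reissued": cert_issued_after(cert, cutoff),
    }


def audit_host(host: str, port: int = 443) -> dict:
    """Connect to a live server and audit the negotiated cipher and its cert.
    Certificate validation stays on so notBefore comes from a verified chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return audit(cipher_name, tls.getpeercert())


if __name__ == "__main__":
    import sys
    # Assumed default target; pass a real hostname as the first argument.
    print(audit_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

The cipher check only inspects the suite the client negotiated, so run it with a few different client configurations (or alongside the SSL Labs test named above) to see the full set the server offers.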

