Educause Security Discussion mailing list archives
Heartbleed Bug
From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Wed, 9 Apr 2014 19:09:24 +0000
We understand that this is a concern for many in the community right now and wanted to share this information as broadly as possible. (Apologies for the cross-posting if you are subscribed to the CIO list.)

Best,
Valerie

From: <Eldayrie>, Elias Eldayrie
Date: Wednesday, April 9, 2014 12:03 PM
Subject: [CIO] Heartbleed Bug

Dear colleagues,

As many of you are well aware, a serious security vulnerability in some versions of OpenSSL has been uncovered and publicly disclosed. This vulnerability is popularly referred to as the "Heartbleed Bug" (see http://heartbleed.com/).

We understand that your security and system administration teams have been hard at work identifying and correcting affected systems. That is great, and we do not want to distract from that critical ongoing work. However, we did want to follow up with some important points that you are welcome to share with your security team*:

-- *IF* you had servers that were vulnerable to this attack, after updating the OpenSSL code as required, please note that you should ALSO replace the public/private keys and associated SSL/TLS certificate associated with that server/those servers, revoking the earlier (now potentially compromised) SSL/TLS certificate(s).

-- We would also encourage you to review the configuration of each SSL/TLS server using the excellent https://www.ssllabs.com/ssltest/ evaluation page (note that you can check the box "Do not show the results on the boards" should you desire to do so). As part of reviewing those results, we encourage you to consider enabling ciphers that support Forward Secrecy (see http://en.wikipedia.org/wiki/Forward_secrecy for basic background).

-- As part of managing the risks associated with this incident, you may also want to consider additional remedial steps, depending upon the content that may have been potentially intercepted on a vulnerable server (whether on-site or off). For example, if there's a possibility that passwords were exposed, you may want to consider whether you'll need to reset or reissue those once the system has been updated and secured.

-- SANS is offering a webinar tonight (Wed., April 9) at 8:15 pm ET. Faculty member Jake Williams will cover the actual structure of the vulnerability, methods for detection, and what you need to do (both as a systems admin and an end user). Jake will also perform live demos against a vulnerable server so you can see first-hand what can be exposed. Registration is available at: http://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105

Finally, here are some additional references:

* http://threatpost.com/openssl-fixes-tls-vulnerability/105300
* http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
* http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx

Thanks again for everyone's work in tackling this issue, and please don't hesitate to let us know if there's anything we can do to help people work through this challenging vulnerability. We will continue to provide updates to the community, and you may see a note from our colleagues at the REN-ISAC soon, as well.

Thank you,
Elias Eldayrie and Peter Murray, EDUCAUSE & Internet2 HEISC Co-Chairs

*With thanks to Joe St Sauver, InCommon Certificate Program Manager (under contract through the University of Oregon), who originally provided the above information to InCommon members.
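The remediation checklist in the message above (patch OpenSSL, then reissue keys and certificates and revoke the old ones, and prefer forward-secrecy ciphers) as an added Python audit helper; this is example code, not part of the original post or anything from EDUCAUSE or InCommon. The patch timestamp, host names, certificate dates and cipher names are constructed sample data.

```python
import socket
import ssl
from datetime import datetime, timezone

# Suites with ephemeral (EC)DH key exchange give forward secrecy; TLS 1.3 suites
# always do. Static RSA key exchange (e.g. AES256-SHA) does not.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")

# Constructed sample data: when OpenSSL was patched, plus an inventory holding
# each server's certificate notBefore (ssl.getpeercert() format) and cipher.
PATCHED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    {"host": "www.example.edu", "was_vulnerable": True,
     "not_before": "Jan 15 00:00:00 2014 GMT", "cipher": "AES256-SHA"},
    {"host": "sso.example.edu", "was_vulnerable": True,
     "not_before": "Apr 10 08:00:00 2014 GMT", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"host": "legacy.example.edu", "was_vulnerable": False,
     "not_before": "Mar 01 00:00:00 2013 GMT", "cipher": "DHE-RSA-AES256-SHA"},
]

def needs_reissue(was_vulnerable, not_before, patched_at):
    """A cert dated before the patch on a once-vulnerable host belongs to a key that
    may have leaked: new key pair, new cert, revoke the old one. Assumes a cert dated
    after the patch was issued for a freshly generated key."""
    if not was_vulnerable:
        return False
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued < patched_at

def has_forward_secrecy(cipher_name):
    return cipher_name.startswith(FS_PREFIXES)

def audit(record, patched_at):
    """Return the remediation actions still open for one inventory record."""
    actions = []
    if needs_reissue(record["was_vulnerable"], record["not_before"], patched_at):
        actions.append("generate new key pair, reissue certificate, revoke old one")
    if not has_forward_secrecy(record["cipher"]):
        actions.append("enable (EC)DHE cipher suites for forward secrecy")
    return actions

def audit_all(records, patched_at):
    return {r["host"]: audit(r, patched_at) for r in records}

def fetch_live(host, port=443):
    """Collect notBefore and negotiated cipher from a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"], tls.cipher()[0]
```

Feeding `fetch_live()` results into the same record shape lets the checks run against real servers instead of the constructed inventory.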