April 14, 2014

New Web Vulnerability: “Heartbleed”—What You Should Know


A major Web security vulnerability named “Heartbleed” was disclosed by security researchers last Monday afternoon. It affects a large portion of websites on the Internet that use OpenSSL to encrypt Web traffic (pages that start with https), and could enable remote attackers to steal sensitive information such as passwords from a vulnerable server’s memory.

At the UW, the Weblogin servers, which handle authentication of your UW NetID passwords before you can access online services, were patched less than 24 hours after disclosure and are no longer vulnerable. Other critical servers managed by UW-IT were similarly remediated.

At this time, UW-IT staff have found no evidence that NetID passwords were successfully captured by malicious attackers. However, this is a good time to review your password habits. Here’s what you can do:

  • Change your UW NetID password if you have been re-using it for other accounts. Your UW NetID password should be different from passwords you use elsewhere.
  • Do not click links in unexpected emails that ask you to reset your password or otherwise disclose personal information.

Details for the UW community about Heartbleed, including FAQs and resources, are available on the UW Office of the Chief Information Security Officer (CISO) website. Please contact help@uw.edu if you have questions.