Important information about the Heartbleed exploit
UPDATED May 2 at 10:00am
There is a serious bug in the technology that is used to secure communications with various websites and Internet systems. This threat is known as the “Heartbleed” bug and it has been circulating in the news over the past few days.
The Heartbleed bug impacts some websites that use common encryption technology to implement Hypertext Transfer Protocol Secure (HTTPS), the protocol commonly used by websites that require usernames and passwords (e.g. online shopping and banking).
Since this is widespread, you will continue to see notices from very large companies and critical service providers that they are patching or checking for vulnerabilities. We recommend that you pay attention to any notifications and check with your service providers about whether you need to take action. If you are advised to take action, you will typically be instructed to change your password. Generally speaking, it is good practice to change your password regularly, use a strong password, and not use the same password for multiple services.
At UVic, our Information Security team is working with all systems areas to scan all web-based services, identify any that may be at risk, and apply patches as appropriate.
To date we have confirmed the following web-based services are NOT impacted:
- The main university home page (www.uvic.ca)
- Outlook Web Access (web-based access to Microsoft Exchange Email & Calendaring for faculty and staff, mail.uvic.ca)
- Student WebMail
- My Page (uvic.ca/current)
- Websites hosted on web.uvic.ca
- SharePoint (share.uvic.ca)
- CourseSpaces (coursepaces.uvic.ca)
- Moodle (moodle.uvic.ca)
- Online Academic Community (oac.uvic.ca)
- PaperCut (papercut.uvic.ca)
- B-Link (share.business.uvic.ca)
- CMS (Cascade)
- phpMyAdmin (phpmyadmin.uvic.ca)
We have also confirmed the following services that support encrypted connections are NOT impacted:
- UVic Email (POP, IMAP, SMTP)
- Unix.uvic.ca (SSH)
- VPN Service
The Cisco AnyConnect iOS VPN application has been identified as impacted by this issue. Cisco has released an updated version of the application in the Apple App Store and all users should immediately upgrade.
Mobile devices using Google Android version 4.1.1 and some using Android 4.2.2 are vulnerable to the Heartbleed bug. Other Android versions may also be affected.
To test your device for this vulnerability, University Systems recommends using the Heartbleed Security Scanner app from the Google Play store:
An additional Heartbleed Detector tool from TrendMicro will check for vulnerable applications on your device:
We recommend you do not access any Internet resources including email and UVic services until you have:
1) Confirmed that your Android device is not vulnerable using both scanners above
2) Upgraded any vulnerable software on your device and confirmed that it is no longer vulnerable using both scanners above
If your device is vulnerable to Heartbleed and a software update addressing the vulnerability has not been released, you may choose to stop using it to access Internet resources until an update is released, or switch to an unaffected device. (For faculty and staff with university-owned devices, we recommend using our institutional standard device, the Apple iPhone; upgrade costs may apply, please contact firstname.lastname@example.org for more information.)
For any questions or assistance with verifying the version or upgrading your Android device, please contact the Computer Help Desk at email@example.com or 250-721-7687.
Apple iOS and Mac OS
While Apple iOS and Mac OS are not impacted by the Heartbleed vulnerability, University Systems recommends that all computing devices be kept up to date so that all known security vulnerabilities are patched. Apple has released iOS 7.1.1 and Security Update 2014-002 for Mac OS to resolve another security issue pertaining to SSL connections.
We are continuing to assess systems on campus and will update the above list accordingly.
You can find more details about the security bug at: http://heartbleed.com