A major security vulnerability named Heartbleed was disclosed on Monday, April 8, 2014. The vulnerability affects websites on the Internet as well as here at UB.
UBIT is working closely across campus to further address the Heartbleed bug. The following activities are underway:
In addition to these activities, efforts are underway to continue verifying campus servers and software for known vulnerabilities during the next several days, and then on a regular basis.
Similar to other major outbreaks, UBIT is using this opportunity to review information and system security procedures.
Version 3.0.09353 of Cisco AnyConnect Secure Mobility Client for Apple iOS is now available and not affected by the Heartbleed bug. Compatible with devices running iOS 6 or 7, this is the VPN client for iPhones, iPads and iPods. To use the latest, secure version, you must accept the update directly from the iTunes app store and install it before using the client again.
As a precautionary measure, many websites and social media channels are strongly recommending that you change your passwords immediately.
These sites include Facebook, Google, Instagram, Pinterest, Yahoo, Dropbox, Tumblr and more. Find the full list, which is currently updated daily.
UBIT has determined that all versions of the Cisco AnyConnect Secure Mobility Client for Apple iOS are affected by the Heartbleed bug. This is the VPN client for iPhones, iPads and iPods. This client is downloaded directly from the iTunes app store and will be updated by Cisco once a fix is developed. The current version is 3.0.09266 (released 2/7/2014). We recommend not using this VPN client until the app is updated; use of the VPN client may expose data on your device.
UBIT staff have reviewed all central and distributed servers and, for each server, have confirmed that it is unaffected, fixed the vulnerable software where appropriate, or protected it by other means if a fix is not immediately available.
UB's UBITName and password servers do not utilize the compromised software, so it is highly unlikely that any passwords have been hacked.
We strongly recommend that you never use your UBIT password for other purposes, but if you do, we strongly recommend that you change your UBIT password and discontinue the practice. Visit ubidm.buffalo.edu to change your password.
We will continue to monitor the situation and respond appropriately to any new developments.
The security issue allows information such as UBITNames, passwords and other normally protected data to be stolen.
Since learning of the problem, UBIT has been working to ensure that services are securely configured to mitigate risks associated with this problem.
The web servers that maintain the UBIT login, the primary web-based authentication method used by campus services, are not vulnerable to this problem. Other campus services that utilize the affected technology are being reviewed and updated as quickly as possible.
Although we have no evidence that any UB sites have been compromised through this exploit, we do know that this bug existed for two years before there was any knowledge of this specific vulnerability. We suggest you pay close attention to all your sensitive user accounts across the Internet and contact the owners of those related services if you have any questions.
Also, watch for fraudulent email claiming to be from companies with which you do business, as criminals will undoubtedly use this issue to create targeted phishing email messages to trick people into divulging their passwords.
If you have any questions, contact your local IT support or the CIT Help Desk.