Reaching Others University at Buffalo - The State University of New York

UBIT SECURITY ALERT, 4/14/2014

Heartbleed Security Vulnerability 4-17-2014

IT Security Alert

A major security vulnerability named Heartbleed was disclosed on Monday, April 8, 2014. The vulnerability affects websites on the Internet as well as here at UB.

April 17, 2014

UBIT is working closely across campus to further address the Heartbleed bug. The following activities are underway:

  • Checking all institutionally managed servers for the vulnerability
  • Patching systems that use the affected software wherever a software patch is available from the vendor
  • Sequestering servers that cannot yet be patched while awaiting vendor software updates
  • Reviewing enterprise vendor-hosted software products; no Heartbleed issues are known at this time

In addition to these activities, efforts are underway to continue verifying campus servers and software during the next several days, and then on a regular basis for known vulnerabilities.

Similar to other major outbreaks, UBIT is using this opportunity to review information and system security procedures.

April 14, 2014

Version 3.0.09353 of Cisco AnyConnect Secure Mobility Client for Apple iOS is now available and not affected by the Heartbleed bug. Compatible with devices running iOS 6 or 7, this is the VPN client for iPhones, iPads and iPods. To use the latest, secure version, you must accept the update directly from the iTunes app store and install it before using the client again.

April 11, 2014

As a precautionary measure, many websites and social media channels are highly recommending that you change your passwords immediately.

These sites include Facebook, Google, Instagram, Pinterest, Yahoo, Dropbox, Tumblr and more. Find the full list, which is currently updated daily.

April 10, 2014 - 2 p.m. Update

UBIT has determined that all versions of the Cisco AnyConnect Secure Mobility Client for Apple iOS are affected by the Heartbleed bug. This is the VPN client for iPhones, iPads and iPods. This client is downloaded directly from the iTunes app store and will be updated by Cisco once a fix is developed. The current version is 3.0.09266 (released 2/7/2014). We recommend not using this VPN client until the app is updated; use of the VPN client may expose data on your device.

April 10, 2014 - Noon Update

UBIT staff have reviewed all central and distributed servers and confirmed that each server is either unaffected, has had the vulnerable software fixed where appropriate, or is protected by other means where a fix is not immediately available.

UB's UBITName and password servers do not use the affected software, so it is highly unlikely that any passwords have been stolen through this vulnerability.

We strongly recommend that you never use your UBIT password for other purposes, but if you do, we strongly recommend that you change your UBIT password and discontinue the practice. Visit ubidm.buffalo.edu to change your password.

We will continue to monitor the situation and respond appropriately to any new developments.

April 9, 2014 Update

The security issue allows information such as UBITNames, passwords and other normally protected data to be stolen.

Since learning of the problem, UBIT has been working to ensure that services are securely configured to mitigate risks associated with this problem.

The web servers that maintain the UBIT login, the primary web-based authentication method used by campus services, are not vulnerable to this problem. Other campus services that utilize the affected technology are being reviewed and updated as quickly as possible.

Although we have no evidence that any UB sites have been compromised through this exploit, we do know that this bug had existed for two years before there was any public knowledge of this specific vulnerability. We suggest you pay close attention to all your sensitive user accounts across the Internet and contact the owners of those services if you have any questions.

Also, watch for fraudulent email claiming to be from companies with which you do business, as criminals will undoubtedly use this issue to create targeted phishing email messages to trick people into divulging their passwords.

Find a list of vendor notifications regarding Heartbleed.

If you have any questions, contact your local IT support or the CIT Help Desk.

DATE ACTIVE: 4/9/2014

THREAT LEVEL: High

TYPE: Information Stealer
