Published April 28, 2014
J. Brice Bible, who was named UB vice president and chief information officer on Nov. 18, 2013, sat down with the UB Reporter to explain how UBIT is dealing with the recently reported “Heartbleed bug” and what steps members of the UB community can take to keep their computers, accounts and information safe.
JBB: UBIT is the team of IT professionals who work collaboratively across campus to safeguard and protect our computers and information assets. When it comes to information security problems, the people in UB’s Information Security Office spearhead our response to impending dangers by first bringing the threat to UBIT’s attention, and then helping to coordinate the actions we will take to thwart those attempts. It’s important to know that UBIT professionals interact with other organizations worldwide in protecting our campus from threats.
In the case of the Heartbleed bug, once UBIT workers were aware of the nature of the “exploit,” steps were immediately taken to “patch” those systems using the affected software, or to remove them from the Internet until they could be fixed. This action happens very quickly — in a matter of minutes and hours. Longer term, a complete scan is done across UB’s network to identify any other systems that could be affected by the exploit and to notify the administrators of those systems.
We scanned more than 63,000 devices late last week and identified a few dozen systems, some of which were embedded systems within service appliances like classroom video-recording systems.
JBB: That’s a good question and it underscores the importance of everyone taking personal responsibility for his or her computer and Internet use safety. Here’s our Top Five list:
JBB: Yes, it makes sense to change your UBIT password in response to the Heartbleed bug, especially if you ever used this same password on nonUB Internet-based services, or if you have used the same password for more than one year. While the Heartbleed bug did not affect the UBITName system, exploits of a similar kind are likely.
Changing your password is easy to do and is an appropriate step in taking personal responsibility for your information security.
Many nonUB Internet-based services have sent communications directly to their customers urging — even forcing — password change because their systems were affected by Heartbleed. UBIT urges you to comply with their recommendations.
Remember: Never use your UBITName password on nonUB systems, services and apps.
JBB: UBIT staff members are engaged in a constant struggle to protect UB’s computers and information assets using the latest tools and procedures available. We look at what more can be done, what new protective standards can be set and how we can work together more efficiently in times of crisis. Each new exploit is a challenge, but also provides us with a learning opportunity about protecting UB better.
We recently updated the UBITName Manager software interface to make it simpler for people to reset their UBIT passwords. It’s not widely known that you can set answers to security questions so you can reset your own password. There’s a strength meter for passwords, too.
One recent initiative we’ve put in place is a better way to inform the campus of Information Security Alerts using the UBIT website. When major information security events happen, we now include a special banner that calls out the particular exploit and where to go for more information. We’ve gotten good feedback on that feature.
These Information Security Alerts have addressed prevalent phishing attempts, major software exploits and other events, such as the one for the Heartbleed bug.
When the situation calls for immediate and direct communication, again like Heartbleed, we will send emails directly to all UB community members at their @buffalo.edu email addresses, and to major campus news and emergency websites.
JBB: You can report any suspicious computer and Internet activity that involves your UBITName and the use of UB resources to CIT-Helpdesk@buffalo.edu, 716-645-3542.
If you have suspicions regarding your personal accounts with other services, like Netflix, Google or your financial institutions, go to their websites and look for “report abuse” or “report issues” links. You can do the same thing with your Internet service provider, like Verizon or Time-Warner.
JBB: UBIT Alerts, including UBIT Information Security Alerts, all appear on the UBIT Alert webpage.
We try to make the language in the alerts as informative as possible in nontechnical terms.
You can also subscribe to receive UBIT Alerts via email or Twitter.