Today @ Colorado State has been replaced by SOURCE. This site exists as an archive of Today @ Colorado State stories between January 1, 2009 and September 8, 2014.

Working at CSU

The Heartbleed Bug: What does it mean to me?

April 10, 2014

Steven Lovaas, IT Security Manager for Colorado State University, answers your questions about this serious threat to Internet security.

What’s all this about Heartbleed?

On April 7, researchers found a flaw in one of the tools used to secure Internet traffic. That tool, called OpenSSL, is responsible for providing security on the Internet. The bug allows an attacker to capture usernames, passwords, and pretty much any other information.

Why does this matter?

This is a big deal. Much of the Internet relies on OpenSSL to protect secure traffic. At least 500,000 servers worldwide appear to be affected by the bug, and some personal computers and mobile devices are also affected. Until the bulk of affected computers are fixed, or “patched,” any secure site on the Internet is potentially dangerous to visit.

What is CSU doing?

CSU has patched all our vulnerable servers that are exposed to the Internet. We’re also working on hunting down all internal servers that are still vulnerable, and will be getting those all patched very soon.

We’re monitoring the situation, and we’ll notify owners of any additional affected computers we find. Further information will be distributed through departmental IT managers, as well as being posted on the ACNS security site.

What should I do?

First off, don’t panic. While this is a serious vulnerability, security folks at CSU and around the world are working around the clock to reduce the risk. Nevertheless, there are some things you can do while the world catches up:

  • Avoid online banking and shopping for a few days, if you possibly can.
  • Don’t change your online banking password until your bank tells you that it’s OK; otherwise you may just be giving attackers your new password.
  • Be very suspicious of any emails asking you to change passwords.
  • Remember that legitimate CSU emails will never ask you to respond with sensitive information such as password, SSN, or bank account number.
  • Apply the latest security updates to your home and work computers, as well as to your mobile devices.
  • If in doubt, ask! Feel free to email me with questions or concerns.

For more information, NPR’s Marketplace story is a great place to start.

Contact: Steven Lovaas
Phone: (970) 297-3707