HeartBleed at UW-Eau Claire
A major security vulnerability named Heartbleed was discovered on April 7 and has the potential to impact all Internet use between users' computers and servers that use Open SSL (Web pages that start with https). The security vulnerability permits the theft of some information, including userID and passwords, in addition to any information shared between the user and the server that would normally be protected during the session.
Since Tuesday morning, LTS and IT administrators for the university's schools and departments have been evaluating university-managed servers and have confirmed that none of the core critical IT services using SSL, including Single Sign-On or www.uwec.edu are affected by this vulnerability because they do not use the version of OpenSSL that is vulnerable.
Although there has been no evidence that a UW-Eau Claire website has been compromised, we know that the vulnerability has existed since March 2012. We urge UW-Eau Claire users to subscribe to multi-factor authentication with popular services, such as Google, Yahoo, Facebook, iCloud, Evernote and Twitter.
UW-Eau Claire users are advised to exercise caution with websites they visit. The exploit can affect both servers and users' Web browsers. Users can expect all major browsers to address this issue with an update (e.g. Chrome has already released an update). As server and site owners double their efforts to patch their servers, users may be notified to change their passwords with the service providers. We anticipate a new wave of phishing messages using this vulnerability as an excuse to steal login credentials and compromise accounts. Beware of spam messages.
At this time, LTS is not asking users to change their UW-Eau Claire network passwords.Please contact the LTS Help Desk at 715 836-5711 with additional questions or for assistance.