The OpenSSL/Heartbleed vulnerability has been recently spotlighted in the news media since being announced on April 7, 2014. UAB IT has reviewed all centrally supported systems for this vulnerability and, working with our vendors, have installed patches on all supported systems to mitigate this vulnerability. We have used results from our daily Nessus campus network scans to identify system which are/were vulnerable and mitigated those systems which are centrally supported. Additional mitigation steps were taken where needed to protect sensitive credentials and data from compromise.
We believe that the possibility of a data breach or compromise is very low at this time however we recommend that all users take additional steps from an abundance of caution perspective. Those steps include 1) if you have access as an administrator to a system change your password(s) after you have verified that the vendor supporting your system has patched it appropriately, 2) increase your effort to mitigate those vulnerable systems identified on the weekly Nessus vulnerability report available at https://silo.dpo.uab.edu/vulnreport (if you need assistance please call Information Security at 205-975-0482), 3) please ensure that all systems that use SSL encryption services are fully patched, then restart the service on that system, 4) replace all SSL certificates on those systems with one provide free of charge from UAB IT from www.uab.edu/uabcrt (certificates from UAB are vetted, patched and kept up to date), 5) change all privileged account passwords immediately after vendor patches have been applied, and 6) be aware that many network devices and printers have embedded SSL based encrypted web based access portals which should be updated with vendor patches to mitigate this vulnerability.
We also recommend that all users with privileged access change their BlazerID passwords immediately as a precaution to mitigate any possible exfiltration of sensitive data by the OpenSSL vulnerability. And we also recommend that users change their personal passwords which they may use to access personal non-UAB web sites such as on-line banking and others to assist in reducing the possibility of becoming a cybercrime victim.
If you need additional assistance, please call AskIT at (205) 996-5555.