Heartbleed Bug Security Issue

Published: 2014-04-11

Sent on behalf of Chief Information Security Officer, Office of the CIO

This week, a world-wide security issue called the “Heartbleed Bug” was discovered. The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services. Secure websites – with “https” in the URL ("s" stands for secure) – make up 56% of global websites, and nearly half of those sites were vulnerable to the bug. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data.

Here at Ohio State, we have identified the systems that have this vulnerability and are working with technology teams across the university to quickly fix the issue. We will be tracking closure of these through the normal vulnerability management process and are requesting that all tech teams either fix the issue or contact security@osu.edu within 48 hours of detection with a status update. Fixing this issue involves replacing the SSL certificate and retiring the old certificate – a relatively simple, no-cost process.

Ohio State Security is also working with specific external partners that handle OSU information (e.g., Box, Microsoft, Apple) to ensure their websites are equally protected. If you have a concern about a specific partner site, please email security@osu.edu for assistance.

At this time, we are NOT suggesting that individual users reset passwords, as doing so before a system is patched could introduce more risk.

We also suspect that we will see an increase in phishing attempts to gather IDs/passwords, as criminals take advantage of the general confusion surrounding this issue. A separate “all user” communication will be distributed to draw attention to this threat.