**OpenSSL HeartBleed Vulnerability Alert**
A vulnerability was discovered in OpenSSL that allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys used to protect the traffic. User names, passwords and the actual content of the communication can also be read. The bug appears to have been in OpenSSL for 2+ years, since December 2011, and exploiting it leaves no trace in server logs, so there is no easy way to determine if a server has been compromised.
Affected versions: OpenSSL 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1.
Is There a Solution?
OpenSSL and the UCIT Office of Information Security (UCIT OIS) recommend that users immediately upgrade to version 1.0.1g. Administrators are advised to apply the up-to-date version of OpenSSL, revoke potentially compromised private keys and reissue new keys. The newest version is available on OpenSSL’s website: https://www.openssl.org/source/.
QualysGuard Vulnerability Scanning
UCIT OIS uses QualysGuard, an enterprise vulnerability assessment, policy compliance, and remediation management tool that provides an extensive built-in database with the latest CVE vulnerability definitions. Monthly scans will be completed on the university’s network to ensure there are no vulnerable OpenSSL servers on our network. If an outdated version of OpenSSL is found on the network, the IT Coordinator responsible will be contacted and told to upgrade their OpenSSL server. As part of the upgrade, however, all certificates must be revoked and requested again once the upgrade is complete.
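For administrators who want a first pass over their own hosts before the monthly scan, the following added example (not UCIT OIS or QualysGuard code) checks collected `openssl version` banners against the affected releases listed above. The host names, the tab-separated inventory format and the function names are assumptions made for illustration.

```python
import re

# Affected releases exactly as listed in the alert; 1.0.1g is the fixed release.
AFFECTED = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f"}

# Version token in `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(?:-(\S+))?", re.IGNORECASE)


def classify(banner):
    """Return (status, version) for one `openssl version` banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        return ("unparsed", None)
    version = m.group(1).lower()
    # Build suffixes such as "-fips" do not change the release letter.
    return ("affected" if version in AFFECTED else "not-listed", version)


def triage(inventory):
    """Split 'host<TAB>banner' lines into hosts to remediate and hosts to recheck."""
    remediate, recheck = [], []
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition("\t")
        status, version = classify(banner)
        if status == "affected":
            remediate.append((host.strip(), version))
        elif status == "unparsed":
            # No readable banner: do not assume the host is clean.
            recheck.append(host.strip())
    return remediate, recheck


# Constructed sample inventory (hypothetical hosts, not real scan data).
SAMPLE = (
    "web01.example.edu\tOpenSSL 1.0.1e-fips 11 Feb 2013\n"
    "web02.example.edu\tOpenSSL 1.0.1g 7 Apr 2014\n"
    "mail01.example.edu\tOpenSSL 0.9.8y 5 Feb 2013\n"
    "vpn01.example.edu\tOpenSSL 1.0.1 14 Mar 2012\n"
    "app01.example.edu\tcommand not found\n"
)

if __name__ == "__main__":
    remediate, recheck = triage(SAMPLE)
    for host, version in remediate:
        print(f"{host}: OpenSSL {version} is on the affected list; upgrade to "
              "1.0.1g, then revoke and reissue its keys and certificates")
    for host in recheck:
        print(f"{host}: version not readable; check manually")
```

A version string is only a first-pass filter: distribution packages can carry a backported fix under an unchanged version string, so confirm a match against the package changelog.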
UCIT Office of Information Security (UCIT OIS) is pleased to announce the results from the campus Shred Event on Wednesday, April 2, at McMicken Commons on West campus.
Courtesy of sponsorship from Document Destruction, UCIT OIS collected, securely shredded and recycled nearly 4,400 pounds (2.2 tons!) of documents received from 26 departments/colleges in only 4 hours at zero cost to the university.
If you and/or your department or college were unable to participate in this first shred event, don’t worry. UCIT OIS will be hosting another one in the near future, so be looking out for a date!
All personal and professional documents are accepted, but paper clips, hanging file folders and other metal/plastic must be removed from the documents in advance. (Staples are okay.)
For additional information please visit the UCIT OIS website at http://www.uc.edu/infosec/services/shredding.html
UCIT Office of Information Security (UCIT OIS) is holding another Free Shred event on Wednesday, April 2 on West Campus in McMicken Commons. We will be accepting paper from 9 a.m. until 12:30 p.m.
All faculty, staff, and students are invited to drop off professional or personal sensitive documents to ensure they are securely destroyed and recycled. All metal, including paper clips and hanging file folders, must be removed in advance; staples are permissible. Plastic also needs to be removed: comb bindings, transparencies, Polaroid pictures, Tyvek envelopes. Anything that cannot be torn is not acceptable.
UCIT OIS staff will remain present to ensure that all documents received are properly destroyed.
For additional information please visit our Shredding page.