Heartbleed security vulnerability creates need for password changes by May 5
April 30, 2014
The Virginia Tech Information Technology Security Office is requiring all PID, Oracle (Banner), and VT Google Apps (Gmail) users to change the passwords for these accounts by May 5.
This password change will complete the university’s response to the Heartbleed vulnerability, and protect university resources.
The Heartbleed vulnerability is a flaw in OpenSSL, a widely used open-source cryptographic software library that is used in two-thirds of the world’s websites and a large portion of the operating systems and software offered by the world’s biggest software developers.
Heartbleed is essentially a simple coding flaw, which allows an attacker to remotely extract data including usernames and passwords from vulnerable Web servers without the user’s knowledge. The attack cannot be detected.
At Virginia Tech, all servers known to be vulnerable have been patched, and security certificates have been replaced on more than 450 servers across the university.
There has been no evidence that Virginia Tech data or systems have been accessed inappropriately as a result of the vulnerability.
“However, the possibility exists that some usernames and passwords could have been extracted before the flaw was discovered,” notes Randy Marchany, Virginia Tech’s information technology security officer. Because of the nature of this vulnerability, password changes will be required to reduce the possibility of any malicious access to Virginia Tech resources.
All PID, Oracle (Banner), and VT Google Apps passwords were affected, and must be changed to a new, strong, and unique password on or before May 5.
Hokies (Exchange) passwords and Network passwords, used for VT-Wireless and the VPN (virtual private network), are not affected by this password change requirement.
Users who changed their passwords on or after April 22 should not need to change them again; however, any passwords changed before that date will need to be changed again.
Users who have not changed these passwords by May 5 will be required to select a new password the next time they log into services requiring PID or Oracle (Banner) passwords.
Virginia Tech students, faculty, and staff are also urged to change passwords for all other outside Web services affected by Heartbleed, including many social media, cloud computing, news, banking, and commerce sites. The Heartbleed hit list site from mashable.com lists many of the popular Internet services affected, and the vendor security recommendations for those services. Users changing passwords for services outside the university should be sure not to reuse any Virginia Tech passwords.
Students, faculty, and staff are directed to Virginia Tech’s main computing website for complete instructions on how to change passwords. For further assistance, users may contact 4Help by calling 540-231-4357 or by clicking the ‘Ask a Question’ link at the upper left of the website.