Important New Web (OpenSSL) Vulnerability

As many of you may have read or heard, a flaw has been discovered in one of the Internet's security methods—a flaw that could enable hackers to access user names, passwords, or other sensitive data.

A fix for this flaw, which was announced this week, is available, and NYU is now working quickly to patch all of the University's systems that need patching. The flaw, known as the "Heartbleed" vulnerability, is associated with a widely used technology known as OpenSSL, which is used to secure server transactions. OpenSSL is used by Internet service providers, system administrators, and universities around the world, including NYU.

What NYU is doing:
Technology Security Services (TSS) at NYU is reviewing our centrally provided systems, and servers that need to be patched are being patched. TSS has been in touch with the NYU system administrators group (system administrators across campus) to alert them to the issue and the recommended fix. The CIO Council (IT leads at the schools) has also been alerted to this issue for any locally maintained and housed servers.

What you should do:
First of all, don't panic. Not all systems use OpenSSL, some that do are not vulnerable, and many websites are already installing patches on their systems.

If you are an administrator of any system, you should immediately upgrade your system to the latest version of OpenSSL. For more guidance, NYU system administrators should contact the IT Security Group at security@nyu.edu. Administrators of systems outside of NYU (e.g., cloud services) should contact the service provider or refer to the links below.

For users of NYU systems: ITS and other service owners across NYU are working quickly to patch systems as necessary. As examples, NYU Google Apps, NYU Classes, Albert/SIS, NYUHome, www.nyu.edu, NYU Login, PeopleSync, and all core NYU systems have either been patched, or are not vulnerable to this bug.

For users of non-NYU systems: If you don't know if the server you are connecting to has been patched, the most prudent thing to do is refrain from logging into non-NYU sites that contain sensitive data for a few days while those non-NYU servers are patched. If there is no information from the system owners after that time, you should contact the site to confirm that the patch is in place. If you are curious as to whether a page may be affected by the flaw, you can visit this Heartbleed test site and put in the name of the website you are concerned about to see whether it is vulnerable. However, not all sites can be tested in this way.

What the Internet is doing: Internet providers and server administrators around the world are assessing their systems in order to patch their versions of OpenSSL.

References: