Heartbleed and you

You’ve no doubt heard of “Heartbleed” by now — the computer systems vulnerability that has generated international headlines this week.

The vulnerability has seriously impacted many of the world’s webservers. It affects certain versions of a webserver component for servers prefixed with the familiar “https” URL.

Dalhousie has many https servers, and there are many more that our community accesses outside the university.

So how does this affect the university community?

John Bullock, Dal’s information security manager, explains that Information Technology Services (ITS) moved quickly to address any potential vulnerability on Dal’s servers.

“The majority of ITS-managed servers were either never vulnerable or were patched within a few hours of the issue coming to light,” he explains. “On Wednesday afternoon we added network protection to guard the remaining servers until they can be patched.”

ITS is currently working to identify persons responsible for non-ITS servers on campus so they can be patched shortly. Blackboard (ie. Owl) was never vulnerable to Heartbleed.

Should you change your password?

While Bullock describes the risk as “low to medium,” and there is no evidence that any given system has been compromised, it is entirely possible that passwords could have been discovered from any service (Dal or otherwise) that was vulnerable.

• If you are at all concerned, you can change your NetID password at https://password.dal.ca (That site was patched prior to noon on Tuesday. If you changed your password since then, you are already covered.)
• ITS advises faculty and administrative staff to change their Dal password. The more sensitive the data you have access to, the more important it is to play it safe.
• You should change your passwords for other non-Dal services (email, banking, social media sites) once you know they have been successfully patched.
  

For more on Heartbleed, visit the Government of Canada's "Get Cyber Safe" blog.