A security problem with OpenSSL, dubbed the Heartbleed Bug, has been in the news recently. This vulnerability is significant because much of the Internet relies on OpenSSL to secure its traffic. Until the affected servers are patched, the websites they host are potentially risky to visit, particularly if you are providing sensitive information to the site, such as usernames, passwords, and personal information.
What is IS&T doing?
Information Systems and Technology (IS&T) has verified that our central systems are not affected and has communicated with local IT support providers across MIT. Additionally, IS&T has scanned the campus network for vulnerable systems and contacted system administrators of affected systems to ensure that vulnerabilities are fixed and that private encryption keys and certificates are reissued.
Password best practices
This problem affects many popular off-campus websites and is another good reason not to use your MIT account password for any other sites or services. If you have used your MIT password on any other sites, we recommend you change your password as soon as possible.
To find out whether an external site is affected, along with the recommended action to take, you can use the following free tool: LastPass Heartbleed checker
Beware of scams and phishing
Cyber criminals may take advantage of the publicity about Heartbleed to run scams and phishing attempts. Be very suspicious of any emails asking you to log into a site to verify your account or providing links to change your password. Also, please remember that IS&T will never ask you for your password.
To learn more about how Heartbleed affects MIT, see The Heartbleed Bug: What You Need to Know.