What You Need to Know About the Heartbleed Vulnerability

Wednesday, April 16, 2014

What is "Heartbleed"?

On April 7, researchers found a vulnerability in a technology called OpenSSL that is widely used to secure traffic on the Internet. The security vulnerability has been dubbed "Heartbleed", and experts estimate that it affects more than a third of Web servers worldwide. If exploited, it can allow a hacker to capture usernames, passwords, and other information that is shared with affected websites or online applications.

What is Pitt doing?

Computing Services and Systems Development has conducted a detailed inventory of enterprise systems that could be susceptible to the Heartbleed vulnerability and has applied the appropriate security updates. We are also working with University departments to identify and patch any susceptible departmental servers and systems.

What should I do?

  • As with any widespread vulnerability, Computing Services and Systems Development recommends you change your University Computing Account password.
  • If you have used the external password feature of pitt.box.com, you should change your external password. (The external password feature is used to access certain apps like SimpleShare that do not support single sign-on with your University Computing Account username and password.) To change your external password, log in to pitt.box.com using your University Computing Account username and password, click the Gear icon at the top of the page, select Account Settings, and then click Edit password.
  • Review the following list of websites to see if any of the sites you use regularly are affected by the vulnerability and follow their published password reset guidelines: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/.
  • Remember that no legitimate organization, including the University of Pittsburgh, will ever ask you to provide confidential information like your password or Social Security Number over the phone or via email.
  • If you manage a server in your department and would like assistance determining if it is susceptible, please contact the Technology Help Desk at 412-624-HELP [4357] or submit a request online.

Get Help