The Heartbleed security flaw affects websites across the Internet. Users are changing their passwords as sites install patches to protect against the flaw. Image via Wikimedia Commons.

Heartbleed bug precautions

Users advised to change passwords for HawkID and other accounts as a precaution

Friday, April 11, 2014

Written by: Information Technology Services

Responding to the Heartbleed bug, the Information Security and Policy Office is issuing the following message to University of Iowa IT users:

As you have likely heard in the news, IT security researchers recently discovered a vulnerability named the Heartbleed bug in many online encryption systems used around the world (e.g., OpenSSL encryption). This is a serious vulnerability that could allow attackers to steal passwords and other secret information from seemingly secure website servers.

The University of Iowa has taken an aggressive approach to remediating this vulnerability, and all affected UI public-facing systems have been patched to remove the vulnerability or be isolated from the network. The hospital is also following its remediation protocol. We have no evidence at this time that any UI system has been compromised. However, as a precaution, the Information Security and Policy Office recommends that members of the UI community:

1) Avoid clicking links found in unusual or unexpected emails that ask you to reset your password or to reveal personal information. The number of these emails will probably increase over the next couple of days as thieves try to take advantage of the situation.

2) Consider changing your online passwords at UI and elsewhere—especially at banks and commercial sites—early next week. (Waiting a few days gives the external sites time to fix the vulnerability and provide their own advice.) This vulnerability existed for nearly two years before it became public knowledge, and it isn’t clear if attacks were successful before then. In this case, the sage old advice of better safe than sorry is probably appropriate in terms of changing passwords.

You can change your HawkID password through the Information Technology Services website at: http://hawkid.uiowa.edu. Changing passwords is critical if you use the same one for your HawkID and other accounts. As a general rule, your HawkID password should differ from passwords used for non-UI services. If you have elevated privileges on any UI system, your password must be changed.

If you have questions, please contact your local IT provider or the ITS Help Desk at 319-384-4357 (4-HELP) or its-helpdesk@uiowa.edu.

Thank you for your cooperation in addressing this important security matter.