How the Heartbleed Bug Affects Ohio State

This week, a worldwide security issue called the “Heartbleed Bug” was discovered. The issue involves network software called OpenSSL, an open-source set of libraries used to encrypt online services.

WHAT THIS MEANS AT OHIO STATE
The media coverage that has surrounded Heartbleed opens the door for phishing attempts, so you can expect to see more phishing emails – don’t fall for them! If you receive an email that instructs you to click on a link and provide an ID and password, do not do it. Representatives from Ohio State will NEVER ask you for a password via email – if you suspect a phishing email, please forward it to security@osu.edu for verification.

In terms of Ohio State systems, we have identified the systems that have this vulnerability, and are working with technology teams across the university to quickly fix the issue.  We are also working with specific external partners to ensure that any websites handling Ohio State information are equally protected.  If you have a concern about a specific OSU or partner site, please email security@osu.edu for assistance.

OUTSIDE OF OHIO STATE
Secure websites (those with “https” in the URL, where the “s” stands for secure) make up 56% of global websites, and nearly half of those sites were vulnerable to the bug. In theory, a cybercriminal could have exploited Heartbleed by making network requests and piecing together your sensitive data from the responses.

For individuals, we urge caution and advise people not to rush to change their passwords. Changing a password before the fix is applied will likely result in the password being exposed – so timing is critical. Most major sites (banks, social media) will announce on their websites when the vulnerability has been fixed.