Heartbleed Vulnerability

Recently a major security vulnerability called Heartbleed was publicly announced. Heartbleed impacts many websites throughout the world, as well as servers here at Luther College that use OpenSSL to provide encrypted web pages. The Heartbleed vulnerability allows an attacker to steal sensitive information from a vulnerable server, including usernames and passwords or encryption keys.

Many popular websites have already begun recommending that their users change their passwords as a precautionary measure. You are likely already receiving emails from a variety of organizations prompting you to change your password, and you will likely receive more in the coming days. It is important to be on the alert for phishing emails and not become a victim of them. You should never follow a link provided in an email message to change your password. Instead, open your web browser, go directly to that organization’s website and, once there, go through the password change process. Also remember that no legitimate organization will ask for your password by email.

Luther College will soon recommend that users change their Norse Key passwords as a precaution. At this time we are recommending that users wait until we have verified the status of all software that uses Norse Keys for authentication but is hosted by a third-party vendor.

LIS has worked to identify all of our vulnerable servers and has applied the appropriate patches where needed to ensure that our servers are not vulnerable. At this time, we have no indication that this vulnerability has resulted in unauthorized access to any systems or accounts at Luther College. Because this exploit leaves no trace, we have also taken the additional step of revoking and reissuing the SSL security certificates on all affected systems. We are also in the process of contacting any vendors that host software services that we use to verify that any necessary action has been taken to ensure that those services are not vulnerable.

For more information on the Heartbleed vulnerability see: