HEARTBLEED: what it is and how it affects you at BCIT


BCIT students are booting up their desktop computers on campus to find a troubling message displayed on the monitor: all students and staff are urged to immediately reset their BCIT passwords as a precautionary measure against the OpenSSL bug Heartbleed.

A quick Google search on this bug may cause some panic; and while the BCIT website states that the IT Services team have patched all affected systems, other websites may still be at risk.

We at Link Magazine want to help you get some peace of mind in the time of what is called the greatest security threat in the history of the Internet, so here are some basic things you need to know about Heartbleed.

What is Heartbleed?

Heartbleed is an encryption flaw in the OpenSSL cryptographic software library, which allows for memory leaks at set time intervals. OpenSSL, in simple terms, is a service that scrambles information meant to be private (for example, passwords) into a string of numbers and letters while the account is not being accessed, and unscrambles it once the user logs in.

Numerous websites use the OpenSSL system to protect users’ information, and the bug may allow for things that are normally password-protected to be accessed by someone other than the user or the web service.


XKCD comic explaining Heartbleed

Which websites are affected by Heartbleed?

The official web page dedicated to Heartbleed sombrely states that everyone is “likely to be affected either directly or indirectly” by the bug, by virtue of OpenSSL being the most popular cryptographic library on the Internet.

Many Internet giants have admitted to having been affected by the OpenSSL flaw: Google has reported that they have successfully installed patches against the vulnerability; Facebook have released a statement that the bug was fixed even before Heartbleed became publicly known; and Instagram stated that they have applied the needed patches, and that no accounts have been harmed to their knowledge.

What can I do to protect my information?

The best way to ensure your private information stays that way is to change your password, especially if you use the same one for multiple websites (and especially if they are still “password1” or “123456” or “guest” – we know some of you are still guilty of this!).

But before you go on a massive password-changing spree, check if the websites you use often are still affected by Heartbleed (if they are, the passwords would need to be changed once again once the bug is fixed). Most websites now display a message that explicitly states the status of the OpenSSL update.


RBC addressed the Heartbleed vulnerability on the front page of their online banking site.

If the message is not there, or is not clearly visible, there are a couple of ways to check: look up the website on this frequently updated list Mashable put together; or check the web page address with a testing tool, such as SSLLabs or LastPass Heartbleed Test, which determines the state of the OpenSSL software.

Although most web services have swiftly put system administrators to work fixing the Heartbleed issues, tech experts emphasize that patching does nothing about any information that may already have been stolen as a result of the security breach.

BCIT IT Services reminds all students and staff to change all their passwords before the April 22, 2014 deadline; otherwise, there is a risk of being locked out of their my.bcit.ca account.

How to change your BCIT Passwords:

1. Log in to my.bcit.ca

2. Select “Change Password” (from the Online Self Service pane – right-hand pane)

3. Enter new password information into the ‘Change your Password’ section.

It will take approximately 5-15 minutes to synchronize your new password across all systems.
 
 
Other systems (these may or may not be centrally managed by ITS):
MSDNAA
Specialized Program systems

If your password was changed on a date later than April 14 at 4pm, then you don’t have to change it again.

For more information, check the IT Services page.