
Heartbleed and Phishing


By now, most of you have heard about the “Heartbleed” security vulnerability. It has affected a large portion of websites on the internet and has been reported on in multiple media outlets. This vulnerability can expose the private key used to protect the data sent between a website and an end user. With that key exposed, all of that data could be read by a third party. This includes passwords and more.

Do we know that any websites were actually compromised? No, we do not, but at the same time we do not know that a site was NOT compromised. Unfortunately, that is the rub. It is prudent to assume that any site that was vulnerable may have been compromised, and that you should change your password on that site.

One very important point about the Heartbleed vulnerability is that it is my belief that hackers will use this opportunity to engage in a very directed phishing campaign.  These phishing attempts may pretend to be from a site administrator, and they may inform you that their site was vulnerable to Heartbleed.  These emails may recommend that you click a link to change your password immediately.  They may inform you that your account will be suspended if you do not follow the link.

In light of this, please be skeptical of any email that requests that you change your password for any site.  Do not blindly follow links that you received in email.  Instead, use your web browser to go to the site and change your password using the normal password change mechanism associated with that service.

As I stated above, if you have an account on a site that was vulnerable, you should consider changing your password on that site as soon as possible. CNET has published a list of the top 100 sites on the web; if you use one of them and it is listed as vulnerable, you should change your password there.

The CNET list is here:

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Some notable sites that were vulnerable include Facebook, Google, and Netflix.

It should be noted that the list is not all-inclusive; several other sites were also vulnerable to the bug.

For the record, the University of Florida’s web-based login system, Shibboleth, was not vulnerable to the Heartbleed bug.  So any email that you receive suggesting that you should change your Gatorlink password immediately because of Heartbleed should be treated with suspicion.  When in doubt, a quick call to the UF Help Desk regarding your Gatorlink account is the best advice I can offer.