Heartbleed OpenSSL vulnerability

What do I need to do?

Change your passwords

After updating your PennKey password, you will also need to update the stored credentials on any devices that connect to AirPennNet, as well as in the mail clients on your computer or phone.

Enroll in two-step verification

All PennKey holders should enroll in Penn WebLogin two-step verification. This program provides an additional layer of security on your PennKey account by requiring a unique code in addition to your password. You can use a smartphone app to manage access to these codes, as well as print out a paper copy.

If you are using Google@SEAS or a personal Google account, you should enroll in Two-Step Verification with Google. Facebook and Twitter also offer two-step verification.

Fraudulent email alert

Please be on the lookout for fraudulent email claiming to be from companies with which you do business (including Penn), as criminals may use this event to create phishing email messages designed to trick people into divulging their passwords. If you have any questions or concerns about this issue, please contact cets@seas.upenn.edu.

Where can I find more information?

A vulnerability in OpenSSL, a cryptographic software library that many websites use to secure web traffic, was disclosed Monday evening, April 7, 2014. The Heartbleed vulnerability has affected a large number of systems worldwide and can be exploited to expose the keys used to encrypt traffic to and from vulnerable sites, as well as other data meant to be protected, including usernames and passwords.

CETS and Penn's IT staff have been working diligently to identify vulnerable machines. CETS email and web servers were vulnerable, and have been patched. Cosign (Penn Weblogin), PennNet wireless authentication, and SSH were NOT vulnerable. We have replaced the SSL certificates on vulnerable machines. In addition to continuously scanning for vulnerable machines, CETS and ISC Information Security are monitoring network traffic for any active attacks on Penn systems.
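
Spotting a Heartbleed probe on the wire comes down to one bounds check: the heartbeat message's declared payload_length must fit inside the TLS record that carries it, with room for the 16 bytes of padding RFC 6520 requires, which is the same check the OpenSSL fix added. The Python below is an added example for readers, not CETS's or ISC's monitoring code; the TLS records it inspects are constructed inline.

```python
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat messages (RFC 6520)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16          # RFC 6520: every heartbeat message ends with >= 16 bytes of padding

def parse_tls_records(stream: bytes):
    """Yield (content_type, body) for each TLS record in a captured byte stream."""
    offset = 0
    while offset + 5 <= len(stream):
        content_type, _version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        yield content_type, stream[offset + 5:offset + 5 + length]
        offset += 5 + length

def check_heartbeat(body: bytes) -> dict:
    """Apply the bounds check the OpenSSL fix added to one heartbeat record body.
    Body layout: type(1) || payload_length(2) || payload || padding(>=16). The patch rejects
    messages where 1 + 2 + payload_length + 16 exceeds the record length; unpatched code
    copied payload_length bytes from process memory instead, leaking keys and passwords."""
    if len(body) < 3:
        return {"suspicious": True, "reason": "truncated heartbeat header"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    if 1 + 2 + declared + MIN_PADDING > len(body):
        return {"suspicious": True,
                "reason": f"type {hb_type}: declares {declared} payload bytes, record holds {len(body)}"}
    return {"suspicious": False, "reason": "payload length fits inside the record"}

def scan(stream: bytes) -> list:
    """Return (record_index, verdict) for every heartbeat record found in the stream."""
    return [(i, check_heartbeat(body))
            for i, (ctype, body) in enumerate(parse_tls_records(stream))
            if ctype == TLS_HEARTBEAT]

def tls_record(content_type: int, body: bytes) -> bytes:
    """Wrap body in a TLS 1.1 (0x0302) record header; used only to build the constructed sample."""
    return struct.pack("!BHH", content_type, 0x0302, len(body)) + body

# Constructed sample capture: application data, a well-formed heartbeat (4-byte payload plus
# 16 bytes of padding), and a malformed one that declares a 16384-byte payload it does not carry.
SAMPLE_STREAM = (
    tls_record(0x17, b"\xde\xad\xbe\xef")
    + tls_record(TLS_HEARTBEAT, bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
    + tls_record(TLS_HEARTBEAT, bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000))
)

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_STREAM):
        print(index, verdict)
```

This check only works on heartbeat records that are still in the clear, i.e. before the handshake finishes and record encryption begins; since RFC 6520 does not permit heartbeats during the handshake, any heartbeat seen that early is itself worth flagging.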

See the ISC documentation on Heartbleed for Penn-specific information. The official Heartbleed site has further technical information on affected versions, as well.

© Computing and Educational Technology Services | cets@seas.upenn.edu | 215.898.4707