Heartbleed OpenSSL vulnerability
What do I need to do?
Change your passwords
- Resetting your PennKey password
- Resetting your SEAS password
- Resetting your Google@SEAS and personal Google passwords
- Reset your Facebook and Twitter passwords
After updating your PennKey password, you will need to update the credentials for devices connecting to AirPennNet, as well as mail clients on your computers or phone.
Enroll in two-step verification
All PennKey holders should enroll in Penn WebLogin two-step verification. This program provides an additional layer of security on your PennKey account by requiring a unique code in addition to your password. You can use a smartphone app to manage access to these codes, as well as print out a paper copy.
If you are using Google@SEAS or a personal Google account, you should enroll in Two-Step Verification with Google. Facebook and Twitter also offer two-step verification.
Fraudulent email alert
Please be on the lookout for fraudulent email claiming to be from companies with which you do business (including Penn), as criminals may use this event to create phishing email messages designed to trick people into divulging their passwords. If you have any questions or concerns about this issue, please contact email@example.com.
Where can I find more information?
A vulnerability in OpenSSL, a cryptographic protocol used by many websites to secure web traffic, was disclosed Monday evening, April 7, 2014. The Heartbleed vulnerability has affected a large number of systems worldwide and can be exploited to expose the keys used to encrypt traffic from the vulnerable sites, as well as other data meant to be protected, including usernames and passwords.
CETS and Penn's IT staff have been working diligently to identify vulnerable machines. CETS email and web servers were vulnerable, and have been patched. Cosign (Penn Weblogin), PennNet wireless authentication, and SSH were NOT vulnerable. We have replaced the SSL certificates on vulnerable machines. In addition to continuously scanning for vulnerable machines, CETS and ISC Information Security are monitoring network traffic for any active attacks on Penn systems.