A very serious international information security vulnerability was disclosed late on Monday, April 7. It has the potential to have exposed, and to continue to expose, both the private digital keys used by websites to encrypt displayed data and the data submitted to websites (the processes used by secure web pages that present the little padlock icon in your browser). Information that may have been compromised includes passwords, account numbers, and other information. This vulnerability, officially named ‘Heartbleed,’ has affected a large portion (i.e. millions) of websites on the Internet and some here at Colby.

Since the time of disclosure, Colby ITS has been working to identify and re-secure the affected systems and websites, and at this time all Internet and Campus-facing websites have been secured. However, because this vulnerability has existed for at least two years, the potential risks, especially to account names and passwords, remain significant.

What Should You Do?

1.  Be aware of this issue and that it still affects many websites on the Internet. Be especially careful whenever you enter a password, account number or other sensitive data online. Because it will take some sites longer to install the necessary security updates, wait a few days before logging into sites external to Colby, read any notices about this security issue posted on those sites, and never use your Colby password for any external account.

2.  Be especially vigilant about fraudulent email that claims to be from Colby or other organizations and says that some action is necessary on your part, especially in response to this security issue. An ideal opportunity for exploitation occurs at times like this. Always verify the source of any such messages by contacting the company or the Colby ITS support center. Don’t click on any link in suspicious email.

3.  Consider resetting your Colby password, which can be done through the Colby ITS web site or through the link on the IT tab in MyColby.  We do NOT recommend changing your password on any other service or account until you have verified that the website has been secured.  If you have used your Colby email address and Colby password to create any account out there on the Internet, you must change your Colby password and in the future never use your Colby password with any external account.

As always, do not hesitate to contact the appropriate Colby ITS support center with any questions you may have about computing and security:
Faculty and Staff Support: 207-859-4222 / campus x4222 / support@colby.edu
Student Computer Services: 207-859-4224 / campus x4224 / scshelp@colby.edu

Additional Resources:
Heartbleed: What you should know
http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/

Changing Your Colby Password:
Go to the ITS Home Page and click on the link on the right or go to the IT tab in MyColby and click on the link on the left.