Guidance on the “Heartbleed” Internet security vulnerability

To All SPH Faculty, Staff, and Students:

Last week, a security flaw dubbed “the Heartbleed bug” was discovered in a common Internet security protocol (OpenSSL) that protects credentials, such as usernames, passwords, and credit card numbers. An explanation of this flaw can be found on the Harvard Information Security website at: http://security.harvard.edu/heartbleed. Harvard IT professionals across the University, and our own server team, web team, and Andy Ross, our security manager, acted quickly to assess and patch any websites or applications that may have been vulnerable. The Harvard PIN system and other enterprise applications were not affected as a result of Heartbleed, and Harvard Information Security currently has no indication that any information has been compromised.

Although there is a low risk that your Harvard account credentials were compromised, you are at greater risk if you use the same password for your Harvard accounts as for your personal accounts, such as personal email, social media, and other websites. We strongly recommend that you change your Harvard password immediately if you have also used it for external non-Harvard accounts. Furthermore, it is important to not use the same password for Harvard and personal accounts going forward. It is always good practice to periodically change all your account passwords, and this may be a good opportunity to refresh your Harvard passwords even if you believe you are at low risk of being affected by Heartbleed.

You can find full instructions on how to change your Harvard passwords on our I/T Dept. website at: http://isites.harvard.edu/fs/docs/icb.topic731455.files/password_information_41414.pdf

If you have an SPH encrypted laptop, pay close attention to the instructions under sections 2.2 and 2.3. Also, BEFORE changing your OUTLOOK Email password (see section 2.5), be sure to turn off all your portable devices (iPhone/iPad/Android/Tablet), to avoid your email getting locked out on that device.

If you have any questions or concerns about this security issue or need assistance to change your passwords, please contact the Helpdesk at 617-432-HELP or Helpdesk@hsph.harvard.edu (Mon-Fri: 8 a.m.-6 p.m.).

Taso Markatos
CIO, SPH I/T Dept.