What is "Heartbleed"?
A major security flaw, named Heartbleed, was announced last week. This bug can affect you and your secure communications and transactions on the internet. Security researchers found a flaw in software used to secure internet traffic. That software, called OpenSSL, is responsible for providing security on the internet, and is used by numerous web services worldwide. The bug allows an attacker to capture usernames, passwords, and pretty much any other information being protected by OpenSSL. Confidential information that you have transmitted through secure websites or services could have been compromised. The threat continues to exist until vulnerable systems are patched appropriately. Services such as online banking and social media are potentially affected. This bug is now known worldwide and is not unique to Calvin's network. CIT does not believe there has been any compromise of our systems at this time, but we will be taking some precautions to ensure that data and personal information remain secure.
What is Calvin/CIT doing about it?
Calvin IT is taking this issue very seriously. We understand that security threats can be an inconvenience, and share the frustration that all members of the internet community are experiencing from Heartbleed. Calvin does not believe there has been any compromise of our systems at this time. We are committed to proactive and measured steps to secure our systems. External, customer-facing services were evaluated and rapidly addressed last week. Calvin IT also continues to work with the third-party vendors we contract with to patch their vulnerable systems.
CIT will be implementing two changes in the coming week that will impact the Calvin community:
- CIT will update security certificates on our Eduroam wireless network this Thursday, April 17, by 8:00 AM.
- Once we have made the necessary changes to the wireless system, CIT will ask everyone to change their Calvin passphrase. A message to campus will be sent on Wednesday, April 23 with more information. Please do not change your passphrase until you have received this communication or are prompted to do so.
What do you need to do?
To maintain wireless connectivity
- If you use a Windows computer on Eduroam wireless, please connect your computer to the "wireless_setup_instructions" wireless network, re-load your web browser, and follow the instructions. To maintain uninterrupted wireless connection, please make this change before Thursday morning.
- If you use a Mac computer or a mobile device on Eduroam wireless, you do not need to do anything until Thursday. You will be prompted to accept the new certificate when your device connects to Eduroam. Please accept these changes when prompted.
- NOTE: In either case you will NOT need to re-register your device and run the Bradford scan.
To change your Calvin passphrase
You can now reset your Calvin Passphrase at this link: http://www.calvin.edu/cgi-bin/chpass.pl
You will begin to receive emails from CIT that your passphrase is set to expire. All Calvin users need to change their passphrases by Thursday, May 1st, at which time unchanged passphrases will expire and will have to be reset using the procedures to reset an expired passphrase. If you have reset your passphrase after Thursday, April 17th, you will not have to reset your passphrase again.
Calvin Faculty and Staff should restart their computers immediately after resetting their passphrase in order to allow the new passphrase to sync with all systems. If you are using a Calvin-provided laptop, you will need to make sure your laptop is physically plugged in to the Calvin network via an Ethernet cable before restarting and logging in to your computer again.
Remember that all services which use your Calvin Passphrase will have to be updated. This includes reconnecting to the eduroam wireless network with your new passphrase, as well as updating your passphrase in any mobile mail applications or third-party mail applications you may use to connect to your Calvin email.