Heartbleed

Recently a significant security vulnerability has been found in OpenSSL. This security software package is a global standard that is heavily used across the internet. Since the Information Technology Office was running this software we took immediate action to resolve this issue.

It is difficult to understate the catastrophic nature of this issue. One of the things that makes this such a widespread problem is the path that must be taken to fix it:

1. The operator of a website or vendor that creates a device must acknowledge they have a vulnerability.
2. Patch the affected software.
3. Revoke and re-key the affected security certificates.
4. Announce to their end users that this issue has been identified and corrected.
5. Once steps 1-4 are complete the end users must reset their password(s).

If you reset your password prior to the completion of the first four steps then you are still potentially vulnerable. You must wait to hear from the websites that you visit regularly as to whether or not they were affected by this issue. Sites that were not affected are probably ok without needing a password change. If you have questions about a specific website/service you should contact them directly.

How did the IT Office respond to this issue?

The IT Office immediately patched the affected software on our web server. The Heartbleed vulnerability allows the exploitation of the heartbeat mechanism of OpenSSL to read 64kb of server memory. If this is done repeatedly the data encrypted by our SSL certificates (usernames, passwords, etc.) could potentially be exposed. There is mounting evidence that this vulnerability was exploited before it was publicly announced. As such, we have to assume that any user accounts on a vulnerable server should have its password reset immediately.

As of this writing the vulnerability has been identified and resolved within the Conference network. All systems under our control have been updated. All SSL certificates have been revoked and re-keyed.

What Conference systems were affected by this issue?

• Websites – The main Conference website (https://nccumc.org), the NC Advocate (http://nccadvocate.com) and the Ramus website hosting system (http://nccumc.net) were the only internal systems affected by this issue.
• Conference email – The Google Apps system was also affected by this issue. This is a third party solution that we do not directly control. Google’s recommendation is to not change your password now that they have finished repairing the issue on their servers. The Conference IT Office recommends that you change your Google account password immediately.
• Online Data Collection System – The server hosting the Online Data Collection System was not running the vulnerable software. It is not included in this advisory as it was not affected. No account changes are needed at this time.

What should I do now?

Now that the IT Office has completed all of the needed repairs to our systems. You should follow these steps:

• Reset your Ramus account – If you have an account on our Ramus web hosting system (http://nccumc.net) you should reset your password immediately. When you next log into your website you should be prompted to change your password automatically. If you have trouble logging in click the Lost your password link at the bottom of the form.
• Reset your NC Advocate Online Subscription – If you have an account on our NC Advocate website (http://nccadvocate.com) you should reset your password immediately. Click the login link in the User Access section of the website. When you next log into your Advocate account you should be prompted to change your password automatically. If you have trouble logging in click the Lost your password link at the bottom of the form.
• Reset your Conference Website account – If you have an account on our Conference/District website(s) (https://nccumc.org or http://districts.nccumc.org) you should reset your password immediately. When you next log into your website you should be prompted to change your password automatically. If you have trouble logging in click the Lost your password link at the bottom of the form.
• Reset your Google account password – Given the severity of this issue the IT Office recommends that you reset the passwords on all of your Google accounts, even personal ones. You can find information on changing your Google account passwords here.

Please note: If you use the same password (or same few passwords) everywhere you should take advantage of this issue to start changing them. It’s that important – you should start now.

I reset my password X days ago – does that mean I’m ok now?

If you reset your password for any of these systems prior to April 8th, 2014 then you should reset them again.

Additional Resources

• Symantec Heartbleed Page
• Symantec Connect blog post
• Passwords you need to change right now
• Heartbleed checker for individual websites
• Heartbleed.com
• Lastpass Heartbleed checker
• 7 Heartbleed Myths Debunked