As you probably heard in the news, a vulnerability called Heartbleed, found in software that is used extensively at many online sites, was announced on Monday, April 7. This vulnerability made it possible for an attacker to contact a web server and look into the server's memory a little bit at a time, without being detected. One side effect is that, by looking into the server's memory, an attacker could capture a client's username and password.
To investigate the possible effects at UIC, ACCC Security immediately scanned the entire UIC network to detect all of the servers running a vulnerable version of the software. A small number of servers (27) were identified; we notified the units and provided steps to remedy the problem. At the same time, a scan was performed on all ACCC internal networks and servers to find the vulnerable software. A total of 43 ACCC servers (14% of all ACCC servers) were found running versions of the software with the Heartbleed vulnerability and were immediately updated. In addition to patching the servers, we need to close the door on anyone who may have gained access to these systems. We are doing this by installing new digital certificates on these servers.
The main question here is, “Was my UIC password compromised?”
The answer to this question for the majority of the campus community is “No”. However, there is a small subset of users that might need to change their passwords.
UIC passwords you should change
Google Apps - for most people, accessing Google Apps would not have compromised your account. However, IF you have an email client (Outlook, for example) configured to contact Google to read your UIC email from a UIC Google Apps account using the IMAP protocol, or IF your login to YouTube matches your UIC netid and common password, then we recommend that you change your password.
Box - for most people, access to Box would not have compromised your account. However, IF you have used the 'Create External Password' feature to create a password to connect your Android phone or an Apple iOS app to your University Box account, that password may have been compromised. Or, IF you used the same password as your common password, then you should also change your common password.
Finally, if you have used your firstname.lastname@example.org/common password credentials for any site other than UIC, then please change your UIC common password. Keep in mind that you should never use this combination to authenticate with external services for this reason.
Questions about changing your password?