Welcome to the University of Hawai'i Information Security homepage! The Information Security website and team are here to provide guidance and assistance to the University community to keep its resources safe and secure from both cyber and physical threats. The InfoSec Team is also responsible for the development and implementation of the University of Hawai'i Information Security Program.
This information is being updated frequently - please check back often for any updates.
A major security vulnerability named Heartbleed was disclosed on April 7, 2014. This vulnerability affects many websites on the Internet that use OpenSSL to encrypt webpages (pages that start with https). SSL, or Secure Sockets Layer, is an Internet protocol designed to encrypt traffic over the Internet to hide sensitive information from prying eyes. SSL is often used to encrypt passwords that are used to securely access services offered through a website.
This OpenSSL security issue allows information protected by SSL to be stolen by revealing the private keys that protect the confidentiality of the information. Sites affected by the vulnerability can have login credentials stolen, as well as other data that would normally be protected by an encrypted SSL connection. In addition, once an attacker has the private key for a particular website, they can use the key to decrypt traffic that was sent to the server before the bug was disclosed.
It is important to note that only specific versions of OpenSSL are vulnerable. More detailed information about Heartbleed can be found at: http://heartbleed.com
The Washington Post offered a reasonable summary of this vulnerability and impact across the Internet.
Please note that individual campus or departmental applications are not listed here. Check with your IT support staff for local service/application information.
A few UH services were affected by the Heartbleed vulnerability. Users of those services will be contacted directly to change their passwords.
You may also be notified by your campus or department to change your UH password if it may have been exposed through their server or service.
CNET is maintaining a list of the top 100 web sites and their status available at: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
If you logged in to any website listed as vulnerable, or if you have been notified by the service, you should change your password AFTER the website has been fixed. If you are not sure whether a site was vulnerable, or whether it has been fixed, you can check the website using the Heartbleed test site: http://filippo.io/Heartbleed/
IMPORTANT! You should NOT use your UH username and password to log in to any non-UH website! If you did use your UH credentials to log in to any vulnerable website, you should change your UH password using the UH One-Step Password Change page:
You may need to reset your UH password more than once if you used your UH credentials on websites that are vulnerable AND used your new/reset password on a vulnerable website that has not yet been fixed.
Be on the alert for phishing attempts! Watch for fraudulent email claiming to be from UH or other companies with which you do business. Criminals will use this as an opportunity to create targeted phishing email messages to trick people into divulging their passwords. Information Technology Services (ITS) will NEVER ask for your password in an unsolicited email. Be on the lookout for sites that purport to tell you whether your site or your information has been compromised, especially if they demand personal details, login credentials, or payment.
Last updated: April 14, 2014 02:30 PM HST