A security vulnerability that affects OpenSSL, being referred to as Heartbleed, was recently discovered and has potential for widespread impact. OpenSSL is software commonly used to secure web servers, including many web-based services throughout the university.
This vulnerability is receiving a lot of attention – and rightly so due to its potential impact. However, it is important to note that at this point, it is only a discovered vulnerability. It is not an active attack. In fact, there are no known events at this time where passwords, credit card numbers, or other sensitive data have been compromised due to this vulnerability.
IT security principals on the University of Colorado campuses along with University Information Systems (UIS) staff are working to identify vulnerable systems, including externally hosted servers. As vulnerable systems are found, they are being patched and SSL certificates are being reissued.
All CU Employees: Although we are not requiring password updates at this time, it’s an excellent opportunity to highlight some password best practices:
Webmasters and other IT Practitioners: If you are running OpenSSL versions 1.0.1 through 1.0.1f, we recommend that you update as soon as possible to OpenSSL version 1.0.1g or later.
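One way to triage servers against the version range above, as an added example that is not part of the original notice; the host names and inventory lines are constructed, and the function names are hypothetical:

```shell
#!/bin/sh
# Added example: flag hosts whose reported OpenSSL version falls in the
# notice's affected range (1.0.1 through 1.0.1f; fixed in 1.0.1g).
LC_ALL=C; export LC_ALL   # make [a-f] a plain ASCII range

# heartbleed_status VERSION_STRING -> affected | fixed | outside-range
# Accepts a bare version ("1.0.1e") or full `openssl version` output.
heartbleed_status() {
    v=${1#OpenSSL }      # drop the leading product name, if present
    v=${v%% *}           # keep the version token, drop the build date
    v=${v%-fips}         # FIPS builds report e.g. "1.0.1e-fips"
    case "$v" in
        1.0.1|1.0.1[a-f]) echo affected ;;
        1.0.1[g-z])       echo fixed ;;
        *)                echo outside-range ;;  # not a 1.0.1 release
    esac
}

# affected_hosts: read "host version-string" lines on stdin and print the
# hosts that need the OpenSSL update and a reissued certificate.
affected_hosts() {
    while read -r host version; do
        [ -n "$host" ] || continue
        if [ "$(heartbleed_status "$version")" = affected ]; then
            echo "$host"
        fi
    done
}

# Constructed inventory (hypothetical hosts), in the form produced by
# running `openssl version` on each server.
sample_inventory() {
    cat <<'EOF'
web1.example.edu OpenSSL 1.0.1e 11 Feb 2013
web2.example.edu OpenSSL 1.0.1g 7 Apr 2014
legacy.example.edu OpenSSL 0.9.8y 5 Feb 2013
pay.example.edu OpenSSL 1.0.1e-fips 11 Feb 2013
new.example.edu OpenSSL 1.0.1 14 Mar 2012
EOF
}

sample_inventory | affected_hosts
```

A distribution package can carry the fix while still reporting an affected upstream version string, so confirm an "affected" result against the package changelog before treating the host as unpatched.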
A major security vulnerability named Heartbleed was disclosed Monday night. The vulnerability affects a large portion of websites on the Internet and here at UCCS that use OpenSSL to encrypt webpages (pages that start with https). Tuesday morning, UCCS IT began evaluating and addressing all UCCS systems potentially impacted by this vulnerability.
Critical UCCS systems have already been upgraded to the latest version of OpenSSL, and we are actively upgrading secondary internal systems campus wide. Affected servers had to be updated to the latest version of OpenSSL and new SSL certificates obtained with new private keys to ensure that communications to servers remain confidential. We have no evidence that UCCS sites have been compromised by this exploit, and the web servers that handle UCCS authentication requests were never at risk because they did not use OpenSSL.
In the meantime, we are advising everyone to be careful about what sites you visit. If you are curious as to whether or not a page may be impacted by the vulnerability, you can visit a heartbleed test site and put in the name of the website you are concerned about to see if it is vulnerable or not.
Also we have received notice from CU System that Nelnet’s vulnerabilities have been addressed by the vendor. Maintenance pages have been removed, and you can again make online and e-check payments.
A major vulnerability has been identified in the technology that encrypts most secure website transactions. This vulnerability would allow an attacker to pull information from a secure web server. We have found that Nelnet, the application used by students and parents for online bill pay, is currently subject to this vulnerability.
Because this places the payment information of our community members at immediate and direct risk, we have disabled Nelnet until we have verification from the vendor that the issue has been addressed. Maintenance pages are currently in place where this application is integrated.
This prevents students, parents, admitted students and academic departments from making credit card and e-check payments, both online and in person, for the following:
• Tuition and Fees
• Application Fees
• Confirmation Deposits
• Registration Advanced Deposits
University Information Systems is working with the vendor to resolve this issue as soon as possible. In the meantime, customers needing to make a payment should contact their respective Bursar's office to coordinate alternate forms of payment. Additional information on alternative forms of payment by campus can be found online:
CU Colorado Springs: http://www.uccs.edu/bursar/contact-us–payment-address.html
A communication will be sent once this vulnerability has been addressed and online bill pay is again available.
Today is the second Tuesday of the month, known as “Microsoft Tuesday” in the IT world. This is when Microsoft releases security and bug updates for all Windows Operating Systems. It is very likely that your computer will need to reboot to finish applying the security updates.
The IT Department recommends you shut your computer down every evening. However, if you leave your computer on, we recommend you save all work and close all open applications to ensure you do not lose any work. Your machine will automatically reboot after these updates have been applied.
If you use Windows 8.1, you will receive an additional update. This update adds additional features, including new keyboard and mouse functionality that makes Windows 8.1 easier to use; these are very welcome changes. The following link provides exhaustive detail on all of the new features: http://winsupersite.com/windows-8/windows-81-update-1-review
Please let us know if you have specific questions and we will be happy to help.
In less than 2 weeks Microsoft will end support of their Windows XP operating system, with the official date being April 8th, 2014. What does this mean and what should you do if your computer still runs XP? Less than 2% of all computers connecting to UCCS are running Windows XP. However, if you own one of these computers this email may be of value to you.
End of support means that Microsoft will no longer issue security updates (Windows Updates), leaving your computer vulnerable to viruses, malware and other malicious software, and easier to compromise for criminals trying to gain access to your information.
Please let us know if you have specific questions and we will be happy to provide advice.
10:50 AM 3/27/14
Phone service has been restored. If you need to reach any of the departments impacted by this outage the numbers are listed below.
8:20 AM 3/27/14
We are currently experiencing issues with the phone system that handles many of the student services departments across campus.
The main lines for the following departments are currently unavailable. If you need to reach these departments, please send an email to the appropriate address.
We apologize for the inconvenience. We are actively working with our vendor to restore service and will send follow-up emails as the status changes.
Beginning at 10:00 pm this evening and lasting until 12:00 am we will be performing emergency server maintenance that will impact multiple services.
During this maintenance the following services and systems will be unavailable:
Dear UCCS Students, Faculty and Staff,
This morning a phishing email was sent to the entire campus with the subject “Upgrade Status – Please Read!”. This is someone trying to gain access to your account by having you click on a link to provide your username and password. If you clicked on the link in the email and provided your password, please contact us immediately by phone at 719-255-3536.
Below is the body of the email. You will notice that the link you are asked to click begins with http://aguacomunicaciones.cl/, which is not a UCCS website. If you have clicked on the link, you will notice the page looks very much like our portal; however, it is not. If you have clicked on the link and provided your username and password, please contact us immediately.
This Sunday (3/14/14) from 8:00 am to 11:00 am, there will be multiple campus systems unavailable for maintenance. In preparation for the start of the fall semester, both UCCS IT and University Information Systems (UIS) will be performing maintenance on several systems utilized by the campus. Below is a brief summary of the maintenance schedule. All UCCS resources will be restored and accessible prior to the library opening at 11:00 am.
All Portals and DARS Unavailable 6:00 am – 6:00 pm
All campus IT Services will be intermittently unavailable from 8:00 am – 9:00 am
Orgsync, Simplicity and Mediasite will be unavailable from 9:00 am – 11:00 am
As of 12:15 pm access to all services has been restored. Please contact us at 719-255-3536 if you experience any issues.
At this time we are experiencing issues with multiple services, including but not limited to Email, Z: Drives, Department Shares, Office 365.
We are working to resolve the issue as quickly as possible.