Heartbleed vulnerability FAQs
- What is Heartbleed?
Heartbleed is a recently discovered vulnerability in OpenSSL, which is an open-source implementation of an encryption protocol used by many systems, especially web servers. The vulnerability can leak critical, sensitive data, such as passwords and private keys.
- How is it affecting McGill?
It is impossible to determine exactly how much of an effect this has had on our data and systems, because it leaves no traces. This vulnerability has existed for the last couple of years, but was only made public this week. It is important to note that most of our core IT systems, such as Banner and Minerva, do not use a vulnerable version of OpenSSL. We are in the process of reviewing our vulnerabilities and patching the systems that require it in order to ensure the integrity and confidentiality of our data.
- How does it affect me?
This problem goes far beyond McGill. Organizations around the world are checking and updating their systems to deal with this vulnerability. It is possible that some of your personal data (passwords, etc.) has been compromised, but not necessarily at McGill. As mentioned above, it is impossible to know how much data has been stolen on a global basis. CNET (an external, third-party website) has an updated list of Heartbleed’s impact on the most popular American social, email, banking, and commerce sites.
- What do I have to do to protect myself?
At an appropriate moment, when vulnerable systems have been fixed, you will begin to hear from organizations, such as McGill, that it's time to change your passwords. When creating a new password, choose a strong one. But please note: McGill will not send you an email asking you to "click here to change your password".
- Is the system fixed? If not, when?
We anticipate our central IT systems will be updated to address the vulnerability by the middle of next week (April 16). We will proactively replace system certificates before we ask you to change your passwords. This will take an additional week or so. We will send a message in advance of the request to change passwords.
- What about my exams that start next week? Will this have any effect on them?
We’ll make every effort to schedule system downtime to minimize any negative impact on the McGill community.
- When will we be back to normal?
Our goal is to have the central systems fully updated before the end of April.
- Have you detected anyone trying to take advantage of this?
Yes. We have blocked a number of attempts to exploit the vulnerability. We continue to monitor network traffic for potential abuses and take corrective action when needed.
- What about my computer at home? My iPhone/iPad?
When directed by various legitimate organizations, you will need to change passwords on all your devices and in any locations where you have saved your password. Linux users may be especially vulnerable to this threat. It is always a good idea to keep software on your devices up to date.
- How will you tell me what to do next? By email?
We will continue to communicate with you by email, the McGill Reporter, and through the McGill IT website, where you can validate the information we send to you. As noted above, we will never send you a message asking you to “click here” to change your password.
- I've seen fake McGill emails that look like they come from IT. How will I know if they're legitimate or "phishing"?
Check the IT Security alerts page to see if the email has already been identified as a phishing scam. If it is not there, we encourage you to send the questionable email to the IT Service Desk at ITsupport [at] mcgill [dot] ca, making sure not to click on any links in a suspicious email. When in doubt, don’t hesitate to ask.
For more information on phishing see:
- Is my direct-deposit paycheque vulnerable?
Just like with any phishing campaign, if your McGill credentials are compromised, then your bank direct-deposit information could have been changed on Minerva. However, McGill will be taking additional precautions to validate direct-deposit account changes made through Minerva.
- Can someone else access my T4s or my transcripts?
Just like with any phishing campaign, if your McGill credentials are compromised, then your personal information could have been at risk.
- What's the worst that can happen to me?
Identity theft would be among the most serious consequences. As a result, please take the time to monitor your banking, credit ratings, and online identities for any unusual activity.
- How can I know if I will be secure given that it took the community 2 years to find this bug?
There will always be risks associated with the transmission and storage of private information. The IT community is constantly looking for new vulnerabilities and adjusting their practices in response. As an end-user, you always need to be vigilant and take steps to safeguard your data and online presence.