Heartbleed vulnerability


You may have become aware, through media or other means, of a computer security vulnerability called Heartbleed that is affecting networks around the world.

This bug, which has existed since late 2011 but was only widely recognized this week, makes password and other sensitive data vulnerable to theft.

I first want to reassure you that McGill’s IT Services is devoting their full attention to this problem in order to patch any vulnerabilities and reinforce the security of our systems in general. The work needed to reinforce the security of our systems will not be accomplished overnight but will take place in stages over the next couple of weeks. Urgent matters, such as applying patches to vulnerable systems, are being dealt with first.

At the moment, we are not asking you to change your McGill password. Later, once other elements of our systems have been updated, we will ask you to change that password. There will be a separate communication to the McGill Community on this. But please note: MCGILL WILL NOT SEND YOU AN EMAIL ASKING YOU TO “CLICK HERE TO CHANGE YOUR PASSWORD.”

As always, it is important to be vigilant about “phishing” scams, where people try various means to harvest your personal information, such as passwords. If you receive an email that looks like it comes from McGill, but includes a “click here to change your password” link, please do not click on the link, but send the email to ITsupport [at] mcgill.ca so a warning can be posted on the IT Security alerts page.

We will send out a more detailed email before the end of this week that will include a list of Frequently Asked Questions and their answers.

IT Services will make this issue a priority over the next few weeks. As such, other non-emergency services may be delayed or slower than normal. We apologize in advance, but ensuring the security of McGill systems and data is paramount.