Heartbleed bug and Fermilab

There has been much publicity about the recently discovered Heartbleed bug in OpenSSL software. OpenSSL is used to encrypt and protect sensitive information, such as passwords and credit card numbers, during transmission across the Internet. Only certain versions and configurations of OpenSSL are vulnerable, and early reports describing the types of sensitive information that are exposed may be somewhat misleading.

In order to proactively address this issue, Fermilab has identified and addressed any of our systems (primarily Web servers) that were vulnerable. We have also been watching for and blocking any external attempts to use this bug to extract information from us. Moreover, the secure sites and services most commonly used by Fermilab users — FermiMail, SharePoint, Fermilab Time & Labor, ServiceNow and VPN — were never susceptible.

If you have concerns about your personal information being vulnerable at non-Fermilab websites, see this list of which popular sites are affected. Be careful about changing passwords until you are informed that a site has been secured. And continue to be alert for spam email and phishing attempts to exploit people’s nervousness about these recent events to obtain your passwords by more traditional means.