[April 11, 2014] [Copy of email sent to DePaul University Community]
This email is to provide information to the University community on the recent, well-publicized Internet vulnerability known as the "Heartbleed bug"  and to advise you on actions you should take to protect your information both at DePaul and at other institutions.
The Heartbleed vulnerability is an exposure in software widely used on the Internet to secure network communications. Servers that run the vulnerable software could have their memory contents exposed to an attacker without the attacker logging in. Memory contents might include user credentials, other highly sensitive information, and even the "secret keys" by which network communication is secured. The bug has existed for two years, but was only recently discovered and made known to the public.
What we are doing
Organizations around the world, including DePaul University have been working to remediate the problem. DePaul Information Services has evaluated our data centers and has been in communications with other areas at DePaul which may also run servers. We have remediated those servers which were vulnerable and continue to monitor events relating to this and other security events.
What you can do
Because of the Information Services data center protection strategy and architecture, DePaul had very few central sites which were vulnerable to this bug. Although we believe that the likelihood of any particular user credential being compromised is not very high, in an abundance of caution, we advise all DePaul users to change their CampusConnect password, most especially if you use the same password on outside systems. For most customers on DePaul systems, this can be done through CampusConnect - Change My Password. If you use an external system for DePaul business, which is not tied in to your CampusConnect credentials, please also change your password on this external system.
The Heartbleed bug has affected a number of very large, high profile websites, including Yahoo, Tumblr, Amazon and other very popular online businesses. DePaul Information Security believes that it would be in each person's best interest to take this opportunity to change the passwords they use on all websites - both professional and personal, especially if the system does not employ some form of "two factor" authentication. If however, a website you have an account on has notified you that they have not yet remediated this issue - it is best to wait to change your password there until they have. This is a difficult situation in that it may not be possible to understand whether a particular site has been made safe or not. There are some pages which perform tests of a given site, yet they are not 100% reliable.
Although managing multiple credentials can be very challenging, please remember that it's not a good idea to synchronize passwords across websites when the information the account accesses is sensitive (such as health information, financial information, business-related private information). We have, unfortunately, seen many examples of credentials stolen from a weakly protected site used successfully on a different, more critical site.
We expect that coming soon will be numerous scam emails, purporting to be from companies you may or may not do business with, asking you to change your password because of Heartbleed and providing you a link. Please exercise extreme care with these emails. It is much safer to go to the website by typing it into your browser and navigating to the change password functionality. It is practically a certainty that most of us will be receiving an email of this type, attempting to gain access to our credentials. If you have any questions about the validity of an email like this that your receive, please forward it to firstname.lastname@example.org and we'll be glad to review it.
If you have any questions on this please write to email@example.com or call the Technology Support Center at 312.362.8765.
You have received this message because our records indicate that you are a current student, faculty member, staff member, or retiree of DePaul University. Such messages are sent periodically to the entire university community on a need-to-know basis. Students, faculty, staff, and retirees may not choose to unsubscribe to these messages. If you are NOT a current student, faculty member, staff member or retiree: contact firstname.lastname@example.org. Thank you.