Reporting Security Issues
If you are the victim of a security-related issue such as a phishing scam or spam attack:
Security Awareness Training: The Office of Information Security provides security training for departments on campus that deal with Protected Information (PI) and Personally Identifiable Information (PII). To learn more about this training, please visit the OIS website.
Be Aware: IS also developed Be Aware, a student-focused site which discusses security awareness and the effective ways to respond to security threats.
Helpdocs - Protect Your Computer: General information on protecting your computer from malware and malicious actors can be found on OSU's Helpdocs website.
A program (OpenSSL) that manages the secure transmission of data across the Internet was discovered to have a bug. This bug, known as “heartbleed,” could allow attackers to steal the private keys used to encrypt data prior to transmission across the Internet. With the keys, the attacker would be able to decode all of the data, including passwords and personal information entered into a website.
Information Technology personnel at Oregon State University have been aware of the problem since the disclosure of the bug on Monday evening, and have been working hard to identify and patch affected systems. So far, the impact on secure systems at OSU appears to have been minimal—ONID, for example, does not use a version of OpenSSL that is vulnerable to this bug; the main OSU secure webservers were not vulnerable as well. Systems that have been discovered as vulnerable are being patched, and if warranted, new encryption keys are being generated.
Although we have no evidence that any OSU sites have been compromised through this exploit, this bug existed for almost 2 years before being discovered by security researchers. We would encourage you to pay close attention to all your sensitive user accounts across the Internet and follow the recommendation of the owner of those services. Because of the widespread impact, we recommend that you change your OSU passwords, especially if you used the same password at multiple sites.
Warning: We’re starting to see evidence of fraudulent email claiming to be from affected companies asking that you change your password by clicking on a link in the email or replying to the email. Please do not fall prey to these.
If you run a server such as a web or email server or have a Network Attached Storage (NAS) or other device that uses OpenSSL, please follow the instructions at http://heartbleed.com to ensure that your device is secure. A running list of hardware/software vendors impacted by this bug is being maintained here: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4.
Additional information on the heartbleed bug can be found here:
High Risk Malware Warning
CryptoLocker is malicious software that encrypts files on your computer, on an attached USB drive, or on a network share, then displays a screen that demands that you pay a $100-300 ransom within 96 hours to get them back. There is no guaranteed way to recover the files if you do not pay the ransom. DO NOT PAY THE RANSOM.