Tech’s Main Systems Not Compromised by Heartbleed

Most users do not need to worry about changing their GT login passwords — with a few exceptions

This week’s Heartbleed web security vulnerability had users of numerous popular websites scrambling to change passwords. Thankfully, none of Georgia Tech’s significant systems were affected.

“As soon as we became aware Monday, we did a scan of all our campus systems,” said Jimmy Lummis, cybersecurity policy and compliance manager in the Office of Information Technology. The scan reported 120 unique IP addresses as being vulnerable. After five days of patching by OIT employees across campus, that number is now fewer than 30.

Because Tech’s main systems were not affected, most users do not need to worry about changing their Georgia Tech login passwords — with a few exceptions.

“Where I would be concerned is if users are using the same password for Georgia Tech as they are with other websites or systems,” Lummis said. He advised those users to change both passwords as a security measure.

“The other important thing to remember is that just because a site was vulnerable to Heartbleed, it doesn’t mean people got ahold of your information,” Lummis said. “All someone would get from exploiting Heartbleed would be a segment of memory stream for a particular process, which may or may not have any authentication information.” This differs from other types of security breaches in which large volumes of names, personal information, and credit card information are compromised.

OIT continues to run periodic scans to monitor systems as they are patched. Firewalls will block anything attempting to launch the Heartbleed vulnerability against any of Tech’s systems. For external sites, Lummis advised users to find out if the site has been patched before changing their passwords, or else they’ll have to be changed a second time.

Faculty and staff can also consider using LastPass, a password management tool for which they can get a license from OIT. This tool was not vulnerable to Heartbleed, and in security breach situations it can notify users on which accounts passwords should changed.

Additional Images