Getting to the heart of Heartbleed
By Olivia Krauth
A new bug called Heartbleed was discovered this past week, and it may have existed in widely used software for two years. However, professionals are unsure whether it has affected anyone yet.
“Heartbleed is a recently discovered vulnerability in a common software toolkit used by many web servers to encrypt sessions between the website and the end user,” explained Andrew Wright, a computer information systems assistant professor at U of L.
Wright said that Heartbleed “creates a serious vulnerability” in sites that are not running the most current version of the OpenSSL project’s software. Attackers can gain access to user data on affected sites.
“This data could include user ids, passwords, and even the server’s own keys that could be used to impersonate the web site or potentially decrypt sessions with end users that are supposed to be secure,” said Wright. “While the bug has existed for two years, it is not thought that hackers knew of its existence until earlier this week. Attacks are very likely against unpatched servers in the coming days and weeks.”
U of L’s IT department sent students an alert email about the issue on April 10. The email warned about the power of Heartbleed, and suggested students change all passwords to online accounts. The email also said that IT had “identified and patched the affected enterprise systems” prior to the sending of the email. Wright noted this, saying, “Most of the major web sites on the internet are moving quickly to install updates, as well.”
Because the bug affects any site running the OpenSSL project’s open source toolkit, anyone can be a target. Several popular sites, including Facebook and YouTube, use the software. Some sites, including Amazon, do not use the software, so their users are not affected. Wright suggests that students check lists online to see which sites have protected themselves and their users against the bug.
Wright does not believe that college students will be more affected by the bug than the general community.
“This vulnerability affected so many popular sites, it is likely that most of us will have to take action to protect ourselves after these sites have been patched,” said Wright.
“Heartbleed is a vulnerability in web server software, so end users won’t have to install any updates on their own computers to address it,” said Wright when asked about prevention of Heartbleed. “However, once a vulnerable site that you’ve logged into in the last two years is fully patched, you should change your password on that system. If you’d used that same password on other systems, you should consider them at risk and change those, as well.”
Wright believes that fake emails will be sent out in an attempt to “prey” on users. “This may be confusing to users because they will also be receiving legitimate requests from affected sites asking them to reset their passwords after the sites have patched their web servers,” said Wright. He recommends going straight to the site to change your password rather than following links in emails.