University should not be at risk from ‘Heartbleed’ security flaw, according to ITS

Nicole Bueno

While a flaw in an online security protocol has threatened the safety of passwords and other sensitive information on the Internet, it should not significantly impact the University, according to Cam Beasley, the University’s chief information security officer.

The flaw, nicknamed the “Heartbleed bug,” affects OpenSSL, software many websites use to secure the connections that carry sensitive information such as passwords and credit card numbers. The flaw is believed to have been written by a German programmer in March 2012 and was discovered by researchers from Finland and from Google.

Bloomberg reported that the bug, dubbed one of the biggest Internet security flaws in history, affects over two-thirds of all Internet websites. The bug could also affect smartphones, routers and other systems that employ OpenSSL.

Beasley said Heartbleed’s impact on the University is minimal, though he did confirm OpenSSL is used in UT information systems.

“[There is] no real risk to students using central IT services, but it is possible that various Internet services they use could have experienced some exposure depending on if they were vulnerable and how long they took to patch systems,” Beasley said. “Several systems were patched once the update became available, but no critical services were exposed.” 

Classical archaeology senior Beth Rozacky said, though the flaw is worrying for some people, she feels the information that could be potentially leaked is already more available to hackers than most people realize.

“My personal information is already out there because of the organizations I’m in, so, if someone wanted to find something, it would be pretty easy,” Rozacky said.

On Friday, the Obama administration denied that the National Security Agency, or other parts of the federal government, had known about the Heartbleed bug after Bloomberg reported the NSA had been withholding information about the flaw in order to pool valuable data for itself.

“[The] NSA was not aware of the recently identified vulnerability in OpenSSL — the so-called Heartbleed vulnerability — until it was made public in a private-sector cybersecurity report,” said NSA spokeswoman Vanee Vines in a statement issued Friday.

Security researchers said the bug allows for data to be accessed in increments of only 64 kilobytes, making it less ideal for wide-scale espionage.

Engineering assistant professor Mohit Tiwari said the harm caused by the bug is apparent but difficult to assess.

“The Heartbleed bug does indeed have very bad consequences for systems that used the buggy version of OpenSSL,” Tiwari said. “There is really no way, however, to measure the extent of the damage since most system logs will have no record of this bug being exploited.”

Tiwari and Beasley both recommended students change their passwords frequently regardless of the risk posed by the bug. According to Tiwari, research into automatically analyzing large systems for such bugs should receive a big boost due to the bug’s discovery. Rozacky said she hopes the research will provide more information for the public.

“I think people should have been aware of the dangers of hacking before things like Heartbleed happened,” Rozacky said.