Bug may reveal private Internet information
One of the most widely used data protection services on the Internet announced last Monday that a security flaw was found that has the potential to expose private user information.
The bug, dubbed Heartbleed, is a vulnerability within the popular security software OpenSSL, said Michael Gergel, director of the Information Protection and Security in the University’s Office of Information Technology. It allows attackers to access information normally protected by the OpenSSL software.
OpenSSL is a tool web services use to encode sensitive data so that outsiders cannot access it, Gergel said, and it is the most commonly used encryption tool.
The Heartbleed bug works by exploiting the “heartbeat” feature in certain versions of OpenSSL, said Val Red, junior system administrator at Rutgers Engineering Computing Services.
The heartbeat sends small amounts of information between a website’s server and the user currently logged in, said Red, a School of Engineering senior.
Attackers are able to send fake heartbeats to the server and receive responses that may include account information, user passwords or encryption keys, he said.
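The exchange described above, as an added illustration that is not code from the article, from Rutgers or from OpenSSL: a Python sketch of the TLS heartbeat message layout defined in RFC 6520 (a one-byte type, a two-byte payload length, the payload, then at least 16 bytes of padding), with a hardened handler that applies the length check a patched server performs, placed beside a simulated unchecked handler that operates on a constructed bytes object standing in for server memory. The function names, the constructed "secret" buffer and the sample requests are assumptions made for the example.

```python
"""Heartbeat record handling, added example (not the article's or OpenSSL's code).

Layout per RFC 6520:  type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
"""
import os
import struct
from typing import Dict, Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # 1 byte type + 2 byte payload_length
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None,
                    msg_type: int = HEARTBEAT_REQUEST, padding_len: int = MIN_PADDING) -> bytes:
    """Encode a heartbeat message. declared_length is overridden only to construct a
    malformed message whose length field disagrees with the bytes actually sent."""
    if declared_length is None:
        declared_length = len(payload)
    return struct.pack("!BH", msg_type, declared_length) + payload + os.urandom(padding_len)


def parse_header(record: bytes) -> Tuple[int, int]:
    """Return (type, payload_length) from the first three bytes of a record."""
    if len(record) < HEADER_LEN:
        raise ValueError("record shorter than heartbeat header")
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    return msg_type, payload_length


def respond_unchecked(record: bytes, memory: bytes) -> bytes:
    """Simulated pre-fix behaviour. `memory` is a constructed bytes object standing
    in for the server's heap, with the record at its start. The handler trusts
    payload_length and copies that many bytes after the header, so a length larger
    than the real payload also returns whatever sits next to the record in memory."""
    _, payload_length = parse_header(record)
    echoed = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + os.urandom(MIN_PADDING)


def respond_checked(record: bytes) -> Optional[bytes]:
    """Hardened handler: the declared payload plus mandatory padding must fit inside
    the record that was actually received. Malformed messages are dropped silently,
    which is what RFC 6520 prescribes, so only bytes the client really sent are echoed."""
    msg_type, payload_length = parse_header(record)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + os.urandom(MIN_PADDING)


def response_payload(response: bytes) -> bytes:
    """Strip header and padding from a response so the echoed payload can be compared."""
    _, payload_length = parse_header(response)
    return response[HEADER_LEN:HEADER_LEN + payload_length]


def demo() -> Dict[str, object]:
    # Constructed data: a neighbouring buffer that must never leave the server.
    secret = b"session=CONSTRUCTED-SECRET-TOKEN"
    good = build_heartbeat(b"ping")                       # length field matches payload
    bad = build_heartbeat(b"ping", declared_length=40)    # 4 real bytes, field claims 40
    return {
        "good_checked": response_payload(respond_checked(good)),
        "bad_checked": respond_checked(bad),
        "bad_unchecked_leaks_secret": secret[:10] in respond_unchecked(bad, bad + secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The single comparison in `respond_checked` is the whole difference between the two handlers: the well-formed request is echoed either way, while the request with an inflated length field is discarded by the checked handler and, in the unchecked simulation, comes back carrying bytes from the adjacent constructed buffer.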
While security breaches happen fairly regularly, the severity of Heartbleed’s impact is due to both the popularity of OpenSSL and the delay in software updates since the bug was made known, he said.
“When a vulnerability is announced, it’s not only the people that need to fix the problem who get informed about it, but the people who take advantage of the problem and begin to look for ways to exploit it,” Gergel said.
In the case of Heartbleed, little time passed between the OpenSSL developers learning of the bug and the announcement of its existence, he said, so the developers had less time to fix the bug before attackers learned of it.
While OpenSSL is the most widely used encryption tool, Gergel said, only the versions containing the heartbeat feature can be targeted. Older versions and some customized versions are not affected.
Still, as many as 500,000 websites were running the faulty versions when Heartbleed was announced, he said. Many have since updated their servers, but there is no way to tell what information, if any, has been stolen.
Most affected web services are recommending password changes, and users should check an individual service provider’s statement on the security breach and follow its advice on keeping the user accounts safe, Gergel said.
Information Protection and Security at Rutgers is aggressive about ensuring security within the University, he said, and it regularly monitors systems to identify any that are affected.
He said that the University’s Central Authentication Service is not operating on a version of OpenSSL vulnerable to Heartbleed, and student information remains protected.
“Banking institutions can customize their versions and disable the heartbeat because they see it as potential for information to be leaked,” Red said.
Many social and entertainment sites — including Google, Yahoo, Netflix and possibly Facebook — are among the Heartbleed victims, he said.
The importance of a website’s security depends on the purpose of the website, said Nicole Aubourg, a sophomore in the School of Environmental and Biological Sciences.
She said she takes great measures to ensure that she logs out of any site containing financial information and also clears her browser history. She is much less concerned about protection of social media.
Red said although social media sites do not contain as much sensitive information, many people are surprised by what attackers can obtain using trivial information.
Christina Parry, a School of Engineering first-year student, recognized the importance of protecting any information web users put online.
“We use the Internet for so much now that we didn’t in the past, like banking and shopping,” Parry said. “We rely on it so much more that it’s more important than ever to stay on top of our information.”