Rutgers maintains security after Heartbleed bug
Heartbleed, a security flaw with the potential to disclose sensitive user information, has been affecting websites worldwide for the past month.
Heartbleed takes advantage of a flaw in the security software OpenSSL, which is one of the most popular web security services in use today, said Michael Gergel, director of the Information Protection and Security department in the University’s Office of Information Technology, in an article for The Daily Targum.
Myriad web providers were forced to patch their servers after the announcement of the bug on April 7, according to cnet.com. More than 30 of the top 100 U.S. web services had been using vulnerable versions of OpenSSL.
Gergel said as many as 500,000 websites worldwide were susceptible to Heartbleed at the time of the announcement, and anyone who logged into these websites before the update had the potential to be attacked.
Attackers targeting an affected website could obtain anything from user account information and passwords to encryption keys that would give access to any data stored on the web server, said Val Red, junior system administrator for the University’s Engineering Computer Services.
The bug allowed attackers to obtain random chunks of data stored in the server, Gergel said, so the chances of Heartbleed revealing sensitive information were low but definitely possible, and the likelihood increased with more attacks.
Rutgers’ Central Authentication Service was unaffected by the bug, he said, but the OIT urged students to remain cautious while browsing the web.
Donald Smith, vice president for information technology and chief information officer of the OIT, sent emails to all Rutgers students recommending password changes and advising them of other vulnerabilities attackers might use to their advantage.
“OIT expects that ‘phishers’ will attempt to exploit this opportunity,” Smith said in an email. “Please be vigilant in protecting your identity and do not click on links in emails.”
Phishers impersonate trusted web services in emails, fake websites or even phone calls to obtain private information, Gergel said, and unsuspecting users comply.
Red, a School of Engineering senior, emphasized in the Targum article the importance of taking the necessary steps to keep user information as secure as possible in light of the bug.
“Exercise situational awareness when accessing a site, and consider logging out every time you’re done,” he said in the article. “Be smart about what you do on the web.”