A recently discovered security weakness called Heartbleed has caused quite a stir in the Internet world. It’s being described as one of the most significant breaches of online confidential information in history.
Heartbleed was discovered in early April by a member of Google’s security team, and at this time most major websites have either implemented a patch or released statements claiming their servers were not affected.
Portland State’s Desire2Learn and Banweb websites use Open SSL, the open source cryptology protocol which Heartbleed targets. Open SSL is commonly used by major websites, including Instagram, Tumblr, Google, Yahoo and Gmail.
Chuck Lanham is the chief information security officer at PSU’s Office of Information Technology. He explained the origins of the flaw and fevered public reactions.
“It’s a result of a coding flaw in an open source piece of code called Open SSL,” Lanham said. “Open source is a publicly available code so anyone can grab it and make their tweak. A coder for Open SSL inadvertently created the flaw. Because it’s part of an open suite it has a high visibility and high usage. That’s why Heartbleed is getting such notoriety.”
One of the more alarming aspects of Heartbleed is how long it’s been around without anyone’s knowledge. The vulnerable code was adopted in widespread use in March 2012, so in the last two years a large portion of Internet traffic has been susceptible to information thieves.
“Traffic thought to be encrypted was not encrypted,” Lanham said. “If that web server was performing any sort of e-commerce and credit card info was being passed—and everyone thought Open SSL was encrypted, but it wasn’t encrypted as expected—cards, passwords, and other sensitive data could have been obtained by someone it’s not intended for.”
Also problematic is the lack of ability to track those who steal this info.
“The worst part is if someone knew about this exposure they could gather information and there is no trace left behind of the intrusion. It was undetected,” Lanham said. “The chaos from an IT perspective is over. People have heard about Heartbleed, I’m not sure they’ve taken sufficient steps. If someone has ownership of their sensitive info perhaps they haven’t used it yet but they could and assume your identity.”
PSU has taken measures to prevent Heartbleed from affecting its systems, and according to OIT, there is no indication that any personal information was harvested from PSU servers. When the chaos of Heartbleed spread, other Open SSL users installed patches similar to those used by PSU.
“It varies by company. This caught enough attention of the IT community [that] everyone dropped what they were doing to upgrade their web server,” Lanham said.
OIT recommends that all PSU students and staff change their passwords not only for pdx.edu, but for all major websites. They emphasize that the risk of intrusion is real, and that often people don’t take the necessary steps when threats like Heartbleed emerge.
“In general, people don’t understand the complexity,” Lanham said. “Once they’ve been affected or someone close to them has, they pay attention. They aren’t fully in tune with the seriousness of the consequences.”
This article at mashable.com explains the Heartbleed bug in more detail, including a list of affected sites: mashable.com/2014/04/09/heartbleed-bug-websites-affected/