Saturday, May 18
The Indiana Daily Student

IU websites vulnerable to Heartbleed bug

IU students learned Tuesday that a flaw present since March 2012 may have exposed them to attackers on seemingly secure websites.

The Heartbleed bug, a programming error in some versions of OpenSSL, the cryptographic library used extensively to protect sensitive information in transit, presents a threat to personal online security.

Secure Sockets Layer, or SSL, is a protocol used extensively on the Internet to protect sensitive information such as passwords and credit card numbers.

The most common use of SSL is to protect information sent between a web browser, such as Internet Explorer, and a website, such as Facebook.

OpenSSL is a popular implementation of SSL, Chief Security Officer Tom Davis said in an email.

It is used on many of the websites whose URLs begin with “https,” the “s” meaning the connection is encrypted. A green padlock near the URL signifies the same thing.

Despite this, if the web server runs a vulnerable version of OpenSSL (versions 1.0.1 through 1.0.1f), it may still be at risk. The padlock only says that the connection is encrypted, not that the server software behind it is free of the bug.

“Normally, users can take direct and immediate action to protect themselves against most computer security threats,” Davis said. “However, in the case of Heartbleed, it’s a little more difficult than that.”

Davis said the bug can affect anybody using a site that runs a version of OpenSSL that has not been patched.

Heartbleed allows hackers to read sensitive information such as passwords and credit card numbers directly from the server’s memory, where it is held temporarily while the server does its work, Davis said. Each malformed request can return up to 64 kilobytes of that memory, and an attacker can repeat the request as often as they like without leaving a trace in ordinary server logs.

It also allows the hackers to obtain the server’s security keys, which can let them eavesdrop on communications or even impersonate the web server a user wants to access.

If a hacker impersonates the server, a user may think they are securely logging into their online banking account.

But in reality, they are handing their credit card number, Social Security number and bank details directly to a hacker.

Davis said the University Information Security Office has not received reports of students experiencing this.  

Doctoral student Nathaniel Husted of the School of Informatics and Computing said IU’s websites have checked out so far.

“As far as I can tell, IU’s services have already been patched,” Husted said.

The bug came out publicly Tuesday morning, and by Tuesday afternoon most websites, including websites maintained by UITS, had already patched the Heartbleed problem, he said.

Husted said patching the problem is an easy task.

“It’s literally just the software update,” he said. “That’s all we need to do.”

Websites such as indiana.edu seem to be secure again, he said.

Despite this reassurance, Husted said he cannot confirm that any non-UITS websites have been fixed, though they should be managed rather quickly due to the nature of the situation.

He said department servers may need to be patched by local administrators rather than UITS, depending on whether or not they are run by UITS.

Now that Heartbleed is no longer a threat to many big web servers, Husted encourages students to heighten their online security.

“The important thing is to change your password after things have been patched,” he said.

Changing a password before the site is patched can be counterproductive: if the server is still vulnerable, the new password passes through the same leaky memory as the old one, and an attacker may end up with both.

Husted said people can check to see if a website has been patched using Heartbleed and SSL tests, available online.
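To show how the memory read Davis describes actually happens, and what the online Heartbleed tests Husted mentions check for, here is a constructed Python model added to this article. It is not OpenSSL’s code and not anything the university published. The heartbeat message layout follows RFC 6520; the “process memory,” the login data and the key fragment placed after the request are made-up stand-ins for the heap contents a real server would leak; the 0x4000 claimed length matches the probe the public test scripts sent. The bounds check in the patched handler mirrors the fix that shipped in OpenSSL 1.0.1g.

```python
"""Heartbleed in miniature: a constructed model of the TLS heartbeat exchange
(RFC 6520), the unpatched handler that trusts the client's length field, the
patched handler that checks it, and the verdict rule the online testers use.
Illustrative code only, not OpenSSL's own."""
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat messages
TLS_VERSION_1_1 = 0x0302
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                    # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_record(payload: bytes, claimed_length: int) -> bytes:
    """Frame a heartbeat request in a TLS record.  An honest client passes
    claimed_length == len(payload); a Heartbleed probe claims far more."""
    body = struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION_1_1, len(body)) + body


def _parse_record(record: bytes):
    """Return (content type, record length, heartbeat type, claimed payload length)."""
    ctype, _version, rrec_length = struct.unpack("!BHH", record[:5])
    hb_type, payload_length = struct.unpack("!BH", record[5:8])
    return ctype, rrec_length, hb_type, payload_length


def _copy_payload(process_memory: bytes, payload_length: int) -> bytes:
    """Stand-in for the memcpy in the handler: copy payload_length bytes from
    the start of the payload, 8 bytes into the buffer holding the record
    (5-byte TLS header + 1-byte type + 2-byte length)."""
    start = 5 + 1 + 2
    leaked = process_memory[start:start + payload_length]
    return struct.pack("!BH", HB_RESPONSE, len(leaked)) + leaked + b"\x00" * PADDING


def vulnerable_server(process_memory: bytes, record: bytes) -> bytes:
    """Unpatched handler (OpenSSL 1.0.1 to 1.0.1f): believes payload_length and
    copies that many bytes although the record is far shorter.  The record sits
    at offset 0 of process_memory; the bytes after it stand in for whatever
    happened to be next in the server's heap."""
    ctype, _rrec_length, hb_type, payload_length = _parse_record(record)
    if ctype != TLS_HEARTBEAT or hb_type != HB_REQUEST:
        return b""
    return _copy_payload(process_memory, payload_length)


def patched_server(process_memory: bytes, record: bytes) -> bytes:
    """Patched handler (OpenSSL 1.0.1g): silently drop a request whose claimed
    payload does not fit inside the record that carried it."""
    ctype, rrec_length, hb_type, payload_length = _parse_record(record)
    if ctype != TLS_HEARTBEAT or hb_type != HB_REQUEST:
        return b""
    if rrec_length < 1 + 2 + PADDING:                    # too short to be valid
        return b""
    if 1 + 2 + payload_length + PADDING > rrec_length:   # the Heartbleed check
        return b""
    return _copy_payload(process_memory, payload_length)


def looks_vulnerable(sent_payload: bytes, response: bytes) -> bool:
    """Rule behind the online testers: a server that echoes more heartbeat
    payload than it was sent is leaking memory.  No reply means it passed."""
    if len(response) < 3:
        return False
    hb_type, payload_length = struct.unpack("!BH", response[:3])
    return hb_type == HB_RESPONSE and payload_length > len(sent_payload)


def leaked_bytes(response: bytes) -> bytes:
    """Strip the heartbeat header and padding to expose what the server echoed."""
    if len(response) < 3:
        return b""
    payload_length = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + payload_length]


# Constructed heap contents placed right after the record: the kind of data
# Heartbleed exposed in practice (session cookies, credentials, key material).
NEIGHBOURING_MEMORY = (
    b"POST /login HTTP/1.1\r\nCookie: session=7f3a...\r\n\r\n"
    b"user=alice&password=hunter2\x00\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow..."
)


def run_probe(server, claimed_length: int = 0x4000):
    """Send a two-byte payload while claiming claimed_length bytes (the probe
    the public Heartbleed test scripts used) and return (verdict, leak)."""
    probe = build_heartbeat_record(b"hi", claimed_length)
    memory = probe + NEIGHBOURING_MEMORY
    response = server(memory, probe)
    return looks_vulnerable(b"hi", response), leaked_bytes(response)


if __name__ == "__main__":
    for name, handler in (("unpatched", vulnerable_server), ("patched", patched_server)):
        vulnerable, leak = run_probe(handler)
        print(f"{name}: vulnerable={vulnerable}, {len(leak)} bytes echoed")
        if vulnerable:
            print("  leak starts:", leak[:80])
```

Run with `python3`, the unpatched handler echoes the two-byte payload followed by the padding and everything placed after the request, including the constructed password and key fragment, while the patched handler returns nothing. The single comparison in `patched_server` is the whole fix; everything else in the exchange is identical. A real test performs the same exchange over a live TLS connection, and the verdict rule is the same: more payload back than was sent means the server is vulnerable.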

Students need to change all of their passwords and consider adding two-factor authentication on as many websites as they can, he said.

Two-factor authentication is when a web service such as Google or Twitter sends a message to your cell phone containing a code you must enter to access your account, even after you have put in your password.

If a hacker does have your password, they still cannot access your information without the code that is on your cell phone.

“It can buy you a little extra time to change your password,” Husted said.

Davis said work is still being done to ensure students’ safety and protection online.

“The University Information Security Office has been pro-actively identifying other services on the University network running vulnerable OpenSSL, and will continue to work with UITS and our departmental IT colleagues to identify, patch and appropriately respond to any that are found vulnerable,” Davis said.

Follow reporter Amanda Marino on Twitter @amandanmarino.
