Heartbleed Bug infects Internet security

By Aaron Bocook, News Writer

Putting information on the Internet is risky.

Recently, a vulnerability called the Heartbleed Bug was discovered in a common cryptographic library called OpenSSL, which, according to EWU security engineer Colin Turnbull, is used by about two-thirds of websites out there. The vulnerability could leave information, which is protected under normal conditions, exposed.

“It’s a pretty significant exposure,” Turnbull said. “The vulnerability itself is called a buffer over-read vulnerability, which could essentially allow an attacker to grab small chunks of memory from the device they are connected to.”

Turnbull said if this happens repeatedly, enough information in memory could be collected that could lead to exposure of passwords and other encrypted data.

Dr. Carol Taylor, professor of computer science at Eastern, said Heartbleed is simply a new example of a flaw in a system that could potentially expose sensitive online information but may not be as unique as the hype suggests.

“Those kinds of things come up every so often,” Taylor said. “Everybody is going along using [Open]SSL, or any kind of cryptography, or any of the programs that you normally use, and then somebody actually spends the time to look at it in depth, and guess what? It’s not so secure anymore. There’s a hole in it. And that just happens over and over and over again.”

The Heartbleed Bug was officially disclosed April 7, which coincided with the release of a fixed version of OpenSSL. Turnbull said he was just leaving work when the Eastern IT department received the disclosure and started checking to see if any of the systems on campus were vulnerable.

“We did find systems that were vulnerable to it,” Turnbull said. “These weren’t enterprise-wide systems. Systems like Eaglenet or email weren’t vulnerable to it.”

Turnbull said the university uses load balancers in front of almost all of its websites that keep a potential attacker from having direct access to the server.

In other words, Eastern protected students before the flaw was even discovered.

In response to the Heartbleed Bug, the IT department sent out a campus-wide email to give faculty, staff and students information they needed to keep themselves safe, including a link to find which sites had already fixed the bug.

“We addressed the vulnerable servers that we did find,” Turnbull said. “Those all were addressed, most of those were addressed within 24 hours of the initial disclosure of the vulnerability. Nothing has been compromised.”

Even though the system has been secured, Turnbull said that does not mean there is nothing to worry about. He said about 1,100 different alerts indicating that people are probing for this particular vulnerability have been found through the intrusion detection system used by Eastern’s IT department, but none of them indicate any successful responses.

“They are constantly scanning,” Turnbull said. “We see scanning on a daily basis for this. But it’s all unsuccessful. The scans can come from researchers, or they can come from legitimate attackers. We see the IP addresses associated with the scanning, but it’s tough to identify who is really behind it.”

Taylor said since she has not had the chance to look at the Heartbleed Bug in depth.  She made an assignment for her students to research a current infection on the Internet and hopes that a few of them will come back with a lot of information about the vulnerability.

“I don’t think [Heartbleed] will put students at any more risk than they are at now,” Taylor said, “The smart thing to do is to watch your data.”