On Wednesday, April 23, the Vassar community received an email from Computing and Information Services (CIS) warning of a recently publicized security bug known as “Heartbleed.” As the email read, “Vassar Computing & Information Services has been working diligently to replace certificates on any servers that were identified to have the Heartbleed Bug vulnerability. That work is now complete, and we highly recommend you change your Vassar passwords.”
According to Business Insider, the Heartbleed Bug is a vulnerability in the encryption software that over half the websites on the Internet rely on when they require users to log in with a username and password.
This security bug was disclosed to the public on April 7, when a fixed version was released. At the time, around half a million Internet users were believed to be vulnerable to the attack. The bug put private information sent through email, websites, instant messaging and VPNs at risk of being stolen.
Essentially, the Heartbleed bug tricks a server into releasing information from its memory, and that information is often personal data such as passwords, credit card numbers and other sensitive details (Businessinsider.com, “Heartbleed Bug Explained in One Cartoon,” 4.11.14).
Usually, all of this information is protected by encryption, but Heartbleed gets around that protection because of a vulnerability in a part of OpenSSL called Heartbeat. Normally, a Heartbeat message carries a short piece of data supplied by the user together with a length field stating how long that data is, and the server echoes the data back to show that the connection is still working. Heartbleed occurs when the length field claims more data than was actually sent, so the server replies with extra data from its memory without meaning to.
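As an added illustration (not code from the article or from OpenSSL), the toy handler below shows the Heartbeat echo with the length check missing, next to the same handler with the check that the fix introduced. The record layout, the in-memory buffer and the secret string are constructed assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy layout of what the server holds in memory: a heartbeat
 * request record followed by unrelated data (a stand-in for a session
 * secret that happens to sit next to the request). Not OpenSSL's real layout. */
#define MEM_SIZE 64
static unsigned char server_mem[MEM_SIZE];
static const char SECRET[] = "session-key-9f3c";   /* constructed sample */

/* Assumed record format: [len hi][len lo][payload...]. Returns the number of
 * bytes the client really sent. */
static size_t build_request(const char *payload, uint16_t claimed_len) {
    size_t actual = strlen(payload);
    memset(server_mem, 0, MEM_SIZE);
    server_mem[0] = (unsigned char)(claimed_len >> 8);
    server_mem[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + 2, payload, actual);
    /* Something sensitive lives right after the request buffer. */
    memcpy(server_mem + 2 + actual, SECRET, sizeof SECRET);
    return 2 + actual;
}

/* Vulnerable handler: trusts the client's length field and echoes that many
 * bytes. Reads are clamped to server_mem so this demo itself stays in bounds;
 * the real bug read past the record into adjacent process memory. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out) {
    (void)record_len;                 /* never consulted: that is the bug */
    size_t claimed = ((size_t)server_mem[0] << 8) | server_mem[1];
    if (claimed > MEM_SIZE - 2) claimed = MEM_SIZE - 2;
    memcpy(out, server_mem + 2, claimed);
    return claimed;
}

/* Fixed handler: the claimed length must fit inside the record that actually
 * arrived; otherwise the message is dropped and nothing is echoed. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out) {
    if (record_len < 2) return 0;
    size_t claimed = ((size_t)server_mem[0] << 8) | server_mem[1];
    if (2 + claimed > record_len) return 0;
    memcpy(out, server_mem + 2, claimed);
    return claimed;
}
```

A well-formed request is echoed identically by both handlers; a request whose length field overstates its payload makes the vulnerable handler return the neighbouring secret while the fixed handler returns nothing.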
The Heartbleed Bug had a long exposure period, so a large amount of private information was left open for people to take and exploit. There are four categories of data that were leaked: primary key material, secondary key material, protected content, and collateral (heartbleed.com). Primary key material is the encryption keys themselves; with these keys, attackers are able to decrypt all the encrypted information stored in computer memory systems. Secondary key material consists of the usernames and passwords used on the vulnerable websites.
Protected content is the actual content handled by the online services, including financial information, emails, instant messages or any documents worth protecting with encryption. Collateral consists of the other details exposed to attackers within the leaked content. One of the most dangerous aspects of this bug is that those whose information is leaked cannot tell whether it has been taken, because exploitation through the bug leaves no trace.
This bug was discovered on April 1 by a group of security engineers at Codenomicon and Google Security while they were making improvements to a safety feature in OpenSSL. Although a patch was written fairly soon, it was discovered that the websites exposed by Heartbleed could have been exploited for at least five months before the bug was found. Some of the most popular websites that were affected include Yahoo!, Pinterest, Reddit, Soundcloud, Tumblr, Stack Overflow and Imgur.
People can also check their most used websites at lastpass.com/heartbleed to see whether those websites were exposed as well.
Tomas Guarnizo ’16 talked about how he was impacted by the bug. He explained, “It is a virus that is designed to gather personal information from webpage users, so there is not much you can do about protecting your information. There should be a list of pages online showing the likelihood of how they might have been affected.”
He continued with a more mechanical explanation of the bug, how it works and the risks it poses to Internet users who could be vulnerable. “It used a loophole in the system which was meant to protect information so the actual programs used for privacy protection services were the ones used to retrieve information from web users. I guess you could change your password, but I don’t know how much that would help. If you are worried about your information, you should stay offline.”
The CIS homepage offers advice on creating safe passwords, with detailed instructions. According to CIS, some passwords are more secure than others. As the website reads, “As easy as it is to use ‘changeme’ or ‘password’ or your name, you are taking a huge security risk by using passwords that are easy to hack. There is an art to choosing a good password. While a good password may take longer to remember, it’s worth the effort to protect your desktop and the entire network. Passwords are an integral part of overall security. A weak password is one of the vulnerabilities most frequently targeted by a hacker.”
Guarnizo also spoke about experiences he has had with stolen information and the kinds of situations people can expect if their private information is stolen by a computer bug.
“Someone did take my information and used my debit card and stole some money so I had to go to Chase bank and get a new card. Fortunately, Chase paid me the money that was stolen and I got a new card. I am not sure if the bug had anything to do with it. There are also number generating programs that produce numbers of 16 characters and 3 characters in order to get card numbers and security codes. If people have these programs working all day long, one might match up, so that could’ve been what happened. Or maybe it was the bug, who knows?” he said.
He continued, “I learned about all this through Google; funny how hackers were probably getting my information while I was looking up how someone was getting my information.”
So much personal information is shared online today that any bug or program malfunction can lead to the loss of private information to hackers ready to take advantage of others. Vassar CIS has responded to Heartbleed, posting on its website and in several emails: “Vassar Computing & Information Services has patched and replaced certificates on any servers that were identified to have the Heartbleed Bug vulnerability. We highly recommend you change your Vassar passwords if you have not done so already.”
The message went on: “Many of the other websites you log in to may be vulnerable, and you may be getting emails from those services, requesting you change your password. When this occurs, it’s important to remember not to click on any links in the email. Phishers may use this opportunity to catch users with their guard down. Change passwords by going directly to the websites. If you use the same password (your Vassar password) for other sites or services, particularly banking or financial services, you should change those passwords as well, even if those services were not affected by Heartbleed.”