As websites and Internet users scramble to assess vulnerability to the Heartbleed Bug, information technology officials have assured CSUN students and faculty that their sensitive information is safe.
The Heartbleed Bug is otherwise known as CVE-2014-0160. It is named after the OpenSSL extension in which Google Security researcher Neel Mehta and Codenomicon, a Finnish security-testing firm, discovered the vulnerability.
OpenSSL stands for Open Secure Sockets Layer and is the most basic way of encrypting information on the web.
The bug has affected at least 500,000 sites according to Netcraft, an Internet research firm.
While a patch has been made for the bug, not all websites have started using it.
CNET has compiled a list of websites that are safe. These include Google, Facebook, Twitter and Amazon.
As soon as CSUN IT found out about the bug, Hilary Baker, vice president of Information Technology, said IT performed scans on all central servers and patched any servers that ran the affected OpenSSL version.
“The central CSUN authentication servers that handle most of the authentication were not impacted,” she said via email. “We replaced SSL certificates in all impacted systems.”
While Google Gmail was affected, Baker said students should be safe. “Google reported that they patched their Google Gmail servers.”
Baker said faculty and staff were not affected because Microsoft does not use OpenSSL.
As for future threats, she said CSUN subscribes to various lists that assess threats to cyber-security.
“CSUN uses scanning and monitoring tools to assess the threat and, where necessary, an ad hoc group is formed to evaluate and recommend remediation if necessary,” Baker said.
Dr. Jeff Wiegley, computer science professor at CSUN, said OpenSSL is a library of code that implements the Secure Sockets Layer (SSL) protocol used for all HTTPS web browsing.
Wiegley said when you see https on a page, the site has to have completed the SSL protocol, and one of the most used implementations of that protocol is the open source product called OpenSSL.
Wiegley said the seriousness of the flaw is based on the ability of someone to access sensitive information such as passwords.
“If a system is implementing its SSL with OpenSSL implementation, then a user can exploit the security flaw in the OpenSSL library to access memory on the host computer and get anything that is in memory at that time,” Wiegley said. “Because things like passwords are often cached, other people’s passwords could be in memory at the time someone is accessing the web page and exploiting the security flaw.”
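To show what the flaw Wiegley describes looks like at the code level, here is an added example (not from the article and not OpenSSL's own source) that reproduces the shape of the missing length check beside the check the patched release added; the record layout and the buffer contents are constructed for the demonstration, and the buffer is sized so the demo itself never reads outside its own array.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for process memory: one heartbeat record that really
 * arrived (type byte, 2-byte big-endian payload length, "hello"), followed by
 * unrelated data ("SECRET-DATA") that happens to sit after it. The length
 * field claims 32 bytes of payload although only 5 arrived. */
#define RECORD_LEN 8
static const unsigned char process_mem[40] = {
    0x01, 0x00, 0x20, 'h', 'e', 'l', 'l', 'o',
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'D', 'A', 'T', 'A' };

/* A well-formed record: length field 5, "hello", then 16 bytes of padding. */
static const unsigned char valid_record[24] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

typedef size_t (*heartbeat_fn)(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap);

/* Pre-patch shape of the handler: trusts the length field and copies that
 * many bytes, so the reply carries whatever lies beyond the real record. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    (void)rec_len;                      /* never consulted: the bug */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Patched shape: discard any record whose declared payload, plus the 3-byte
 * header and 16-byte minimum padding, exceeds the bytes actually received. */
size_t heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + 16 > rec_len) return 0;   /* the added check */
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Helpers so both handlers can be compared on the same constructed input. */
size_t reply_len(heartbeat_fn fn, const unsigned char *rec, size_t rec_len) {
    unsigned char out[64];
    return fn(rec, rec_len, out, sizeof out);
}

int reply_leaks_secret(heartbeat_fn fn) {
    unsigned char out[64] = {0};
    size_t n = fn(process_mem, RECORD_LEN, out, sizeof out);
    return n >= 11 && memcmp(out + 5, "SECRET", 6) == 0;
}
```

The unchecked handler echoes the 5 real payload bytes plus 27 bytes of neighbouring data, which is the "anything that is in memory at that time" effect; the checked handler returns nothing for the malformed record and still answers the well-formed one.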
While cyber threats are a daily occurrence, Wiegley said the Heartbleed Bug is different given the security history of OpenSSL.
“It’s only unique in that it is implementation dependent on OpenSSL and there has not been an identified security flaw in the OpenSSL implementation before this,” Wiegley said. “It’s also unique in that there are a lot of sites that rely on the open source product OpenSSL in order to implement their SSL features.”
Netcraft’s 2014 web server survey indicates 66 percent of active websites utilize OpenSSL.
While Wiegley understands the level of concern given the popularity of OpenSSL, he said the threat to users has been a bit overstated.
“It’s not that big of a scary bug because a lot of things would have had to have taken place for your specific information to have been available to somebody,” Wiegley said. “Somebody would have had to have done the exploit before it’s been fixed, but there have already been updated versions of the OpenSSL package that have been put out there and don’t have the flaw.”
Wiegley also said that access to a site would have to coincide with the time the vulnerability is exploited.
“You also would have had to access the site and had your password cached by the system at about the same time the individual exploited the flaw,” Wiegley said.
While OpenSSL is commonly used, Wiegley said many sites have taken a proactive approach to assuring site users their information is safe.
“There are a number of commercial websites that are saying you don’t have to change your passwords because we don’t implement SSL with OpenSSL because we use one of the commercial proprietary packages,” Wiegley said.
For example, all Windows-based servers, by default, do not implement OpenSSL.
Although Wiegley believes the threat to web users is not as high as the public perceives, he said students should change their passwords as a precaution.
“Chances are you are safe, but the chance is not zero so you should change passwords on sites that use the OpenSSL library for their security implementation,” Wiegley said.