Heartbleed infests, UIS spared
A recently disclosed computer security flaw, Heartbleed, sent UIS’ Academic Technology Service Specialist Clayton Bellot into an afternoon of crisis containment with the university’s network servers.
When the flaw was disclosed, Bellot began scanning UIS’ entire network. The UIS systems were found to be unaffected by the bug.
Bellot said, “All of our servers that students, staff and faculty deal with were on a version that was unaffected. None of them had the particular flaw.”
For all the discussion it has generated, the name has given Heartbleed a more fearsome reputation than it deserves. The first misconception is that it is a virus; it is a flaw. Bellot said, “It’s a security flaw that was found in something referred to as open secure socket layer or OSSL and only specific versions had the flaw.”
Another question about the Heartbleed ‘bug’ is what kind of information it is actually capable of exposing.
Bellot explained, “What it’s doing is when your computer communicates with a server, the Heartbleed contracts extra memory from your information causing a memory dump to occur. It’s really not an aggressive breach. Really, this bug is only grabbing memory that is in use at that particular time [when] it becomes infected.”
Personal information such as credit card numbers and social security numbers is not automatically at risk. However, if that information was being used by the server at the time the memory dump occurred, there is cause for concern.
The most serious case is a server’s private key being leaked in such a memory dump. Servers that had the flaw have to obtain new key pairs for their systems, meaning a new public key and a new private key. Once that is done, everyone who uses the server, or has any account tied to it, must then reset their usernames and passwords.
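Bellot’s network scan came down to one question per server: is the OpenSSL version one of the affected ones? The following added example (not code from UIS or from the article) classifies OpenSSL version banners against the affected range that the OpenSSL project published for Heartbleed: upstream 1.0.1 through 1.0.1f and 1.0.2-beta through 1.0.2-beta1, fixed in 1.0.1g. The sample banners are constructed.

```python
import re

# Matches a version either at the start of the string or right after "OpenSSL " / "OpenSSL/",
# e.g. "OpenSSL 1.0.1e 11 Feb 2013", "Apache/2.4.7 OpenSSL/1.0.1g", "1.0.2-beta1".
_VERSION_RE = re.compile(r"(?:^|OpenSSL[/ ])(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta) from a banner, or None if no version is found.
    The letter is '' for a bare release such as 1.0.1; beta is None unless '-betaN' is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def heartbleed_status(banner):
    """Classify one banner as 'vulnerable', 'fixed', 'unaffected' or 'unknown'.

    Vulnerable: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta / 1.0.2-beta1.
    Fixed: 1.0.1g and later letters, 1.0.2 final and later betas, 1.1.x and newer.
    Unaffected: anything older than 1.0.1 (the heartbeat extension did not exist there).
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, beta = parsed
    release = (major, minor, patch)
    if release == (1, 0, 1):
        # '' (bare 1.0.1) sorts before 'f', so it is correctly counted as vulnerable.
        return "vulnerable" if letter <= "f" else "fixed"
    if release == (1, 0, 2):
        return "vulnerable" if beta is not None and beta <= 1 else "fixed"
    if release < (1, 0, 1):
        return "unaffected"
    return "fixed"


def triage_banners(banners):
    """Map each (host, banner) pair to its status so a scan's output can be summarised."""
    return {host: heartbleed_status(banner) for host, banner in banners}


# Constructed sample scan output; the hostnames and banners are illustrative only.
SAMPLE_SCAN = [
    ("web-1.example", "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1e"),
    ("web-2.example", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy.example", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("lb.example", "nginx/1.4.7"),
]
```

One caveat a practitioner would raise: distributions often backport the fix without changing the upstream version number, so a 1.0.1e banner on a patched system is a prompt to check the package changelog, not proof of exposure.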
Bellot said, “Companies are now sending out notifications to [their] users letting them know their account[s] may have been potentially compromised.”
Computer Science graduate student Kyle Noland said, “If you are a spammer right now, [this] is a prime time for phishing because everyone knows, ‘oh hey, people are gonna [sic] be needing to reset passwords.’ It’s a perfect time [for cyber attacks].”
Phishing is the act of obtaining financial or other confidential information from internet users, typically through emails made to look like they come from legitimate organizations.
Bellot said, “The silver lining in this is that it’s helping people go out and reset their passwords just across the board. People hold onto passwords way too long. It’s just bad practice.”
Accounts holding highly sensitive information, such as banking, should have their passwords updated at least monthly. For most people, having to remember even one or two different username and password pairs can be a hassle. Bellot recommends password managers to ease this inconvenience. He said, “LastPass and KeePass are [systems] we use and suggest. They allow you to have one password to get into a database of passwords and you only have to remember one password.”
Noland said, “One thing to get out of this is hopefully people are changing passwords. Hopefully, people will think about using a password manager, because it does make life easier and it does make things more secure.”