Earlier this month, UR’s network, along with millions of other websites that use the same software package, was found to have a major security vulnerability, called Heartbleed, in its Secure Sockets Layer (SSL) software.
SSL is an encryption scheme used to secure web services such as banking and logins. A popular software suite known as OpenSSL is used by many different websites for this purpose, from small sites to bigger ones such as YouTube and Gmail, as well as the University network.
This suite has been shown to have a vulnerability that can be exploited to access secure data it handles, such as login information. An attacker can force the server to send random information from the server’s memory, which can contain important data that the attacker can then use.
If the data contains any confidential information about users, such as login or banking information, the attacker can impersonate the user, use credit card information for transactions, and read anything stored about the user.
It is because of this bug that many different websites are advising their users to change their passwords to more secure ones.
Heartbleed has been found in only a few systems across the University network, and Information Security Officers have assessed the situation and deemed the risk low. IT staff is working to patch any vulnerable sites. They advise students to change their network password to stay safe.
As for other websites affected by the Heartbleed bug, it is best to wait until the website has confirmed that the issue has been patched before changing the password, as changing it will do nothing if the bug has not been fixed. Furthermore, changing the password prematurely may risk exposing the information that is asked for during the password reset process, such as mother’s maiden name or Social Security number.
Users are advised to change the password to a random, nonsensical block of characters rather than something personally significant to help keep the risk level low.
After the bug was discovered, the website filippo.io/Heartbleed/ was started to test if a server has been affected and if it has been fixed.
Kanakam is a member of the class of 2015.