
Security Services

Heartbleed Bug

The Dissection of a Vulnerability

Recent media coverage has raised a lot of questions about the “Heartbleed” vulnerability. Here are some quick facts that the Information Services and Security Services team put together to help you understand the risks, as well as how to protect yourself online.

What is the Heartbleed Bug?

When you visit secure websites, such as banking, shopping, and email, the communications between your computer and the web server are usually encrypted. Encryption makes it impossible for anyone else to read the sensitive information being exchanged between your computer and the web server.

The Heartbleed bug is a vulnerability in a program called OpenSSL, which is designed to provide this communications security over the Internet. The Heartbleed vulnerability makes snooping and stealing of sensitive information over the Internet possible.

Heartbleed affects only vulnerable versions of OpenSSL, but OpenSSL is one of the more common encryption methods on the Internet. It is used by approximately seventeen percent of all secure web servers.

How Does Heartbleed Work?

The Heartbleed vulnerability stems from a software coding error in the heartbeat functionality of OpenSSL. In this scenario, your computer sends periodic signals (or heartbeats) to the server you are communicating with to ensure it is still available. To make sure the right server responds, your computer includes a code word, along with the length of that code word, which the server stores in its memory banks and then repeats back to you.

The vulnerability was introduced when the length of the code word was not limited to the actual length of the code word being sent. This means an attacker could send a short code word but claim it was much longer. When the server stores this code word in its memory banks, it would require a lot more room (because it thought the word was really long) and it would read back whatever else was located in that particular memory slot. This could include usernames, passwords, encryption keys and other confidential information.
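The length check described above can be shown in a small C model. This is an added example, not OpenSSL's code or anything from the original page: the record layout is simplified (a type byte, a two-byte claimed length, the code word, then at least 16 bytes of padding), and the function names, the "bird" code word and the secret string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define HB_HEADER  3   /* 1-byte type + 2-byte claimed length of the code word */
#define HB_PADDING 16  /* minimum padding that follows the code word */
#define REC_LEN    (HB_HEADER + 4 + HB_PADDING)  /* bytes actually received */
#define SECRET     "SECRET-SESSION-KEY"          /* constructed neighbouring data */
static unsigned char server_mem[128];            /* constructed stand-in for server memory */

/* Store a heartbeat carrying "bird" with the given claimed length; unrelated data follows it. */
void build_memory(unsigned claimed) {
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = 1;                                /* heartbeat request */
    server_mem[1] = (unsigned char)(claimed >> 8);
    server_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(server_mem + HB_HEADER, "bird", 4);
    memcpy(server_mem + REC_LEN, SECRET, strlen(SECRET));
}

/* Flawed handler: echoes as many bytes as the sender claimed. */
size_t echo_unchecked(const unsigned char *rec, unsigned char *out, size_t cap) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > cap) claimed = cap;  /* keeps this demo inside its own arrays */
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Corrected handler: drops a record whose claimed length exceeds what was received. */
size_t echo_checked(const unsigned char *rec, size_t len, unsigned char *out, size_t cap) {
    if (len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > len || claimed > cap) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

int leaked(const unsigned char *out, size_t n) {  /* 1 if the secret is in the n echoed bytes */
    for (size_t i = 0; i + strlen(SECRET) <= n; i++)
        if (memcmp(out + i, SECRET, strlen(SECRET)) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[64];
    build_memory(40);  /* claims 40 bytes but carries only 4 */
    size_t bad = echo_unchecked(server_mem, out, sizeof out);
    int leak = leaked(out, bad);
    size_t good = echo_checked(server_mem, REC_LEN, out, sizeof out);
    printf("unchecked echoed %zu bytes (leak=%d), checked echoed %zu\n", bad, leak, good);
}
```

The corrected handler still answers an honest heartbeat (a claimed length of 4 returns "bird"), so the check costs legitimate clients nothing.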

Click the image below for a simple web comic that explains what the Heartbleed vulnerability is all about.

Is CWU Affected?

Yes.

Chris Timmons, one of CWU’s Senior Network Engineers, stated that “a variety of products and systems involved in the delivery of secure services was potentially at risk [from this vulnerability].” He also pointed out that “because of the severity of the threat, less pressing work was put on hold as staff identified and deployed vulnerability scanning tools to probe CWU systems and networks for evidence of Heartbleed.”

After the initial analysis was completed, it was discovered that our critical and publicly available systems, such as the MyCWU portal, were not impacted by Heartbleed. However, while the immediate risk is to Internet websites, all components of a web infrastructure can be affected by this vulnerability, including load-balancing products, virtual private networking (VPN) gateways and component solutions with built-in OpenSSL.

Chris points out that “other systems inside the CWU network were found to be running vulnerable software, which set in motion a process to identify, install and test the required updates without introducing new problems onto critical systems.”

What should I do as a computer user?

First, don’t panic. Although this is a serious vulnerability, security and technology professionals at the University and around the world are working to fix this flaw and reduce your risk. Here are some additional things you can do to protect yourself online:

  • If you want to test whether a website is safe, you can use the simple testing tool at https://www.ssllabs.com/ssltest
  • Be suspicious of any emails that ask you to change your password or provide other personal information. Phishing messages often target users based on recent news events, such as this vulnerability.
  • Many experts are advising users to change their passwords. As a good practice, you should periodically change your passwords to all of your sensitive online accounts.
  • Before you reset a password, be sure to test the site first using the link above. If you reset your password on a vulnerable site, your password could still be at risk.

Information Services and Security Services will continue to provide updates on this issue as more information is gathered and analyzed.

Best Regards,

Andreas Bohman
Chief Information Security Officer
Central Washington University
