Heartbleed bug might cause online security issues

Heartbleed Logo

Heartbleed Logo

Martin Harp

An exploit in many websites has recently come to the national spotlight and might put the personal information of students at risk. The exploit, known as Heartbleed, can result in the compromise of login information on certain websites.

What is SSL and why is it important?

  • SSL, security socket layer, is a popular encryption technology that allows web users to protect the privacy of information they transmit over the internet.
  • SSL is shown as a padlock next to the URL, indicating communications with that website are encrypted.
  • A padlock indicates that third parties cannot see the information you send or receive. SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher.
  • SSL standard includes a heartbeat option, which allows a computer at one end of an SSL connection to send a short message to verify that the other computer is still online and get a response back.
  • Malicious heartbeat message can trick the computer at the other end into divulging secret information.
  • SOURCE: http://www.vox.com/2014/4/8/5593654/heartbleed-explainer-big-new-web-security-flaw-compromise-privacy

The Heartbleed exploit according to Heartbleed.com is “a serious vulnerability in the popular OpenSSL cryptographic software library. SSL, a secure socket layer provides communication security and privacy over the Internet for applications such as web, email, instant messaging and some virtual private networks.”

Joel Moore, Tech Spot technician and junior computer information systems major, said the exploit has actually been around a lot longer than the majority of the public has known.

“The exploit has been around for two years, and nobody really knew about it,” Moore said.

Now that more people are aware of Heartbleed, Moore said the risk is at an all time high.

“It’s scarier now because more people know that the exploit is there and maybe a lot of websites still haven’t patched it yet,” he said. “Now that everyone knows that the exploit is there, the danger is more real than it was.”

Moore offered some advice to students to avoid having their personal information exposed or losing their login information.

“What I wouldn’t do is go around and start changing your passwords, because more people are aware that the exploit is there,” Moore said. “If someone wanted to take advantage of it, now is the time they would do it.”

Joshua Bodnar, Tech Spot technician and senior computer information systems major, said if students are scared about protecting their passwords, there is a password manager that will help.

“If people are really worried they can use LastPass,” Bodnar said. “[It] helps secure passwords and helps against keyloggers.”

Moore said a way for students to stay safe during the Heartbleed scare is for them to stick to websites that they know are legitimate.

Eric Soros, Tech Spot technician and senior computer science major, said students need to be more cautious about what websites they use more than ever right now.

“It’s really down to the website,” Soros said. “It’s scary because of that and because it’s really just out of your hands.”

Moore said that aside from Heartbleed, Zeus bot is something Tech Spot is actively trying to shield students from because it can steal bank account information.

“We actually block access to the network if a student has it until it is removed,” Moore said. “It may seem like an inconvenience, but it’s really for their benefit. We want their information to stay safe.”

When it comes to the generic adware that Tech Spot removes, Moore said being more cautious will help against that.

“Stop going to websites to watch free TV if you don’t have a good ad blocker,” Moore said. “These days if you click on the ‘X’ on an ad, you might be agreeing to download something and not even know it.”

Moore said there is free anti-virus software out there if students on a budget need protection.

“If you can’t afford a good anti-virus, Microsoft has one for free called Microsoft Security Essentials. You can get it off of their website,” Moore said.

Contact Martin Harp at [email protected].