No Heartbleed here, UI says

BY IAN MURPHY | APRIL 15, 2014 5:00 AM

SocialTwist Tell-a-Friend

One software program could have been bleeding information about users for almost two years before the hole was found last week.

University of Iowa officials said they patched the Heartbleed bug, found in a major software utilized by two-thirds of the Internet that allows web users to establish a “secure” connection with a server.

Jane Drews, the UI chief information security officer, said the OpenSSL software provides secure communication of data on websites, and the bug is an error in the program that would allow an attacker to connect to a system and extract information from a computer.

“That’s not data from storage,” she said. “It’s what’s actively being worked on in the computers.”
Drews said Information and Technology Services began assessing UI computer systems April 7 and fixed the UI public websites by April 9.

She said fixing the bug is relatively simple, and new security certificates are being installed on UI systems in case an attack successfully pulled any data.

Peter Reiher, an adjunct professor of computer science at UCLA, said the software hole could allow data to be accessed by an attacker, but it is hard to know whether data have been accessed.

Although the software is used by many webservers, Reiher said, the bug could have been exploited by more attackers as it became known.

“There wasn’t a lot of evidence that people were using the vulnerability [before the bug was announced],” Reiher said.

Drews said ITS officials added signatures to the UI network that would allow them to identify an attack.  She said the signatures detected some unsuccessful attacks.

“We have no evidence that any University of Iowa systems were broken into,” Drews said.

Chris Wilkins, information technology director for UI communication and marketing, declined to comment on the bug.

The vulnerability exists only on more recent versions of the software, Reiher said.

In addition to passwords, emails, and other data, this vulnerability could eventually lead to access to a private security key. Access to this key would allow the attacker to create a dummy website, passing off as a legitimate website, Reiher said.

For example, an attacker who had access to the key could pass a website off as a UI-affiliated website.

Reiher said data could be accessed and held onto for later use by an attacker. He recommended people wait until official word has gone out from websites before changing any passwords because this could compromise new passwords as well.

“I can’t imagine any U.S. university of comparable size that isn’t affected in some way by Heartbleed,” said Paul Rivers, the chief information security officer at the University of California-Berkeley in an email.

The university is taking similar steps to the UI.

“Our security operations team is actively scanning campus for vulnerable systems and monitoring for signs of attempts to exploit Heartbleed,” Rivers said.

Drews said the issues are in the software, not in hardware for computers.

“Our general guidance is that users should change all of their passwords, not just their HawkID passwords, but to wait until this week to do it so that the owners of other systems, non-university systems, can have their patch as well,” Drews said.

In today's issue:

Privacy Policy (8/15/07) | Terms of Use (4/28/08) | Content Submission Agreement (8/23/07) | Copyright Compliance Policy (8/25/07) | RSS Terms of Use

Copyright © The Daily Iowan, All Rights Reserved.