This bug will break your heart

A major flaw in website security has left many people vulnerable


Graphic by Karl Enghofer, The Spectator

Story by Austin Mai, Staff Writer

It’s one of the biggest security threats to ever hit the internet.

The Heartbleed Bug, a software flaw in the encryption phase of website log-ins, attacked the authentication process of many websites and made off with a lot of personal data.

Chip Eckardt, chief information officer with UW-Eau Claire’s Learning and Technology Services, said the university was on top of things once the bug was announced.

“We scanned all our network devices as soon as we heard about the issue,” Eckardt said. “Because of the software we currently use, we did not have anywhere near the number of issues some other businesses and campuses had.”

Eckardt said the university has a few printers and a PolyCom video camera that are susceptible, but no confidential data goes to them.
Eau Claire computer science professor Jack Tan said the bug is a malicious hack.

“It was an open secure socket layer type of hack,” Tan said. “So what it did was gain access to your passwords and other memory.”

According to an article published by Lookout, a computer software and mobile security company, if somebody logged on to an affected site, the website would encrypt the password per usual and send it to be authenticated. Hackers catch  cloaked passwords and unscramble them to receive login information directly. The hacker can use this information to snatch data at the rate of 64 kilobytes per request from the affected system.

“This flaw is that an attacker can continually request different data like user passwords and security certificates,” said Peter Bui, assistant computer science professor. “This exposes data which is usually protected.”

Bui said another flaw is the OpenSSL authentication process doesn’t usually log security transactions.

“Since (login authentication) is such a low level protocol, it’s normally not logged,” Bui said. “No one can be sure if they were exposed or attacked because of this.”

Bui said he believes this bug is a major problem because of the other ways hackers could exploit the flaws.

“Anytime you go to a website with a lock in the corner, it’s a metaphor for trust,” Bui said. “If security certificates are stolen, someone else can impersonate an entity.”

Bui said this means someone could steal and impersonate the web presence of Eau Claire. A hacker could create a fake doppelganger site and send emails to students from this new site, he said. The website would check out with most browsers and appear to be secure, because the hacker has the security certificate.

At that point, Bui said a hacker can ask for credit card, bank account or social security numbers.

Reddit recently sent a message to users saying they’ve been affected, and they can’t be sure whether any user information was stolen. The site recommends all users delete their accounts.

According to an article published on Mashable, websites like Facebook and Google were affected by the Heartbleed Bug. All these online services have patched their websites since, but it is highly recommended to change passwords for any of these sites.

Bui said all people can do to try to protect themselves is change their passwords and email addresses for affected sites. When possible, avoid giving important information out. There is no way to track the bug, and it’s the best way to keep your accounts safe.