UC Berkeley recommends password changes in light of ‘Heartbleed bug’


What has been called one of the biggest security bugs to ever hit the web could potentially crawl into some campus systems, prompting a campuswide recommendation that students change their passwords on academic, professional and social media accounts.

The campus is identifying systems that are vulnerable to the “Heartbleed bug” — so named for its potential to “bleed” out encrypted information from memory in certain systems. While the CalNet login and student email are not among these systems, other campus systems and about 70 percent of all servers may be at risk and potentially have been for years.

In an email message sent to all students and staff Thursday, Larry Conrad, UC Berkeley associate vice chancellor for information technology and chief information officer, gave tips on how students can protect their personal information and explained how the campus is addressing the bug.

The Heartbleed bug affects systems running on the program OpenSSL, whose purpose is to enable computers to talk to servers safely and securely. Hackers find a hole in the program through which they may steal personal information. Any campus server running this program is exposed, though Paul Rivers, interim chief information security officer, could not disclose which systems — nor how many — that would be.

“We don’t make public vulnerabilities about campus systems,” Rivers said.

According to Nicholas Carlini, a penetration tester for UC Berkeley’s Information Security and Policy Office, computers communicate by sending messages to one another with the number of characters in the message attached — like (5, hello) — and the server will respond with confirmation it has received the five-letter message. The bug, however, makes servers say messages contain many more characters than they do — for example, (1000, hello). The server then sends a confirmation of the message, but with an extra 995 characters following it.

Somewhere within these extra characters they extract from the server, attackers try to find private information on which they can capitalize.
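The length mismatch described above, shown as an added C example that is not from the article or from OpenSSL: a reply routine that trusts the claimed character count beside one that compares the claim with what actually arrived. The `arena` buffer, the function names and the `pw=CONSTRUCTED` value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: the request text sits directly
   in front of unrelated data, as it could in a real process. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Store the received text, then a neighbouring value; return bytes received. */
size_t load_request(const char *text, const char *neighbour)
{
    size_t n = strlen(text), m = strlen(neighbour);
    if (n + m > ARENA_SIZE) return 0;     /* sample data must fit the arena */
    memset(arena, 0, sizeof arena);
    memcpy(arena, text, n);
    memcpy(arena + n, neighbour, m);
    return n;
}

/* Flawed reply: copies as many bytes as the sender claimed. The ARENA_SIZE
   cap only keeps this demonstration inside its own buffer. */
size_t echo_trusting(size_t claimed, size_t received,
                     unsigned char *out, size_t cap)
{
    (void)received;                       /* never consulted: the bug */
    if (claimed > cap || claimed > ARENA_SIZE) return 0;
    memcpy(out, arena, claimed);
    return claimed;
}

/* Corrected reply: a claim larger than what arrived is dropped, no reply. */
size_t echo_checked(size_t claimed, size_t received,
                    unsigned char *out, size_t cap)
{
    if (claimed > received || claimed > cap) return 0;
    memcpy(out, arena, claimed);
    return claimed;
}

int main(void)
{
    unsigned char out[ARENA_SIZE];
    size_t got = load_request("hello", "pw=CONSTRUCTED");  /* constructed */
    size_t n = echo_trusting(19, got, out, sizeof out);
    printf("trusting (19, hello): %zu bytes: %.*s\n", n, (int)n, (char *)out);
    n = echo_checked(19, got, out, sizeof out);
    printf("checked  (19, hello): %zu bytes\n", n);
    return 0;
}
```

The single comparison in `echo_checked` is the whole difference: the honest (5, hello) request is answered as before, while the oversized claim gets no reply.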

“So, if (my friend) logged in just now, his password might be in memory,” said Paul Pearce, a UC Berkeley graduate student in computer science. “Then, I am able to extract that out of memory through this vulnerability.”

According to Conrad, campus information security is actively checking for hackers’ attempts to exploit the flaw. The campus network is monitoring signs of compromise and intrusion, and all devices connected to the campus network are being scanned and probed, Rivers explained.

A systemwide patch for the bug has been released for websites that run on OpenSSL and is currently being implemented by websites across the globe. The campus information technology team is currently reviewing campus systems and applying available patches for the bug.

Mashable.com recently released a list of a few of the websites for which users are encouraged to change their passwords, including search engines Google and Yahoo and social media sites Facebook and Tumblr.

Because the bug is targeting website servers and not individuals, there is not much computer users can do — but Conrad has recommended students change their passwords in two rounds as the patch is applied and to meanwhile avoid opening any suspicious emails or sharing any personal information online.

“You can say the bug has been fixed, just all you need to do is update,” Carlini said. “Now it’s a race between people updating and people attacking.”

Contact Chris Tril at [email protected] and follow him on Twitter @ctril.