CEDAR FALLS | Some University of Northern Iowa computer servers were patched as a precaution after the recent discovery of the Heartbleed bug, a flaw in the widely used OpenSSL encryption software that lets an attacker read chunks of a server's memory over the Internet.
About two dozen UNI servers were found to be running a vulnerable version of OpenSSL and were upgraded to a patched release. Luckily, the one server at UNI that acts as the access point for all incoming and outgoing data wasn't among them.
No sensitive information was stored on those vulnerable servers, so computer specialists are saying there's no cause for alarm -- yet.
“It’s just a matter of time until the Heartbleed bug evolves into something bigger. That’s what everybody is waiting for. Is the shoe about to drop?” said Paul Gray, a professor in UNI's department of computer science.
The vulnerable code was added to OpenSSL on New Year's Eve 2011 and shipped in OpenSSL 1.0.1 in March 2012, but the flaw (CVE-2014-0160) was only publicly disclosed and entered in the National Vulnerability Database on April 7, 2014.
According to heartbleed.com, the bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. Attackers could eavesdrop on communications, steal data directly from services and users, or impersonate them.
“Right now we just know you can dump memory, but some clever people are going to find out how to leverage that into making it even a more vicious compromise,” Gray said.
OpenSSL is free, open-source software that a large share of the world's web servers use to encrypt traffic, which is why this bug has shaken popular sites like Facebook, LinkedIn, Twitter and Gmail.
At first, security bloggers and other voices in the tech world recommended users change their passwords once those vulnerabilities had been patched.
But according to Gray, that's just a knee-jerk reaction to the unknown ramifications of this bug.
Here's how it works:
Computers are not intuitive. They interact with a person or user through a simple call-and-response process, a kind of mirroring effect. If you're a computer and someone asks you to repeat the word "password" back to them, you, the computer, respond with "password."
An attacker exploits the bug with a request of the same shape, but lies about its size. A TLS "heartbeat" is a keep-alive message that says, in effect, "here are N bytes, echo them back to me." A vulnerable server trusts the N in the request without checking that N bytes were actually sent, so an attacker can send a single byte, claim it was 65,535 bytes, and receive that byte plus whatever else happened to sit in the server's memory after it, roughly 64 kilobytes per request, as many times as they like.
"Then (the computer) has to tell you all of the last 64,000 things that interacted with its memory," Gray explained.
If a server runs a vulnerable OpenSSL release (1.0.1 through 1.0.1f), an attacker can siphon off chunks of its memory without tripping any alarm: each request looks like an ordinary TLS heartbeat, leaves no entry in the server's logs, and passes through a firewall like any other encrypted traffic.
That memory may include passwords to bank accounts, Social Security numbers, session cookies and even the server's private encryption key, which would let an attacker impersonate the site or decrypt traffic captured earlier. Each request returns only a 64-kilobyte slice, but nothing stops the attacker from asking again and again.
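The missing length check is easy to show in code. What follows is an added example written for this article, not OpenSSL's own source: it models a heartbeat record in a small constructed buffer (the "process memory" and the secret string are made up), shows a vulnerable handler copying as many bytes as the request claims, and a fixed handler that refuses a request whose claimed length exceeds the record actually received, which is the check the OpenSSL 1.0.1g patch added to ssl/t1_lib.c. The claimed length is kept below the buffer size so the over-read stays inside the constructed buffer; in a real server it reads whatever lies next on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   byte 0      message type: 1 = request, 2 = response
 *   bytes 1-2   payload_length, big-endian
 *   bytes 3..   payload, followed by at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the server process's memory. The request is
 * placed at the front; what follows represents stale data from earlier
 * connections (the secret string is made up for this example). */
#define MEM_SIZE 256
static unsigned char conn_mem[MEM_SIZE];
static const char secret[] = "password=hunter2; ssn=000-00-0000";

/* Write a heartbeat request into conn_mem. real_payload is what the client
 * actually sent; claimed_len is what the length field says. Returns the
 * record length, i.e. how many bytes really arrived on the wire. */
size_t build_request(const char *real_payload, uint16_t claimed_len)
{
    size_t real_len = strlen(real_payload);
    size_t record_len = 3 + real_len + HB_PADDING;
    memset(conn_mem, 0, sizeof conn_mem);
    conn_mem[0] = HB_REQUEST;
    conn_mem[1] = (unsigned char)(claimed_len >> 8);
    conn_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(conn_mem + 3, real_payload, real_len);
    /* Stale data sitting just past the record: this is what leaks. */
    memcpy(conn_mem + record_len, secret, sizeof secret);
    return record_len;
}

/* Vulnerable pattern (OpenSSL 1.0.1 to 1.0.1f): trust the peer's length
 * field and copy that many bytes starting at the payload, never comparing
 * it with how much data actually arrived. Returns the response length. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out)
{
    (void)record_len;                          /* never consulted */
    uint16_t payload_len = (uint16_t)((conn_mem[1] << 8) | conn_mem[2]);
    out[0] = HB_RESPONSE;
    out[1] = conn_mem[1];
    out[2] = conn_mem[2];
    memcpy(out + 3, conn_mem + 3, payload_len); /* reads past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed pattern (OpenSSL 1.0.1g): discard the record if header + claimed
 * payload + padding exceeds the bytes actually received. Returns 0 when
 * the request is dropped, otherwise the response length. */
size_t heartbeat_fixed(size_t record_len, unsigned char *out)
{
    uint16_t payload_len;
    if (record_len < 1 + 2 + HB_PADDING)
        return 0;                              /* too short to be valid */
    payload_len = (uint16_t)((conn_mem[1] << 8) | conn_mem[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len)
        return 0;                              /* silently drop, per RFC 6520 */
    out[0] = HB_RESPONSE;
    out[1] = conn_mem[1];
    out[2] = conn_mem[2];
    memcpy(out + 3, conn_mem + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Returns 1 if the secret string appears anywhere in the response. */
int response_leaks_secret(const unsigned char *out, size_t n)
{
    size_t m = strlen(secret);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, secret, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[MEM_SIZE + HB_PADDING + 3];
    /* Malicious request: 2 real bytes, length field claims 200.
     * 200 is kept below MEM_SIZE so the over-read stays in conn_mem. */
    size_t record_len = build_request("hi", 200);
    size_t n = heartbeat_vulnerable(record_len, out);
    printf("vulnerable: %zu-byte response, leaks secret: %s\n",
           n, response_leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(record_len, out);
    printf("fixed: %s\n", n ? "answered" : "request dropped");
    /* Honest request: length field matches the 2 bytes sent. */
    record_len = build_request("hi", 2);
    n = heartbeat_fixed(record_len, out);
    printf("fixed, honest request: %zu-byte response, leaks secret: %s\n",
           n, response_leaks_secret(out, n) ? "yes" : "no");
    return 0;
}
```

The whole difference between the two handlers is one comparison: the fixed version measures the claimed payload against the record length the TLS layer actually delivered, and throws the record away rather than answering when they disagree. That is also why the attack is so quiet: a dropped heartbeat produces no error on the wire, and an answered one looks like any other keep-alive.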
The other dozen UNI servers that were vulnerable didn't store any sensitive information and were patched within 24 hours to a few days, confirmed Shashi Kaparthi, chief information officer at UNI.
"Security flaws are routinely discovered, and manufacturers of software release updates (or) patches to fix them. This is similar to how we get updates from Microsoft, Adobe, etc. on our desktop computers," Kaparthi said.
But the tech world is still waiting for any indication that the bug has been used criminally. Universities are particularly at risk of security breaches, according to Tripwire, a major computer security software company.
"Universities are a treasure trove of information that criminals care about: personal information, medical information and even banking and payment card information," said Dwayne Melancon, Tripwire's chief technology officer.
Melancon said it's too early to tell if Heartbleed could be the source of recent mass identity thefts and security breaches at universities, but he wouldn't be surprised if they could be traced to the bug.
The bottom line, he said, is that people should get into the habit of changing their passwords and using different ones for their bank accounts and their social media accounts.
"Better safe than sorry," Melancon said.