By Sam Gringlas, Daily News Editor
Published April 9, 2014
The University’s Information and Technology Services staff are working to combat a security flaw that left sensitive information on some of the Internet’s most visited sites — as well as key University portals — vulnerable to prying eyes.
The flaw was first discovered last week by Finnish researchers and engineers at Google and made public Monday. But unlike the December Target security breach in which thousands of credit card numbers were stolen from the retailer’s servers, this particular finding — now nicknamed “Heartbleed” — stemmed from a coding error in a standard Internet security platform.
Though it’s uncertain whether any passwords or data were compromised by the flaw, major websites such as Facebook, Google, Yahoo and Amazon quickly patched the defective code, The New York Times reported. Many others are scrambling to prevent data theft and secure their affected servers.
In an interview Wednesday evening, Paul Howell, the University’s chief security officer, said Information and Technology Services staff had fixed most of the affected University’s sites Monday, including Wolverine Access and CTools.
“The severity of the issue was apparent and teams here and at many universities have been working around the clock to get servers patched and to get fixes in place,” Howell said.
OpenSSL, the affected software, is a toolkit included in many webserver programs, such as Apache, that is designed to encrypt communication between web browsers and servers.
Michael Bailey, an associate research professor of electrical engineering and computer science, said OpenSSL is a tool that is supposed to keep Internet users secure.
For example, OpenSSL prevents others from eavesdropping on communication between a professor entering grades in CTools from his or her browser and the University’s server that runs CTools. It ensures no one else can modify the grades between the professor’s input and their registry in CTools and lets the professor know it’s really CTools, and not an imposter site, into which the sensitive information is being entered.
The same principles apply to a student using Facebook. OpenSSL ensures information disseminated between one’s Internet browser and Facebook server is done so securely.
But websites using the March 2012 version of OpenSSL have not been protected due to the coding error that — unknown until last week — has existed since the version’s release and has left scores of websites vulnerable for more than two years.
While there are different security programs and versions available, The New York Times estimated the flaw in OpenSSL 2012 versions affects two-thirds of Internet sites.
According to a study conducted Tuesday by Bailey and Alex Halderman, associate professor of electrical engineering and computer science, 3.7 percent of the top one million Internet sites have been vulnerable to attack.
“The Internet is not falling down or coming to an end,” Bailey said. “The vulnerability exists because someone made a coding error.”
Howell said the problem was not well known, but now that the code for the security hole is public — made available in part for IT staff to test the efficacy of patching efforts — there is increased likelihood of others gaining access to sensitive information.
“This week there is definitely added risk,” he said.
However, Bailey said it’s impossible to know whether or not data, such as passwords or pin numbers, was stolen during the two years prior to patching the flaw.
Since the flaw’s discovery, University ITS staff worked to individually patch the codes for the University’s large portfolio of webservers and sites. Howell said it’s difficult to estimate how many sites were affected and how many are yet to be repaired, since information technology at the University is largely decentralized.
ITS officials in individual academic units have been notified on how to fix the issues and most main sites were fixed Monday, but it’s possible there are still sites affected by the problem that have yet to be identified.
While the University recommends people change their passwords at least biannually, Howell said ITS officials have not yet decided whether they will send out an e-mail to notify faculty, students and staff to change their uniqname passwords in light of the flaw.
He added that users might see an influx of phishing e-mails, which are scam messages posing as University official that prompt recipients to provide passwords and other personal information, and warned students to beware of any suspicious correspondence.
“I think it’s probably a good idea for folks to change their password,” Bailey said. “Whether or not I actually believe the University of Michigan lost information, I wouldn’t bet money on it. But good password hygiene has you changing your high-value passwords all the time.”