Heartbleed bug could leave campus computers open to attack

Computer servers holding personal information about staff and students, as well as intellectual property and sensitive research data, have been vulnerable to attack by hackers for two years because of a huge internet safety flaw.

The Heartbleed bug allows anyone with the know-how to access information protected by a piece of software known as OpenSSL – an encryption tool thought to be used by as many as two-thirds of websites.

It is unclear how many university sites worldwide are affected, but the higher education IT consortium Jisc said that most UK institutions used OpenSSL.

Within a week of the flaw’s being exposed, more than 40 institutions had been in touch with Jisc to enquire about acquiring new certificates to verify the security of their sites.

“This is huge news,” said Tim Watson, director of the Cyber Security Centre at the University of Warwick.

“Universities are responsible for managing intellectual property and sensitive information about staff and students, so they need to make sure they are protecting this information effectively.

“You don’t want systems in universities to be open wide for competitors to take the fruits of our hard-fought research efforts.”

In addition to research and intellectual property, universities also store detailed information about staff and students, including names, addresses, bank account details and photographs. Theoretically, hackers could exploit the Heartbleed weakness to extract this data from servers.

“If it is on the server, and somebody chose to attack it, then theoretically it could be taken,” said Tim Kidd, operations director for Janet, which handles university network security issues at Jisc.

He said that Jisc was offering universities free replacement verification certificates, which confirm the authenticity of university websites, once institutions had updated their software to protect against the bug. Certificate renewal usually costs £35.

“The flaw means that people could have taken data from a university, and then used it themselves to set up a web page that looked, to the user, like an official, verified university website,” Mr Kidd said.

The problem was only identified earlier this month, but was introduced to OpenSSL in early 2012. Conspiracy theorists have speculated that the weakness was introduced maliciously, but German computer programmer Robin Seggelmann has claimed that it is the result of an error made while programming updates for the software in late 2011.

Dr Seggelmann, who at the time was a PhD student at the Münster University of Applied Sciences, told the Sydney Morning Herald that both he and a reviewer had failed to notice an oversight in his code that left the programme open to exploitation.

“We should not treat this as a bolt from the blue that won’t happen again,” said Professor Watson.

“It will, and universities need to be properly managing the sensitive information that they hold about staff and students, and make sure they are protecting the intellectual property which is the core of what they do.”

chris.parr@tsleducation.com