YOUNGSTOWN, Ohio (WKBN) — Youngstown State University officials are working on fixes for its computer servers in the wake of the Heartbleed internet security bug, and have not obtained new security keys for some servers which need them, a university worker said Tuesday.
The lack of keys means some information on YSU’s servers could be at risk, although there is no way to know for sure.
According to YSU Media and Academic Computing Associate Director Lloyd Painter, the school has been working on assessing its servers for their levels of security risk and installing security fixes since the weekend of April 12 and 13, starting with the ones that need them most.
“We take all security pretty serious,” YSU Principal Systems Engineer David Kitt said when asked about the university’s level of concern over the bug. “We’re concerned, I guess, in general, at being the vulnerability, but I think we’re mitigating the risk as fast as we can, so I think the concern is there, but it’s not a panic situation.”
Because exploitation of Heartbleed leaves no trace on the server, there is no real way to know whether a person’s personal information was leaked during the two years the bug went unnoticed.
Painter recommended website checkers like Lastpass.com, Filippo.io, or SSLLabs.com to check the security of important websites. Those sites can give internet users an indication of whether or not a site is currently at risk of being exploited by Heartbleed, whether it ever was, and whether or not a password for that site should be changed to protect personal info. He also said using a different password for each site that requires one and using difficult-to-guess passwords can help keep data secure.
Painter said the security-fixing process at YSU is ongoing, and he does not know when it will be finished. The university’s network security and network infrastructure workers are tackling the problem.
Many of the fixes will require help from third-party vendors which provide solutions for the university, according to Kitt. That means waiting for vendors to provide fixes before the servers can be completely secured.
Kitt said the school’s servers which are on the internet and offer public services, like the school’s homepage and My YSU portal, are the most at-risk.
“It’s a pretty big deal, and it’s gonna take a while,” Painter said. “A lot of these companies have already fixed the vulnerability.”
Heartbleed is a flaw in widely-used internet security program OpenSSL which sparked concerns over the protection of sensitive information across the internet. A researcher at Google and workers at a Finnish coding firm simultaneously discovered the bug in March. OpenSSL publicized it on April 7.
OpenSSL is a program used by many companies to keep sensitive data like passwords or bank account information secure while being transferred on the internet. The flaw in the program, a simple error in its design, existed for about two years before being discovered.
Heartbleed gets its name from a feature of OpenSSL called the “heartbeat,” which allows a computer and the server it accesses to verify one another’s identities. Heartbleed, however, allowed computers to request and receive much more data from the server than just its identity, including personal data.
Painter said that, according to reports he has seen, Heartbleed may have affected as many as 500,000 different web systems.
“I would say it’s pretty high in terms of the impact it could have, potentially, because so many people use OpenSSL,” Painter said. “It’s a very popular product.”
Painter said there are two steps to restoring the school’s servers’ security: fixing the broken code in OpenSSL, then changing the security keys.
Once OpenSSL is fixed for a site, computers can no longer receive more data from the site’s server than they are allowed. However, while the Heartbleed flaw still existed within OpenSSL, the site’s identification key could have been stolen.
With that key, a hacker could access sensitive information on the site. Thus, some of YSU’s servers need to have their keys changed as well, according to Painter.
Painter said once a site is assessed, then patched and, if necessary, re-keyed, the security threat is over.
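As an added example, not code from the article or from YSU: a small Python triage script that applies the assess, patch, re-key sequence described above to a constructed server inventory. It assumes the affected OpenSSL releases from the public advisory (1.0.1 through 1.0.1f and 1.0.2-beta1) and uses the April 7 disclosure date as the earliest acceptable certificate issue date; the hostnames, versions and dates are made up.

```python
"""Heartbleed remediation tracker: patch OpenSSL first, then re-key."""
from datetime import date
import re

# Assumption: a certificate issued before public disclosure was created while
# the key could still have leaked, so it must be reissued after patching.
DISCLOSURE = date(2014, 4, 7)
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def version_status(version: str) -> str:
    """Classify an OpenSSL version string as vulnerable, fixed-release or never-affected.
    Vendor backports may fix 1.0.1e without bumping the string, so this is a
    triage signal, not proof (see the backport_patched flag below)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized OpenSSL version: {version!r}")
    branch, letter, beta = (int(m[1]), int(m[2]), int(m[3])), m[4], m[5]
    if branch == (1, 0, 1):          # 1.0.1 .. 1.0.1f affected, 1.0.1g and later fixed
        return "vulnerable" if letter < "g" else "fixed-release"
    if branch == (1, 0, 2):          # only the 1.0.2-beta1 pre-release shipped the bug
        return "vulnerable" if beta == "1" else "fixed-release"
    return "never-affected"          # 0.9.8, 1.0.0 and others never had the heartbeat bug


def classify(openssl_version: str, cert_not_before: date,
             backport_patched: bool = False) -> str:
    """Map one server to its remediation state (backport_patched is an assumption:
    set it only when the vendor confirms a fix that kept the old version string)."""
    status = version_status(openssl_version)
    if status == "never-affected":
        return "NOT AFFECTED: no Heartbleed exposure"
    if status == "vulnerable" and not backport_patched:
        return "VULNERABLE: patch OpenSSL first"
    if cert_not_before < DISCLOSURE:
        return "PATCHED, NOT RE-KEYED: key may have leaked, reissue certificate"
    return "SECURED: patched and re-keyed"


# Constructed sample inventory (host, OpenSSL version, cert notBefore, vendor backport).
SAMPLE_INVENTORY = [
    ("www.example.edu", "1.0.1e", date(2013, 9, 1), False),
    ("portal.example.edu", "1.0.1g", date(2013, 9, 1), False),
    ("mail.example.edu", "1.0.1g", date(2014, 4, 15), False),
    ("legacy.example.edu", "1.0.0", date(2012, 1, 1), False),
    ("vendor.example.edu", "1.0.1e", date(2014, 4, 20), True),
]


def triage(inventory=SAMPLE_INVENTORY) -> dict:
    """Return {hostname: remediation state} for the whole inventory."""
    return {host: classify(ver, nb, bp) for host, ver, nb, bp in inventory}


if __name__ == "__main__":
    for host, state in triage().items():
        print(f"{host:22} {state}")
```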