A coding error may have compromised hundreds of thousands of servers, leaving them vulnerable to attack.
This vulnerability, known as Heartbleed, is a couple of lines of code that were added approximately two and a half years ago by a developer working on the OpenSSL project, technologies strategist Ryan Matteson said.
The affected servers run a program called OpenSSL (Secure Sockets Layer), which provides encryption for web and email programs. The vulnerability can be found in a feature called Heartbeat.
Approximately 500 different services on Cal Poly’s campus use SSL, Ryan Matteson said. However, only approximately 200 of those were actually vulnerable to attack. Within 24 hours, Matteson said Information and Technology Services (ITS) was able to “patch” approximately 90 percent of those services.
ITS employees from various areas — those who develop software such as the student portal, run the databases that store student info and operate the network and wireless — scrambled to fix the issue, Matteson said.
Matteson said the overall impact for campus has been minimal. However, he expects there will be some cases where ITS reaches out to specific students, though not because their passwords have been stolen, he said — they just want to be extra cautious.
“I expect the numbers of that will be about 100, but not much more than that,” he said.
Because the servers had this vulnerability, there was a window of opportunity where an attacker could have connected to the server and tried to get information out, Matteson said.
“So we’re looking for signs of an attacker trying to get info, (but we) haven’t seen any specific signs of that occurring before we patched the vulnerability,” he said.
Matteson said ITS can tell that “a lot of people” have been scanning Cal Poly’s servers looking for this flaw.
The vulnerability happened because a developer working on the Heartbeat feature didn’t perform “bounds checking,” which means he or she didn’t check the numbers to make sure they were in an expected range. As a result, an attacker could connect to Google’s server or a server at Cal Poly and obtain private information, Matteson said. Examples of this information include passwords, private keys and other info an affected server has access to but would never intentionally give up, he said.
Because this vulnerability occurred on the server side, there was nothing users could have done to protect themselves, computer science assistant professor Zachary Peterson said.
As a matter of fact, when it comes to protecting oneself from cyber attacks, Peterson said, “sometimes, you just can’t.”
There are some safe practices people can partake in to help themselves, such as using a different password for every website and occasionally changing that password, as well as not communicating something on the Internet that you wouldn’t necessarily want to be public, Peterson said.
In the real world, people have learned to act a certain way to keep themselves safe, for example, identifying that “something’s off” when walking down a dark alleyway. However, that’s harder to do in the cyber world, especially since we haven’t been living there for as long, Peterson said. Being safe online is a mindset people need to adopt, Peterson said.
“But it’s hard to differentiate what’s the dark alley on the Internet,” Peterson said.