After the security bug Heartbleed was discovered on April 7, Boston University’s Information Services and Technology Department sent an email to the BU community Friday warning them of the software defect that could compromise users’ secure information.
“Heartbleed is estimated by security experts as potentially infecting up to 60 percent of all web servers online,” said Quinn Shamblin, executive director of information security for IT. “This makes it one of the most massive security issues we have seen in recent history. The character of the issue is such that people’s user names and passwords and sometimes even the website’s security keys were vulnerable to being read by the bad guys.”
Shamblin said there is no evidence that Heartbleed has affected the BU community.
“At BU, we had fixed the Heartbleed bug for most of our systems less than 24 hours from the time it was announced,” he said. “That is a very small window of opportunity for the bad guys to have tried to steal information from us.”
Though Heartbleed may not have affected students, Shamblin said it is still important to protect oneself against the bug.
“Once a website is fixed, security experts are recommending that you change your password on that website,” he said. “It may be that that password was never compromised, but you will never know whether it is or not, so it’s better to be safe. Considering how much we do online these days, you don’t want to risk having your credentials in the hands of the bad guys.”
As a result of Heartbleed, BU computer engineering professor David Starobinski said many websites might ask people to change their passwords, which could lead Internet users to fall victim to “phishing.” Phishing occurs when malicious third parties pretend to be a legitimate website and ask for secure credentials, allowing them to abuse users’ accounts.
“Once your credentials are compromised, an attacker may be able to steal your money [through] using bank account or credit card information, get access to sensitive or classified data, or usurp your identity to fool others,” Starobinski said.
BU computer engineering professor Ari Trachtenberg said though Heartbleed was only detected recently, it has been active on the Internet since 2011.
“Since the security community was not looking for its signs for these two years, it is very hard to gauge just how much information has been leaked already,” he said.
Shamblin said if an attacker gets access to even one low-priority username and password combination, a range of other accounts could be vulnerable.
In the email, IT recommends Internet users change their passwords and be wary of phishing attempts.
Trachtenberg said phishers use information that often seems harmless, such as a user’s address or friends’ names, to obtain much more sensitive information.
“Phishers can gain personal information such as email passwords and bank accounts,” he said. “However, the more insidious information they can get is actually the much more innocuous information. It is this innocuous information that can be used as a basis of trust with others in order to get even more sensitive information.”
Trachtenberg said that phishing is often a difficult cybercrime to detect.
“Our society relies on a certain level of trust to function, and phishers abuse and exploit this trust, often for malicious purposes,” he said. “Very few members of the public are resilient against well-crafted phishing attempts. However, even people who are familiar with phishing techniques are still susceptible to attacks because, ultimately, we do not want to live in an utterly paranoid society.”