Heartbleed, one of the most widespread internet-security vulnerabilities to date, affected N.C. State servers and computers, sending campus IT scrambling to patch the bug overnight.
The vulnerability was discovered at N.C. State on April 7 and was patched on April 8. However, some information may have been stolen before the patch was applied.
Named after the TLS “heartbeat,” a keep-alive message exchanged between a computer and a server, Heartbleed affected OpenSSL, a widely used implementation of the protocol that encrypts web traffic and verifies the identity of a server, according to Stan North Martin, director of Outreach, Communications & Consulting at N.C. State.
“Basically, it’s a bug in code that was used to encrypt our information that gets passed between file servers and your computer on the internet,” Martin said. “The interesting thing is that while it’s used for encryption, the actual bug itself had nothing to do with the encryption part of the protocol or the service that does the encrypting.”
The bug affected hundreds of services, including those run by Yahoo, Facebook, Instagram and many other major companies and social networks.
“The bug itself was a way of sending a request for a piece of information without giving you full verification of what you wanted, and you ended up getting more information than you requested,” Martin said.
Although that may seem harmless at first, the bug allowed people to obtain password information of other users, Martin said.
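The mechanism Martin describes, a request that claims a longer payload than it actually carries, is the missing bounds check in OpenSSL's handling of the TLS heartbeat extension (CVE-2014-0160). The C program below is an added example written for this page, not OpenSSL's own code. It models a heartbeat record (RFC 6520 layout: type byte, two-byte payload length, payload, padding) inside a simulated memory region with a constructed "secret" placed right after the record, so the over-read stays inside the program's own buffer. The pre-fix logic is shown beside the length check the fix added; all names (`sim_region`, `vulnerable_heartbeat`, `fixed_heartbeat`) and the sample payload and secret are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Simulated process memory: the received record starts at mem[0]; whatever
 * follows it stands in for adjacent heap contents (here a constructed secret). */
typedef struct {
    unsigned char mem[256];
    size_t record_len;           /* bytes actually received on the wire */
} sim_region;

/* Build a heartbeat request whose claimed length may exceed the real payload. */
static void build_request(sim_region *r, uint16_t claimed_len,
                          const char *payload, const char *adjacent_secret)
{
    size_t real_len = strlen(payload);
    memset(r->mem, 0, sizeof r->mem);
    r->mem[0] = HB_REQUEST;
    r->mem[1] = (unsigned char)(claimed_len >> 8);
    r->mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(r->mem + 3, payload, real_len);
    r->record_len = 3 + real_len + HB_PADDING;      /* padding left as zero bytes */
    /* Constructed data sitting in memory immediately after the record. */
    strcpy((char *)r->mem + r->record_len, adjacent_secret);
}

/* Pre-fix logic: trusts the attacker-supplied length and copies that many
 * bytes from the request, reading past the end of the real record. */
static size_t vulnerable_heartbeat(const sim_region *r, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = r->mem;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)3 + payload_len > out_cap) return 0;  /* only the output is guarded */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);              /* over-read happens here */
    return 3 + payload_len;
}

/* Fixed logic: the claimed payload plus header and padding must fit inside
 * the bytes actually received, otherwise the request is silently dropped. */
static size_t fixed_heartbeat(const sim_region *r, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = r->mem;
    if (r->record_len < 1 + 2 + HB_PADDING) return 0;  /* too short to be valid */
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > r->record_len) return 0;
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    return 3 + payload_len;
}

/* Does the response contain the needle anywhere? (portable stand-in for memmem) */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Malformed request: claims 64 bytes but carries only "hi". */
static const char *SECRET = "password=hunter2";   /* constructed sample secret */

int vulnerable_leaks_secret(void)
{
    sim_region r; unsigned char out[256];
    build_request(&r, 64, "hi", SECRET);
    size_t n = vulnerable_heartbeat(&r, out, sizeof out);
    return contains(out, n, SECRET);              /* 1: secret echoed back */
}

size_t fixed_response_len(void)                   /* 0: request dropped */
{
    sim_region r; unsigned char out[256];
    build_request(&r, 64, "hi", SECRET);
    return fixed_heartbeat(&r, out, sizeof out);
}

size_t fixed_honest_len(void)                     /* well-formed request still works */
{
    sim_region r; unsigned char out[256];
    build_request(&r, 2, "hi", SECRET);
    return fixed_heartbeat(&r, out, sizeof out);  /* 3-byte header + 2-byte payload */
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler response to malformed request: %zu bytes\n", fixed_response_len());
    printf("fixed handler response to honest request: %zu bytes\n", fixed_honest_len());
    return 0;
}
```

The check `1 + 2 + payload_len + HB_PADDING > record_len` is the substance of the real fix: the length field is attacker-controlled data, so it has to be validated against how many bytes were actually received, not used as the copy size on its own. A real attacker repeats the request to harvest up to 64 KB of heap per round, which is why session keys and passwords could surface in responses.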
“Once it was patched, people could not use the bug to get any information, but there was still a chance that people had already gotten some information from these computers,” Martin said. “We had little way of knowing if we had been impacted or not and whether someone used this bug to steal sensitive data from the university.”
Because of the vulnerability on N.C. State systems, the Office of Information Technology strongly recommends that students change their Unity passwords.
“Although we don’t think that the vulnerability was exploited on campus, we still encourage that everyone goes and changes their passwords,” Martin said. “We have no reason to think that passwords were stolen, but we strongly encourage that people change their passwords.”
N.C. State may have avoided a security disaster, but not everyone was as lucky.
“Yahoo said that some folks have been able to extract data from Yahoo before it patched the bug,” Martin said. “It’s a fairly lengthy process to get the data, but they were able to get some password-related information.”
Martin also warned of a phishing scheme related to Heartbleed.
“We already started seeing phishing emails that have gone out and have taken advantage of this vulnerability,” Martin said.
The phishing emails tell users to change their password because of Heartbleed and direct them to a link designed to trick them into giving up their account information.
“We haven’t seen these aimed at N.C. State yet, but I got one over the weekend that claimed to be from an online service provider that I use,” Martin said. “We know we are going to see more of these out there, and we encourage people to be wary of phishing schemes that are going to exploit Heartbleed.”
Martin said N.C. State and OIT will never ask students for their password via phone or email.
“Phishing scammers can impersonate OIT, and that’s why we are very wary about sending out mass emails,” Martin said. “If a mass email came from OIT, you can go on the OIT website to verify it. We are not going to ask in an email to respond with your password or to give your password over phone.”