Sacred Heart University IT Security Site

IT Alert: The Heartbleed Bug


What is it?
The Heartbleed bug is very simple. It's a vulnerability that has existed for almost two years but was only recently discovered.
 
No, really, what is it?
Ok, ok... It's a bug, or a vulnerability, in 'heartbeat', a built-in feature of OpenSSL. Specifically, OpenSSL versions 1.0.1 through 1.0.1f, inclusive, have the vulnerability. What the bug actually does is give the attacker back more information than s/he should get!

Ok, I think you've got me interested - what else?
Well, heartbeat is simply a way of checking that the web server is still up and listening: your computer sends a small piece of data, and the server echoes it back. Normally, the website (or web server) only responds with the same amount of data your computer sent. But this is not the case with a server that has the Heartbleed vulnerability. Instead, the attacker (or hacker) can claim that the request contained more data than it actually did, and the server replies with that larger amount.

'Beyond the amount of data'? Explain that!
All this means is that the hacker can get back up to 65k more data than s/he is supposed to, and this extra data is left over from other users' transactions. Some examples? Others' login credentials, cookies, and other information that attackers can use to exploit the system.
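To make the mechanism concrete, here is an added example (not the page's own and not OpenSSL's code) that models the heartbeat handler in C: the request claims a 48 byte payload but really carries only "HAT", the pre-fix handler trusts the claimed length and echoes stale bytes sitting after the record, and the fixed handler applies the bounds check that OpenSSL 1.0.1g added. The emulated memory layout and the stale "user=alice&pw=hunter2" string are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#define MEM_SIZE 64

/* Emulated process memory (constructed sample): one heartbeat record
 * (type, 2 byte length, payload, 16 bytes padding) followed by stale
 * bytes from an earlier request. Returns the real record length. */
static size_t build_memory(unsigned char *mem) {
    size_t n = 0;
    memset(mem, 0, MEM_SIZE);
    mem[n++] = 1;                          /* heartbeat request */
    mem[n++] = 0; mem[n++] = 48;           /* claims a 48 byte payload... */
    memcpy(mem + n, "HAT", 3); n += 3;     /* ...but only 3 bytes were sent */
    memset(mem + n, 'P', 16); n += 16;     /* padding (arbitrary bytes) */
    memcpy(mem + n, "user=alice&pw=hunter2", 21); /* never sent by the client */
    return n;                              /* 22 bytes actually received */
}

/* Pre-fix behaviour (OpenSSL 1.0.1 to 1.0.1f): the claimed length is
 * trusted, so the reply echoes bytes far past the 3 real payload bytes. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    (void)rec_len;                         /* never consulted: that is the bug */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Fixed behaviour (1.0.1g): refuse the request unless type, length,
 * claimed payload and padding all fit inside what was actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + 16 > rec_len)
        return 0;                          /* silently discard, as the patch does */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* 1 if the handler's reply contains stale data the client never sent. */
int reply_leaks(size_t (*handler)(const unsigned char *, size_t, unsigned char *)) {
    unsigned char mem[MEM_SIZE], out[MEM_SIZE] = {0};  /* out stays NUL terminated */
    size_t rec_len = build_memory(mem);
    handler(mem, rec_len, out);
    return strstr((const char *)out, "hunter2") != NULL;
}

int main(void) {
    printf("vulnerable leaks: %d\n", reply_leaks(heartbeat_vulnerable)); /* 1 */
    printf("fixed leaks:      %d\n", reply_leaks(heartbeat_fixed));      /* 0 */
    return 0;
}
```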

I like cartoons. Can I see one that explains this a little better?
Absolutely. Here you go...



It looks like the web server gave the hacker a lot more data than "HAT" in that last frame.

Now you've got it! That's exactly what it did. This is leftover data from other transactions that was still in memory (RAM), and the attacker took it. This could be your credentials, a private key, or any other conceivable kind of information hosted on a website. Anything.

What do I do now? Any suggestions?
Yes, change your passwords. We strongly suggest you do this and follow our Password Guidelines. Also, over the next few months it is best to monitor your accounts and transactions.

Where do I start? Which passwords?
You can start with the ones that have been confirmed as having had the vulnerability and are now fixed. Google and Yahoo are two of them. Most companies have been diligent in notifying their users of any problems. So once you are notified of a potential issue and a fix, change your passwords immediately, following our Password Guidelines. Pay special attention to any passwords protecting financial information.

Well I should be changing my passwords regularly anyway, shouldn't I?
You said it, we didn't!

What is the IT Security team doing to protect Sacred Heart University?
SHU ITS has been working over the past several days to discover, patch, and proactively address any systems which may possibly have the vulnerability. We are continuing to scan for the Heartbleed bug and are working with vendors on an ongoing basis to address this security concern.

Are my SHU login credentials safe?
We have no indication presently that your SHU password needs to be changed. However, if you are using your own PC (not managed by SHU) we do ask that you apply any operating system and application patches as soon as possible.

Any good news in all this?
There is. It is estimated that only about 20% of Internet servers have the Heartbleed vulnerability. But that's still one in five. So you never know which site has the vulnerability.

I'd like to read up a little further on this...
We've got further information for you:
What is Heartbleed, anyway?
The Heartbleed Bug