About two dozen UNI servers were recently found to be vulnerable and upgraded with a secure version of their software. Luckily, just one server at UNI acts as an access point for all incoming and outgoing data, and it wasn't deemed vulnerable to attack.
No sensitive information was stored on those vulnerable servers, so computer specialists are saying there's no cause for alarm -- yet.
"It's just a matter of time until the Heartbleed bug evolves into something bigger. That's what everybody is waiting for. Is the shoe about to drop?" said
The bug was created
According to heartbleed.com, the bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. Attackers could potentially eavesdrop on communications, steal data directly from or impersonate services and users.
"Right now we just know you can dump memory, but some clever people are going to find out how to leverage that into making it even a more vicious compromise," Gray said.
The OpenSSL code is free to use, and that's why this bug has shaken popular sites like
At first, security bloggers and other voices in the tech world recommended users change their passwords once those vulnerabilities had been patched.
But according to Gray, that's just a knee-jerk reaction to the unknown ramifications of this bug.
Here's how it works:
Computers are not intuitive. They interact with a person or user through a simple call-and-response process, a kind of mirroring effect. If you're a computer and someone asks you to think of the first thing that comes to your mind when they say the word "password," you, the computer, would respond with "password."
An attacker would do something like that to elicit the bug but on a much larger scale, asking the computer to tell them the first 64,000 things that come to mind.
"Then (the computer) has to tell you all of the last 64,000 things that interacted with its memory," Gray explained.
If a server is running software that uses a vulnerable version of OpenSSL, an attacker can leach caches of computer memory before setting off a tripwire, like a firewall.
That memory may include passwords to bank accounts and
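In protocol terms, the request described above is a TLS heartbeat message whose length field claims more data than the message actually carries. The following C example is an added illustration, not code from the article or from OpenSSL: it simulates the over-read inside its own buffer and shows the bounds check from RFC 6520 that stops it. The function names, buffer sizes and marker string are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Simulated memory: the received record is mem[0..rec_len), unrelated data
 * follows it. checked=0 trusts the length field; checked=1 applies the
 * bounds check. Returns reply length (padding omitted), 0 if discarded. */
size_t hb_reply(const uint8_t *mem, size_t mem_len, size_t rec_len,
                int checked, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec_len > mem_len || mem[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];  /* sender-controlled */
    /* The fix: type + length + payload + padding must fit in the record. */
    if (checked && 1 + 2 + claimed + HB_PADDING > rec_len)
        return 0;
    /* Simulation guard only: stay inside this example's own arrays. */
    if (3 + claimed > mem_len || 3 + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + 3, mem + 3, claimed);
    return 3 + claimed;
}

/* Constructed scenario: a record with a 2-byte payload plus padding, followed
 * in memory by a marker. Returns how many reply bytes lie beyond the record. */
size_t bytes_beyond_record(uint16_t claimed, int checked)
{
    uint8_t mem[128] = {0}, out[128];
    const char *neighbor = "NEIGHBOR-DATA (constructed)";
    size_t rec_len = 3 + 2 + HB_PADDING;
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    memcpy(mem + 3, "hi", 2);
    memcpy(mem + rec_len, neighbor, strlen(neighbor));
    size_t n = hb_reply(mem, sizeof mem, rec_len, checked, out, sizeof out);
    return n > rec_len ? n - rec_len : 0;
}

int main(void)
{
    printf("unchecked: %zu bytes beyond record\n", bytes_beyond_record(40, 0));
    printf("checked:   %zu bytes beyond record\n", bytes_beyond_record(40, 1));
    return 0;
}
```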
The other dozen UNI servers that were vulnerable didn't store any sensitive information and were patched within 24 hours to a few days, confirmed
"Security flaws are routinely discovered, and manufacturers of software release updates (or) patches to fix them. This is similar to how we get updates from
But the tech world is still waiting for any indication that the bug has been used criminally. Universities are particularly at risk of security breaches, according to
"Universities are a treasure trove of information that criminals care about: personal information, medical information and even banking and payment card information," said
Melancon said it's too early to tell if Heartbleed could be the source of recent mass identity thefts and security breaches at universities, but he wouldn't be surprised if they could be traced to the bug.
The bottom line, he said, is people should get into the habit of changing and maintaining multiple passwords across their bank accounts and social media.
"Better safe than sorry," Melancon said.
(c)2014 Waterloo-Cedar Falls Courier (Waterloo, Iowa)
Distributed by MCT Information Services