Heartbleed bug could leave campus computers open to attack

Software flaw may affect sensitive data held by two-thirds of universities

April 17, 2014

Computer servers holding personal information about staff and students, as well as intellectual property and sensitive research data, have been vulnerable to attack by hackers for two years because of a huge internet safety flaw.

The Heartbleed bug allows anyone with the know-how to access information protected by a piece of software known as OpenSSL – an encryption tool thought to be used by as many as two-thirds of websites.

It is unclear how many university sites worldwide are affected, but the higher education IT consortium Jisc said that most UK institutions used OpenSSL.

Within a week of the flaw’s being exposed, more than 40 institutions had been in touch with Jisc to enquire about acquiring new certificates to verify the security of their sites.

“This is huge news,” said Tim Watson, director of the Cyber Security Centre at the University of Warwick.

“Universities are responsible for managing intellectual property and sensitive information about staff and students, so they need to make sure they are protecting this information effectively.

“You don’t want systems in universities to be open wide for competitors to take the fruits of our hard-fought research efforts.”

In addition to research and intellectual property, universities also store detailed information about staff and students, including names, addresses, bank account details and photographs. Theoretically, hackers could exploit the Heartbleed weakness to extract this data from servers.

“If it is on the server, and somebody chose to attack it, then theoretically it could be taken,” said Tim Kidd, operations director for Janet, which handles university network security issues at Jisc.

He said that Jisc was offering universities free replacement verification certificates, which confirm the authenticity of university websites, once institutions had updated their software to protect against the bug. Certificate renewal usually costs £35.

“The flaw means that people could have taken data from a university, and then used it themselves to set up a web page that looked, to the user, like an official, verified university website,” Mr Kidd said.

The problem was only identified earlier this month, but was introduced to OpenSSL in early 2012. Conspiracy theorists have speculated that the weakness was introduced maliciously, but German computer programmer Robin Seggelmann has claimed that it is the result of an error made while programming updates for the software in late 2011.

Dr Seggelmann, who at the time was a PhD student at the Münster University of Applied Sciences, told the Sydney Morning Herald that both he and a reviewer had failed to notice an oversight in his code that left the program open to exploitation.

“We should not treat this as a bolt from the blue that won’t happen again,” said Professor Watson.

“It will, and universities need to be properly managing the sensitive information that they hold about staff and students, and make sure they are protecting the intellectual property which is the core of what they do.”

chris.parr@tsleducation.com
