Heartbleed bug could leave campus computers open to attack

Software flaw may affect sensitive data held by two-thirds of universities

April 17, 2014

Computer servers holding personal information about staff and students, as well as intellectual property and sensitive research data, have been vulnerable to attack by hackers for two years because of a huge internet safety flaw.

The Heartbleed bug allows anyone with the know-how to access information protected by a piece of software known as OpenSSL – an encryption tool thought to be used by as many as two-thirds of websites.

It is unclear how many university sites worldwide are affected, but the higher education IT consortium Jisc said that most UK institutions used OpenSSL.

Within a week of the flaw’s being exposed, more than 40 institutions had been in touch with Jisc to enquire about acquiring new certificates to verify the security of their sites.

“This is huge news,” said Tim Watson, director of the Cyber Security Centre at the University of Warwick.

“Universities are responsible for managing intellectual property and sensitive information about staff and students, so they need to make sure they are protecting this information effectively.

“You don’t want systems in universities to be open wide for competitors to take the fruits of our hard-fought research efforts.”

In addition to research and intellectual property, universities also store detailed information about staff and students, including names, addresses, bank account details and photographs. Theoretically, hackers could exploit the Heartbleed weakness to extract this data from servers.

“If it is on the server, and somebody chose to attack it, then theoretically it could be taken,” said Tim Kidd, operations director for Janet, which handles university network security issues at Jisc.

He said that Jisc was offering universities free replacement verification certificates, which confirm the authenticity of university websites, once institutions had updated their software to protect against the bug. Certificate renewal usually costs £35.

“The flaw means that people could have taken data from a university, and then used it themselves to set up a web page that looked, to the user, like an official, verified university website,” Mr Kidd said.

The problem was only identified earlier this month, but was introduced to OpenSSL in early 2012. Conspiracy theorists have speculated that the weakness was introduced maliciously, but German computer programmer Robin Seggelmann has claimed that it is the result of an error made while programming updates for the software in late 2011.

Dr Seggelmann, who at the time was a PhD student at the Münster University of Applied Sciences, told the Sydney Morning Herald that both he and a reviewer had failed to notice an oversight in his code that left the programme open to exploitation.

“We should not treat this as a bolt from the blue that won’t happen again,” said Professor Watson.

“It will, and universities need to be properly managing the sensitive information that they hold about staff and students, and make sure they are protecting the intellectual property which is the core of what they do.”


Times Higher Education free 30-day trial

You've reached your article limit

Register to continue

Registration is free and only takes a moment. Once registered you can read a total of 6 articles each month, plus:

  • Sign up for the editor's highlights
  • Receive World University Rankings news first
  • Get job alerts, shortlist jobs and save job searches
  • Participate in reader discussions and post comments

Have your say

Log in or register to post comments

Most Commented

United Nations peace keeper

Understanding the unwritten rules of graduate study is vital if you want to get the most from your PhD supervision, say Kevin O'Gorman and Robert MacIntosh

David Parkins Christmas illustration (22 December 2016)

A Dickensian tale, set in today’s university

Eleanor Shakespeare illustration (5 January 2017)

Fixing problems in the academic job market by reducing the number of PhDs would homogenise the sector, argues Tom Cutterham

Houses of Parliament, Westminster, government

There really is no need for the Higher Education and Research Bill, says Anne Sheppard

poi, circus

Kate Riegle van West had to battle to bring her circus life and her academic life together