Heartbleed bug could leave campus computers open to attack

Software flaw may affect sensitive data held by two-thirds of universities

April 17, 2014

Computer servers holding personal information about staff and students, as well as intellectual property and sensitive research data, have been vulnerable to attack by hackers for two years because of a huge internet safety flaw.

The Heartbleed bug allows anyone with the know-how to access information protected by a piece of software known as OpenSSL – an encryption tool thought to be used by as many as two-thirds of websites.

It is unclear how many university sites worldwide are affected, but the higher education IT consortium Jisc said that most UK institutions used OpenSSL.

Within a week of the flaw’s being exposed, more than 40 institutions had been in touch with Jisc to enquire about acquiring new certificates to verify the security of their sites.

“This is huge news,” said Tim Watson, director of the Cyber Security Centre at the University of Warwick.

“Universities are responsible for managing intellectual property and sensitive information about staff and students, so they need to make sure they are protecting this information effectively.

“You don’t want systems in universities to be open wide for competitors to take the fruits of our hard-fought research efforts.”

In addition to research and intellectual property, universities also store detailed information about staff and students, including names, addresses, bank account details and photographs. Theoretically, hackers could exploit the Heartbleed weakness to extract this data from servers.

“If it is on the server, and somebody chose to attack it, then theoretically it could be taken,” said Tim Kidd, operations director for Janet, which handles university network security issues at Jisc.

He said that Jisc was offering universities free replacement verification certificates, which confirm the authenticity of university websites, once institutions had updated their software to protect against the bug. Certificate renewal usually costs £35.

“The flaw means that people could have taken data from a university, and then used it themselves to set up a web page that looked, to the user, like an official, verified university website,” Mr Kidd said.

The problem was only identified earlier this month, but was introduced to OpenSSL in early 2012. Conspiracy theorists have speculated that the weakness was introduced maliciously, but German computer programmer Robin Seggelmann has claimed that it is the result of an error made while programming updates for the software in late 2011.

Dr Seggelmann, who at the time was a PhD student at the Münster University of Applied Sciences, told the Sydney Morning Herald that both he and a reviewer had failed to notice an oversight in his code that left the program open to exploitation.

“We should not treat this as a bolt from the blue that won’t happen again,” said Professor Watson.

“It will, and universities need to be properly managing the sensitive information that they hold about staff and students, and make sure they are protecting the intellectual property which is the core of what they do.”

chris.parr@tsleducation.com
