Heartbleed bug could leave campus computers open to attack

Software flaw may affect sensitive data held by two-thirds of universities

April 17, 2014

Computer servers holding personal information about staff and students, as well as intellectual property and sensitive research data, have been vulnerable to attack by hackers for two years because of a huge internet safety flaw.

The Heartbleed bug allows anyone with the know-how to access information protected by a piece of software known as OpenSSL – an encryption tool thought to be used by as many as two-thirds of websites.

It is unclear how many university sites worldwide are affected, but the higher education IT consortium Jisc said that most UK institutions used OpenSSL.

Within a week of the flaw’s being exposed, more than 40 institutions had been in touch with Jisc to enquire about acquiring new certificates to verify the security of their sites.

“This is huge news,” said Tim Watson, director of the Cyber Security Centre at the University of Warwick.

“Universities are responsible for managing intellectual property and sensitive information about staff and students, so they need to make sure they are protecting this information effectively.

“You don’t want systems in universities to be open wide for competitors to take the fruits of our hard-fought research efforts.”

In addition to research and intellectual property, universities also store detailed information about staff and students, including names, addresses, bank account details and photographs. Theoretically, hackers could exploit the Heartbleed weakness to extract this data from servers.

“If it is on the server, and somebody chose to attack it, then theoretically it could be taken,” said Tim Kidd, operations director for Janet, which handles university network security issues at Jisc.

He said that Jisc was offering universities free replacement verification certificates, which confirm the authenticity of university websites, once institutions had updated their software to protect against the bug. Certificate renewal usually costs £35.

“The flaw means that people could have taken data from a university, and then used it themselves to set up a web page that looked, to the user, like an official, verified university website,” Mr Kidd said.

The problem was only identified earlier this month, but was introduced to OpenSSL in early 2012. Conspiracy theorists have speculated that the weakness was introduced maliciously, but German computer programmer Robin Seggelmann has claimed that it is the result of an error made while programming updates for the software in late 2011.

Dr Seggelmann, who at the time was a PhD student at the Münster University of Applied Sciences, told the Sydney Morning Herald that both he and a reviewer had failed to notice an oversight in his code that left the programme open to exploitation.

“We should not treat this as a bolt from the blue that won’t happen again,” said Professor Watson.

“It will, and universities need to be properly managing the sensitive information that they hold about staff and students, and make sure they are protecting the intellectual property which is the core of what they do.”

chris.parr@tsleducation.com

Times Higher Education free 30-day trial

You've reached your article limit

Register to continue

Registration is free and only takes a moment. Once registered you can read a total of 3 articles each month, plus:

  • Sign up for the editor's highlights
  • Receive World University Rankings news first
  • Get job alerts, shortlist jobs and save job searches
  • Participate in reader discussions and post comments
Register

Have your say

Log in or register to post comments

Most Commented

Laurel and Hardy sawing a plank of wood

Working with other academics can be tricky so follow some key rules, say Kevin O'Gorman and Robert MacIntosh

Lady Margaret Hall, Oxford will host a homeopathy conference next month

Charity says Lady Margaret Hall, Oxford is ‘naive’ to hire out its premises for event

Woman pulling blind down over an eye
Liz Morrish reflects on why she chose to tackle the failings of the neoliberal academy from the outside
White cliffs of Dover

From Australia to Singapore, David Matthews and John Elmes weigh the pros and cons of likely destinations

women leapfrog. Vintage

Robert MacIntosh and Kevin O’Gorman offer advice on climbing the career ladder