Security professionals working in higher education are updating servers, reissuing the certificates used to guarantee secure Internet transactions, and encouraging students, faculty, and staff members to take a break from the commercial Internet following the discovery of a programming flaw in a widely used Internet tool.
Dubbed “Heartbleed,” the Internet-security breakdown cuts across industries and has raised anew questions about the vulnerability of proprietary data and personal information shared online.
In an email interview with The Chronicle, Steven Lovaas, information-technology-security manager at Colorado State University, laid out the basics and described what Internet users can do to protect themselves.
Q. What’s all this about Heartbleed?
A. On April 7, researchers found a flaw in one of the tools used to secure Internet traffic. That tool, called OpenSSL, is responsible for providing security on the Internet. The bug allows an attacker to capture usernames, passwords, and pretty much any other information.
Q. Why does this matter?
A. This is a big deal. Much of the Internet relies on OpenSSL to protect secure traffic. At least 500,000 servers worldwide appear to be affected by the bug, and some personal computers and mobile devices are also affected. Until the bulk of affected computers are fixed, or patched, any secure site on the Internet is potentially dangerous to visit.
Q. What are colleges doing to respond?
A. The higher-ed community has been pretty impressive in its willingness to work together and share information to get this solved. So far, I don’t see nearly as much of that in the private sector. CSU has patched all our vulnerable servers that are exposed to the Internet. We’re also working on hunting down all internal servers that are still vulnerable, and will be getting those all patched very soon. We’re monitoring the situation, and we’ll notify owners of any additional affected computers we find.
Q. What should I do?
A. First off, don’t panic. While this is a serious vulnerability, security folks at CSU and around the world are working around the clock to reduce the risk. Nevertheless, there are some things you can do while the world catches up:
- Avoid online banking and shopping for a few days, if you possibly can.
- Don’t change your online banking password until your bank tells you that it’s OK; otherwise you may just be giving attackers your new password.
- Be very suspicious of any emails asking you to change passwords.
- Remember that legitimate college emails will never ask you to respond with sensitive information such as a password, Social Security number, or bank-account number.
- Apply the latest security updates to your home and work computers, as well as to your mobile devices.
For more information about Heartbleed, this piece on public radio’s Marketplace is a good place to start.