Though the Heartbleed bug, a vulnerability in a popular encryption software known as OpenSSL, has had little impact on the College, computing services has worked urgently to patch its servers since last week. The College will inform campus once computing staff secures its servers, and community members should not change their Dartmouth passwords until after the systems affected by Heartbleed have been fixed.
As of Monday morning, computing services had not seen any successful hacks of OpenSSL yielding the private encryption key for a server, chief information security officer Steve Nyman said in an email. While there have been reports that some usernames and passwords were successfully harvested, these were of systems in which the credentials were not encrypted, he said.
The Heartbleed bug was discovered earlier this month. When successfully exploited, the bug allows outside users to decipher encrypted data, enabling those with malicious intent to access private information, including passwords, emails, instant messages and other communications.
Given the difficulty of exploiting the coding flaw and various defenses that Dartmouth has in place, the College’s overall exposure to the bug is low, Nyman said in an email. Once the vulnerable servers at the College have been fixed, he said, community members will be encouraged to change passwords as a precaution.
Noting that many large companies are quickly working to resecure their websites, Nyman said that students should check to see which have fixed the leak and then change their passwords to protect personal and financial data.
Nyman compared the vulnerability to a situation in which students pass coded notes in class while an onlooker — the hacker — tries to decipher the code.
A hacker exploiting Heartbleed would only receive “random fragments” of information at any one time, Nyman said. If the hacker succeeded at reassembling the fragments, he or she could plausibly de-scramble the code, creating a key that could then be used to decipher the remainder of the communication. While it is technically possible to crack the code, he said, it is difficult and potentially time-consuming.
“This onlooker student could stumble on the correct info rapidly or could sit forever trying to capture and piece together the code needed to create the key to unlock the coded text,” Nyman said. “Similarly, whether within days or weeks, someone might develop a program to accomplish this efficiently. That’s why this is a serious vulnerability that must be fixed now.”
The Heartbleed bug, computer science professor Sean Smith said, is the most recent and most damaging of several vulnerabilities uncovered in SSL encryption software this year.
“Any data you might have at a vulnerable SSL server — anywhere, not just at Dartmouth — may potentially be compromised,” Smith said, adding that if a laptop has the security flaw and an individual clicks a supposedly secure link to a malicious website, an outside party may gain access to the computer’s contents.
Students can protect their information by ensuring their personal computers’ client software is up to date, Smith said.
Computing departments at peer institutions have also made announcements regarding the Heartbleed vulnerability. Cornell University’s IT department said that the impact on its systems has been small. Harvard University issued a similar statement, saying that while the bug did not significantly affect its systems, users should change their Harvard account passwords if they use the same one across multiple websites.
Computer science professor Sergey Bratus said that the potential fallout from the bug reflects the dangers of society’s dependence on software.
“Software for critical infrastructure must be as simple as possible,” Bratus said. “Instead, we depend on huge code bases that try to cater to all possible uses at once. This approach gives tremendous advantages to attackers.”
