Open Heart(bleed) Surgery

If you haven’t heard by now of the so-called “Heartbleed” Internet security bug that last week sent the Internet security community into something of a frenzy, then you probably don’t need to worry and almost certainly won’t be reading this!  For those of us who use the Internet and watch the news however you may want to read on.


“Heartbleed” is the name given to a recently discovered flaw in  a specific implementation of one of the world’s most widely used Internet security protocols – SSL/TLS.  Called OpenSSL the software is used to protect sensitive data (such as usernames, passwords, payment details etc.) sent backwards and forwards between your computer and “secure” websites.  Although it is hard to know precisely how many websites are affected by this vulnerability, it is estimated that about two thirds of the world’s websites use OpenSSL and that around 17% of sites are vulnerable to this bug.  That is about half a million websites and, since they may have been vulnerable since the bug was introduced into the software (as far back as 2011), it is rightly being treated as a pretty big deal.  As renowned security expert Bruce Schneier put it “On the scale of 1 to 10, this is an 11.”

Unsurprisingly then Heartbleed has attracted a lot of attention, but this has led to confusion amongst many with, for example, conflicting advice on whether and when to change passwords.  Worrying and panicking however, won’t do anyone any good so what are the risks, what should you do and what is the University of Oxford doing in response?

What are the Risks?

Well the good news is that once the problem was noticed the response has been pretty effective with many major service providers having patched the vulnerability already.  The trouble is that implementations of OpenSSL may have been vulnerable for over two years.  How much of a problem this actually is nobody really knows at the moment, but the risk is that cyber-criminals may have been aware of the vulnerability before the good guys were.  So far though, there have been no reports of widespread exploitation (either before or after the bug was announced) and, although an attack against a website you use could have disclosed sensitive information (such as passwords, payment details etc.) it would be more difficult for attackers to target specific information.  In other words, even if vulnerable sites you use were exploited it is far from certain that any of your details will have been exposed.  I’ve no intention of explaining how the exploit works but if you want a decent, non-technical, explanation as to why this is the case then look no further than xkcd.

So what should I do?

Well, as mentioned, first of all don’t panic.  Changing passwords is a good idea (and we’ll come to that in a bit) but apart from that there isn’t much you can do about what has already happened.  What you can do is to take this opportunity to improve your online security practices.  Remember that this vulnerability is not a weakness in the underlying protocols that secure our Internet traffic, but a vulnerability in software that implements them.  In other words human error (you can forget conspiracy theories in this case.  No, really!).  This is, perhaps, a timely reminder that we shouldn’t take security and privacy online for granted and we can all play a part in protecting ourselves from the risks.  Good security happens in layers!  If you don’t use good, unique passwords for different sites and don’t use 2-factor authentication where it is available then now might be good time to start.  Many are advising users to start using a password manager such as LastPass or KeePass when you start to change your passwords.  Similarly, now is the time to start following good standard advice like regularly checking your bank statements.

Keep Calm and Use the ToolkitYou should also be aware that this vulnerability is very likely to lead to an increase in phishing scams.  Since pretty much everyone who uses the Internet is being asked to change their passwords, the bad-guys are likely to want a piece of this action and use the opportunity to send round fake emails asking for passwords and/or linking to fake sites.  Be aware of this threat and, if you are in any doubt as to whether an email (or phone call for that matter!) is legitimate then ask someone technical for help (perhaps your local IT support staff or the IT Services help desk).

If you want advice on good practice when it comes to online security (including how to spot phishing emails) then why not check out our information security website or, better still, book on one of our lunchtime courses which cover what you need to know and do.

So should I change my passwords?

Yes it is probably a good idea but before you change your password for any individual site you might first want to check:

  1. Was the site affected;
  2. Has the organisation patched its systems;
  3. Have they changed their SSL certificates; and
  4. Have they told you it has been fixed?

It can sometimes be hard to get clear information on this but one site has come up with a decent list of well-known organisations and summarised their position.

What about my University passwords and what is the University doing about this problem?

WebauthWell, for the last week we’ve been assessing the scale of the problem within Oxford and, where possible, applying fixes.  The response from both central IT Services and amongst the many IT support staff across the departments and colleges has been swift and impressive.  The University takes your security and privacy online very seriously.  The good news is that most of the central services that deal with passwords (that we’ve assessed so far anyway) weren’t vulnerable to this attack.  This includes Nexus (email and calendaring), Webauth (used for Single Sign On) and VPN.  However Oxford is a very complex organisation when it comes to IT so let’s not break out the champagne and look smug just yet.  Because some of the backend systems that interact with our main services were running vulnerable versions of OpenSSL it is possible that some credentials may have been exposed.  I ought to stress at this point that we believe the actual risk that any passwords have been exposed on a large scale to be very low.  However wherever we perceive that this has been a possibility then we are making users change their passwords.  I’ve tried to summarise the position on a “per credential-type” basis below:

Single Sign On (SSO)/Oxford passwords

These are the passwords you use for Nexus and for SSO protected resources.  Neither Webauth, Nexus or the Shibboleth service are affected by this vulnerability, nor is the production SMTP service that is used by some for sending mail.  However a test SMTP environment was vulnerable and, although this isn’t used directly to handle any live credentials there is a theoretical attack that could have affected those that use the SMTP service.  There is no evidence this has happened and we think the risk is extremely low.  Nonetheless, if you fall into this category we will be expiring your password and contacting you to ask to you change it as a precaution.

For everyone else then you should change your password if you are concerned at all, or it you use it anywhere else.

Remote Access Passwords

These are the passwords used (mostly) for the VPN service which, again, was not directly vulnerable.  However one of the backend systems that deals with credentials was vulnerable for a limited time period and, if you changed or set a remote access password within that period (approximately the last year), then a successful attack is also theoretically possible. Again, we feel the risk is very low but this  does affect a greater number of users than for SSO passwords. So we will also be expiring those potentially affected passwords and contacting users.

For everyone else – change your password if you are at all concerned and/or if you use the same password elsewhere.

HFS passwords

HFS is the backup service offered by IT Services for staff and postgraduate students. Again the primary service is unaffected by the vulnerability but, similarly to remote access passwords, it is possible passwords could have been exposed via a supporting service.  Again there is little risk that this could be used in any meaningful attack and, as it happens, the HFS service already automatically renegotiates passwords with the client software and so we are considering the merits of making sure this happens sooner than usual.

In other words there is nothing you need to do – affected passwords will be changed automatically and you won’t even notice.

What else?

Of course this only covers central services and the University operates in a very devolved way.  Unfortunately we can’t answer questions about all services offered by departments and colleges so if you want to know more you should ask your department and/or college.

What about other sensitive data?

Indeed this vulnerability does not just affect passwords and the University runs many systems that handle personal data, financial data and other confidential information.  We are continuing to investigate all central services to see whether or not they could have been vulnerable to this bug.  We’ll therefore be reporting further when we have all the information we need.  In the meantime there is no evidence that any of your sensitive or personal information has been placed at risk.

To Summarise

This is clearly a very serious security bug and has had a significant and far reaching effect on service providers all over the Internet.  However the bug has a fix which has already been widely deployed and, whilst we don’t yet know the overall impact, the worst case scenario doesn’t seem to be the most likely outcome.  However we should all take this as an opportunity for improvement in our online security practices and ensure that we take responsibility for our own security and privacy as far as is possible.  Within the University we are taking the vulnerability very seriously which is demonstrated by the fact that we are investigating the potential impact as thoroughly as possible and, where we see any risk to end-users, taking appropriate action.  We will continue to do so along with all of the other activities we carry out to protect your security and privacy online.

Posted in Information Security | Comments Off on Open Heart(bleed) Surgery

Comments are closed.