What happens when someone has access to all of your online accounts – Twitter, Gmail, Facebook, your personal bank – and can read your most private messages and information?
On April 1, a serious vulnerability was reported in the OpenSSL cryptographic software library. The Heartbleed Bug (CVE-2014-0160), discovered by a member of the Google security team, lets an attacker read up to 64 KB of a vulnerable server's memory per request, potentially exposing passwords, session cookies and private keys, and the exchange leaves no trace in normal server logs.
OpenSSL has been the most widely used implementation of SSL/TLS since its creation in 1998, securing web traffic, email, instant messaging and much of the rest of the Internet.
“OpenSSL is popular because it is an open source software and people don’t have to pay for it,” Jinyuan Stella Sun, assistant professor in computer science and electrical engineering and expert on the Heartbleed Bug, said. “A lot of big websites like Amazon and Tumblr, they all used it.”
Connections using OpenSSL can be kept alive by the TLS Heartbeat Extension, a simple keep-alive exchange that saves the two machines from having to reconnect.
One machine sends a heartbeat request containing a few bytes of payload and a field stating how long that payload is; the other side is supposed to echo the payload back. The Heartbleed Bug is a missing bounds check in OpenSSL's handling of that request: the server trusted the stated length without comparing it to the number of bytes that actually arrived, so a request claiming a 64 KB payload while sending only a few bytes got those few bytes back plus whatever happened to follow them in the server's memory. Nothing is broken into and nothing is logged; the attacker simply asks, and the server answers.
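The following is an added example, not code from the article or from OpenSSL itself. It simulates the heartbeat handler in a small fixed buffer standing in for server memory: the received record sits at the start, and a constructed secret (a made-up NetID and password, assumed for the example) sits a little further along. The `patched` flag switches on the bounds check that OpenSSL 1.0.1g added. The simulated memory is capped at 256 bytes so the over-read stays inside the buffer; a real server would return up to 65,535 bytes per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, PADDING = 16, MEM_SIZE = 256 };

/* Constructed for this example: data left in server memory by earlier
 * requests, which the heartbeat peer must never receive. */
static const char SECRET[] = "NetID=jdoe password=hunter2";

/* Lay out a simulated server process memory: the received heartbeat
 * record at offset 0, the leftover secret at offset 64. Returns the
 * number of bytes that really arrived on the wire. */
static size_t build_memory(unsigned char *mem, uint16_t claimed_len,
                           const char *payload)
{
    size_t plen = strlen(payload);
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;                          /* HeartbeatMessageType   */
    mem[1] = (unsigned char)(claimed_len >> 8);   /* payload_length, 16-bit */
    mem[2] = (unsigned char)(claimed_len & 0xff); /* big-endian             */
    memcpy(mem + 3, payload, plen);               /* bytes actually sent    */
    /* 16 bytes of padding follow the payload; left as zeros here */
    memcpy(mem + 64, SECRET, sizeof SECRET);
    return 3 + plen + PADDING;
}

/* Mirrors the logic of OpenSSL's heartbeat handler. Versions 1.0.1 through
 * 1.0.1f copied `payload` bytes without checking the claim against the
 * record length; 1.0.1g added the check that `patched` enables here.
 * Returns the response length, or -1 when the record is discarded. */
int handle_heartbeat(const unsigned char *mem, size_t record_len,
                     unsigned char *out, int patched)
{
    const unsigned char *p = mem;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;

    if (hbtype != HB_REQUEST)
        return -1;
    /* The fix: type(1) + length(2) + payload + padding must fit in the record. */
    if (patched && (size_t)1 + 2 + payload + PADDING > record_len)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);   /* unpatched: reads past the record */
    memset(out + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

static int contains(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Send a heartbeat carrying the 5-byte payload "hello" but claiming
 * `claimed_len` bytes. Returns 1 if the response contains the secret,
 * 0 if it does not, -1 if the server discarded the request. */
int heartbeat_leaks_secret(uint16_t claimed_len, int patched)
{
    unsigned char mem[MEM_SIZE];
    unsigned char out[3 + MEM_SIZE + PADDING];
    size_t record_len;
    int n;

    if (claimed_len > MEM_SIZE - 3)   /* keep the simulated over-read inside mem */
        return -1;
    record_len = build_memory(mem, claimed_len, "hello");
    n = handle_heartbeat(mem, record_len, out, patched);
    if (n < 0)
        return -1;
    return contains(out + 3, (size_t)n - 3, SECRET);
}

int main(void)
{
    printf("honest request, unpatched server: %d\n", heartbeat_leaks_secret(5, 0));
    printf("lying request,  unpatched server: %d\n", heartbeat_leaks_secret(200, 0));
    printf("lying request,  patched server:   %d\n", heartbeat_leaks_secret(200, 1));
    return 0;
}
```

An honest request gets its own payload back on either server. A request that claims 200 bytes but sends 5 gets the secret back from the unpatched handler, while the patched handler silently discards it, which is exactly why the fix is a one-line check and why the attack leaves nothing behind to detect.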
“The Heartbleed vulnerability allows a hacker to connect to a web server and harvest sensitive information, which may include your login and password,” Bob Hillhouse, chief information security officer for the Office of Information Technology, said. “If that happens, the hacker could use that information to log into any of your accounts using the same username and password.”
Many programs, from mobile apps to services such as Gmail, use OpenSSL, so OIT has been scanning for the vulnerability every day since the announcement, notifying users and patching affected devices, Hillhouse said.
Critical systems such as Banner, Blackboard and the MyUTK portal were not at risk during the roughly two years the Heartbleed Bug went undetected, Hillhouse said.
“This thing’s been out there in the wild, so to speak, for two years,” he said. “So the worst case scenario at UT would be a server was affected and was being monitored by a hacker. Your NetID and password would be visible to that hacker, and they could use your password to access your information.”
According to Sun, the Heartbleed Bug was a simple flaw that could have been prevented with more care when the OpenSSL code was written and reviewed. Instead, the vulnerable code shipped and remained in use for two years.
“This wasn’t a difficult thing to detect if someone had reviewed the OpenSSL library closely,” Sun said. “It’s also not difficult to fix.”
On April 7, the OpenSSL project released version 1.0.1g, which adds the missing bounds check and closes the Heartbleed vulnerability. Now it is up to everyone running a vulnerable OpenSSL to update, and patching alone is not the end of it: anything that passed through an exposed server's memory, including its private key, may have been read, so operators should also replace keys and certificates and expire active sessions before asking users to change passwords.
UT’s current security depends on the speed of the network updates, Kevin Nolan, senior in computer science and jazz studies, said.
“It all depends on how proactive UT’s network administrators have been in keeping their software up to date,” Nolan said. “But as with any large-scale system, deploying major updates takes time, which is one of the main concerns with the Heartbleed Bug – that networks will be exploited before they have time to update.”
For now, Sun recommends that individual users change their passwords to protect sensitive data that might have been impacted by the Heartbleed Bug.
“Everybody hates passwords and everybody wants to create passwords that can be easily remembered,” Sun said. “But those passwords are typically pretty weak. Changing a password doesn’t take long, and it’s worth it in the end.”
Precautions to take:
Change your password on websites that you know were vulnerable to the Heartbleed Bug and have since patched it. Do not change it on a site that is still vulnerable; the new password could be leaked just as easily as the old one.
Use strong, hard-to-guess passwords.
Use a separate, unique password for each online account. That way, if one website is compromised, your other accounts stay safe.
Using a password manager can help keep track of all of your passwords.
Avoid letting your web browser automatically log you into accounts.
Call the OIT HelpDesk at (865) 974-9900 if you have any questions or problems.