chief information security officer

Photo Credit: Connor Murphy | Daily Texan Staff

While a flaw in an online security protocol has threatened the safety of passwords and other sensitive information on the Internet, it should not significantly impact the University, according to Cam Beasley, the University’s chief information security officer.

The flaw, nicknamed the “Heartbleed bug,” affects OpenSSL, which is a secure connection many websites use to communicate sensitive information such as passwords and credit card numbers. The flaw is believed to have been written by a German programmer in March 2012 and was discovered by researchers from Finland and from Google.

Dubbed one of the biggest Internet security flaws in history, Bloomberg reported the bug affects over two-thirds of all Internet websites. The bug could also affects smartphones, routers and other systems that employ OpenSSL.

Beasley said Heartbleed’s impact on the University is minimal, though he did confirm OpenSSL is used in UT information systems.

“[There is] no real risk to students using central IT services, but it is possible that various Internet services they use could have experienced some exposure depending on if they were vulnerable and how long they took to patch systems,” Beasley said. “Several systems were patched once the update became available, but no critical services were exposed.” 

Classical archaeology senior Beth Rozacky said, though the flaw is worrying for some people, she feels the information that could be potentially leaked is already more available to hackers than most people realize.

“My personal information is already out there because of the organizations I’m in, so, if someone wanted to find something, it would be pretty easy,” Rozacky said.

On Friday, the Obama administration denied that the National Security Agency, or other parts of the federal government, had known about the Heartbleed bug after Bloomberg reported the NSA had been withholding information about the flaw in order to pool valuable data for themselves.

“[The] NSA was not aware of the recently identified vulnerability in OpenSSL — the so-called Heartbleed vulnerability — until it was made public in a private-sector cybersecurity report,” said NSA spokeswoman Vanee Vines in a statement issued Friday.

Security researchers said the bug allows for data to be accessed in increments of only 64 kilobytes, making it less ideal for wide-scale espionage.

Engineering assistant professor Mohit Tiwari said the harm caused by the bug is apparent but difficult to assess.

“The Heartbleed bug does indeed have very bad consequences for systems that used the buggy version of OpenSSL,” Tiwari said. “There is really no way, however, to measure the extent of the damage since most system logs will have no record of this bug being exploited.”

Tiwari and Beasley both recommended students change their passwords frequently regardless of the risk posed by the bug. According to Tiwari, research into automatically analyzing large systems for such bugs should receive a big boost due to the bug’s discovery. Rozacky said she hopes the research will provide more information for the public.

“I think people should have been aware of the dangers of hacking before things like Heartbleed happened,” Rozacky said.

Photo Credit: Aaron Rodriguez | Daily Texan Staff

The number of cyber attacks targeted at the University’s resources has been steadily increasing over the past few years, in keeping with a national trend, according to Cam Beasley, Information Technology Services’ chief information security officer.

“More targeted attacks against high-value research labs and researchers have likely been one of the biggest growth areas [in terms of attempted security breaches],” Beasley said.

Millions of attempts are directed daily at the campus network, which contains more than 120,000 devices, Beasley said. 

More than 185 ITS units on campus work to keep hackers out of the systems. 

“These teams focus on managing and patching systems, maintaining strong local firewalls, identifying and protecting sensitive data and responding to our incident notifications,” Beasley said.

Beasely said the fight to secure campus defenses against hackers is an ever-evolving arms race.

“The bad guys are constantly modifying their attacks to target information that has financial value,” Beasley said. “They are generally in the business of profiting from their victims one way or another, and the good guys are trying to strengthen and mature their toolsets so that they can proactively defend the campus.”

Matt Dodson, a computer science and mechanical engineering senior, said he sees cyber security playing a bigger role in society. 

“We’re transitioning more and more data to online forms every year: bank payments, job applications, private communications, and we want all of these things to stay safe and secure,” Dodson said.

As cyber security becomes a more prevalent issue, the Information Security Office has worked closely with student organizations, including the Institute of Electrical and Electronics Engineers Communication Society, Beasley said. 

Electrical engineering junior Richard Penshorn, the corporate officer for the society, said members learn hacking techniques and attack mitigation. Penshorn said anyone who uses technology should be aware of risks inherent in cyber security.

“In reality, every day should be a reminder that modern society [relies] on technology,” Penshorn said. “It is that technology which possesses the greatest risk to our privacy, modern living and security.”

With the growing number of privacy concerns, ITS has resources online for students looking to further protect their identity, Beasely said. 

“In an age where individuals freely offer up their personal information to the greater internet community, it is important for folks to understand that there is an intrinsic value to the various forms of one’s online identity,” Beasley said. “Ultimately, vigilance is key to protecting oneself and you can practice it without becoming a conspiracy theorist.”