The Spectrum
Friday, April 26, 2024
The independent student publication of The University at Buffalo, since 1950

'Heartbleed' bug bleeds private user data onto the Internet

Bug exploits loophole in encryption protocols, leaks private data

Wednesday, Chief Information Officer J. Brice Bible sent an email to all students and faculty informing them of "Heartbleed" - an online bug that experts say left up to two-thirds of Internet servers open to potential breach.

Engineers at Google and cyber-security firm Codenomicon detected the bug this week. Heartbleed is the name given to a particular vulnerability in certain web security software. This gap allows anyone privy to the defect to collect user data that would normally be inaccessible.

Bible said there is "no evidence" UB sites were compromised. He prompted students and staff members to be wary and "pay close attention to all your sensitive user accounts."

Jeffrey Murphy, the interim information security officer at UB, said UB passwords and usernames have always been safe from this type of security breach. Some UB websites, like UBLearns, however, were susceptible to the bug gaining access to "snippets" of content without gaining information about the user. As of 5 p.m. yesterday, all central and department systems were reviewed, according to Murphy.

Experts revealed the vulnerability goes back over two years. But it remains unclear how long anyone has been aware of the gap in the most widely used encryption software, OpenSSL.

Most web users know OpenSSL as a closed padlock icon alongside "https" in the address bar of certain websites. The encryption software is used in a wide range of sites, protecting everything from email conversations to credit card numbers. Affected sites include Twitter, Facebook, Gmail and TurboTax, though most major sites are now claiming they have patched the hole in their security.

Although UB usernames and passwords are safe, Murphy urges students to consistently change passwords and check bank and credit card statements. Both recommendations have been repeated widely since the breach became public as general ways to stay safe on the Internet, where threats like this are always present.

Ken Smith, the manager of computer operations, said before a user changes passwords or security information, he or she should make sure the websites have updated their encryption key - otherwise a breach could still potentially occur.

Conflicting reports about the seriousness of the breach have circulated on the Internet. Some experts, like computer security specialist Bruce Schneier, are portraying the security vulnerability as "catastrophic." Others, like Forbes contributor James Lyne, dismiss such claims as hyperbolic. Meanwhile, major sites like Google and Amazon are claiming they have either corrected any security holes or, in the case of the latter, were not impacted.

Likewise, students are split on the seriousness of the bug.

"Internet breaches aren't a very new thing ... so I'm not worried," said Gino Notto, a sophomore computer science major.

Shintaro Matsamoto, a senior computer science major, called this "a serious issue," going on to state he was worried about the breach.

The Heartbleed vulnerability is being corrected by websites patching their security. Websites such as Yahoo! and security experts are urging Internet users to change passwords and remain vigilant of personal data and information, like bank accounts.

Websites like http://filippo.io/Heartbleed/ offer a way to check whether sites are safe.

Sam Fernando, Tress Klassen and Ben Tarhan contributed reporting to this story.

email: news@ubspectrum.com

