University of Wisconsin Busy With 'Heartbleed' Patch Jobs; State System Not Vulnerable

Staff at UW-Madison’s Division of Information Technology were busy exposing, tracking and marking potential vulnerability, and that effort has just begun.

by George Hesselberg, McClatchy News Service / April 11, 2014

Heartbleed has caused headaches in the Internet security world, private and public, and the fix is in at UW-Madison, the host of many potential targets.

State computer officials said their systems were not vulnerable, and the security of online filing of income tax forms is not threatened, either.

Staff at UW-Madison’s Division of Information Technology were busy exposing, tracking and marking potential vulnerability Tuesday and Wednesday, and that effort has just begun, said spokesman Brian Rust.

The Heartbleed bug can allow remote attackers to obtain sensitive information from memory, exploiting a security hole to reveal secret keys, usernames and passwords and other data.

The threat means that “anyplace you expect there to be a secure connection” may in fact not be secure, Rust said.

“They were applying patch software to systems campuswide,” he said of the DoIT technicians. Once the patch is applied to open secure socket layer (OpenSSL) software, the systems must be rebooted, then the vulnerability is assessed.

The bug did not affect any of UW-Madison’s major systems, such as course management, personnel and student registration.

“There were a number of servers we determined last night had this vulnerability, so we addressed them this morning and rebooted,” he said.

This was a check for vulnerability, not for the evidence an attack had occurred, he stressed.

“I suppose it is more the equivalent of leaving a door unlocked that someone with malicious intent could enter and take advantage of,” he said, adding that “there is also the mystery in that you may not even know if that had happened.”

A “couple dozen” servers were found to be vulnerable in the central system, he said, but that may be misleading, because there may be more than one potentially vulnerable site on each server. There are numerous servers managed by a variety of departments on campus.

The average user at this time does not need to be concerned about the software patch, but that may change, he said.

“I would maybe wait to make any online purchases,” he advised.

Students, faculty and staff have not been advised to change passwords, he said. “Until or unless there is a known intrusion, the vulnerability is just that.”

The city of Madison was doing similar patching of its systems Wednesday. It notified city employees that email and other systems were expected to be down for about an hour around midday.

At the state Department of Revenue, which is experiencing crunch time from people filing income tax returns online, a department spokeswoman said servers that offer online tax filing were not affected by this vulnerability.

“The Wisconsin Department of Revenue advises taxpayers that they can continue to file their tax returns as they normally would through Wisconsin e-file,” said Jennifer Western, assistant deputy secretary.

Stephanie Marquis, communications director at the Department of Administration, said that statewide “we have not identified any issues related to the Heartbleed bug. ... The version of security software that we are running is not susceptible to this bug. As a precaution, all of the IT security professionals at the agencies are continually monitoring for this bug.”

©2014 The Wisconsin State Journal (Madison, Wis.)