ECE computer engineering student creates checker to fight Heartbleed Bug
The cyber-world was terrorized last month with the surfacing of the Heartbleed Bug, and though a fix for the bug was released, many people were impacted. Fortunately, a graduate student in the Computer Engineering and Systems Group in the Department of Electrical and Computer Engineering at Texas A&M University developed a checker to help those that were potentially affected.
Allen Webb, who is pursuing a Ph.D. in computer engineering at Texas A&M, created the checker that can successfully unearth the hidden bug.
Many sites with servers using previous versions of OpenSSL cryptographic software were extremely vulnerable to hackers. More than likely, this involved at least one destination for every internet user. There was a serious flaw within the library that allowed for hackers to potentially recover log-in information through vulnerable users. Through the vulnerability a person’s bank account, email or any online information that was sent or received to a particular server would be exposed. People can use Allen’s checker to see if they were infected by the bug before the fix was developed.
While vulnerability doesn’t guarantee a loss of information, “it is more like throwing away poorly shredded sensitive documents,” Webb said. “Someone could collect the shredded paper, put it back together and recover sensitive data from it.”
Webb, who focuses his research in mobile device security, sums up the vulnerability. “This particular vulnerability has the potential to affect a very large number of people,” he said. “It is relatively easy to exploit so there is a need for people to act quickly to update affected machines.”
The bug affected numerous major companies including Google, Yahoo, Facebook, Amazon and Flickr. This put the vast majority of internet users at risk, and damage control was needed. Webb developed this checker with the intentions of aiding system administrators in determining what systems need updating, and to help people who are concerned about this problem understand what is and isn’t vulnerable.
Webb’s checker would verify whether or not particular information was at risk of being seen by hackers.
“My checker allows someone to connect with an HTTPS client such as a web browser to check if that software is vulnerable,” he said. “The vulnerability is seen when processes that use the old OpenSSL shared library are initiated.“
Webb has a Masters degree in computer engineering from the University of Texas at Dallas, and is working on his Ph.D. under the advisement of Dr. Narasimha Reddy. He was awarded the Delbert Whitaker Fellowship in the fall of 2012. Webb works to increase the security of mobile devices and smartphones. He also has worked with Flowgrammable in the 2013 Open Networking Foundation Competition.
The checker can be found here: http://cesg.tamu.edu/openssl-heartbleed-check/.