Page 183 - Using MIS

of data from its own memory containing confidential data. Then it sends it back to the client. This process can be done many times and leaves no record that it ever occurred.

Who’s at Risk?

The short answer is nearly everyone. Mashable posted a short list of some of the more well-known Web sites that were vulnerable to the Heartbleed vulnerability.[38] This list included Instagram, Pinterest, Tumblr, Google, Yahoo!, Flickr, Etsy, YouTube, Dropbox, and Wikipedia. This is not a comprehensive list. If you haven’t changed your passwords after April 7, 2014, you should.

If that sounds bad, hold on, it gets worse. Those are just vulnerable Web servers. What about other servers (i.e., email, Web, IM, etc.), software, hardware, and embedded systems? Gmail and Yahoo! Mail made the list. Siemens issued updates for some of its hardware that controls factory systems. Some cell phones running Android needed to be updated as well as Apple’s AirPort Time Capsule and AirPort Extreme appliances.[39] The list goes on and on.

Why Didn’t I Know About This?

Surprisingly, the reaction to the Heartbleed vulnerability outside the tech industry was tepid. The Pew Research Center found that during the peak of the Heartbleed scare about 60 percent of American adults had heard of Heartbleed. However, only 40 percent had taken steps to secure their accounts by changing their passwords.[40]

Suppose you didn’t change your passwords. What would happen if just one company lost your login information? Do you reuse your passwords at multiple sites or systems? Is it possible that hackers know about password reuse? The combination of a widespread vulnerability like Heartbleed and users reusing their password at multiple sites is concerning.

The Heartbleed vulnerability reminds us just how pervasive, important, and potentially vulnerable computing has become. We are constantly interacting with hardware and software. Information systems are also becoming interconnected at a dizzying rate. Could a future vulnerability similar to Heartbleed cause widespread data loss . . . across the globe? Time will tell.









Discussion Questions

1. Do you use the same password for multiple Web sites? How could data loss at one Web site affect the security of other Web sites?
2. Is checking a Web site for the Heartbleed vulnerability illegal? Why?
3. Do you use any of the Web sites listed by Mashable? Did you change your passwords on those systems? Why or why not?
4. The person who wrote the portion of OpenSSL code containing the Heartbleed vulnerability said the error slipped through because there weren’t enough eyes looking at the code for possible errors. Because OpenSSL is open source, could a shortage of paid code checkers mean there might be more errors like Heartbleed? Why?
5. If a hardware or software maker finds a vulnerability in one of its products, how should it respond? Does it have a legal responsibility to warn its users? Does it have an ethical responsibility to do so? Why or why not?
6. Could state-sponsored organizations exploit vulnerabilities as part of a cyber-war campaign or an information-gathering operation? Would this be ethical?





[38] Mashable Team, “The Heartbleed Hit List: The Passwords You Need to Change Right Now,” April 9, 2014, accessed May 9, 2014, http://mashable.com/2014/04/09/heartbleed-bug-websites-affected.
[39] Shaun Nichols, “Apple Stabs Heartbleed Bug in AirPort Extreme, Time Capsule Gear,” The Register, April 24, 2014, accessed May 9, 2014, www.theregister.co.uk/2014/04/24/apple_posts_updates_for_heartbleed_flaw_in_airport.
[40] Pew Research Center, “Heartbleed’s Impact,” April 30, 2014, accessed May 9, 2014, http://www.pewinternet.org/files/2014/04/PIP_Heartbleed-impact_043014.pdf.