Page 186

Security Guide: Anatomy of a Heartbleed
Instagram, Pinterest, Tumblr, Google, Yahoo!, Flickr, Etsy, YouTube, Dropbox, and Wikipedia. This is not a comprehensive list. If you haven't changed your passwords after April 7, 2014, you should.

If that sounds bad, hold on, it gets worse. Those are just vulnerable Web servers. What about other servers (i.e., email, Web, IM, etc.), software, hardware, and embedded systems? Gmail and Yahoo! Mail made the list. Siemens issued updates for some of its hardware that controls factory systems. Some cell phones running Android needed to be updated, as well as Apple's AirPort Time Capsule and AirPort Extreme appliances.[43] The list goes on and on.

Why Didn't I Know About This?

Surprisingly, the reaction to the Heartbleed vulnerability outside the tech industry was tepid. The Pew Research Center found that during the peak of the Heartbleed scare about 60 percent of American adults had heard of Heartbleed. However, only 40 percent had taken steps to secure their accounts by changing their passwords.[44] Even more worrisome, 74 percent of the world's largest 2,000 companies were still vulnerable a year after Heartbleed became widely known.[45]

Suppose you didn't change your passwords. What would happen if just one company lost your login information? Do you reuse your passwords at multiple sites or systems? Is it possible that hackers know about password reuse? The combination of a widespread vulnerability like Heartbleed and users reusing their passwords at multiple sites is concerning.

The Heartbleed vulnerability reminds us just how pervasive, important, and potentially vulnerable computing has become. We are constantly interacting with hardware and software. Information systems are also becoming interconnected at a dizzying rate. Could a future vulnerability similar to Heartbleed cause widespread data loss . . . across the globe? Time will tell.
Discussion Questions

1. Do you use the same password for multiple Web sites? How could data loss at one Web site affect the security of other Web sites?

2. Is checking a Web site for the Heartbleed vulnerability illegal? Why?

3. Do you use any of the Web sites listed by Mashable? Did you change your passwords on those systems? Why or why not?

4. The person who wrote the portion of OpenSSL code containing the Heartbleed vulnerability said the error slipped through because there weren't enough eyes looking at the code for possible errors. Because OpenSSL is open source, could a shortage of paid code checkers mean there might be more errors like Heartbleed? Why?

5. If a hardware or software maker finds a vulnerability in one of its products, how should it respond? Does it have a legal responsibility to warn its users? Does it have an ethical responsibility to do so? Why or why not?

6. Could state-sponsored organizations exploit vulnerabilities as part of a cyber-war campaign or an information-gathering operation? Would this be ethical?