Heartbleed


todd


Presentation Transcript


  1. Heartbleed

  2. What is the Heartbleed bug?
  • Exploits a vulnerability in the OpenSSL software library, which is used to implement the Transport Layer Security protocol used on the web, in instant messaging, etc.
  • Exposes users' passwords, cookies and other data to the attacker.
  • Not a virus.

  3. Why "heartbleed"?
  • The TLS protocol involves establishing a connection (a session) between two entities A and B, like initiating a phone call.
  • When the connection is idle, one entity can ask the other: 'Are you alive? If so, send me the 4-letter word blah.'
  • Like checking the heartbeat.

  4. Buffer over-read bug
  • A request can claim to carry a longer word than it actually sends; due to the bug, the server sends back that many bytes, and the extra data is fetched from the server's memory. It could include passwords and private keys.
  • Like if someone you had called in to fix your plumbing were to look through your closets for information.
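Slide 4 describes the over-read in words only. The C model below is an added example, not part of the slide deck and not OpenSSL's source: it uses the heartbeat message layout from RFC 6520 (type, two-byte payload length, payload, padding), a constructed block of "server memory" with a made-up secret placed right behind the received request, one responder that trusts the length field the way the buggy code did, and one responder with the length-versus-record check that the fix added. All names (respond_vulnerable, respond_fixed, run_scenario, the SECRET string) are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the TLS heartbeat extension (RFC 6520). Added illustration,
 * not OpenSSL code; the memory layout and the secret are constructed.
 * Message layout: type(1) | payload_length(2, big-endian) | payload | padding(16). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEMORY_SIZE  128
#define REPLY_CAP    128

/* Simulated process memory: the received record sits at the front and a
 * constructed secret happens to live right behind it, the way other
 * connections' data can neighbour a request buffer in a real server. */
static uint8_t server_memory[MEMORY_SIZE];
static const char SECRET[] = "session_key=abc123";   /* constructed value */

/* Copy a received record into the model memory, followed by the secret. */
static void receive_record(const uint8_t *record, size_t record_len) {
    memset(server_memory, 0, sizeof server_memory);
    memcpy(server_memory, record, record_len);
    memcpy(server_memory + record_len, SECRET, sizeof SECRET);
}

/* Shared reply construction once a payload length has been decided on. */
static int write_reply(uint8_t *reply, const uint8_t *p, uint16_t len) {
    reply[0] = HB_RESPONSE;
    reply[1] = p[1];
    reply[2] = p[2];
    memcpy(reply + 3, p + 3, len);          /* copies len bytes from the payload start */
    memset(reply + 3 + len, 0, HB_PADDING);
    return 3 + len + HB_PADDING;
}

/* Buggy responder: trusts the length field inside the message and never
 * compares it with how many bytes actually arrived. Returns reply length or -1. */
int respond_vulnerable(size_t record_len, uint8_t *reply) {
    (void)record_len;                       /* the bug: the real record length is ignored */
    const uint8_t *p = server_memory;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)3 + claimed > MEMORY_SIZE || (size_t)3 + claimed + HB_PADDING > REPLY_CAP)
        return -1;                          /* only keeps the toy model itself in bounds */
    return write_reply(reply, p, claimed);  /* reads past the real payload into the secret */
}

/* Fixed responder: header + claimed payload + padding must fit inside the
 * record that was actually received; otherwise the request is dropped. */
int respond_fixed(size_t record_len, uint8_t *reply) {
    const uint8_t *p = server_memory;
    if (record_len < 3 || p[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)3 + claimed + HB_PADDING > record_len) return -1;   /* the missing check */
    if ((size_t)3 + claimed + HB_PADDING > REPLY_CAP) return -1;
    return write_reply(reply, p, claimed);
}

/* Build a request whose length field claims `claimed` bytes while the record
 * really carries `actual` payload bytes. Returns the record length. */
size_t build_request(uint8_t *out, uint16_t claimed, const char *payload, size_t actual) {
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memcpy(out + 3, payload, actual);
    memset(out + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* 1 if the reply bytes contain the secret, 0 otherwise (or if dropped). */
int reply_leaks_secret(const uint8_t *reply, int reply_len) {
    size_t n = strlen(SECRET);
    if (reply_len < 0) return 0;
    for (size_t i = 0; i + n <= (size_t)reply_len; i++)
        if (memcmp(reply + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Run one request through the chosen responder. Returns the reply length
 * (-1 when dropped); if `leaked` is non-NULL, stores the leak verdict there. */
int run_scenario(int use_fixed, uint16_t claimed, const char *payload, int *leaked) {
    uint8_t record[MEMORY_SIZE], reply[REPLY_CAP];
    size_t record_len = build_request(record, claimed, payload, strlen(payload));
    receive_record(record, record_len);
    int n = use_fixed ? respond_fixed(record_len, reply) : respond_vulnerable(record_len, reply);
    if (leaked) *leaked = reply_leaks_secret(reply, n);
    return n;
}

/* Convenience wrapper returning only the leak verdict. */
int scenario_leaks(int use_fixed, uint16_t claimed, const char *payload) {
    int leaked;
    run_scenario(use_fixed, claimed, payload, &leaked);
    return leaked;
}

int main(void) {
    printf("vulnerable, honest 4-byte request : leaked=%d\n", scenario_leaks(0, 4, "blah"));
    printf("vulnerable, length field says 64  : leaked=%d\n", scenario_leaks(0, 64, "blah"));
    printf("fixed, length field says 64       : leaked=%d\n", scenario_leaks(1, 64, "blah"));
    return 0;
}
```

The honest request asks for the 4-letter word and gets exactly that back from both responders. With the length field set to 64, the buggy responder copies 64 bytes starting at the payload and the constructed secret sitting behind the request comes back with it; the fixed responder notices that 3 + 64 + 16 bytes do not fit inside the 23-byte record it actually received and drops the request, which is the same shape of check OpenSSL's patch added.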

  5. When was this bug introduced, discovered, and fixed?
  • Introduced in Dec. 2011, by one of the authors (Seggelmann) of the (open-source) software team.
  • Discovered on April 1, by Neel Mehta of Google, and by Codenomicon.
  • Fixed right away, but servers have to use the new software.

  6. What data is vulnerable?
  • Servers carry users' passwords, cookies, and session keys.
  • Servers might also yield private SSL keys. Servers have to reissue their SSL certificates.

  7. Which servers are vulnerable?
  • Anyone using certain versions of OpenSSL
  • 17% of all servers
  • Most banks don't use OpenSSL

  8. What can a user do?
  • Check websites on a tester site to see if the vulnerability has been fixed.
  • Change passwords for those sites.

  9. Did the NSA know about this before?
  April 11, 2014: "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong."
  From http://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew

  10. Which is true?
  1. Heartbleed is a kind of virus that spreads through machines.
  2. Heartbleed is a weakness in commonly used software that allows peeking into a server's memory.
  3. Heartbleed is easily fixed by fixing software on servers such as those owned by Amazon.com.
  4. Heartbleed can be stopped by updating your web browser.
  A: 1, 2, 3, 4
  B: 2, 3
  C: 2, 3, 4
  D: 1, 2, 4

  11. Your worry?
  A: I don't care; we all have to go some day!
  B: I am worried enough to change my passwords, but doubt if I will lose anything.
  C: I am very worried -- this could be the beginning of bigger stuff.