
HeartBleed Bug



  1. HeartBleed Bug By: Kegan Storjohann

  2. What is the HeartBleed? • HeartBleed is a bug in the OpenSSL library that exposes a serious vulnerability. • It allows attackers to read information that is otherwise protected by SSL/TLS encryption. • It abuses the Heartbeat extension to read the memory of a system without leaving a trace. • This bug was independently discovered by a team of security engineers at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team in April 2014.

  3. How OpenSSL Works • OpenSSL is used to encrypt secure information being transferred from one computer to another. • It is also used to verify that you are talking to the correct server. • Websites that begin with “HTTPS” use OpenSSL to encrypt their data.

  4. How OpenSSL Works: 5-Step Process • The computers agree on how to encrypt data, i.e. which ciphers to use. • The server sends a certificate verifying that it is the proper server and who it belongs to. • The user’s computer says “I’m ready to encrypt.” • The server says “I’m ready to encrypt.” • Files/data are then encrypted and transferred between the two.

  5. Where the Heartbeat plays a role • During an SSL/TLS session, if no data is being passed or there is a pause, the session would otherwise terminate. The Heartbeat sends a small request that basically asks whether the other computer is still there; the other computer echoes it back, keeping the session open. • An attacker using HeartBleed abuses this request by lying about the payload size: instead of returning a response the size of the real payload (as small as 1 byte), the computer responds with as many bytes as the forged size claims, filled with whatever is stored in its OpenSSL memory. • Your computer thinks this is a friendly Heartbeat, so it responds and the attacker gets away without a trace.

  6. What can be taken? • Anything using the vulnerable version of OpenSSL can fall victim to this bug. • The private keys of secure websites, which are used to encrypt traffic throughout the website, can be accessed. • Usernames and passwords • Credit card numbers • Emails • Anything stored within your OpenSSL memory

  7. The Response • A fixed OpenSSL version has been released that verifies the claimed payload length against the received message and will not respond if they don’t match. • Major companies such as Google, Facebook, and Microsoft are funding a new project called the Core Infrastructure Initiative, formed to put money into the critical software infrastructure that needs it. • Each company funding this project has agreed to donate at least $100,000 a year towards fixing current web problems, and they hope to stop the next “HeartBleed” before it happens. • This vulnerability opened the eyes of these big technology companies to the overall safety of the Internet, and now they are running security checks on much more than just OpenSSL.
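The following Python simulation is an added example, not part of the original presentation and not OpenSSL's own code. It models slides 5 and 7: a heartbeat message is a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding. `respond_unchecked` trusts the claimed length and copies that many bytes from a constructed in-memory buffer, so a forged length reads past the real message into neighbouring data; `respond_checked` applies the same arithmetic the OpenSSL 1.0.1g fix added (`1 + 2 + payload + 16` must fit inside the received record) and silently drops anything that does not fit. The `memory` buffer, the secret string and the function names are assumptions made for the demonstration.

```python
import struct
from typing import Optional

# Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a test lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def _response(payload_length: int, echoed: bytes) -> bytes:
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + echoed + b"\x00" * MIN_PADDING


def respond_unchecked(record: bytes, memory: bytes) -> bytes:
    """Simulated pre-fix behaviour: the claimed length is trusted, and the copy starts at
    the payload inside `memory` (a constructed buffer whose first bytes are the record
    itself) and runs for payload_length bytes, past the end of the real message."""
    payload_length = struct.unpack("!H", record[1:3])[0]
    echoed = memory[3:3 + payload_length]
    return _response(payload_length, echoed)


def respond_checked(record: bytes, memory: bytes) -> Optional[bytes]:
    """Fixed behaviour: mirror the bounds checks added in OpenSSL 1.0.1g. If the header
    plus claimed payload plus minimum padding does not fit in what was actually
    received, the message is discarded and nothing is sent back."""
    if 1 + 2 + MIN_PADDING > len(record):
        return None                      # too short to even hold a header and padding
    if record[0] != HEARTBEAT_REQUEST:
        return None
    payload_length = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None                      # claimed payload is larger than the message
    echoed = memory[3:3 + payload_length]
    return _response(payload_length, echoed)


def demo():
    """Constructed sample: the incoming record sits in memory right before other data
    the process holds (here a fake session token). Returns (honest reply, leak, refusal)."""
    secret = b"CONSTRUCTED-SECRET-session=abc123"
    honest = build_heartbeat_request(b"ping")
    honest_reply = respond_checked(honest, honest + secret)
    lying = build_heartbeat_request(b"ping", claimed_length=40)
    leak = respond_unchecked(lying, lying + secret)
    refusal = respond_checked(lying, lying + secret)
    return honest_reply, leak, refusal


if __name__ == "__main__":
    ok, leaked, refused = demo()
    print("honest request echoed:", ok[3:7])
    print("unchecked reply contains secret:", b"CONSTRUCTED-SECRET" in leaked)
    print("checked handler reply to forged length:", refused)
```

The honest request (a 4-byte payload) passes both checks and is echoed back; the forged request claims 40 bytes inside a 23-byte message, so the unchecked handler returns 40 bytes that include the neighbouring secret, while the checked handler returns nothing at all, which is exactly the "will not respond if it doesn't match" behaviour of the fixed release.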

  8. Internet Safety Precautions • Change passwords regularly, every couple of months • Avoid easy words for passwords; try to mix numbers and letters • Update firewalls and anti-virus systems regularly • Avoid reusing the same password as your social networking sites • Check whether a website is secure: “HTTPS” before the URL indicates it’s encrypting secure information • Avoid using public computers for private or secure transactions
