310 likes | 798 Views
Heartbleed. What is the Heartbleed bug?. Exploits a vulnerability in OpenSSL software library, used to implement the Transport Layer Security protocol used in web, instant messaging etc. Exposes user’s passwords, cookies and other data to the attacker. Not a virus. Why heartbleed ?.
E N D
What is the Heartbleed bug? • Exploits a vulnerability in OpenSSL software library, used to implement the Transport Layer Security protocol used in web, instant messaging etc. • Exposes user’s passwords, cookies and other data to the attacker. • Not a virus.
Why heartbleed? • The TLS protocol involves establishing a connection (a session) between two entities A and B, like initiating a phone call. • When connection is idle, one entity can ask the other ‘Are you alive? If so, send me the 4-letter word blah.’ • Like checking the heartbeat.
Buffer over-read bug • The extra data that is sent back is fetched from the server’s memory, due to the bug. It could include passwords and private keys. • Like if someone you had called in to fix your plumbing were to look through your closets for information.
When was this bug introduced discovered, and fixed? • Introduced in Dec. 2011, by one of the authors (Seggelmann) of the (open-source) software team. • Discovered on April 1, by Neel Mehta of Google, and Codenomicon. • Fixed right away, but servers have to use the new software.
What data is vulnerable? • Servers carry users’ passwords, cookies, and session keys. • Servers might also yield private SSL keys. Servers have to reissue their SSL certificates.
Which servers are vulnerable? • Anyone using certain versions of OpenSSL • 17% of all servers • Most banks don’t use OpenSSL
What can a user do? • Check websites on tester site to see if vulnerability has been fixed. • Change passwords for those sites.
Did NSA know about this before? April 11, 2014 NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong. From http://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew
Which is true? • Heartbleed is a kind of virus that spreads through machines. • Heartbleed is a weakness in commonly used software that allows peeking into a server’s memory. • Heartbleed is easily fixed by fixing software on servers such as those owned by Amazon.com. • Heartbleed can be stopped by updating your web browser. A: 1, 2, 3, 4 C: 2, 3, 4 B: 2, 3 D: 1, 2, 4
Your worry? A: I don’t care; we all have to go some day! B: I am worried enough to change my passwords, but doubt if I will lose anything. C: I am very worried -- this could be the beginning of bigger stuff.