Heartbleed Bug Flaw in Servers and its reverse


My presentation at the Control of Energy, Industrial and Ecological Systems International Symposium, IT Industry Section, in Bankya, Bulgaria.
About the Heartbleed bug flaw in servers and its reverse, its impact on industry, fixing the problem, and security best practices.


Transcript

  • 1. Heartbleed – OpenSSL Client and Server Protocol Vulnerability. M.H. Abdel Akher, Vassil Metodiev. INTERNATIONAL SYMPOSIUM Control of Energy, Industrial and Ecological Systems, Bankya, 8 - 9 May 2014
  • 2. Authors: Mohamed Hisham Abdel Akher, Erasmus student from Helwan University, Egypt; Vassil Metodiev, chief assist. prof. eng., Department of Industrial Automation, University of Chemical Technology and Metallurgy, Sofia, Bulgaria
  • 3. Abstract
    - The Internet has become an important part of everyday personal and business activities, one of the human rights of modern life.
    - Software bugs significantly hurt software reliability and security, causing system failures and security vulnerabilities.
    - This paper examines one of the more popular attack techniques that can be applied to the "heartbleed" vulnerability.
    - The paper also outlines some best practices and secure techniques for staying safe online.
  • 4. Outline
    - Information Security Core Components
    - The need for Encryption
    - TLS/SSL Technical Stuff
    - TLS Heartbeat extension
    - Heartbleed Flaw in Servers
    - OpenSSL Reverse Heartbleed Vulnerability
    - THE HEARTBLEED BUG IMPACT
    - Why fixing the problem is not simple?
    - SECURITY GUIDELINES AND BEST PRACTICES
    - Summary
  • 5. Information Security Core Components
    - Confidentiality
    - Integrity
    - Authentication
    - Access Control
    - Availability
    - Nonrepudiation
  • 6. The need for encryption. The idea of encryption is to make sure the information one sends from his computer to someone else or to another web server is protected and secure. As an Internet-using populace, we are more aware of the importance of keeping private and confidential information "secure". We can think of encryption like a secret language between two people. This language works as a set of encryption keys: the users have a copy of the encryption keys on their computer, and the other end (web application or server) has its own set.
  • 7. TLS/SSL Technical Stuff
    - SSL and TLS are protocols that provide session encryption and integrity for packets sent from one computer to another.
    - They can be used to secure client-to-server or server-to-server network traffic.
    - They also provide authentication of the server to the client and (optionally) of the client to the server through X.509 certificates.
    - TLS is an enhancement of SSL.
  • 8. TLS Heartbeat extension
    - Using the heartbeat extension, two computers make sure the other is still alive by sending data back and forth to each other. The client (user) sends its heartbeat to the server (website), and the server hands it right back.
    - If either of them goes down during the session, the other one will know through the heartbeat mechanism.
  • 9. Heartbleed Bug & OpenSSL
    - "Heartbleed" is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library. It resides in OpenSSL's implementation of the TLS and DTLS (Datagram TLS) heartbeat extension (RFC 6520).
    - The Heartbleed bug specifically impacts version 1.0.1 and the beta versions of 1.0.2.
  • 10. Heartbleed Flaw in Servers
    - When the heartbeat is sent, about 64 kilobytes of the server's short-term memory comes back in the reply; an attacker can grab it, and it can leak sensitive data such as message contents, user credentials, session keys and server private keys.
  • 11. OpenSSL Reverse Heartbleed Vulnerability
    - A malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from the client.
    - In this scenario, the attacker would set up a malicious web server that sends the exploit for the Heartbleed vulnerability to the client.
  • 12. "The real problem is only a dumb coding mistake." Swati Khandelwal.
  • 13. THE HEARTBLEED BUG IMPACT
    - The Heartbleed vulnerability operates without detection, and it is easy to use: large amounts of information can be accessed.
    - The SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities.
    - These certificates are consequently vulnerable to being spoofed through private key disclosure, allowing an attacker to impersonate the affected websites without raising any browser warnings.
  • 14. (Figure slide, no transcript text.)
  • 15. Fixing the Problem is not that simple (Continued)
    - The Heartbleed vulnerability represents the movement from "attacks could happen" to "attacks have happened".
    - Fixing the problem is not that simple, because we were unaware of the bug for over 2 years.
    - We can't go back in time and prevent any person or organization who may have taken advantage of this vulnerability from accessing information not intended for them.
    - A patch that fixes the Heartbleed vulnerability in OpenSSL is already widely available.
  • 16. Fixing the Problem is not that simple
    - The patch itself isn't that difficult to implement, but along with patching the software, some applications need to look at whether or not they need to revoke and reissue various digital certificates.
    - If someone was able to sneak in and grab a site's digital certificate before the site was patched, they could make changes to the certificate or masquerade as another site with a different identity.
    - Organizations have to determine whether to revoke and reissue all certificates via a CA or wait for the current certificates to expire.
  • 17. SECURITY GUIDELINES AND BEST PRACTICES
    - First of all, we can check whether or not a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
    - If we find that the server is vulnerable, we have to patch it. Patching a system today is great, but that can't undo the attacks that may have already happened.
    - After we patch the system, we have to get a new public/private key pair, update the SSL certificate, and then change every password that could potentially be affected. (Bruce Schneier)
  • 18. Summary. There have been and always will be bugs. "Anyone who thinks they have privacy on the internet is a fool." Ira Winkler
  • 19. Questions & Answers
  • 20. Thank you! M.H. Abdel Akher, Erasmus BSc Student, Business Information System Department, Helwan University, Cairo, Egypt. Email: mhabdelakher@gmail.com
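The heartbeat exchange of slides 8 to 10, as an added example that is not from the presentation and not OpenSSL code: a small C simulation of an RFC 6520 heartbeat handler. `heartbeat_reply` builds the response for a request; with `check_length` set it applies the test that a correct implementation performs (the 3-byte header, the claimed payload and the minimum 16 bytes of padding must all fit inside the received record), and with it cleared it trusts the peer-supplied 16-bit `payload_length` field, which is the defect behind CVE-2014-0160. The arena that stands in for "the server's memory", the constructed secret string, and every function name are assumptions of this example; the extra `mem_len` parameter exists only so the simulation never reads outside its own buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenSSL code: a simulation of an RFC 6520 heartbeat handler.
 * Message layout: type (1 byte), payload_length (2 bytes, big-endian), payload, padding (>= 16). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
enum { HB_HEADER = 3, HB_PADDING = 16, ARENA_SIZE = 4096 };

/* Constructed stand-in for whatever else happened to sit in the server's memory. */
static const char SECRET[] = "constructed-secret: session=abc123; Set-Cookie: auth=deadbeef";

/* Build a heartbeat_response for the request stored in mem[0..rec_len).
 * mem_len is the size of the allocation holding the record; it exists only so this
 * simulation can read "past the record" without reading past its own arena (a real
 * server has no such guard). With check_length == 0 the payload_length field is trusted,
 * which is the defect behind CVE-2014-0160; with it set, the request is discarded unless
 * header + claimed payload + minimum padding fits inside the record.
 * Returns the response length, or 0 if the request is discarded. */
size_t heartbeat_reply(const uint8_t *mem, size_t mem_len, size_t rec_len,
                       int check_length, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec_len > mem_len) return 0;
    if (mem[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)mem[1] << 8) | mem[2];   /* peer-controlled field */
    if (check_length && HB_HEADER + payload_len + HB_PADDING > rec_len) return 0;
    if (HB_HEADER + payload_len > mem_len) return 0;        /* simulation guard only */
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + HB_HEADER, mem + HB_HEADER, payload_len); /* over-reads the record when unchecked */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);   /* real TLS uses random padding */
    return resp_len;
}

/* Lay out a fake process arena: a request whose real payload is "hello" but whose
 * payload_length field claims `claimed_len` bytes, followed by copies of SECRET.
 * Returns the true record length. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len)
{
    static const char real_payload[] = "hello";
    size_t real_len = sizeof real_payload - 1;
    size_t rec_len = HB_HEADER + real_len + HB_PADDING;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, real_payload, real_len);
    for (size_t i = rec_len; i + sizeof SECRET <= ARENA_SIZE; i += sizeof SECRET)
        memcpy(arena + i, SECRET, sizeof SECRET);
    return rec_len;
}

/* Number of response payload bytes taken from beyond the record
 * (0 when nothing leaked, also 0 when the request was discarded). */
size_t leaked_bytes(uint16_t claimed_len, int check_length)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE + HB_PADDING];
    size_t rec_len = build_arena(arena, claimed_len);
    size_t n = heartbeat_reply(arena, ARENA_SIZE, rec_len, check_length, out, sizeof out);
    if (n == 0) return 0;
    size_t payload_len = n - HB_HEADER - HB_PADDING;
    size_t available = rec_len - HB_HEADER;                 /* bytes the record really held */
    return payload_len > available ? payload_len - available : 0;
}

/* 1 if the constructed SECRET string appears anywhere in the response, else 0. */
int response_has_secret(uint16_t claimed_len, int check_length)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE + HB_PADDING];
    size_t rec_len = build_arena(arena, claimed_len);
    size_t n = heartbeat_reply(arena, ARENA_SIZE, rec_len, check_length, out, sizeof out);
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("honest request, checked:      leaked %zu bytes\n", leaked_bytes(5, 1));
    printf("claims 1024 bytes, checked:   leaked %zu bytes\n", leaked_bytes(1024, 1));
    printf("claims 1024 bytes, unchecked: leaked %zu bytes, secret visible: %d\n",
           leaked_bytes(1024, 0), response_has_secret(1024, 0));
    return 0;
}
```

The request that claims 1024 bytes while carrying five is what slide 10 describes from the server's point of view: with the length test in place it is silently dropped, without it the reply is filled from whatever followed the record in memory, here 1003 bytes of the constructed secret. The same handler with the roles swapped is the reverse case of slide 11, since a client that echoes heartbeats trusts the field in exactly the same way.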
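The first step of slide 17, checking whether a server runs an affected OpenSSL, as an added example that is not from the presentation: a C function that screens the banner printed by `openssl version`. It flags the series the slides name (1.0.1 and the 1.0.2 betas). The cut-off at the letter `g` relies on the public fact that 1.0.1g was the release that carried the fix; that detail is not on the slides. The function name and the sample banners in `main` are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the presentation or OpenSSL. Screens an `openssl version`
 * banner such as "OpenSSL 1.0.1e 11 Feb 2013". Returns 1 for the affected series
 * (1.0.1 before 1.0.1g, or any 1.0.2 beta), 0 otherwise, -1 if the banner cannot be parsed.
 * 1.0.1g as the fixed release is a public fact assumed here, not stated on the slides. */
int heartbleed_affected_version(const char *banner)
{
    const char *p = strstr(banner, "OpenSSL ");
    p = p ? p + strlen("OpenSSL ") : banner;
    int major, minor, fix, consumed;
    if (sscanf(p, "%d.%d.%d%n", &major, &minor, &fix, &consumed) != 3) return -1;
    p += consumed;
    char letter = (*p >= 'a' && *p <= 'z') ? *p : 0;   /* the 'e' in 1.0.1e; 0 when absent */
    if (major != 1 || minor != 0) return 0;            /* 0.9.8 has no heartbeat code; later branches post-date the fix */
    if (fix == 1) return (letter == 0 || letter < 'g') ? 1 : 0;
    if (fix == 2 && strncmp(p, "-beta", 5) == 0) return 1;  /* every 1.0.2 beta, conservatively, as the slide does */
    return 0;                                               /* 1.0.0 never shipped the heartbeat extension */
}

int main(void)
{
    /* Constructed sample banners. */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], heartbleed_affected_version(samples[i]));
    return 0;
}
```

A result of 1 means "investigate", not "confirmed": distribution packages commonly backport the fix while keeping the upstream version letter, so the package changelog or build date decides, and a result of 0 says nothing about other copies of the library that applications may have linked statically or bundled. The remaining steps on the slide (patch, new key pair, new certificate, password changes) are operational and have no code form.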