Isc2 eastbay chapter_heartbleed_bug
Heartbleed-What you need to know
Published in Technology , Education
Transcript

  • 1. HEARTBLEED VULNERABILITY
    Raj Nagalingam, IT Security Consultant, @rajidentityguru, 05/07/14
  • 2. Heartbleed – What you need to know
    • Massive OpenSSL bug which allows attackers to read the memory of affected systems. Allows access to sensitive info such as certificate private keys, login credentials and other personal data
    • You should change your passwords unless you KNOW the site in question was not vulnerable
    • Even if you change your passwords, you should work with your business partners to ensure that vulnerable servers had their certificates reissued
      – Otherwise you're not much more secure
  • 3. Heartbeats
    • SSL heartbeats are defined in RFC 6520
      – Used for keep-alive messages without the need to renegotiate the SSL session
    • Heartbeat messages can be sent without authenticating with the server
  • 4. Heartbleed – What is it?
    • CVE-2014-0160 describes a flaw in the heartbeat extension to the SSL protocol
    • OpenSSL code accepts a user-supplied length value for the memory to read back, without proper validation
      – Never trust user-supplied input
    • Bug was introduced in March 2012
      – OpenSSL 1.0.1
      – Good news: OpenSSL 1.0.0 is not vulnerable
  • 5. Heartbleed – What sites are affected?
    • Affects any site running specific versions of OpenSSL (1.0.1 through 1.0.1f)
    • 66% of the web uses OpenSSL
    • Sites running older versions of OpenSSL are not vulnerable
  • 6. How to minimize your risk
    • Check your version of OpenSSL and either:
      – 1. Recompile OpenSSL without the heartbeat extension
      – 2. Update to the latest fixed version (1.0.1g)
    • Contact your CA to have the certificate reissued
    • Finally, as a best practice, businesses should reset end-user passwords that may have been visible in a compromised server's memory
  • 7. Resources
    • What the Heartbleed security bug means for you: http://lifehacker.com/what-the-heartbleed-security-bug-means-for-you-1560801201
    • Heartbleed FAQ: http://heartbleed.com
    • How Heartbleed works: http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209
  • 8. QUESTIONS?
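The length check that slide 4 describes as missing, as an added C example written for this page (not OpenSSL's own code): a simplified model of heartbeat record processing in which the peer-supplied payload length is validated against the bytes actually received, as the 1.0.1g fix does, plus a function that computes arithmetically how far the unchecked version would have read past the record. Record layout and the 16-byte minimum padding follow RFC 6520; the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD  16   /* RFC 6520: at least 16 bytes of random padding */

/* Declared payload length: the 16-bit field after the type byte, taken straight off the wire. */
static unsigned int declared_len(const uint8_t *rec) { return (rec[1] << 8) | rec[2]; }

/* Validate a heartbeat record (type || length || payload || padding) the way
 * OpenSSL 1.0.1g does: the declared length must fit inside the bytes that
 * actually arrived (rec_len). Returns the payload length to echo, or -1 when
 * the record must be silently discarded. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    unsigned int payload = declared_len(rec);
    /* The check that 1.0.1 through 1.0.1f did not perform */
    if (1 + 2 + payload + HB_MIN_PAD > rec_len)
        return -1;
    return (int)payload;
}

/* Echo exactly the validated payload back. Returns the response size, or -1. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0 || 3 + (size_t)payload + HB_MIN_PAD > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, (size_t)payload);   /* bounded by the check above */
    memset(out + 3 + payload, 0, HB_MIN_PAD);    /* zero stands in for random padding */
    return 3 + payload + HB_MIN_PAD;
}

/* Bytes the unfixed code would have copied from beyond the record: it trusted
 * the declared length, so the excess came from adjacent process memory.
 * Computed arithmetically here; nothing is over-read. */
size_t vulnerable_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t declared = declared_len(rec), available = rec_len - 3;
    return declared > available ? declared - available : 0;
}
```

A record that carries 4 payload bytes but declares 65535 is discarded by the fixed path, while the arithmetic shows the unchecked path would have copied 65515 bytes it never received.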