SHIVA SAGAR B
12CO83
HEARTBLEED
a review
Heartbleed
• Heartbleed is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension. It allows an attacker to read portions of the affected server's memory, potentially revealing user data that the server never intended to reveal.
• In other words, it is data leakage in a Heartbeat protocol implementation, specifically the OpenSSL implementation of the protocol.
• The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team.
Let’s Start with the Internet
• Encryption is the backbone of Internet security. It protects users' data, passwords and transaction details from attackers.
• One of the best-known and most widely used protocols for encryption over the Internet is HTTPS. HTTPS is simply HTTP over SSL/TLS.
• The OpenSSL library provides an implementation of cryptographic protocols such as SSL and TLS. It is open-source software written in the C programming language.
Common Internet Layer Protocols
The Heartbeat Protocol
• The Heartbeat protocol runs on top of the TLS Record Layer and keeps the connection between two peers alive by requiring them to exchange a “heartbeat”.
• It negotiates and monitors the availability of a resource.
• It was introduced in 2012 by RFC 6520.
• It is platform independent and device-scale independent.
• It generates a signal that indicates normal operation or synchronizes other parts of a system.
Usage of Heartbeat Protocol
• Is the device on the other end up?
• The device could be a server or a client.
• Used to maintain active login sessions and website security certifications.
• Social networks, e-commerce, e-governance, Internet banking.
• The heartbeat extension was introduced because the then-current TLS/DTLS renegotiation technique for finding out whether a peer is still alive was a costly process.
How Heartbeat Protocol Works
• The Heartbeat extension protocol consists of two message types: HeartbeatRequest and HeartbeatResponse.
• One peer sends a HeartbeatRequest message to the other peer, who immediately responds with the same message, thus keeping the connection alive.
• If no response is received within a specified timeout, the TLS connection is terminated.
• If the response does not contain the same message, the HeartbeatRequest is retransmitted a specified number of times.
Heartbeat Request Message
• Assigns one bit to specify that it is a HeartbeatRequest message, 16 bytes for the actual payload and padding, and 2 bytes for the payload size.
ARGUMENTS of Heartbeat Request:
• Payload: contains some text information which is generated on both ends.
• payload length: gives the size of the payload.
Heartbeat Response Message
• Assigns one bit to specify that it is a HeartbeatResponse message, 16 bytes for the actual payload and padding, and 2 bytes for the payload size.
RESPONSE to the Heartbeat Request:
• Finds the payload in its active memory.
• Counts the number of characters to be sent using the payload length.
• Returns the text information.
The first device thereby learns that the other end is online.
A Simple Example
Flaw in the Heartbeat …
• There is no bounds-check mechanism.
• A maliciously crafted Heartbeat request with mismatching payload and payload length arguments still works.
• For a HeartbeatRequest with a small payload and a large payload length, the HeartbeatResponse comes back with extra data from the active memory of the replying device.
• This gives unauthorised access to data which should have remained hidden and abstracted away.
Malicious Heartbeat Request
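The request and response layout of the preceding slides and the missing bounds check, as an added C example modelled on the RFC 6520 record format (constructed code, not OpenSSL's own; the function names, the fixed padding bytes and the two sample records are assumptions):

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record body per RFC 6520:
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes)
 * This is a constructed model of the parsing step, not OpenSSL's code. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Validate a received heartbeat record of rec_len bytes. The third check is
 * the one the vulnerable versions lacked and OpenSSL 1.0.1g added: the
 * claimed payload_length must fit inside the record the peer actually sent. */
enum hb_status hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;                     /* not even header + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR_LEN + claimed + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;               /* the Heartbleed bounds check */
    *payload_len = claimed;
    return HB_OK;
}

/* Bytes beyond the supplied record that an implementation WITHOUT that check
 * would copy into its response: claimed length minus what actually arrived
 * (payload plus padding). This is the size of the leak the slides describe. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN) return 0;
    size_t claimed  = (size_t)((rec[1] << 8) | rec[2]);
    size_t supplied = rec_len - HB_HDR_LEN;
    return claimed > supplied ? claimed - supplied : 0;
}

/* Build the HeartbeatResponse for a validated request; returns bytes written,
 * or 0 if the request is rejected or the output buffer is too small. */
size_t hb_build_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (hb_validate(req, req_len, &plen) != HB_OK || req[0] != HB_REQUEST)
        return 0;
    size_t total = (size_t)HB_HDR_LEN + plen + HB_MIN_PADDING;
    if (total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HDR_LEN, req + HB_HDR_LEN, plen);    /* only bytes the peer sent */
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PADDING);  /* real code uses random padding */
    return total;
}

/* Construct a request record for testing: claimed_len is written into the
 * header independently of the real payload so a mismatch can be modelled. */
size_t hb_make_request(const uint8_t *payload, size_t len, uint16_t claimed_len,
                       uint8_t *out, size_t out_cap)
{
    size_t total = HB_HDR_LEN + len + HB_MIN_PADDING;
    if (total > out_cap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + HB_HDR_LEN, payload, len);
    memset(out + HB_HDR_LEN + len, 0x41, HB_MIN_PADDING);  /* constructed padding */
    return total;
}

int main(void)
{
    uint8_t req[64], resp[64];
    uint16_t plen;
    /* Honest request: 5-byte payload, header says 5. */
    size_t n = hb_make_request((const uint8_t *)"hello", 5, 5, req, sizeof req);
    printf("honest: status=%d response=%zu bytes\n",
           hb_validate(req, n, &plen), hb_build_response(req, n, resp, sizeof resp));
    /* Mismatched request: the same 5 bytes, but the header claims 65535. */
    n = hb_make_request((const uint8_t *)"hello", 5, 0xFFFF, req, sizeof req);
    printf("mismatch: status=%d response=%zu bytes, unchecked copy would overread %zu bytes\n",
           hb_validate(req, n, &plen), hb_build_response(req, n, resp, sizeof resp),
           hb_overread_bytes(req, n));
    return 0;
}
```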
Impact of the Heartbleed…
• By exploiting the Heartbleed vulnerability, an attacker can send a Heartbeat request message and retrieve up to 64 KB of memory from the victim's server.
• That memory could contain usernames, passwords, session IDs, secret private keys or other sensitive information.
• The attack can be repeated without leaving any trace. There is no limit on how many times these 64 KB chunks can be retrieved.
• This bleeding of confidential data can happen on both sides: the servers as well as the clients.
Implementation
• Requires two systems, each running on a separate workstation: an attacker system (Kali Linux) and a vulnerable system (Ubuntu 12.04).
• Then Apache has to be configured with SSL support on Ubuntu.
Client Side Data Leakage
Tackling Heartbleed
• All Heartbleed-vulnerable systems should immediately upgrade to OpenSSL 1.0.1g.
• Alternatively, apply the patch oneself by correcting and re-compiling the source code.
• If you are not sure whether an application you want to access is vulnerable to Heartbleed, try one of the Heartbleed detector tools.
• Stolen security keys need to be revoked and re-issued.
• An important step is to restart the services that use OpenSSL (HTTPS, SMTP etc.).
Conclusion
• Open-source projects should be well funded.
• Open source makes flaw discovery and correction a faster process.
• Adoption of a new piece of code should be accompanied by negative testing of it.
• You are never completely safe, even if you follow best practices.
THANK YOU