Please Listen Carefully
Heartbleed:
Over 66% of websites are believed to be
affected
Web users, beware.
There's a new security
bug that has been
discovered and is
described to be "one
of the greatest
threats...
The bug, nicknamed
Heart Bleed, was
discovered on April 8,
2014 by Google and
Codenomicon
engineers, but has
allegedly bee...
Heart Bleed poses a huge threat to
consumers as it compromises sensitive
personal consumer information and its
attackers a...
If you're buying
something online and
enter something as
significant as your
credit card number…
Or if you are applying
for a job online and
enter personal
information such as
your address and
social security
number…
Heart Bleed can gain
access to all of that
information.
How does Heartbleed Work?
It begins with the
popular encryption
software OpenSSL.
OpenSSL is used all
over the Internet to...
At the time of the
discovery, Yahoo.com
was the only major
Internet Company to
be affected by
Heartbleed.
FAQ
What makes the Heartbleed Bug
unique?
This bug has left large amount of private keys and
other secrets exposed to the Inte...
What does Heartbleed allow to leak?
Encryption is used to
protect secrets that may
harm your privacy or
security if they l...
What is leaked
primary key material?
These are the crown jewels: the encryption keys themselves.
Leaked secret keys allow ...
Primary key material
Recovery
Recovery from this
leak requires patching
the vulnerability,
revocation of the
compromised k...
What is leaked secondary
key material?
These are for
example the user
credentials (user
names and
passwords) used
in the v...
Secondary key material
Recovery
Recovery from this leak
requires owners of the
service first to restore trust
to the servi...
What is leaked
protected content?
This is the actual
content handled by
the vulnerable
services.
It may be personal or
fin...
Protected content
Recovery
Only owners of the services
will be able to estimate the
likelihood what has been
leaked and th...
What is leaked
collateral?
Leaked collateral are
other details that have
been exposed to the
attacker in leaked
memory con...
Collateral
Recovery
Collateral has only
contemporary value and
will lose their value to the
attacker when OpenSSL has
been...
Upcoming SlideShare
Loading in...5
×

Heartbleed

230

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
230
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Heartbleed

  1. 1. Please Listen Carefully
  2. 2. Heartbleed: Over 66% of websites are believed to be affected
  3. 3. Web users, beware. There's a new security bug that has been discovered and is described to be "one of the greatest threats to ever surface the World Wide Web," according to The Clock Online.
  4. 4. The bug, nicknamed Heart Bleed, was discovered on April 8, 2014 by Google and Codenomicon engineers, but has allegedly been around the Internet for about two years now.
  5. 5. Heart Bleed poses a huge threat to consumers as it compromises sensitive personal consumer information and its attackers are untraceable.
  6. 6. If you're buying something online and enter something as significant as your credit card number…
  7. 7. Or if you are applying for a job online and enter personal information such as your address and social security number…
  8. 8. Heart Bleed can gain access to all of that information.
  9. 9. How does Heartbleed Work? It begins with the popular encryption software OpenSSL. OpenSSL is used all over the Internet to ensure user information is secured and encrypted. Heartbleed means that that information is now vulnerable.
  10. 10. At the time of the discovery, Yahoo.com was the only major Internet Company to be affected by Heartbleed.
  11. 11. FAQ
  12. 12. What makes the Heartbleed Bug unique? This bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation, and attacks leaving no trace this exposure should be taken seriously.
  13. 13. What does Heartbleed allow to leak? Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery, compromised secrets have been classified to four categories: 1) primary key material 2) secondary key material 3) protected content 4) collateral
  14. 14. What is leaked primary key material? These are the crown jewels: the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed.
  15. 15. Primary key material Recovery Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption.
  16. 16. What is leaked secondary key material? These are for example the user credentials (user names and passwords) used in the vulnerable services.
  17. 17. Secondary key material Recovery Recovery from this leak requires owners of the service first to restore trust to the service. After this users can start changing their passwords and possible encryption keys. All session keys and session cookies should be invalidated and considered compromised.
  18. 18. What is leaked protected content? This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption.
  19. 19. Protected content Recovery Only owners of the services will be able to estimate the likelihood what has been leaked and they should notify their users accordingly. Most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future
  20. 20. What is leaked collateral? Leaked collateral are other details that have been exposed to the attacker in leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks.
  21. 21. Collateral Recovery Collateral has only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×