Heart Bleed Bug Webcast part2 - SANS Institute for IT Security

Transcript

  • 1. Brought to you by SANS Live Online Training www.sans.org/vlive www.sans.org/simulcast Welcome to OpenSSL "Heartbleed" Vulnerability Session 2 Live Online Classrooms Attend a Live SANS Event from Home
  • 2. HeartBleed – Round 3 © 2014 SANS HeartBleed – what you need to know (round 3) James Lyne Johannes Ullrich Jake Williams
  • 3. Should you swap certificates/keys?
    • Can someone mess up my server?
    • Can someone mess up my desktop?
    • Can someone mess up my customers?
  • 4. Threat
    • Memory leak could reveal secret key
    • Possible, but typically the secret key is only in the right spot after reboot
    • Later on, still possible but not likely
    • Replacing keys can be a lot of work (cost?)
  • 5. Mitigating Factors
    • You patched fast:
      – You MAY be ok if you patched on the 7th.
      – You are NOT ok if you patched on the 9th
    • You got DLP:
      – Is it working?
      – Does it look on port 443?
    • You got full packet captures going back 2 years
  • 6. Checking Sites With LastPass
    • LastPass link checker:
      – https://lastpass.com/heartbleed/
  • 7. Vulnerable Android Versions
    • The only versions of Android that may have been impacted are 4.1.0 and 4.1.1
      – Some reports indicate that only 4.1.1 is vulnerable
    • Unfortunately, more than 1/3 of all Androids run a 4.1.x version
  • 8. Android Versions
  • 9. Android Versions (2)
    • From the Google site, these are the Nexus builds that show 4.1.1 as the latest 4.1 version available
  • 10. Back to the bug
    • if (1 + 2 + payload + 16 > s->s3->rrec.length)
    • That’s a relatively easy find compared to many. This should have been seen.
    • What happens next time with a bigger change than a heartbeat extension of the protocol?
    • Others will now be sifting the code with great interest
  • 11. Why Do Bad Things Happen?
    • Of course, no 100% in security
    • OpenSSL = Critical Infrastructure (really)
    • But Neel Mehta shouldn’t have been first here
      – (though thank you)
    • Perception of OSS – Open = Secure.
    • Reality
      – <1M$ budget
      – $841 donations this week
      – Yet depended on heavily.
  • 12. http://www.openssl.org/support/donations.html
  • 13. Open Discussion
    • Time for open discussion
      – FLASH: Should I revoke my certificate?
      – Ullrich – OSS vs. closed source
      – Contributions to open source
  • 14. Questions? James Lyne (@JamesLyne), Johannes Ullrich (@sans_isc), Jake Williams (@MalwareJake)
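The bounds check quoted on slide 10, worked through as an added example (not code from the webcast or from OpenSSL itself): a simplified heartbeat handler that applies the post-patch comparison before echoing the payload, so a peer that claims a 64 KiB payload while sending one byte is dropped instead of answered with adjacent memory. The record layout, helper names and constructed request bytes are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed heartbeat message layout inside a received record (assumption for the demo):
 * 1 byte type, 2 byte payload length (big-endian), payload, then >= 16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* rec_len is the number of bytes actually received (the rrec.length of slide 10).
 * Writes an echo response into out and returns its length, or -1 to drop the record. */
int heartbeat_respond(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    /* The claimed payload length comes straight from the peer and is not yet trusted. */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    /* The post-patch bounds check quoted on slide 10: header + claimed payload + padding
     * must fit inside the bytes actually received. Without it, the memcpy below would
     * copy up to 64 KiB of whatever follows the record in memory into the reply. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* echo only bytes that were really sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code uses random padding; zeros keep the demo deterministic */
    return (int)resp_len;
}

/* Constructed request claiming 65535 payload bytes while sending one: must be dropped (-1). */
int demo_oversized_claim(void)
{
    unsigned char rec[1 + 2 + 1 + HB_PADDING] = { HB_REQUEST, 0xff, 0xff, 'A' };
    unsigned char out[1 + 2 + 65535 + HB_PADDING];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}

/* Constructed well-formed request with a 5-byte payload: returns the response length (24) when the echo is correct, else -1. */
int demo_valid_echo(void)
{
    unsigned char rec[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[1 + 2 + 5 + HB_PADDING];
    int n = heartbeat_respond(rec, sizeof rec, out, sizeof out);
    if (n != (int)sizeof out || out[0] != HB_RESPONSE || memcmp(out + 3, "hello", 5) != 0) return -1;
    return n;
}
```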