Heart Bleed Bug Webcast part2 - SANS Institute for IT Security

Transcript of "Heart Bleed Bug Webcast part2 - SANS Institute for IT Security"

Brought to you by SANS Live Online Training (www.sans.org/vlive, www.sans.org/simulcast)
Welcome to OpenSSL "Heartbleed" Vulnerability, Session 2
Live Online Classrooms: attend a live SANS event from home

HeartBleed – Round 3 © 2014 SANS

HeartBleed – what you need to know (round 3)
James Lyne, Johannes Ullrich, Jake Williams

Should you swap certificates/keys?
• Can someone mess up my server?
• Can someone mess up my desktop?
• Can someone mess up my customers?

Threat
• The memory leak could reveal the server's private key
• Possible, but typically the private key only sits in a reachable spot in memory right after a reboot, when it has just been loaded
• Later on it is still possible, but not likely
• Replacing keys can be a lot of work (cost?)

Mitigating Factors
• You patched fast:
  – You MAY be OK if you patched on April 7th (the day of public disclosure)
  – You are NOT OK if you patched on the 9th
• You have DLP:
  – Is it working?
  – Does it look at port 443?
• You have full packet captures going back two years

Checking Sites With LastPass
• LastPass link checker:
  – https://lastpass.com/heartbleed/

Vulnerable Android Versions
• The only versions of Android that may have been impacted are 4.1.0 and 4.1.1
  – Some reports indicate that only 4.1.1 is vulnerable
• Unfortunately, more than 1/3 of all Androids run a 4.1.x version

Android Versions
(chart of the Android version distribution; image not included in the transcript)

Android Versions (2)
• From the Google site, these are the Nexus builds that show 4.1.1 as the latest 4.1 version available
(table of Nexus builds; image not included in the transcript)

Back to the bug
• The missing bounds check on the attacker-supplied payload length (the check added in the 1.0.1g fix):
  if (1 + 2 + payload + 16 > s->s3->rrec.length)
• That's a relatively easy find compared to many. This should have been seen.
• What happens next time, with a bigger change than a heartbeat extension of the protocol?
• Others will now be sifting the code with great interest
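The check on the slide in context, as an added example that is not part of the SANS slides or of OpenSSL's source: a simplified C model of tls1_process_heartbeat() with the pre-1.0.1g logic beside the 1.0.1g logic. Everything around the two handlers is constructed for the demonstration: the record layout, the planted "secret" sitting just past the record in a fixed 256-byte arena, and the n2s helper (OpenSSL's macro of that name, reimplemented as a function). The real code allocates the response with OPENSSL_malloc and fills the padding with RAND_pseudo_bytes; the model writes into a caller-supplied buffer and zero padding so that the result is deterministic, and it keeps the over-read inside the arena so the demonstration itself is not undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                /* RFC 6520: at least 16 bytes of padding */
#define MEM_SIZE    256

/* Same job as OpenSSL's n2s macro: read a 16-bit big-endian length field. */
static unsigned int n2s(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* Shared tail of both handlers: type, length, echoed payload, zero padding.
 * out must hold 1 + 2 + payload + HB_PADDING bytes. */
static int build_response(const unsigned char *pl, unsigned int payload, unsigned char *out)
{
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);     /* copies `payload` bytes, however long the record really is */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Pre-1.0.1g logic: the length field written by the peer is trusted and the
 * real record length (rec_len, i.e. s->s3->rrec.length) is never consulted. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p); p += 2;
    (void)rec_len;                    /* BUG: never compared against payload */
    if (hbtype != HB_REQUEST)
        return 0;
    return build_response(p, payload, out);
}

/* 1.0.1g logic: the bounds checks quoted on the slide. A record that cannot hold
 * its own claimed payload is silently discarded (return 0), per RFC 6520 sec. 4. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    if (1 + 2 + 16 > rec_len)
        return 0;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p); p += 2;
    if (1 + 2 + payload + 16 > rec_len)
        return 0;
    if (hbtype != HB_REQUEST)
        return 0;
    return build_response(p, payload, out);
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *);

/* Constructed "process memory": a 22-byte heartbeat record (3-byte payload "abc"
 * plus 16 bytes of padding) immediately followed by unrelated secret data. The
 * record's length field is whatever the peer chose to write into it. */
#define SECRET  "-----BEGIN RSA PRIVATE KEY-----"
#define REC_LEN (1 + 2 + 3 + HB_PADDING)

static size_t plant(unsigned char *mem, unsigned int claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "abc", 3);        /* mem[6..REC_LEN) stays zero: the padding */
    memcpy(mem + REC_LEN, SECRET, strlen(SECRET));
    return REC_LEN;                   /* what the record layer actually received */
}

/* 1 if a request claiming 64 payload bytes gets the planted secret echoed back,
 * 0 if the handler discarded it or echoed only the real 3 bytes. */
int response_leaks_secret(hb_handler h)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    int n = h(mem, plant(mem, 64), out);
    for (int i = 0; i + (int)strlen(SECRET) <= n; i++)
        if (memcmp(out + i, SECRET, strlen(SECRET)) == 0)
            return 1;
    return 0;
}

/* Response length for an honest request whose length field says 3. */
int legitimate_response_len(hb_handler h)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    return h(mem, plant(mem, 3), out);
}

int main(void)
{
    printf("secret leaked: vulnerable=%d fixed=%d; honest request: %d / %d bytes\n",
           response_leaks_secret(heartbeat_vulnerable), response_leaks_secret(heartbeat_fixed),
           legitimate_response_len(heartbeat_vulnerable), legitimate_response_len(heartbeat_fixed));
    return 0;
}
```

The point the slide makes is visible in the two handlers: the only difference is the comparison of the claimed payload against the length the record layer actually received, and both handlers answer an honest request identically, which is why the bug survived two years of use without breaking anything.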
Why Do Bad Things Happen?
• Of course, there is no 100% in security
• OpenSSL = critical infrastructure (really)
• But Neel Mehta shouldn't have been the first to find this
  – (though thank you)
• Perception of OSS: open = secure
• Reality:
  – < $1M budget
  – $841 in donations this week
  – Yet depended on heavily

http://www.openssl.org/support/donations.html

Open Discussion
• Time for open discussion
  – FLASH: Should I revoke my certificate? – Ullrich
  – OSS vs. closed source
  – Contributions to open source

Questions?
James Lyne (@JamesLyne), Johannes Ullrich (@sans_isc), Jake Williams (@MalwareJake)
