Heartbleed Explained & LastPass Demo

Following the discovery of the "Heartbleed" security flaw, a two-part special training session was offered to staff. The first part explained what Heartbleed is; the second emphasized the importance of having a good password management plan, with "LastPass" demonstrated as the example tool.

Published in: Technology


  1. Technology Training, Special Training - Session #13: Heartbleed Explained. Getting Your Digital Security in Order with LastPass. May 8, 2014. William Mann, Borough of West Chester - CIO.
  2. Securing Your Digital Life
  3. What is Heartbleed? The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). Definitions: SSL = Secure Sockets Layer; TLS = Transport Layer Security.
  4. What is Heartbleed? The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
  5. What is Heartbleed? With a server vulnerable to Heartbleed, information like you see here can be captured by an attacker. This may not look like much, but if your logon or account information is exposed in this way, our data is at risk.
  6. What is Heartbleed? Why is it called the Heartbleed Bug? The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
  7. Explaining Heartbleed. First the girl asks the server to indicate whether it's still online by telling it to say "Potato," and indicates the length of the word. The server responds with "Potato," while withholding all of the information surrounding "Potato," written out in a lighter hue in the server's speech bubbles. The hacker then asks the server to repeat the same task, but instead replaces "Potato" with "Bird," and indicates the length of the word. The server complies. Then, the hacker asks the server to say "Hat," but instead of noting that it's a three-character word, she states that it's 500 letters long. The server responds not only by saying "Hat," but also by leaking out the information around the word. By doing so, it reveals sensitive server information, including a "master key," which the hacker begins to jot down.
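The length mismatch that slides 6 and 7 describe, written out as an added Python simulation (not part of this presentation and not OpenSSL code). A constructed heartbeat record in the RFC 6520 layout (type, 16-bit payload_length, payload, at least 16 bytes of padding) is placed at the start of a made-up byte string standing in for server memory, with a constructed secret right after it. The vulnerable handler trusts the payload_length field in the header; the fixed handler applies the bounds check that the OpenSSL fix added, discarding any record too short to hold the claimed payload plus the minimum padding.

```python
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: every heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for whatever sits in server memory after the received record.
SECRET = b"master key: CONSTRUCTED-SECRET-42"


def make_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    An honest peer passes no claimed_length, so the field matches the real payload."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def server_memory(record: bytes) -> bytes:
    """Simulated process memory: the record lands at offset 0, other data follows it."""
    return record + SECRET + b"\x00" * 64


def vulnerable_handler(record: bytes) -> bytes:
    """Original behaviour: copies payload_length bytes from where the payload starts,
    without checking that the record actually contains that many bytes."""
    memory = server_memory(record)
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_length]  # runs past the record when the length is inflated
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def fixed_handler(record: bytes) -> Optional[bytes]:
    """Fixed behaviour: the record must be long enough for the type byte, the length
    field, the claimed payload and the minimum padding; otherwise it is discarded."""
    memory = server_memory(record)
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None  # silently discard, as the OpenSSL fix does
    payload = memory[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


if __name__ == "__main__":
    honest = make_heartbeat(b"Potato")
    print("honest request, both handlers echo:", response_payload(fixed_handler(honest)))
    inflated = make_heartbeat(b"Hat", claimed_length=500)
    leaked = response_payload(vulnerable_handler(inflated))
    print("vulnerable handler echoed", len(leaked), "bytes; secret included:", SECRET in leaked)
    print("fixed handler result for the same record:", fixed_handler(inflated))
```

The single comparison in `fixed_handler` is the whole defensive point: the length the peer claims is compared against the length the transport actually delivered, and the message is dropped rather than answered when they disagree.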
  8. Protecting Your Information. Heartbleed is a reminder that securing your information is more important than ever before. And it's going to get worse. As we continue relying on technology for conducting business, communicating through email, social media and shopping online, cybercriminals are going to continue getting smarter and more aggressive in how they try to steal personal information. So we need to be even smarter.
  9. Password Management. Password management is becoming one of the best defenses against security flaws. Passwords today need to be taken very seriously. This means having a good, efficient password management plan for every account you have online. Password management in days past could be very complicated, time consuming and difficult. However, today there are many solutions out there that are easy to use, secure and either free or very inexpensive. Each of your accounts should have a strong and unique password.
  10. Password Management with LastPass. LastPass has both a free account and a paid account. The paid account is $12 / year and provides mobile app support, which alone is well worth the cost. With this password management tool you will be able to organize, manage and use unique, secure passwords easily. In fact I use LastPass and I actually do not even know what the majority of my passwords are. Now, that's security!
  11. Introducing LastPass. What I really like about LastPass is that you actually do not need to know all those passwords, and the app is available on every device you may choose to use. You just need to know one password: your LastPass password.
  12. Introducing LastPass. With this in mind, even before you sign up for LastPass be sure to think about a good, secure password that you will never, ever forget.
  13. Simple Passwords are so Yesterday. Passwords as we know them are going to change in a big way very soon. Gone will be the time when simple words like "password" will be used or accepted. Now I may be getting ahead of myself, but a better password strategy is using key phrases that only you would know and no one else could guess or that a cyber criminal could hack.
  14. Passwords are Changing. Here are a couple of examples of using "phrases" for your password. Example 1: "Captain Kirk and Mr. Spock are best friends!" Your typed password would be: Captain_Kirk_&_Mr._Spock_are_best_friends! Example 2: "My favorite Place on Earth is Disney World!" Your typed password would be: My_Favorite_Place_on_Earth_is_Disney_World! Passwords using phrases can be long, complex and easily remembered!
  15. Embrace Password Management. This is important before we continue. Make sure you pick a good password or phrase that you will not forget. It is also a good idea to print and save this password in a secure location, like a safe in your home or another secure location. This will be the only password you will need if you use LastPass (or similar password managers) regularly. If you forget your LastPass password there is NO reset mechanism.
  16. Signing up with LastPass. Go to www.lastpass.com to sign up. Either choose "Download Free" or "Go Premium". Passwords are very important, and your security is probably worth $12 / year.
  17. Creating Your LastPass Account. I recommend that when you sign up with LastPass you use your primary computer or laptop. When you go to create an account you will be prompted to "Download LastPass". Do this. You will then enter your email address, a master password (the really, really good one you already decided on) and a Password Reminder that will only help you remember it, just in case.
  18. Getting to Know Your LastPass Vault. The LastPass Vault is where you will store, organize and manage all of your passwords. This vault will also be available to you on all of your mobile devices if you sign up for the Premium account ($12/year).
  19. Organizing Your LastPass Vault. I recommend organizing all of your accounts into folders. You can see by my example that I have all of my accounts in categorized folders that I created. Within each folder are my specific accounts.
  20. Organizing Your LastPass Vault. By creating an organized folder structure for your accounts you quickly realize....
  21. Creating Strong Passwords with LastPass. With LastPass installed you will now notice an asterisk (*) next to all of your logon fields for websites. If an account has already been set up you can simply select login, because all of the fields will be completed for you. You can also set up an account for "autologin", which will of course automatically log you in. I recommend this only on a secured PC where a password is required to access your Windows account, or one that only you have access to. Make sure that when you install LastPass on your PC you install the "plug in" for all of the browsers that you use.
  22. Creating Strong Passwords with LastPass. Creating secure and unique passwords for each account is the point here, so you will want to take the time to change any passwords you have. LastPass makes this very easy with the "password generator". You can do this by selecting the * and the "Generate" button.
  23. Creating Strong Passwords with LastPass. If you use the default settings you will see it generates for you a strong 12-character password using several types of characters. Select Use Password, then "Yes, Use for this Site".
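The two properties the slides ask for, a generated password that uses several character types (slides 22 and 23) and a different password for every account (slide 9), as an added Python example that is not LastPass code and does not reproduce its generator. `generate_password` draws from a combined alphabet with the `secrets` CSPRNG and rejects any draw that is missing one of the four classes; `find_reused` audits a small constructed vault (a plain dict, an assumption for illustration) for passwords shared between accounts.

```python
import secrets
import string

# The four character types a generated password is required to contain.
# The symbol set is an assumption; any printable punctuation set would do.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+<>?",
}


def classes_present(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def generate_password(length: int = 12) -> str:
    """Generate a password of the given length that contains every class in CLASSES.
    Rejection sampling keeps each accepted password uniformly likely among all
    strings that satisfy the class rule; secrets.choice supplies CSPRNG draws."""
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character of each class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_present(candidate) == set(CLASSES):
            return candidate


def find_reused(vault: dict) -> dict:
    """Map each password used by more than one account to the sorted account names.
    An empty result means every account has a unique password."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two accounts share a password.
    sample_vault = {
        "bank": "S3cret!Aa",
        "mail": "S3cret!Aa",
        "shop": "Other1!Aa",
    }
    print("reused passwords:", find_reused(sample_vault))
    fresh = generate_password(12)
    print("generated:", fresh, "classes:", sorted(classes_present(fresh)))
```

Running the audit before generating replacements tells you which accounts to visit first; every entry reported by `find_reused` is a place where one leaked password unlocks more than one account.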
  24. Going Mobile with LastPass. On your mobile device you will open the LastPass app first, copy the password and then paste it into the account that you want to access. Although there is an additional physical step here, you only need one password to remember and use. However, and this is important, all of your passwords are complex and unique.
  25. How Does LastPass Work? LastPass uses AES 256-bit encryption. The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you. MQ9=5khD<YWZ&+5 This is how each of your passwords should look. With LastPass you can actually do this, and it's easy.
  26. LastPass Demo. Now we will walk through how to use LastPass. Please ask questions as we go along. www.lastpass.com