Heartbleed

  • 1,394 views
Uploaded on

Heartbleed, how it works, is it virus, how it check, smartphone hacked, how to protect, password hacked, man in the middle attack, server or client side attack, exploit code available,

Heartbleed, how it works, is it virus, how it check, smartphone hacked, how to protect, password hacked, man in the middle attack, server or client side attack, exploit code available,

More in: Education , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,394
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
87
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. • It is a critical bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory, potentially revealing users data, that the server did not intend to reveal. • • After the story broke online, websites around the world flooded with the heartbleed articles, explaining how it works, how to protect, and exactly what it is. Yet many didn’t get it right. So based on the queries of Internet users, we answered some frequently asked questions about the bug.
  • 2. 1.) IS HEARTBLEED A VIRUS? • Absolutely NO, It's not a virus. As described in our previous article, The Heartbleed bug is a vulnerability resided in TLS heartbeat mechanism built into certain versions of the popular open source encryption standard OpenSSL, a popular version of the Transport Layer Security (TLS) protocol.
  • 3. 2.) HOW IT WORKS? • For SSL to work, your computer needs to communicate to the server via sending 'heartbeats' that keep informing the server that client (computer) is online (alive). • Heartbleed attack allows an attacker to retrieve a block of memory of the server up to 64kb in response directly from the vulnerable server via sending the malicious heartbeat and there is no limit on the number of attacks that can be performed. [Technically Explained by Rahul Sasi on Garage4hackers] • It opens doors for the cyber criminals to extract sensitive data directly from the server's memory without leaving any traces.
  • 4. 3.) HEARTBLEED ATTACK RELIES ON MAN-IN-THE-MIDDLE ATTACK? • No, it has nothing to deal with a Man-in-the- Middle (MitM) attack. But using Heartbleed attack, one can manage to obtain the private encryption key for an SSL/TLS certificate and could set up a fake website that passes the security verification. • An attacker could also decrypt the traffic passing between a client and a server i.e. Perfect man-in- the-middle attack on HTTPS connection.
  • 5. 4.) IS IT A CLIENT SIDE OR SERVER SIDE VULNERABILITY? • TLS heartbeats can be sent by either side of a TLS connection, so it can be used to attack clients as well as servers. An Attacker can obtain up to 64K memory from the server or client as well that uses an OpenSSL implementation vulnerable to Heartbleed (CVE-2014-0160). • Researcher estimated two-thirds of the world's servers i.e. half a million servers are affected by the Heartbleed Bug, including websites, email, and instant messaging services.
  • 6. 5.) HOW HEARTBLEED AFFECTS SMARTPHONES? • Smartphone is the best practical example of Client side attacks. • All versions of Android OS include outdated versions of OpenSSL library, but only Android 4.1.1 Jelly Bean has the vulnerable heartbeat feature enabled by default. Blackberry also confirmed that some of its products are vulnerable to Heartbleed bug, whereas Apple's iOS devices are not affected by OpenSSL flaw. • • Google had patched the affected version Android 4.1.1, but it will take long time to deliver updated Android version to the end Smartphone users as updates to majority handsets are controlled by phone manufacturers and wireless carriers. Until users running the affected versions are vulnerable to the attacks, and hackers will definitely take advantage of this public disclosure.
  • 7. 6.) WHAT ELSE COULD BE VULNERABLE TO HEARTBLEED? • IP phones, Routers, Medical devices, Smart TV sets, embedded devices and millions of other devices that rely on the OpenSSL to provide secure communications could also be vulnerable to Heartbleed bug, as it is not expected for these devices to get the updates soon from Google’s Android partners. • Yesterday, Industrial Control Systems-CERT also warned the critical infrastructure organizations (like energy, utilities or financial services companies) to beef-up their systems in order to defend against the Heartbleed attacks.
  • 8. 7.) WHO IS RESPONSIBLE FOR HEARTBLEED? • We actually can't blame anyone developer, specially who are contributing to Open Source projects without money motivations. • Dr. Robin Seggelmann, a 31-year-old German developer who actually introduced the Heartbeat concept to OpenSSL on New Year's Eve, 2011, says it was just a programming error in the code that unintentionally created the “Heartbleed” vulnerability. • "In one of the new features, unfortunately, I missed validating a variable containing a length", went undetected by the code reviewers and everyone else for over two years. He claimed 'I did so unintentionally'.
  • 9. 8.) WHO HAS EXPLOITED THIS BUG YET? • Bloomberg accused the National Security Agency (NSA) of knowing the Heartbleed bug for the last two years. Not even this, the report says the agency was using it continuously to gain information instead of disclosing it to the OpenSSL developers. But if it is so, then this would be one of the biggest developments in the history of wiretapping ever. However, the agency denied it saying NSA was not aware of Heartbleed until it was made public. • But when it comes to exploit any known vulnerability, then Hackers are most likely to be top on the list. As the flaw was so widely spread that it affected half a million websites worldwide, so after the public disclosure, the cybercriminals could reach the sites to steal credentials, passwords and other data, before the site operators apply the freely available patch.
  • 10. • Extracted from: • http://thehackernews.com/2014/04/heartble ed-bug-explained-10-most.html