Heartbleed
Ibrahim M. El-Sayed
Transcript of "Heartbleed"

  1. Heartbleed
     Ibrahim M. El-Sayed

  2. “Catastrophic is the right word. On the scale of 1 to 10, this is an 11.”
     -- Bruce Schneier

  3. What is Heartbleed?
     - What is Heartbleed?
       It is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory.
     - What is OpenSSL?!
       It is open-source software used by the Apache and Nginx web servers (66% market share) to do encryption over the Internet.
     - Affected versions: OpenSSL 1.0.1 and 1.0.2

  4. How SSL works? (diagram)

  5. What is Heartbleed
     - What is Heartbeat??
       1- Used to keep the connection alive
       2- Client sends data to the server, server echoes it back
       3- Similar to ICMP ping but within HTTP
     - Diagram: Client -> Web server running OpenSSL: Heartbeat “Hello” 6
                Web server running OpenSSL -> Client: Heartbeat “Hello” 6

  6. Heartbleed Explained: Non Technical

  7. Heartbleed Explained
     - Non technical
       - Ask for a 100-photo box
       - Seller doesn't know how to count
       - Two scenarios:
         - Actual 100 photos
         - Only 1 photo

  8. Heartbleed Explained
     - Technical:
       memcpy(bp, p1, payload);   <- the actual bug :(
       void *memcpy(void *destination, const void *source, size_t num);
     - The function does not check for any terminating null character in source; it always copies exactly num bytes.
     - To avoid overflows, the size of the arrays pointed to by both the destination and source parameters shall be at least num bytes, and they should not overlap (for overlapping memory blocks, memmove is a safer approach).

  9. Heartbleed - explanation (diagram)

  10. Heartbleed - explanation (diagram)

  11. Heartbleed - Attack (diagram)

  12. Heartbleed Impact
      - Eavesdrop on encrypted communication
      - Get access to sensitive data in memory
      - Impersonate users and services

  13. Heartbleed fix
      - Server-side
        - Quick fix: disable heartbeats
        - Real fix: upgrade OpenSSL
      - User actions:
        - Change your passwords!!
        - Test sites yourself

  14. Heartbleed - PoC
      - https://blog.bugcrowd.com/heartbleed-exploit-yet/
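Slide 8 quotes the unchecked `memcpy(bp, p1, payload)` and slide 13 names the remedy (upgrade OpenSSL); the example below, written for this transcript and not taken from the slides or from OpenSSL, ties the two together. It models the heartbeat record layout the slides describe (a 1-byte type, a 2-byte big-endian payload length, the payload, at least 16 bytes of padding), shows how many bytes the unchecked path would trust the length field for, and implements the bounds check that a fixed handler performs before echoing. All names (`heartbeat_echo`, `unchecked_copy_len`, `build_request`, `HB_MAX_RECORD`) and the sample records are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example; not the slides' code and not OpenSSL's source.
 * Heartbeat record layout modelled here (assumption based on the slides):
 *   [type:1][payload_length:2, big-endian][payload][padding >= 16] */

#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_PADDING    16
#define HB_MAX_RECORD 256   /* constructed bound for this demo */

/* Bytes the unchecked path would copy: it trusts the 16-bit length field
 * and never compares it against the number of bytes actually received. */
size_t unchecked_copy_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    return ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled value */
}

/* Hardened echo: returns the number of payload bytes echoed into out,
 * or -1 if the declared length does not fit in the record received. */
int heartbeat_echo(const uint8_t *rec, size_t rec_len,
                   uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* no room for header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: header + declared payload + minimum padding
     * must fit inside what was actually received. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (1 + 2 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);   /* now bounded by rec_len */
    return (int)payload;
}

/* Build a constructed heartbeat request whose declared length may differ
 * from the number of payload bytes actually supplied. Returns record size. */
size_t build_request(uint8_t *buf, size_t cap, uint16_t declared,
                     const char *data, size_t data_len)
{
    size_t total = 1 + 2 + data_len + HB_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + 3, data, data_len);
    memset(buf + 3 + data_len, 0, HB_PADDING);
    return total;
}

/* Honest request: declares 5 bytes and sends "Hello". Echoes 5 bytes. */
int demo_honest(void)
{
    uint8_t req[HB_MAX_RECORD], resp[HB_MAX_RECORD];
    size_t n = build_request(req, sizeof req, 5, "Hello", 5);
    return heartbeat_echo(req, n, resp, sizeof resp);
}

/* Malformed request: declares 65535 bytes but sends only "Hello".
 * The hardened path rejects it with -1. */
int demo_malformed(void)
{
    uint8_t req[HB_MAX_RECORD], resp[HB_MAX_RECORD];
    size_t n = build_request(req, sizeof req, 0xFFFF, "Hello", 5);
    return heartbeat_echo(req, n, resp, sizeof resp);
}

/* Same malformed record: how far the unchecked path would have read. */
size_t demo_malformed_unchecked_len(void)
{
    uint8_t req[HB_MAX_RECORD];
    size_t n = build_request(req, sizeof req, 0xFFFF, "Hello", 5);
    return unchecked_copy_len(req, n);
}

int main(void)
{
    printf("honest request echoed: %d bytes\n", demo_honest());
    printf("malformed request result: %d (rejected)\n", demo_malformed());
    printf("unchecked path would copy %zu bytes from a %zu-byte record\n",
           demo_malformed_unchecked_len(), (size_t)(1 + 2 + 5 + HB_PADDING));
    return 0;
}
```

The 24-byte malformed record carries a length field of 65535, which is the gap between the declared and real payload that the unchecked copy reads from adjacent heap memory; the single comparison against `rec_len` in `heartbeat_echo` closes it, which is what "upgrade OpenSSL" on slide 13 delivers, while "disable heartbeats" removes the code path entirely.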