The Heartbleed Bug


Heartbleed is a newly discovered and very widespread vulnerability in the OpenSSL implementation of the SSL/TLS protocol. The flaw allows attackers to steal passwords and confidential data that you have provided online. Elastica’s CTO Dr. Zulfikar Ramzan walks through the flaw’s mechanics and ramifications.


    1. Zulfikar Ramzan, PhD, MIT. Chief Technology Officer, Elastica. The Heartbleed Bug
    2. OpenSSL Heartbleed Bug Leaves Much Of The Internet At Risk (TechCrunch)
    3. On 07 April 2014, security experts disclosed that a serious vulnerability had been identified in the OpenSSL cryptographic software library, which protects many web sites. The problem might have been there for almost 2 years, hidden in plain sight.
    4. When you transact online, your information is protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is an open-source implementation of the SSL/TLS protocol. The Heartbeat extension is a small sub-protocol of SSL/TLS whose purpose is to keep a connection alive.
    5. The Heartbleed bug is a devastating vulnerability in the heartbeat extension of the SSL/TLS protocol (CVE-2014-0160). It specifically impacts version 1.0.1 and beta versions of 1.0.2 of OpenSSL. It compromises encryption keys, user credentials and actual content.
    6. The Heartbleed bug allows attackers to:
       • eavesdrop on communications online
       • get access to sensitive data such as passwords, social security numbers, financial records, etc.
       • impersonate users and services
       • and all of this can be done multiple times and without a trace!
    7. Watch how the Heartbleed bug works
    8. Up to two-thirds of websites use OpenSSL and could be vulnerable. (Links: list of possibly affected sites; tool to test a website.)
    9. What should you do? Check whether your favorite sites have implemented the Heartbleed patch. If a site has been patched, log in and change your password. If you change your password before the site has been patched, you are giving a hacker a new password.
    10. When password compromises happen, new machine-learning-based methods are needed to find the breaches and anomalies. Elastica’s Detect App on CloudSOC uses behavioral analysis to zero in on threats to your assets in the cloud and gives you protection beyond a simple username/password. Is there an alternative?
    11. Thank you.
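Slides 4 and 5 describe the heartbeat extension and the bug in it without showing the mechanics. As an added illustration (not part of the deck, and not OpenSSL's code), the C below parses a heartbeat message body the way a hardened implementation must: the 2-byte payload length that the peer declares is untrusted, and the message is discarded unless that declared length plus the minimum padding actually fits inside the received record. This is the bounds check that the OpenSSL fix introduced; before it, the declared length was trusted and that many bytes were copied back to the peer from memory beyond the short request. The function names and the two sample messages (a well-formed 4-byte "ping" and one that declares 65535 bytes while carrying 4) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding follow the payload */

enum hb_status { HB_OK = 0, HB_TOO_SHORT = -1, HB_BAD_TYPE = -2, HB_LENGTH_MISMATCH = -3 };

/*
 * Parse a heartbeat message body (the bytes after the 5-byte TLS record header).
 * Layout: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding.
 * On HB_OK, *payload points into rec and *payload_len is the declared length,
 * which has been proven to lie entirely inside the rec_len bytes we received.
 */
enum hb_status parse_heartbeat(const unsigned char *rec, size_t rec_len,
                               const unsigned char **payload, uint16_t *payload_len)
{
    /* Smallest legal message: type + length field + minimum padding. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return HB_TOO_SHORT;

    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;

    /* The declared length is attacker-controlled input, not a fact about the buffer. */
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The Heartbleed check: declared payload + padding must fit in the real record.
       Without this test, a short record with a large declared length causes the
       responder to read past the request and leak process memory. */
    if ((size_t)1 + 2 + declared + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;

    *payload = rec + 3;
    *payload_len = declared;
    return HB_OK;
}

/*
 * Build the response to a validated request. Returns bytes written, or 0 when
 * the request is malformed or the output buffer is too small. Only bytes proven
 * to be inside the request are ever copied.
 */
size_t build_heartbeat_response(const unsigned char *req, size_t req_len,
                                unsigned char *out, size_t out_cap)
{
    const unsigned char *payload;
    uint16_t plen;
    if (parse_heartbeat(req, req_len, &payload, &plen) != HB_OK)
        return 0;
    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (out_cap < need)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(plen & 0xff);
    memcpy(out + 3, payload, plen);
    memset(out + 3 + plen, 0, HB_MIN_PADDING); /* real TLS uses random padding; zeroed here */
    return need;
}

/* Constructed sample: well-formed request, declared length 4, payload "ping", 16 bytes padding. */
static const unsigned char good_req[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Constructed sample: same 23 bytes on the wire, but declaring a 65535-byte payload. */
static const unsigned char oversized_req[] = {
    0x01, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

enum hb_status check_good_request(void)
{
    const unsigned char *p; uint16_t n;
    return parse_heartbeat(good_req, sizeof good_req, &p, &n);       /* HB_OK */
}

size_t respond_to_good_request(void)
{
    unsigned char out[64];
    return build_heartbeat_response(good_req, sizeof good_req, out, sizeof out); /* 23 */
}

enum hb_status check_oversized_request(void)
{
    const unsigned char *p; uint16_t n;
    return parse_heartbeat(oversized_req, sizeof oversized_req, &p, &n); /* HB_LENGTH_MISMATCH */
}

size_t respond_to_oversized_request(void)
{
    unsigned char out[64];
    return build_heartbeat_response(oversized_req, sizeof oversized_req, out, sizeof out); /* 0 */
}

int main(void)
{
    printf("good request: status %d, response %zu bytes\n",
           (int)check_good_request(), respond_to_good_request());
    printf("oversized request: status %d, response %zu bytes\n",
           (int)check_oversized_request(), respond_to_oversized_request());
    return 0;
}
```

The point for a reviewer or auditor is the single comparison against rec_len: a length field inside a message says nothing about how many bytes actually arrived, so every copy must be bounded by the record size that the transport layer reported, never by the value the peer wrote.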