HEARTBLEED VULNERABILITY
Raj Nagalingam
IT Security Consultant
@rajidentityguru
05/07/14
Isc2 eastbay chapter_heartbleed_bug
Heartbleed – What you need to know
• Massive OpenSSL bug which allows attackers to read the memory of affected systems. Allows access to sensitive information such as certificate private keys, login credentials and other personal data
• You should change your passwords unless you KNOW the site in question was not vulnerable
• Even if you change your passwords, you should work with your business partners to ensure that vulnerable servers had certificates reissued
  – Otherwise you're not much more secure
Heartbeats
• SSL heartbeats are defined in RFC 6520
  – Used for keep-alive messages without the need for renegotiating the SSL session
• Heartbeat messages can be sent without authenticating with the server
HeartBleed – What is it?
• CVE-2014-0160 describes a flaw in the heartbeat extension to the SSL protocol
• OpenSSL code accepts a user-supplied length value for memory to read without proper validation
  – Never trust user-supplied input
• Bug was introduced in March 2012
  – OpenSSL 1.0.1
  – Good news: OpenSSL 1.0.0 is not vulnerable
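An added illustration (not from the slides) of the validation the slide says was missing: a minimal RFC 6520 heartbeat handler in C that checks the peer-declared payload_length against the bytes actually received before echoing anything back. The record layout follows RFC 6520; the function names and the two sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Validate a received heartbeat record of rec_len bytes. Returns the declared
 * payload length if the record really contains it, or -1 when the declared
 * length is not backed by received bytes (the check whose absence is CVE-2014-0160). */
int hb_validate(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;            /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];                 /* peer-controlled value */
    if (HB_HDR_LEN + payload + HB_MIN_PADDING > rec_len) return -1;  /* never trust user-supplied input */
    return (int)payload;
}

/* Build a HeartbeatResponse that echoes only a validated payload.
 * Returns the response length, or -1 if the request is rejected. */
int hb_build_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap) {
    int payload = hb_validate(req, req_len);
    if (payload < 0) return -1;
    size_t need = HB_HDR_LEN + (size_t)payload + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HDR_LEN, req + HB_HDR_LEN, (size_t)payload); /* copies only bytes the peer sent */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PADDING);       /* padding is zeroed, not leftover memory */
    return (int)need;
}

/* Constructed samples (not captured traffic), 23 bytes on the wire each: the first
 * declares the 4-byte payload "ping" it carries; the second carries the same bytes
 * but declares a 65535-byte payload, so it must be rejected. */
static const uint8_t kHonestRequest[23]    = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t kOversizedRequest[23] = {HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};

int main(void) {
    uint8_t resp[64];
    printf("honest request  -> %d bytes\n", hb_build_response(kHonestRequest, sizeof kHonestRequest, resp, sizeof resp));
    printf("oversized claim -> %d (rejected)\n", hb_build_response(kOversizedRequest, sizeof kOversizedRequest, resp, sizeof resp));
    return 0;
}
```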
HeartBleed – What sites are affected?
• Affects any sites running specific versions of OpenSSL (1.0.1 through 1.0.1f)
• 66% of the web uses OpenSSL
• Sites running older versions of OpenSSL are not vulnerable
How to Minimize your Risk
• Check your version of OpenSSL and either:
  – 1. Recompile OpenSSL without the heartbeat extension
  – 2. Update to the latest fixed version (1.0.1g)
• Contact your CA to reissue a replacement certificate
• Finally, as a best practice, businesses should reset end-user passwords that may have been visible in a compromised server's memory
Resources
• What the Heartbleed Security bug means for you
  http://lifehacker.com/what-the-heartbleed-security-bug-means-for-you-1560801201
• Heartbleed FAQ – http://heartbleed.com
• How Heartbleed Works
  http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209
QUESTIONS?