SlideShare a Scribd company logo

The Heartbleed Bug

n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore Chapter - June 2014 Meet

EducationTechnology
1 of 17
Download to read offline
by Sharath Unni HEARTBLEED Bug
Contents Introduction to HTTP Why HTTP over SSL? Discovery of heartbleed OpenSSL heartbeat extension What exactly is bleeding? Protecting against heartbleed attacks A quick demo
A typical HTTP communication • I would like to open a connection • GET <file location> • Display response • Close connection • OK • Send page or error message • OK Client Server
Clear-text protocols When packages of data are sent out over the internet – a lot more can happen than you think!
Need for encryption SSL/TLS Provides authentication, confidentiality and integrity. Asymmetric encryption for key exchange (Public and Private keys) Pre-shared secret key between the client and server SHARED secret key – ensures that the message is private even if it is intercepted. OpenSSL - open source implementation of SSL and TLS protocols
Discovery of Heartbleed The bug was independently discovered by a team of security engineers (Riku,Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014 Massive SSL bug impacts Internet and its users According to Netcraft’s survey about 17.5% of SSL sites had heartbeat extension enabled (half a million) Affected versions - 1.0.1 and 1.0.2-beta including 1.0.1f and 1.0.2- beta1 (since March 2012) Apache and nginx servers typically run OpenSSL implementations
SSL heartbeat SSL heartbeats are defined in RFC6520 Similar to Connection Keep-alive in HTTP They can be sent without authenticating with the server A heartbeat is a message that is sent to the server just so the server can send it back.This lets a client know that the server is still connected and listening.
OpenSSL HeartBeat
Heartbleed (CVE-2014-0160) The vulnerability lies in the implementation of Heartbeat The memory is allocated from the payload + padding which is a user controlled value. (Buffer over-read)
OpenSSL heartbeat
So what if we can read the memory?
Metasploit extract of memory dump
Metasploit extract of memory dump
Protecting Private keys
What can we do about it? Remove the HeartBeat extension Upgrade to OpenSSL 1.0.1g Revocation of the old key pairs Force users to change their passwords User awareness
Thank you! @sharath_unni h4xorhead@gmail.com

Recommended

The Heartbleed Attack
The Heartbleed AttackThe Heartbleed Attack
The Heartbleed AttackShreyas Kothari
 
Heartbleed
Heartbleed Heartbleed
Heartbleed Shyam Bahadur Sunari Magar
 
Heartbleed
HeartbleedHeartbleed
Heartbleedn|u - The Open Security Community
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationShafaan Khaliq Bhatti
 
Heartbleed Explained
Heartbleed ExplainedHeartbleed Explained
Heartbleed ExplainedMike Chapple
 
Cryptanalysis and Attacks
Cryptanalysis and AttacksCryptanalysis and Attacks
Cryptanalysis and AttacksShahbaz Anjam
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffersVi Tính Hoàng Nam
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 

Recommended

The Heartbleed Attack
The Heartbleed AttackThe Heartbleed Attack
The Heartbleed AttackShreyas Kothari
 
Heartbleed
Heartbleed Heartbleed
Heartbleed Shyam Bahadur Sunari Magar
 
Heartbleed
HeartbleedHeartbleed
Heartbleedn|u - The Open Security Community
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationShafaan Khaliq Bhatti
 
Heartbleed Explained
Heartbleed ExplainedHeartbleed Explained
Heartbleed ExplainedMike Chapple
 
Cryptanalysis and Attacks
Cryptanalysis and AttacksCryptanalysis and Attacks
Cryptanalysis and AttacksShahbaz Anjam
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffersVi Tính Hoàng Nam
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
TOR NETWORK
TOR NETWORKTOR NETWORK
TOR NETWORKRishikese MR
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
Cloud Security Top Threats
Cloud Security Top ThreatsCloud Security Top Threats
Cloud Security Top ThreatsTiago de Almeida
 
Introduction to Tor
Introduction to TorIntroduction to Tor
Introduction to TorJaskaran Narula
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersSam Bowne
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Pgp
PgpPgp
Pgpprecy02
 
Cryptography
CryptographyCryptography
CryptographyIGZ Software house
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanningVi Tính Hoàng Nam
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLSSirish Kumar
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free downloadTwinkal Harsora
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS ProtocolDevang Badrakiya
 
Symmetric ciphers questions and answers
Symmetric ciphers questions and answersSymmetric ciphers questions and answers
Symmetric ciphers questions and answersprdpgpt
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithmstrilokchandra prakash
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryptionCysinfo Cyber Security Community
 
Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptographyzahid-mian
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithmArpana shree
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementationAkash Jadhav
 
Condiciones Viaje Riviera Maya
Condiciones Viaje Riviera MayaCondiciones Viaje Riviera Maya
Condiciones Viaje Riviera MayaEventspmfactory
 
Services flyer 2011
Services flyer 2011Services flyer 2011
Services flyer 2011Jodie Andersen
 

More Related Content

What's hot

Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
Cloud Security Top Threats
Cloud Security Top ThreatsCloud Security Top Threats
Cloud Security Top ThreatsTiago de Almeida
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersSam Bowne
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free downloadTwinkal Harsora
 
Symmetric ciphers questions and answers
Symmetric ciphers questions and answersSymmetric ciphers questions and answers
Symmetric ciphers questions and answersprdpgpt
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptographyzahid-mian
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementationAkash Jadhav
 

What's hot (20)

TOR NETWORK
TOR NETWORKTOR NETWORK
TOR NETWORK
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
 
Cloud Security Top Threats
Cloud Security Top ThreatsCloud Security Top Threats
Cloud Security Top Threats
 
Introduction to Tor
Introduction to TorIntroduction to Tor
Introduction to Tor
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream Ciphers
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Pgp
PgpPgp
Pgp
 
Cryptography
CryptographyCryptography
Cryptography
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free download
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
 
Symmetric ciphers questions and answers
Symmetric ciphers questions and answersSymmetric ciphers questions and answers
Symmetric ciphers questions and answers
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
 
Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptography
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementation
 

Viewers also liked

Condiciones Viaje Riviera Maya
Condiciones Viaje Riviera MayaCondiciones Viaje Riviera Maya
Condiciones Viaje Riviera MayaEventspmfactory
 
Iyonik bileşkler
Iyonik bileşklerIyonik bileşkler
Iyonik bileşklerTudoshikame
 
Credenciales emagine you agosto 2010
Credenciales emagine you agosto 2010Credenciales emagine you agosto 2010
Credenciales emagine you agosto 2010Gini Rute
 
Memoriaiesdosmarescentropreferenteaacc
MemoriaiesdosmarescentropreferenteaaccMemoriaiesdosmarescentropreferenteaacc
Memoriaiesdosmarescentropreferenteaaccantoniarebollocastejon
 
Study design slides week 3
Study design slides week 3Study design slides week 3
Study design slides week 3stanbridge
 
Storify - amplify the voices that matter
Storify - amplify the voices that matterStorify - amplify the voices that matter
Storify - amplify the voices that matterXavier Damman
 
Programa de gobierno copia2
Programa de gobierno copia2Programa de gobierno copia2
Programa de gobierno copia2somosnarino
 
Reglamento
ReglamentoReglamento
Reglamentojamezali
 
Hard sell v/s Soft Sell
Hard sell v/s Soft SellHard sell v/s Soft Sell
Hard sell v/s Soft SellWish Mrt'xa
 
Investigacion de accidentes (tasc)
Investigacion de accidentes (tasc)Investigacion de accidentes (tasc)
Investigacion de accidentes (tasc)oscarreyesnova
 
The French Revolution of 1789
The French Revolution of 1789The French Revolution of 1789
The French Revolution of 1789Tom Richey
 
Report on Heartbleed
Report on HeartbleedReport on Heartbleed
Report on HeartbleedShiva Sagar
 

Viewers also liked (17)

Condiciones Viaje Riviera Maya
Condiciones Viaje Riviera MayaCondiciones Viaje Riviera Maya
Condiciones Viaje Riviera Maya
 
Services flyer 2011
Services flyer 2011Services flyer 2011
Services flyer 2011
 
801 sub 1
801 sub 1801 sub 1
801 sub 1
 
Iyonik bileşkler
Iyonik bileşklerIyonik bileşkler
Iyonik bileşkler
 
Credenciales emagine you agosto 2010
Credenciales emagine you agosto 2010Credenciales emagine you agosto 2010
Credenciales emagine you agosto 2010
 
Memoriaiesdosmarescentropreferenteaacc
MemoriaiesdosmarescentropreferenteaaccMemoriaiesdosmarescentropreferenteaacc
Memoriaiesdosmarescentropreferenteaacc
 
Study design slides week 3
Study design slides week 3Study design slides week 3
Study design slides week 3
 
Storify - amplify the voices that matter
Storify - amplify the voices that matterStorify - amplify the voices that matter
Storify - amplify the voices that matter
 
Programa de gobierno copia2
Programa de gobierno copia2Programa de gobierno copia2
Programa de gobierno copia2
 
Reglamento
ReglamentoReglamento
Reglamento
 
Hard sell v/s Soft Sell
Hard sell v/s Soft SellHard sell v/s Soft Sell
Hard sell v/s Soft Sell
 
Investigacion de accidentes (tasc)
Investigacion de accidentes (tasc)Investigacion de accidentes (tasc)
Investigacion de accidentes (tasc)
 
B v palabras
B v palabrasB v palabras
B v palabras
 
L’obésité
L’obésitéL’obésité
L’obésité
 
Sikkim ppt
Sikkim ppt Sikkim ppt
Sikkim ppt
 
The French Revolution of 1789
The French Revolution of 1789The French Revolution of 1789
The French Revolution of 1789
 
Report on Heartbleed
Report on HeartbleedReport on Heartbleed
Report on Heartbleed
 

Similar to The Heartbleed Bug

How to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationHow to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationPankaj Rane
 
Heart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryHeart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryLorick Jain
 
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionComparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionCSCJournals
 
Ssl pinning and hsts header
Ssl pinning and hsts headerSsl pinning and hsts header
Ssl pinning and hsts headerSaleem M
 
Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)kholis_mjd
 
Web technology-guide
Web technology-guideWeb technology-guide
Web technology-guideSrihari
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolMohammed Adam
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference Real Estate
 
Lesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxLesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxJezer Arces
 
Heartbleed Bug Flaw in Servers and its reverse
Heartbleed Bug Flaw in Servers and its reverseHeartbleed Bug Flaw in Servers and its reverse
Heartbleed Bug Flaw in Servers and its reverseMohamed Hisham Ache
 
Heartbleed Bug
Heartbleed BugHeartbleed Bug
Heartbleed BugNIKHIL P L
 
Differences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfDifferences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfHost It Smart
 

Similar to The Heartbleed Bug (20)

How to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationHow to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstration
 
Ssl https
Ssl httpsSsl https
Ssl https
 
Heartbleed
HeartbleedHeartbleed
Heartbleed
 
Heart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryHeart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic library
 
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionComparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
 
Http Vs Https .
Http Vs Https . Http Vs Https .
Http Vs Https .
 
Ssl pinning and hsts header
Ssl pinning and hsts headerSsl pinning and hsts header
Ssl pinning and hsts header
 
Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)Basic IT 2 (General IT Knowledge-2)
Basic IT 2 (General IT Knowledge-2)
 
Web technology-guide
Web technology-guideWeb technology-guide
Web technology-guide
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
 
OpenSSL
OpenSSLOpenSSL
OpenSSL
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference
 
Web protocol.pptx
Web protocol.pptxWeb protocol.pptx
Web protocol.pptx
 
Lesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxLesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptx
 
application layer
application layerapplication layer
application layer
 
Heartbleed Bug Flaw in Servers and its reverse
Heartbleed Bug Flaw in Servers and its reverseHeartbleed Bug Flaw in Servers and its reverse
Heartbleed Bug Flaw in Servers and its reverse
 
Heartbleed Bug
Heartbleed BugHeartbleed Bug
Heartbleed Bug
 
Differences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfDifferences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdf
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptx
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxsqpmdrvczh
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 

Recently uploaded (20)

OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 

The Heartbleed Bug

  • 2. Contents Introduction to HTTP Why HTTP over SSL? Discovery of heartbleed OpenSSL heartbeat extension What exactly is bleeding? Protecting against heartbleed attacks A quick demo
  • 3. A typical HTTP communication • I would like to open a connection • GET <file location> • Display response • Close connection • OK • Send page or error message • OK Client Server
  • 4. Clear-text protocols When packages of data are sent out over the internet – a lot more can happen than you think!
  • 5. Need for encryption SSL/TLS Provides authentication, confidentiality and integrity. Asymmetric encryption for key exchange (Public and Private keys) Pre-shared secret key between the client and server SHARED secret key – ensures that the message is private even if it is intercepted. OpenSSL - open source implementation of SSL and TLS protocols
  • 6. Discovery of Heartbleed The bug was independently discovered by a team of security engineers (Riku,Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014 Massive SSL bug impacts Internet and its users According to Netcraft’s survey about 17.5% of SSL sites had heartbeat extension enabled (half a million) Affected versions - 1.0.1 and 1.0.2-beta including 1.0.1f and 1.0.2- beta1 (since March 2012) Apache and nginx servers typically run OpenSSL implementations
  • 7. SSL heartbeat SSL heartbeats are defined in RFC6520 Similar to Connection Keep-alive in HTTP They can be sent without authenticating with the server A heartbeat is a message that is sent to the server just so the server can send it back.This lets a client know that the server is still connected and listening.
  • 9. Heartbleed (CVE-2014-0160) The vulnerability lies in the implementation of Heartbeat The memory is allocated from the payload + padding which is a user controlled value. (Buffer over-read)
  • 11.
  • 12. So what if we can read the memory?
  • 13. Metasploit extract of memory dump
  • 14. Metasploit extract of memory dump
  • 16. What can we do about it? Remove the HeartBeat extension Upgrade to OpenSSL 1.0.1g Revocation of the old key pairs Force users to change their passwords User awareness