Quick And Dirty Introduction to:“Heartbleed”

By: Allen Baranov, CISSP

Who Am I?

Allen Baranov, CISSPInformation Security Professional

SABSA Foundation Certified

Specialist In Security Management, Security Architecture and Risk and Compliance

Looking for new permanent position!… or even some short term work.

See LinkedIn for more details or email me for more information!

au.linkedin.com/in/allenbaranov/

Quick and Dirty Introductions are something that I created at my last employer to describe in simple language a pretty complex Information Security concept.-AB

OK, so….

What is it really?

It is a bug in a piece of software called

OPENSSL

I need “www.example.com.au”

Er, so what is OPENSSL?

OPENSSL is the software that a Web Server uses to do encryption through the Internet.

Sure.. But lets just encrypt that information

so no-one around you can see what you did on Saturday night or what

your banking password is

Ok, I have my browser to do that

Excellent, I have OpenSSL.

OpenSSL is risky software…

Most of the Internet uses it.

Yay OpenSSL!

And it sits in a place that is very risky. It can not be protected by Firewalls and it sits on a webserver.

The same webserver that takes your passwords, has your banking details, etc.

Er….we need to talk.

The thing is that OpenSSL is generally secure. Very secure.

It was written by guys who wear glasses like this:

(And not in an ironic hipster way… they are nerds)

OpenSSL has been running on most of the Internet without an issue since 1998.

In Internet time that is pre-dinosaur.

(Google in 1998… less than 1 year old)

…but… if you are going to go down… go down big.

Heartbleed is a pretty nasty bug and one that is so simple, it should never have happened in the first place…

The discussion takes a technical turn. I will try keep it light as possible but if you have no interest in why this bug happened then jump ahead to the picture of Darth Vader to see what impact this will have on your life.

How does the bug work?Are you still

there?

Yes, are you?

Yes, are you?

Yes, are you?

The Server and your PC are constantly checking that the other one is still around. This is called a HEARTBEAT.

Magnifying to get more detail…

I have a message that

is 64kb big

Cool, send it and I will send

it back!

Yes, are you?

Yes, are you?

Heartbeat successful!

Now…lets mess around a bit…

I have a message that

is 64kb big

Cool, send it and I will send

it back!

(Not actually 64kb as promised

before)

Yes, are you?

Heartbeat successful!But….hang on……

Where did the extra information from the Server

Come from?!

Picture the Server’s memory management like a house on a hoarder’s show on TV. Everything is all muddled and the Server only throws away stuff when it needs to replace it with other stuff.

The difference is that the Server, being a computer, can keep track of everything.

So, when you give it 65kb of stuff to keep for you, it gets rid of exactly 65 kb of stuff .

In fact, it doesn’t even get rid of the stuff. It just copies your stuff over.

In the analogy that I’ve used imagine the mattress by the wall turning into a table lamp and the could-be-fixed-with-some-work table turning into a mostly-unused-mostly clean table cloth. Etc.

This is quite normal and how computers work. However, when you trick the computer and give it only 2 things when it was expecting 64…

It just gives you 62 pieces of junk that it was going to get rid of anyhow.

This is where things get interesting…..

(Picture of Vader, as promised, with kilt and bagpipes… also unicycle.)

So, a malicious attacker can get random pieces of memory from a Server. And it could be anything. Researchers have found passwords, private messages, secrets that can take over machines, etc etc. It could be ANYTHING including passwords.

On the other hand, it is totally random so an attacker would not be able to choose what he wanted or know up front what he is getting. (Or she)

But on the other hand (I think we are up to three) the attacker can run this attack as often as he likes without being detected.

Think of it as a lucky packet but you get as many as you like.

So, what does this mean for the regular man on the street..

Your passwords may have been compromised or not. It is impossible to tell. It is also impossible to know just where this would have happened. OpenSSL is used on almost all websites including the biggest and the smallest.

It is probably a good time now to change all of your passwords. It is also probably a good time to use different passwords for different sites.

Make sure that the Server administrator has patched the bug before changing your password.

The most important take away from this is that all sites have different ways of doing security. So will have rolled out the patch already and some will never roll it out. If you use the same password for your banking service (which is assumed to be the ones that will roll it out first) and some arbitrary website you only logged onto to comment on once then you are at risk.

More important than having strong passwords is having different passwords at different sites.

Attackers will try out your password at other sites just because most people use the same password and it is easy for them.

Oh…and one other thing!

Heartbleed is certainly an interesting bug and has a lovely logo and is scary, for sure but:

If you are still running Windows XP after it has been discontinued by Microsoft, you are at risk.

While attackers will use Heartbleed because the fact that it is widespread and easy to attack, the harvesting of information is not so easy. Most attacks will still be at the client/computer level and it is only a matter of time until someone finds a way to take over Windows XP machines for all of their information. And Microsoft will NOT be releasing a patch.

The End Beginning…

If you want any more information about anything in this slideshow

or to ask a question or want to know more about what I do…

feel free to contact me on LinkedIn

Allen Baranov, CISSPInformation Security Professional

au.linkedin.com/in/allenbaranov/