What is Heartbleed? Heartbleed is a vulnerability in OpenSSL software. OpenSSL is encryption software that accesses websites through a “secure” connection, HTTPS://.

Page 1: What is Heartbleed? Heartbleed is a vulnerability in OpenSSL software. OpenSSL is encryption software that accesses websites through a “secure” connection,

What is Heartbleed?

Heartbleed is a vulnerability in OpenSSL software.

OpenSSL is the encryption software used to reach websites over a “secure” connection, HTTPS://.

Page 2:

How does it work?

To keep a connection alive, a client computer and the server send short “heartbeat” blocks of data back and forth. Each block carries a payload and a field stating the payload’s length.

A malformed block says its payload is 64KB long, the maximum possible, while actually sending far less. The server never checks the stated length against what arrived; it copies that much data from its own memory into the response. That memory may hold passwords, session cookies, encryption keys, etc.
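As an added illustration (not part of the original slides), the C model below shows the missing check: a constructed heartbeat record whose 16-bit length field claims more bytes than were sent, a pre-patch handler that copies the claimed amount from adjacent memory, and the patched handler’s bounds check that discards such requests. The memory arena, the record layout and the "SESSION=deadbeef" secret are constructed for the model, not taken from OpenSSL.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of server memory: the received heartbeat record sits next
 * to unrelated data (a session cookie) that must never leave the process. */
#define ARENA_SIZE 128
static unsigned char arena[ARENA_SIZE];   /* receive buffer plus whatever follows it */
static unsigned char reply[ARENA_SIZE];   /* bytes the server would send back */

/* Heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16).
 * Build a request whose header claims `claimed` bytes but carries only `actual` bytes. */
static size_t build_request(uint16_t claimed, const char *payload, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                    /* heartbeat_request */
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, actual);
    size_t record_len = 3 + actual + 16;             /* bytes the TLS layer really received */
    memcpy(arena + record_len, "SESSION=deadbeef", 16); /* constructed adjacent secret */
    return record_len;
}

/* Pre-patch behaviour: the handler trusts the 16-bit length field (up to 64 KB)
 * and copies that many bytes from memory into the reply. */
static int heartbeat_vulnerable(size_t record_len) {
    (void)record_len;                                /* never consulted: the bug */
    size_t claimed = (size_t)(arena[1] << 8 | arena[2]);
    if (claimed > ARENA_SIZE - 3) claimed = ARENA_SIZE - 3; /* keep the model in bounds */
    memcpy(reply, arena + 3, claimed);               /* reads past the real payload */
    return (int)claimed;
}

/* Patched behaviour: header + claimed payload + padding must fit inside the
 * record actually received, otherwise the request is silently discarded. */
static int heartbeat_fixed(size_t record_len) {
    size_t claimed = (size_t)(arena[1] << 8 | arena[2]);
    if (1 + 2 + claimed + 16 > record_len) return -1;
    memcpy(reply, arena + 3, claimed);
    return (int)claimed;
}

/* Does the reply contain the constructed secret? */
static int leaked(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}
```

With a request that claims 40 bytes but sends 4, the vulnerable handler’s 40-byte reply includes the adjacent secret, while the fixed handler returns -1 and sends nothing.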

Page 3:

What happened when?

OpenSSL (the vulnerable version) released March 2012

Publicly reported as vulnerable 1 April 2014

Patch released 21 March 2014 (some fixes had already been put in place by then)

First proven attempted exploit 8 April 2014

Intentional vulnerability test 12 April 2014

Page 4:

How many sites are vulnerable? (after the vulnerability was reported publicly)

Page 5:

How many sites are vulnerable?

A list of the top 1,000 most popular web domains and mail servers that remain vulnerable: https://zmap.io/heartbleed/

Page 6:

What should you do?

Change all passwords as soon as you can.

Find out which sites are vulnerable

On vulnerable sites that have been patched: old passwords may be compromised.

On sites not yet patched (ask about current status): new passwords may become compromised, so change them regularly.

On sites not affected: was the same password used elsewhere?

Page 7:

Which sites are not affected?

Almost all financial service sites are OK.

Page 8:

Which common sites have been patched?

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Site List

Search for a site: https://lastpass.com/heartbleed/

Page 9:

How do I manage?

Use a password manager (free): LastPass

Use a LastPass account, import your existing passwords or save newly generated ones.

A good way to manage passwords on Windows; includes an IE installer.

Supports Internet Explorer 8+, Firefox 2.0+, Chrome 18+, Safari 5+, Opera 11+.

http://www.pcmag.com/article2/0,2817,2407168,00.asp

https://lastpass.com/misc_download2.php

Page 10:

What does your son/daughter know?

• Keep a separate, up to date record of your passwords in a safe place.

• Make sure your designated representative knows where that record is.