My presentation at the Control of Energy, Industrial and Ecological Systems International Symposium, IT Industry Section, at Bankya, Bulgaria.
About the Heartbleed bug: the flaw in servers and its reverse, the impact on industry, fixing the problem and security best practices.
1. Heartbleed – OpenSSL Client and Server Protocol Vulnerability
M.H.Abdel Akher, Vassil Metodiev
INTERNATIONAL SYMPOSIUM
Control of Energy, Industrial and Ecological Systems
Bankya, 8 - 9 May 2014
2. Authors
Mohamed Hisham Abdel Akher
Erasmus Student from Helwan University, Egypt
Vassil Metodiev
chief assist. prof. eng.
Department of Industrial Automation,
University of Chemical Technology and Metallurgy,
SOFIA, Bulgaria
3. Abstract
The Internet has become an important part of everyday personal and business activities, to the point of being regarded as a human right in modern life.
Software bugs significantly hurt software reliability and security, causing system failures and security vulnerabilities.
This paper examines one of the more widely used attack techniques that the "Heartbleed" vulnerability makes possible.
The paper also outlines some best practices and secure techniques for staying safe online.
4. Outline
Information Security Core Components
The need for Encryption
TLS/SSL Technical Stuff
TLS Heartbeat extension
Heartbleed Flaw in Servers
OpenSSL Reverse Heartbleed Vulnerability
THE HEARTBLEED BUG IMPACT
Why fixing the problem is not simple
SECURITY GUIDELINES AND BEST PRACTICES
Summary
5. Information Security Core Components
Confidentiality Integrity Authentication
Access Control Availability Nonrepudiation
6. The need for encryption
The idea of encryption is to make sure that the information one sends from one's computer to someone else, or to a web server, is protected and secure.
As an Internet-using populace, we are more aware than ever of the importance of keeping private and confidential information "secure".
We can think of encryption as a secret language between two parties. This language works as a set of encryption keys: the user has a copy of the keys on their computer, and the other end (the web application or server) has its own set.
7. TLS/SSL Technical Stuff
SSL and TLS are protocols that provide session encryption and integrity for packets sent from one computer to another.
They can be used to secure client-to-server or server-to-server network traffic.
They also provide authentication of the server to the client and (optionally) of the client to the server through X.509 certificates.
TLS is the successor to, and an enhancement of, SSL.
8. TLS Heartbeat extension
Using the heartbeat extension, two computers make sure the other is still alive by sending data back and forth. The client (user) sends its heartbeat to the server (website), and the server hands the same data right back.
If by chance either of them goes down during the transaction, the other one will know through the heartbeat mechanism.
9. Heartbleed Bug & OpenSSL
"Heartbleed" is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library. It resides in OpenSSL's implementation of the TLS and DTLS (Datagram TLS) heartbeat extension (RFC 6520).
The Heartbleed bug specifically affects OpenSSL version 1.0.1 and the beta versions of 1.0.2.
10. Heartbleed Flaw in Servers
When a malformed heartbeat is sent, a small amount of the server's short-term memory, up to about 64 kilobytes per request, comes back in the reply, because the unpatched code built the reply from the length the request declared rather than from the data it actually contained. An attacker can collect these replies, and they can leak sensitive data such as message contents, user credentials, session keys and the server's private keys.
11. OpenSSL Reverse Heartbleed Vulnerability
A malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from the client.
In this scenario, the attacker would set up a malicious web server that sends the Heartbleed exploit to any vulnerable client that connects to it.
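The heartbeat message from RFC 6520 (type, 16-bit payload_length, payload, at least 16 bytes of padding) and the length check that the patched OpenSSL performs, for both the server side described on slide 10 and the client side described on slide 11. This is an added example written for this page, not code from OpenSSL or from the authors; the message builder uses zero padding instead of random bytes, and its `declared_length` parameter exists only so a test can construct the malformed input the parser must reject.

```python
import struct
from typing import Optional

# RFC 6520 HeartbeatMessage: type (1 byte), payload_length (2 bytes), payload, padding.
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 1 + 2
MIN_PADDING = 16          # the RFC requires at least 16 bytes of padding
MAX_PAYLOAD = 0xFFFF      # 16-bit field: one request can claim at most 65535 bytes,
                          # which is where the "about 64 kilobytes" figure comes from


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload of a heartbeat record, or raise ValueError.

    The comparison of payload_length against the real record length is the
    check the unpatched OpenSSL 1.0.1 code lacked: it trusted the declared
    length and echoed that many bytes from its own memory. A peer that
    enforces this check on requests (server) and responses (client) is not
    exposed in either direction.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short to be a heartbeat message")
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {msg_type}")
    needed = HEADER_LEN + payload_length + MIN_PADDING
    if needed > len(record):
        # An unpatched peer would have read (needed - len(record)) bytes past
        # the message; a patched one silently discards the record instead.
        raise ValueError(f"payload_length {payload_length} overruns a "
                         f"{len(record)}-byte record by {needed - len(record)}")
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def is_well_formed(record: bytes) -> bool:
    """Boolean wrapper around parse_heartbeat, convenient for logging."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


def build_heartbeat(payload: bytes, msg_type: int = HEARTBEAT_REQUEST,
                    declared_length: Optional[int] = None) -> bytes:
    """Build a heartbeat record (constructed example; zero padding, not random).
    declared_length overrides the true length so a test can exercise rejection."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", msg_type, length) + payload + b"\x00" * MIN_PADDING


def build_response(request: bytes) -> bytes:
    """What a correct peer sends back: the validated payload, echoed."""
    return build_heartbeat(parse_heartbeat(request), HEARTBEAT_RESPONSE)
```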
12. “The real problem is only a dumb coding mistake”
Swati Khandelwal
13. THE HEARTBLEED BUG IMPACT
The Heartbleed vulnerability operates without detection and, moreover, works in such a way that large amounts of information can be accessed with ease.
The SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities.
These certificates are consequently vulnerable to being spoofed through private key disclosure, allowing an attacker to impersonate the affected websites without raising any browser warnings.
15. Fixing the Problem is not that simple (Continued)
The Heartbleed vulnerability represents the shift from "attacks could happen" to "attacks have happened".
Fixing the problem is not that simple, because we were unaware of the bug for over 2 years.
We cannot go back in time and prevent any person or organization who may have taken advantage of this vulnerability from accessing information not intended for them.
A patch that fixes the Heartbleed vulnerability in OpenSSL is already widely available.
16. Fixing the Problem is not that simple
The patch itself isn't difficult to apply, but the problem is that, along with patching the software, some organizations need to consider whether they must also revoke and reissue various digital certificates.
If someone was able to sneak in and grab a site's certificate and private key before the site was patched, they could use them to forge the site's identity or to masquerade another site as the affected one.
Organizations have to decide whether to revoke and reissue all certificates via a CA or to wait for the current certificates to expire.
17. SECURITY GUIDELINES AND BEST PRACTICES
First of all, we can check whether or not a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
If we find that the server is vulnerable, we have to patch it. Patching a system today is good, but it cannot undo the attacks that may have already happened.
After patching the system, we have to get a new public/private key pair, update the SSL certificate, and then change every password that could potentially be affected.
Bruce Schneier
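The first step above, a version check, and the rekeying step that follows the patch, as an added shell example written for this page (not the authors' own tooling). It assumes the affected range is OpenSSL 1.0.1 through 1.0.1f plus 1.0.2-beta1, with 1.0.1g and 1.0.2-beta2 being the fixed releases; `rekey_site` and its host name argument are hypothetical names chosen here.

```bash
#!/bin/sh
# Classify an "openssl version" line against the CVE-2014-0160 range.
# Output is one word: vulnerable, patched, or not-affected.
heartbleed_status() {
  # $1 is a full line such as "OpenSSL 1.0.1f 6 Jan 2014"; the version is field 2.
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.2-beta1) echo vulnerable ;;
    1.0.1*|1.0.2*)                echo patched ;;        # 1.0.1g+, 1.0.2-beta2+
    *)                            echo not-affected ;;   # 0.9.8, 1.0.0, 1.1.x ...
  esac
}

# Caveat: distributions often backport the fix without changing the version
# string (the binary keeps reporting 1.0.1e), so treat "vulnerable" here as
# "verify further" against the package changelog, not as a final verdict.

# Step after patching (per the advice on this slide): a fresh private key and a
# certificate signing request, so the certificate can be reissued by the CA.
# Writes <host>.key and <host>.csr in the current directory.
rekey_site() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$host.key" -out "$host.csr" -subj "/CN=$host"
}

# Report on the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
  line=$(openssl version)
  echo "local OpenSSL: $line -> $(heartbleed_status "$line")"
fi
```

After `rekey_site` runs, the old certificate still has to be revoked at the CA and the new one installed; the key file must stay private.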
18. Summary
There have been and always will be bugs.
"Anyone who thinks they have privacy on the internet is a fool."
Ira Winkler
20. Thank you!
M.H Abdel Akher
Erasmus BSc Student
Business Information System Department,
Helwan University, Cairo, Egypt
Email : mhabdelakher@gmail.com