Heartbleed – OpenSSL Client and
Server Protocol Vulnerability
M.H.Abdel Akher, Vassil Metodiev
INTERNATIONAL SYMPOSIUM
Control of Energy, Industrial and Ecological Systems
Bankya, 8 - 9 May 2014
Authors
Mohamed Hisham Abdel Akher
Erasmus Student from Helwan University, Egypt
Vassil Metodiev
chief assist. prof. eng.
Department of Industrial Automation,
University of Chemical Technology and Metallurgy,
SOFIA, Bulgaria
Abstract
 The Internet has become an important part of everyday personal and business activities, one of the human rights of modern life.
 Software bugs significantly hurt software reliability and security, causing system failures and security vulnerabilities.
 This paper examines one of the more popular attack techniques that can be applied to the “Heartbleed” vulnerability.
 The paper also outlines some best practices and secure techniques for staying safe online.
Outline
Information Security Core Components
The need for Encryption
TLS/SSL Technical Stuff
TLS Heartbeat extension
Heartbleed Flaw in Servers
OpenSSL Reverse Heartbleed Vulnerability
THE HEARTBLEED BUG IMPACT
Why fixing the problem is not simple?
SECURITY GUIDELINES AND BEST PRACTICES
Summary
Information Security Core Components
Confidentiality, Integrity, Authentication, Access Control, Availability, Nonrepudiation
The need for encryption
The idea of encryption is to make sure that the information one sends from one's computer to someone else or to another web server is protected and secure.
As an Internet-using populace, we are more aware of the importance of keeping private and confidential information “secure”.
We can think of encryption as a secret language between two people. This language works as a set of encryption keys. The users have a copy of the encryption keys on their computer, and the other party (the web application or server) has a set.
TLS/SSL Technical Stuff
 SSL and TLS are protocols that provide session encryption and integrity for packets sent from one computer to another.
 They can be used to secure client-to-server or server-to-server network traffic.
 They also provide authentication of the server to the client and (optionally) of the client to the server through X.509 certificates.
 TLS is an enhancement of SSL.
TLS Heartbeat extension
 Using the heartbeat extension, two computers make sure the other is still alive by sending data back and forth to each other. The client (user) sends its heartbeat to the server (website), and the server hands it right back.
 If either of them goes down during the transaction, the other one will know through the heartbeat mechanism.
Heartbleed Bug & OpenSSL
 “Heartbleed” is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library. It resides in OpenSSL's implementation of the TLS and DTLS (Datagram TLS) heartbeat extension (RFC 6520).
 The Heartbleed bug specifically impacts version 1.0.1 and the beta versions of 1.0.2.
Heartbleed Flaw in Servers
 When the heartbeat is sent, a small amount of the server’s short-term memory (about 64 kilobytes) comes back in the reply from the server, and an attacker can grab it. This can leak sensitive data such as message contents, user credentials, session keys and server private keys.
OpenSSL Reverse Heartbleed
Vulnerability
 A malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from the client.
 In this scenario, the attacker would set up a malicious web server that is used to send the exploit for the Heartbleed vulnerability to the client.
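To show the "dumb coding mistake" behind both the server-side and the reverse (client-side) flaw described above, here is an added teaching example, not code from the slides or from OpenSSL. It models the RFC 6520 heartbeat message inside a constructed in-process memory arena, so the missing length check can be demonstrated offline: the unpatched handler trusts the length field in the message, the patched one applies the rule that the claimed payload plus header and padding must fit inside the record actually received. The arena layout, the SECRET string and the function names are assumptions for the demo.

```c
/* Added example: heartbeat handling with and without the bounds check
 * that CVE-2014-0160 was missing, simulated in a local buffer (no TLS,
 * no network). All names and data here are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  256   /* simulated slice of the peer's heap */
#define HB_REQUEST  1     /* RFC 6520 HeartbeatMessageType values */
#define HB_RESPONSE 2
#define HB_PADDING  16    /* RFC 6520: padding must be at least 16 bytes */

/* Constructed memory layout: the received heartbeat record sits at the
 * start of the arena and an unrelated secret (think: a session cookie
 * left over from another connection) lives right after it. */
struct arena {
    uint8_t mem[ARENA_SIZE];
    size_t  record_len;   /* bytes actually received on the wire */
};

static const char SECRET[] = "session=c0ffee-constructed-demo-secret";

/* Writes a heartbeat request whose header claims `claimed_len` payload
 * bytes but actually carries `actual_len`; returns the record length. */
size_t build_request(struct arena *a, uint16_t claimed_len,
                     const uint8_t *payload, size_t actual_len)
{
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = HB_REQUEST;
    a->mem[1] = (uint8_t)(claimed_len >> 8);       /* payload_length, big-endian */
    a->mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(a->mem + 3, payload, actual_len);
    a->record_len = 3 + actual_len + HB_PADDING;   /* padding stays zeroed */
    memcpy(a->mem + a->record_len, SECRET, sizeof SECRET); /* stale heap data */
    return a->record_len;
}

/* Unpatched logic: copies as many bytes as the peer *claims*, so the
 * reply echoes whatever follows the real payload in memory. The read is
 * clamped to the arena only so the demo itself has no undefined behaviour. */
size_t reply_unpatched(const struct arena *a, uint8_t *out, size_t out_cap)
{
    size_t n = (size_t)((a->mem[1] << 8) | a->mem[2]);
    if (3 + n > ARENA_SIZE) n = ARENA_SIZE - 3;    /* demo-only clamp */
    if (3 + n > out_cap)    n = out_cap - 3;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + 3, a->mem + 3, n);                /* the over-read happens here */
    return 3 + n;
}

/* Patched logic: header + claimed payload + minimum padding must fit in
 * the record that was actually received; otherwise the message is
 * silently discarded (return value 0), which is what the fix does. */
size_t reply_patched(const struct arena *a, uint8_t *out, size_t out_cap)
{
    if (a->record_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = (size_t)((a->mem[1] << 8) | a->mem[2]);
    if (1 + 2 + claimed + HB_PADDING > a->record_len) return 0;
    if (3 + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = a->mem[1];
    out[2] = a->mem[2];
    memcpy(out + 3, a->mem + 3, claimed);          /* bounded by the check above */
    return 3 + claimed;
}

/* Returns 1 if the response payload contains the secret, 0 otherwise. */
int leaks_secret(const uint8_t *resp, size_t resp_len)
{
    const size_t slen = sizeof SECRET - 1;
    if (resp_len < 3 + slen) return 0;
    for (size_t i = 3; i + slen <= resp_len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    struct arena a;
    uint8_t out[ARENA_SIZE];
    const uint8_t ping[] = "ping";

    build_request(&a, 4, ping, 4);                 /* honest 4-byte heartbeat */
    size_t n = reply_patched(&a, out, sizeof out);
    printf("honest request: patched reply %zu bytes, leak=%d\n", n, leaks_secret(out, n));

    build_request(&a, 0xFFFF, ping, 4);            /* claims 65535, sends 4 */
    n = reply_unpatched(&a, out, sizeof out);
    printf("malformed request: unpatched reply %zu bytes, leak=%d\n", n, leaks_secret(out, n));
    n = reply_patched(&a, out, sizeof out);
    printf("malformed request: patched reply %zu bytes (0 = discarded)\n", n);
    return 0;
}
```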
“The real problem is only a dumb coding mistake”
Swati Khandelwal
THE HEARTBLEED BUG IMPACT
 The Heartbleed vulnerability can be exploited without detection, and it works in such a way that a lot of information can be accessed with ease.
 An SSL survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities.
 These certificates are consequently vulnerable to being spoofed through private key disclosure, allowing an attacker to impersonate the affected websites without raising any browser warnings.
Fixing the Problem is not that simple (Continued)
 The Heartbleed vulnerability represents the movement from “attacks could happen” to “attacks have happened”.
 Fixing the problem is not that simple, because we were unaware of the bug for over 2 years.
 We can’t go back in time and prevent any person or organization who may have taken advantage of this vulnerability from accessing information not intended for them.
 A patch that fixes the Heartbleed vulnerability in OpenSSL is already widely available.
Fixing the Problem is not that simple
 The patch itself isn't that difficult to implement, but the problem is that along with patching the software, some applications need to look at whether or not they need to revoke and reissue various digital certificates.
 If someone was able to sneak in and grab a site's digital certificate before the site was patched, they could make changes to the certificate or masquerade another site as having a different identity.
 Organizations have to determine whether to revoke and reissue all certificates via a CA or wait for the current certificates to expire.
SECURITY GUIDELINES AND BEST PRACTICES
 First of all, we can check whether or not a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
 If we find that the server is vulnerable, we have to patch it. Patching a system today is great, but that can’t prevent the attacks that may have already happened.
 After we patch the system, we have to get a new public/private key pair, update the SSL certificate, and then change every password that could potentially be affected.
Bruce Schneier
Summary
There have been and always will be bugs.
Anyone who thinks they have privacy on the
internet is a fool.
Ira Winkler
Questions & Answers
Thank you!
M.H Abdel Akher
Erasmus BSc Student
Business Information System Department,
Helwan University, Cairo, Egypt
Email: mhabdelakher@gmail.com