SlideShare uma empresa Scribd logo

Heartbleed

Transferir como PPTX, PDF
Ibrahim Mosaad
Ibrahim Mosaad

Heartbleed is a critical bug in OpenSSL that allows attackers to read portions of an affected server's memory. It impacts OpenSSL versions 1.0.1 and 1.0.2. The bug is in the OpenSSL implementation of the TLS/DTLS heartbeat extension, which is supposed to keep connections alive but can be exploited to read server memory. This allows attackers to eavesdrop on encrypted communications, access sensitive server data like passwords, and impersonate users and services. The fix is to upgrade OpenSSL and change passwords for affected websites and services.

Tecnologia
1 de 17
Heartbleed Ibrahim M. El-Sayed
“Catastrophic is the right word. On the scale of 1 to 10, this is an 11.” --Bruce Shneier
What is Heartbleed? O What is Hearbleed? O It is a critical bug in the OpenSSL’s implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory. O What is OpenSSL?! O It is open source software that is used by Apache and Nginx webservers, 66% Market share to do encryption through the Internet O Affected Versions: OpenSSL 1.0.1 and 1.0.2
How SSL works?
What is Heartbleed O What is Heartbeat ?? 1- Used to keep connection Alive 2- Client Sends data to the Server, server echoes it back 3-Similar to ICMP ping but within HTTP Web Server Running OpenSSL Client Heartbeat “Hello” 6 Heartbeat “Hello” 6
HeartBleed Explained Non Technical
Heartbleed Explained O Non Technical O Ask for 100-photo box O Seller doesn’t know how to count O Two scenarios O Actual 100-photos O Only 1 photo
Heartbleed Explained O Technical: “memcpy(bp, p1, payload);”  Actual BUG :( void * memcpy ( void * destination, const void * source, size_t num ); O The function does not check for any terminating null character in source - it always copies exactly num bytes. O To avoid overflows, the size of the arrays pointed by both the destination and source parameters, shall be at least num bytes, and should not overlap (for overlapping memory blocks, memmove is a safer approach).
Heart bleed - explanation 11
Heart bleed - explanation 12
Heartbleed - Attack
Heartbleed Impact O Eavesdrop on encrypted communication O Get access to sensitive data in the memory O Impersonate users and services
Heartbleed fix O Server-Side • Quick fix: Disable heartbeats • Real fix: Upgrade OpenSSL • User Actions: • Change your passwords !! • Test Sites yourself
Heartbleed - PoC O https://blog.bugcrowd.com/heartbleed- exploit-yet/
Heartbleed

Recomendados

The Heartbleed Bug
The Heartbleed BugThe Heartbleed Bug
The Heartbleed Bugn|u - The Open Security Community
 
Heartbleed Explained
Heartbleed ExplainedHeartbleed Explained
Heartbleed ExplainedMike Chapple
 
HTTP/2 and SAP Fiori
HTTP/2 and SAP FioriHTTP/2 and SAP Fiori
HTTP/2 and SAP FioriSascha Wenninger
 
Let's use modern protocols everywhere!
Let's use modern protocols everywhere!Let's use modern protocols everywhere!
Let's use modern protocols everywhere!jcak77
 
Mutiny + quarkus
Mutiny + quarkusMutiny + quarkus
Mutiny + quarkusEdgar Domingues
 
[QA Night Recife] Heartbleed SecInf
[QA Night Recife] Heartbleed SecInf[QA Night Recife] Heartbleed SecInf
[QA Night Recife] Heartbleed SecInfGuilherme Motta
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMatt Ray
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 

Recomendados

The Heartbleed Bug
The Heartbleed BugThe Heartbleed Bug
The Heartbleed Bugn|u - The Open Security Community
 
Heartbleed Explained
Heartbleed ExplainedHeartbleed Explained
Heartbleed ExplainedMike Chapple
 
HTTP/2 and SAP Fiori
HTTP/2 and SAP FioriHTTP/2 and SAP Fiori
HTTP/2 and SAP FioriSascha Wenninger
 
Let's use modern protocols everywhere!
Let's use modern protocols everywhere!Let's use modern protocols everywhere!
Let's use modern protocols everywhere!jcak77
 
Mutiny + quarkus
Mutiny + quarkusMutiny + quarkus
Mutiny + quarkusEdgar Domingues
 
[QA Night Recife] Heartbleed SecInf
[QA Night Recife] Heartbleed SecInf[QA Night Recife] Heartbleed SecInf
[QA Night Recife] Heartbleed SecInfGuilherme Motta
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMatt Ray
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 
What is Heartbleed?
What is Heartbleed?What is Heartbleed?
What is Heartbleed?Blue Coat
 
Heartbleed
HeartbleedHeartbleed
Heartbleedn|u - The Open Security Community
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Heartbleed
Heartbleed Heartbleed
Heartbleed Shyam Bahadur Sunari Magar
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 
The Heartbleed Attack
The Heartbleed AttackThe Heartbleed Attack
The Heartbleed AttackShreyas Kothari
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && WirelessLuis Grangeia
 
Heart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryHeart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryLorick Jain
 
How to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationHow to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationPankaj Rane
 
Heartbleed
HeartbleedHeartbleed
HeartbleedShiva Sagar
 
Sunrise pc support heart bleed scam alert
Sunrise pc support heart bleed scam alertSunrise pc support heart bleed scam alert
Sunrise pc support heart bleed scam alertjimforner
 
Report on Heartbleed
Report on HeartbleedReport on Heartbleed
Report on HeartbleedShiva Sagar
 
Heartbleed
HeartbleedHeartbleed
HeartbleedPunit Goswami
 
PLAYBACK: A TLS 1.3 STORY
PLAYBACK: A TLS 1.3 STORYPLAYBACK: A TLS 1.3 STORY
PLAYBACK: A TLS 1.3 STORYPriyanka Aash
 
Impact of HeartBleed Bug in Android and Counter Measures
Impact of HeartBleed Bug in Android and Counter Measures Impact of HeartBleed Bug in Android and Counter Measures
Impact of HeartBleed Bug in Android and Counter Measures ijcsa
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Mais conteúdo relacionado

Destaque

What is Heartbleed?
What is Heartbleed?What is Heartbleed?
What is Heartbleed?Blue Coat
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && WirelessLuis Grangeia
 

Destaque (8)

What is Heartbleed?
What is Heartbleed?What is Heartbleed?
What is Heartbleed?
 
Heartbleed
HeartbleedHeartbleed
Heartbleed
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Heartbleed
Heartbleed Heartbleed
Heartbleed
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
The Heartbleed Attack
The Heartbleed AttackThe Heartbleed Attack
The Heartbleed Attack
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && Wireless
 

Semelhante a Heartbleed

Heart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryHeart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryLorick Jain
 
How to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationHow to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationPankaj Rane
 
Sunrise pc support heart bleed scam alert
Sunrise pc support heart bleed scam alertSunrise pc support heart bleed scam alert
Sunrise pc support heart bleed scam alertjimforner
 
Report on Heartbleed
Report on HeartbleedReport on Heartbleed
Report on HeartbleedShiva Sagar
 
PLAYBACK: A TLS 1.3 STORY
PLAYBACK: A TLS 1.3 STORYPLAYBACK: A TLS 1.3 STORY
PLAYBACK: A TLS 1.3 STORYPriyanka Aash
 
Impact of HeartBleed Bug in Android and Counter Measures
Impact of HeartBleed Bug in Android and Counter Measures Impact of HeartBleed Bug in Android and Counter Measures
Impact of HeartBleed Bug in Android and Counter Measures ijcsa
 

Semelhante a Heartbleed (8)

Heart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic libraryHeart bleed-OpenSSL crytographic library
Heart bleed-OpenSSL crytographic library
 
How to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationHow to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstration
 
Heartbleed
HeartbleedHeartbleed
Heartbleed
 
Sunrise pc support heart bleed scam alert
Sunrise pc support heart bleed scam alertSunrise pc support heart bleed scam alert
Sunrise pc support heart bleed scam alert
 
Report on Heartbleed
Report on HeartbleedReport on Heartbleed
Report on Heartbleed
 
Heartbleed
HeartbleedHeartbleed
Heartbleed
 
PLAYBACK: A TLS 1.3 STORY
PLAYBACK: A TLS 1.3 STORYPLAYBACK: A TLS 1.3 STORY
PLAYBACK: A TLS 1.3 STORY
 
Impact of HeartBleed Bug in Android and Counter Measures
Impact of HeartBleed Bug in Android and Counter Measures Impact of HeartBleed Bug in Android and Counter Measures
Impact of HeartBleed Bug in Android and Counter Measures
 

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Heartbleed

  • 2. “Catastrophic is the right word. On the scale of 1 to 10, this is an 11.” --Bruce Shneier
  • 3. What is Heartbleed? O What is Hearbleed? O It is a critical bug in the OpenSSL’s implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory. O What is OpenSSL?! O It is open source software that is used by Apache and Nginx webservers, 66% Market share to do encryption through the Internet O Affected Versions: OpenSSL 1.0.1 and 1.0.2
  • 5.
  • 6. What is Heartbleed O What is Heartbeat ?? 1- Used to keep connection Alive 2- Client Sends data to the Server, server echoes it back 3-Similar to ICMP ping but within HTTP Web Server Running OpenSSL Client Heartbeat “Hello” 6 Heartbeat “Hello” 6
  • 8.
  • 9. Heartbleed Explained O Non Technical O Ask for 100-photo box O Seller doesn’t know how to count O Two scenarios O Actual 100-photos O Only 1 photo
  • 10. Heartbleed Explained O Technical: “memcpy(bp, p1, payload);”  Actual BUG :( void * memcpy ( void * destination, const void * source, size_t num ); O The function does not check for any terminating null character in source - it always copies exactly num bytes. O To avoid overflows, the size of the arrays pointed by both the destination and source parameters, shall be at least num bytes, and should not overlap (for overlapping memory blocks, memmove is a safer approach).
  • 11. Heart bleed - explanation 11
  • 12. Heart bleed - explanation 12
  • 14. Heartbleed Impact O Eavesdrop on encrypted communication O Get access to sensitive data in the memory O Impersonate users and services
  • 15. Heartbleed fix O Server-Side • Quick fix: Disable heartbeats • Real fix: Upgrade OpenSSL • User Actions: • Change your passwords !! • Test Sites yourself
  • 16. Heartbleed - PoC O https://blog.bugcrowd.com/heartbleed- exploit-yet/