On April 7, 2014, the Heartbleed bug was revealed to the Internet community. The Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The Heartbleed Bug allows an attacker to gain access to sensitive information that is normally protected by the SSL and TLS protocols without leaving a trace.
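To make the heartbeat flaw concrete, here is a small simulation (added here as an illustration; it is not OpenSSL code and not part of the original deck): a heartbeat message carries a claimed payload length, the vulnerable handler trusts that length and copies from whatever memory follows the record, and the patched handler discards any message whose claimed length does not fit inside the record. The secret bytes and the message contents are constructed sample values.

```python
import struct
from typing import Optional

# Constructed sample values (not from the original page): pretend this is
# whatever happened to sit in memory right after the heartbeat record.
SECRET_HEAP = b"session_cookie=abc123;" + b"\x00" * 10

HB_REQUEST = 1
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body: type (1 byte) | payload_length (2 bytes) | payload | padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(record: bytes, neighbouring_memory: bytes) -> bytes:
    """Simulates the unpatched behaviour: the claimed length is trusted, so the
    reply is copied from the record *and* from the memory that follows it.
    (`neighbouring_memory` only models that adjacent memory for the demo.)"""
    _hbtype, payload_len = struct.unpack("!BH", record[:3])
    memory = record + neighbouring_memory
    # No comparison against len(record): an inflated payload_len over-reads.
    return memory[3:3 + payload_len]


def patched_handler(record: bytes) -> Optional[bytes]:
    """Simulates the fix shipped in OpenSSL 1.0.1g: if the claimed payload does
    not fit inside the received record, the message is silently discarded."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return None  # too short to hold even a header plus padding
    _hbtype, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None  # claimed length exceeds the record: drop it
    return record[3:3 + payload_len]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    inflated = build_heartbeat(b"hello", 64)  # claims far more than it carries
    print(vulnerable_handler(inflated, SECRET_HEAP))  # leaks the constructed secret
    print(patched_handler(inflated))                  # None: discarded
```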
1. HeartBleed Vulnerability
"OpenSSL Heartbleed Bug Leaves Much Of The Internet At Risk" - TechCrunch
2. Agenda:
1- Methodology of the Heartbleed bug.
2- Risk of "HeartBleed".
3- Most popular affected systems.
4- Most popular affected mobile phones.
5- How to protect yourself from the HeartBleed bug.
6- How to protect your enterprise infrastructure from the HeartBleed bug.
7- Q&A
3. Methodology of the Heartbleed bug.
• At the root of Heartbleed is "encryption".
• The Internet has security protocols for securing and encrypting traffic, commonly known as "SSL & TLS".
• The most common implementation of SSL and TLS is a set of open source tools known as "OpenSSL".
4. OpenSSL runs about 66% of the secure internet traffic.
Even if you do not know what it looks like or what it means, you probably interact with it on a daily basis.
5. Risk of "HeartBleed".
• The secret key "language" you shared with the server is suddenly accessible to somebody else, and the leak is completely undetectable.
• Simply put, that is "HeartBleed": the biggest and most widespread vulnerability in the history of the modern internet.
6. "May 2012": lots of software packages started to use the vulnerable version.
"December 2011": the bug has been around since then.
Conclusion: so for more than 2 years, any websites, apps, banks and private instant messaging services that ran OpenSSL had been vulnerable.
7. Most popular affected systems.
Here are some of the most popular social, email, banking and e-commerce sites on the web, rounded up with their responses below:
8. Most popular affected mobile phones.
Android 4.1.1 "Jelly Bean" devices are vulnerable to Heartbleed.
Reverse Heartbleed is an important vulnerability to know about, as it could affect millions of users directly.
(If you're wondering about iOS, Apple doesn't ship its mobile operating system with OpenSSL, so everything is OK.)
9. 1- Check site safety:
Test your server for Heartbleed (CVE-2014-0160).
Check any site where you enter confidential data that you don't want to share publicly.
Qualys SSL Labs - Projects / SSL Server Test
10. 2- Update password
If the site has implemented the Heartbleed patch, then log in and change your password.
If you change your password and the site hasn't been patched, then you're giving a hacker a new password.
Be aware of the complexity and length of the password.
Use a unique password for each site, don't share passwords across multiple sites, and don't reuse old passwords.
11. 3- Configure the browser to detect revoked certificates
I would like to make sure that I can detect if someone tries to do a MAN-IN-THE-MIDDLE attack with a stolen certificate which has since been revoked.
12. 4- Save your Android device from HeartBleed
People using the old Android software should update their operating system.
People using Android version 4.1.1 should avoid sensitive transactions on their mobile devices.
The Heartbleed flaw might represent a real risk to 150 million Android users, not because they're using a vulnerable version of Android but rather because they are running a vulnerable app.
"Heartbleed Puts 150 Million Android App Downloads at Risk"
Lookout built a free detector app that you can download to see if your Android device is affected.
13. How to protect your enterprise infrastructure from the HeartBleed bug:
A. Firstly, patch every SSL/TLS service.
B. Use the latest release of OpenSSL, 1.0.1g, in every in-house build.
C. Revoke and reissue digital SSL certificates.
D. Patch mobile devices.
E. Change login credentials.
F. Scan for vulnerabilities continuously.