2. Heartbleed – What you need to know
• Massive OpenSSL bug which allows attackers to read the memory of affected systems. Allows access to sensitive info such as certificate private keys, login credentials and other personal data
• You should change your passwords unless you KNOW the site in question was not vulnerable
• Even if you change your passwords, you should work with your business partners to ensure that vulnerable servers had certificates reissued
– Otherwise you’re not much more secure
3. Heartbeats
• SSL heartbeats are defined in RFC 6520
– Used for keep-alive messages without the need for renegotiating the SSL session
• Heartbeat messages can be sent without authenticating with the server
4. HeartBleed – What is it?
• CVE-2014-0160 describes a flaw in the heartbeat extension to the SSL protocol
• OpenSSL code accepts a user-supplied length value for memory to read without proper validation
– Never trust user-supplied input
• Bug was introduced in March 2012
– OpenSSL 1.0.1
– Good news: OpenSSL 1.0.0 is not vulnerable.
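As an added illustration, not code from the slides or from OpenSSL itself, the length-handling defect described above is shown beside the bounds check that fixed it, in simplified C. The function names, the zero padding and the constructed 22-byte records are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message body (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* minimum padding the receiver must expect */

/* Vulnerable logic (OpenSSL 1.0.1 through 1.0.1f, simplified): the response size is
 * computed from the peer's declared payload_length alone; the real record length is
 * never consulted, so a 3-byte payload declared as 65535 bytes makes the server copy
 * ~64 KB of whatever follows the request into the response. Returns the byte count it would copy. */
size_t vulnerable_response_len(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;                                   /* the missing ingredient */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return 1 + 2 + (size_t)payload_len + HB_PADDING;
}

/* Fixed logic (the check added in 1.0.1g): silently discard, as RFC 6520 requires, any
 * request whose declared payload does not fit inside the received record. 0 = ok, -1 = discarded. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;   /* the Heartbleed check */
    size_t n = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (n > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* echo only bytes that actually arrived */
    memset(out + 3 + payload_len, 0, HB_PADDING);     /* real code uses random padding; zero here */
    *out_len = n;
    return 0;
}

int main(void) {
    /* Constructed records: 3-byte payload "abc" plus 16 bytes of padding, 22 bytes total. */
    uint8_t honest[22] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };
    uint8_t lying[22]  = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c' };   /* declares 65535 bytes */
    uint8_t out[64]; size_t n = 0;
    printf("honest: fixed=%d len=%zu\n", build_heartbeat_response(honest, 22, out, 64, &n), n);
    printf("lying:  fixed=%d, vulnerable code would copy %zu bytes from a 22-byte record\n",
           build_heartbeat_response(lying, 22, out, 64, &n), vulnerable_response_len(lying, 22));
    return 0;
}
```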
5. HeartBleed – What Sites are affected?
• Affects any sites running specific versions of OpenSSL (1.0.1 through 1.0.1f)
• 66% of the web uses OpenSSL
• Sites running older versions of OpenSSL are not vulnerable
6. How to Minimize your Risk
• Check your version of OpenSSL and either:
– 1. Recompile OpenSSL without the heartbeat extension
– 2. Update to the latest fixed version (1.0.1g)
• Contact your CA to reissue a replacement certificate
• Finally, as a best practice, businesses should reset end-user passwords that may have been exposed in a compromised server’s memory
7. Resources
• What the Heartbleed Security bug means for you
– http://lifehacker.com/what-the-heartbleed-security-bug-means-for-you-1560801201
• Heartbleed FAQ
– http://heartbleed.com
• How Heartbleed Works
– http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209