Heartbleed-What you need to know

1. HEARTBLEED VULNERABILITY
Raj Nagalingam
IT Security Consultant
@rajidentityguru
05/07/14

2. Heartbleed-What you need to know
• Massive openSSL bug which allows attackers to
read the memory of the systems. Allows access
to sensitive info such as private keys of cert and
login credentials or other personal data
• You should change your passwords unless you
KNOW the site in question was not vulnerable
• Even if you change your passwords, you should
work with your business partners to ensure that
vulnerable servers had certificates reissued
– Otherwise you’re not much more secure

3. Heartbeats
• SSL heartbeats are defined in RFC6520
– Used for keep alive messages without the need for
renegotiating the SSL session
• Heatbeat messages can be sent without
authenticating with the server

4. HeartBleed – What is it?
• CVE-2014-0160 describes a flaw the
heartbeat extension to the SSL protocol
• OpenSSL code accepts a user supplied length
value for memory to read without proper
validation
–Never trust user supplied input
• Bug was introduced in March 2012
–OpenSSL 1.0.1
–Good news: OpenSSL 1.0.0 is not
vulnerable.

5. HeartBleed – What Sites are affected?
• Affects any sites running specific versions of
OpenSSL (1.0.1 through 1.0.1f)
• 66% of the web users openSSL
• Sites running older versions of OpenSSL that
are not vulnerable

6. How to Minimize your Risk
• Check your version of OpenSSL and either:
– 1. Recompile OpenSSL without heatbeat ext
– 2. Update to latest fixed version (1.0.1g)
• Contact CA to reissue certificate replacement
• Finally, as a best practice, businesses should reset
end user passwords that potentially may have been
visible in a compromised server memory

7. Resources
• What the Heartbleed Security bug mean for you
http://lifehacker.com/what-the-
heartbleed-security-bug-means-for-you-
1560801201
• Heartbleed FAQ
– http://heartbleed.com
• How Heartbleed Works
http://gizmodo.com/how-heartbleed-works-the-
code-behind-the-internets-se-1561341209

8. QUESTIONS?