Heartbleed
A Review
What is Heartbleed?
Acclimatising with the Heartbeat Protocol
Let’s start with the internet…
• A cheap and reliable method to interconnect machines
• In turn provides a robust and “smart” layer of communication, worldwide
• But to make this channel “smart”, we need to follow some rules or protocols
How the internet works....
• Much of the Internet relies on a cryptographic software library named OpenSSL to ensure that messages are delivered only to their legitimate receivers.
• Open Source
• Free
• Widely adopted and implemented
OpenSSL and Heartbeat Protocol
• OpenSSL includes a protocol extension named Heartbeat.
• It negotiates and monitors the availability of a resource.
• It generates a signal that indicates normal operation or synchronises other parts of a system.
Usage of Heartbeat Protocol
• Is the device on the other end up?
• Is the device on the other end actually who it declares it is?
• The device could be a client or a server.
• Platform independent and device-scale independent.
Practically.....
• Active login sessions
• Website security certifications
• E-Commerce
• E-Governance
• Internet Banking
• Social networking
HEARTBLEED
The Flaw in Heartbeat Protocol…
How Heartbeat Protocol Works...
• Continuous pinging between devices over the network.
• A successful reply ping from the other end denotes that the device is online.
• No ping-back message indicates that the other end is down.
• Both devices ping each other and reply to each other’s Heartbeat requests.
Arguments of a Heartbeat Request
I. Payload: Contains some text information which is generated on both ends.
II. Size: Gives the size of the payload.
Device on the other end:
• Finds the Payload in its active memory
• Counts the number of characters to be sent back using Size
• Returns the text info
The first device thus learns that the other end is online.
Normal Heartbeat Request
The Flaw...
• No bounds-check mechanism.
• Inherited from the C language this software library is written in, which performs no bounds checking of its own.
• A maliciously crafted Heartbeat request with mismatching Payload and Size arguments would still be processed.
A Heartbeat request with
• a small Payload argument
• a larger Size argument
returns extra data from the active memory of the replying device.
This gives unauthorised access to data which should have stayed hidden.
Malicious Heartbeat Request
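The request/reply handling described under “How Heartbeat Protocol Works...” and the missing bounds check described under “The Flaw...”, side by side, as an added C example; it is not part of the original slides and not OpenSSL’s own code. It assumes a simplified record layout (one type byte, a two-byte big-endian Size field, the Payload, then 16 bytes of padding), a constructed “active memory” buffer with a labelled fake secret placed right behind the received record, and hypothetical function names. `reply_unchecked` copies as many bytes as the Size field claims; `reply_checked` follows the shape of the upstream fix and silently discards any record whose claimed Size does not fit inside what was actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record layout assumed for this demo (not OpenSSL's
 * code): 1 type byte, 2-byte big-endian payload length ("Size"), the
 * payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Constructed "active memory" of the replying device: the received record is
 * copied to the front and a constructed secret sits right behind it, which is
 * exactly where an over-read lands. */
#define MEM_SIZE 256
static unsigned char active_memory[MEM_SIZE];
static const char SECRET[] = "session-cookie=CONSTRUCTED-SECRET";

/* Build a request whose Size field claims `claimed_len` bytes while the record
 * really carries only strlen(payload) bytes. Returns bytes actually written. */
static size_t build_request(unsigned char *out, const char *payload,
                            uint16_t claimed_len)
{
    size_t real_len = strlen(payload);
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + HB_HEADER, payload, real_len);
    memset(out + HB_HEADER + real_len, 0, HB_PADDING);
    return HB_HEADER + real_len + HB_PADDING;
}

/* Pre-fix behaviour: trusts Size and copies that many bytes from wherever the
 * payload sits in memory. Returns the reply length. */
static size_t reply_unchecked(const unsigned char *rec, unsigned char *reply)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + HB_HEADER, rec + HB_HEADER, claimed); /* no bounds check */
    memset(reply + HB_HEADER + claimed, 0, HB_PADDING);
    return HB_HEADER + claimed + HB_PADDING;
}

/* Hardened behaviour, shaped like the upstream fix: header + claimed Size +
 * padding must fit inside the record actually received, otherwise the request
 * is silently discarded. Returns the reply length, or 0 on discard. */
static size_t reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *reply)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;                 /* too short to hold even an empty payload */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;                 /* Size lies about the Payload: discard */
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + HB_HEADER, rec + HB_HEADER, claimed);
    memset(reply + HB_HEADER + claimed, 0, HB_PADDING);
    return HB_HEADER + claimed + HB_PADDING;
}

/* Place the record at the start of active_memory with SECRET right behind it.
 * Returns the record length, or 0 if the demo buffer cannot hold the request
 * (a harness limit so the demo stays inside its own array, not a protocol check). */
static size_t stage(const char *payload, uint16_t claimed_len)
{
    if (strlen(payload) + HB_HEADER + HB_PADDING + sizeof SECRET > MEM_SIZE ||
        (size_t)HB_HEADER + claimed_len + HB_PADDING > MEM_SIZE)
        return 0;
    memset(active_memory, 0, sizeof active_memory);
    size_t rec_len = build_request(active_memory, payload, claimed_len);
    memcpy(active_memory + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if the unchecked handler's reply carries bytes of SECRET (the "bleed"),
 * 0 if not, -1 if the demo buffer cannot stage the request. */
int unchecked_leaks_secret(const char *payload, uint16_t claimed_len)
{
    unsigned char reply[MEM_SIZE];
    if (stage(payload, claimed_len) == 0)
        return -1;
    size_t n = reply_unchecked(active_memory, reply);
    return contains(reply, n, SECRET);
}

/* Reply length produced by the checked handler; 0 when it discards. */
size_t checked_reply_length(const char *payload, uint16_t claimed_len)
{
    unsigned char reply[MEM_SIZE];
    size_t rec_len = stage(payload, claimed_len);
    return rec_len ? reply_checked(active_memory, rec_len, reply) : 0;
}

int main(void)
{
    printf("unchecked, Size=64 for 2-byte payload: leaks secret? %d\n",
           unchecked_leaks_secret("hi", 64));
    printf("checked,   Size=64 for 2-byte payload: reply length %zu\n",
           checked_reply_length("hi", 64));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed Size against the length of the record that actually arrived; with a 2-byte Payload and Size 64 the unchecked handler returns the bytes that happen to follow the record in memory, while the checked handler returns nothing at all.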
Aftermath...
• The platform independence of OpenSSL makes practically every machine on the internet vulnerable to this flaw.
• Not a bug or a virus, but an inherent flaw: exploiting it leaves no trace, so security breaches don’t get logged or detected, ever.
• This bleeding of confidential data can happen on both sides – the servers as well as the clients.
• Only 64 kB of data can be sent back with one Heartbeat reply, but there is no limit on how many times such 64 kB chunks can be retrieved.
• Not only devices but even services can be exploited.
What's worse...?
• Security certificates could be stolen, allowing malicious impersonation of secure services.
• Changing your username or password doesn’t help if the service is still not patched against the vulnerability.
• Since the breach never gets detected, one can never know whether they have been attacked or not.
• Those who kept their software updated were the ones affected, breaking the myth of the general practice of “keeping it updated”.
• With a compromised certificate key, one can easily decrypt previously captured information transfers, without ever getting detected.
• More than 67 percent of servers on Earth use OpenSSL, including Google, Facebook, Yahoo, etc.
TACKLING HEARTBLEED
Getting over a Heartbleed…
Tackling Heartbleed
Three primary approaches to remove this flaw:
• Install the updated version 1.0.1g of OpenSSL, which has patched this flaw.
• Remove the Heartbeat functionality altogether by recompiling the source code without the Heartbeat protocol.
• Apply the patch oneself by correcting and re-compiling the source code.
• Potentially stolen security keys need to be revoked and re-issued.
What can an end-user do?
• Do nothing. Refrain from logging into services until they are patched.
LESSONS LEARNT
What the most horrifying breach in Internet history teaches us …
Lessons Learnt
• Open Source makes flaw discovery and correction a faster process.
• Inclusion of new features needs more scrutiny.
• Open Source projects need to be funded well.
• Adoption of a new piece of code should be accompanied by negative testing of it.
• You are never completely safe, even if you follow the best practices.
• There are no “best practices”.