HeartBleed Vulnerability

"Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data" - Wall Street Journal
"OpenSSL Heartbleed Bug Leaves Much Of The Internet At Risk" - TechCrunch
"Experts Find a Door Ajar in an Internet Security Method Thought Safe" - The New York Times

Heartbleed Bug: What It Is And How To Protect Yourself


DESCRIPTION

On April 7, 2014, the Heartbleed bug was revealed to the Internet community. The Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The Heartbleed bug allows an attacker to gain access to sensitive information that is normally protected by the SSL and TLS protocols, without leaving a trace.
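As an added illustration of the flaw described above (constructed demo code, not OpenSSL's source), here is a toy heartbeat handler run against a simulated record buffer, once trusting the claimed payload length the way the vulnerable code did and once with the length check that OpenSSL 1.0.1g added:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST 1
#define HB_MIN_PADDING 16

/* Build the reply payload for a heartbeat record occupying the first rec_len bytes of buf.
 * buf_cap bytes are readable after it, simulating the connection's record buffer, which
 * may still hold stale bytes from earlier traffic. Returns the number of bytes copied
 * into out, or -1 when the record is rejected. With check_bounds == 0 the function
 * mirrors the vulnerable OpenSSL logic: it trusts the claimed payload_length. */
int heartbeat_reply(const uint8_t *buf, size_t buf_cap, size_t rec_len,
                    uint8_t *out, size_t out_cap, int check_bounds)
{
    if (buf_cap < rec_len || rec_len < 3 || buf[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)buf[1] << 8) | buf[2];   /* peer-controlled length field */
    /* The check added in OpenSSL 1.0.1g (simplified): the claimed payload plus header
     * and minimum padding must fit inside the bytes actually received in this record. */
    if (check_bounds && 1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;
    /* Demo-only guard so the unchecked path stays inside our simulated buffer;
     * real OpenSSL had no such limit and read past the record into process memory. */
    if (payload > out_cap || payload > buf_cap - 3)
        return -1;
    memcpy(out, buf + 3, payload);
    return (int)payload;
}

/* Constructed scenario: a 64-byte record buffer whose tail still holds bytes from an
 * earlier record, and a 3-byte heartbeat request that claims a 16-byte payload. */
int demo(int check_bounds, uint8_t *out, size_t out_cap)
{
    uint8_t buf[64] = {0};
    memcpy(buf + 3, "stale secret data", 17);          /* leftover plaintext, constructed */
    buf[0] = HB_REQUEST; buf[1] = 0x00; buf[2] = 16;   /* header says 16 bytes; only 3 arrived */
    return heartbeat_reply(buf, sizeof buf, 3, out, out_cap, check_bounds);
}

int main(void)
{
    uint8_t out[64];
    printf("patched:   %d bytes\n", demo(1, out, sizeof out));          /* -1: request rejected */
    int n = demo(0, out, sizeof out);
    printf("unpatched: %d bytes: %.*s\n", n, n, (const char *)out);      /* 16 stale bytes leak */
    return 0;
}
```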


1. "OpenSSL Heartbleed Bug Leaves Much Of The Internet At Risk" - TechCrunch. HeartBleed Vulnerability.

2. Agenda:
1- Methodology of the Heartbleed bug.
2- Risk of HeartBleed.
3- Most popular affected systems.
4- Most popular affected mobile phones.
5- How to protect yourself from the HeartBleed bug.
6- How to protect your enterprise infrastructure from the HeartBleed bug.
7- Q&A

3. Methodology of the Heartbleed bug. At the root of Heartbleed is encryption. The Internet has security protocols for securing and encrypting traffic, commonly known as SSL and TLS. The most common implementation of SSL and TLS is a set of open source tools known as OpenSSL.

4. OpenSSL runs over 66% of the secure Internet flow. Even if you don't know what it looks like or what it means, you probably interact with it on a daily basis.

5. Risk of HeartBleed. The secret key language you shared with the server suddenly becomes accessible to somebody else, and the flow is completely undetectable. Simply, that is HeartBleed: the biggest and most widespread vulnerability threat in the history of the modern Internet.

6. December 2011: this bug has been around since then. May 2012: a lot of software packages start to use the vulnerable version. Conclusion: so for more than 2 years any websites, apps, banks and private instant messaging that run OpenSSL had been vulnerable.

7. Most popular affected systems. Here are some of the most popular social, email, banking and e-commerce sites on the web, rounded up with their responses below:

8. Most popular affected mobile phones. Android 4.1.1 Jelly Bean devices are vulnerable to Heartbleed. Reverse Heartbleed is an important vulnerability to know about, as it could affect millions of users directly. (If you're wondering about iOS, Apple doesn't ship its mobile operating system with OpenSSL, so everything is OK.)

9. 1- Check site safety: test your server for Heartbleed (CVE-2014-0160). Check any site where you enter confidential data that you don't want to share publicly. Qualys SSL Labs - Projects / SSL Server Test.

10. 2- Update password. If the site has implemented the Heartbleed patch, then log in and change your password. If you change your password and the site hasn't been patched, then you're giving a hacker a new password. Be aware of the complexity and length of the password. Use a unique password for each site, don't share passwords between multiple sites, and don't reuse old passwords.

11. 3- Configure your browser to detect revoked certificates. I would like to make sure that I can detect if someone tries to do a man-in-the-middle attack with a stolen certificate which has since been revoked.

12. 4- Save your Android device from HeartBleed. People using the old Android software should update their operating system. People using Android version 4.1.1 should avoid sensitive transactions on their mobile devices. The Heartbleed flaw might represent a real risk to 150 million Android users, not because they're using a vulnerable version of Android but rather because they are running a vulnerable app ("Heartbleed Puts 150 Million Android App Downloads at Risk"). Lookout built a free detector app that you can download to see if your Android is affected.

13. How to protect your enterprise infrastructure from the HeartBleed bug:
A. Firstly, patch every SSL/TLS service.
B. Use the latest release of OpenSSL, 1.0.1g, in every in-house build.
C. Revoke digital SSL certificates.
D. Patch mobile devices.
E. Change login credentials.
F. Continuously vulnerability scan.

14. THANK YOU