Heartbleed is a newly discovered very widespread vulnerability in the OpenSSL implementation of the SSL/TLS protocol. The flaw allows attackers to steal passwords and confidential data that you have provided online. Elastica’s CTO Dr. Zulfikar Ramzan walks through the flaw’s mechanics and ramifications.

1. Zulfikar Ramzan, PhD, MIT
Chief Technology Officer
Elastica
The Heartbleed Bug

2. OpenSSL Heartbleed Bug Leaves Much Of The Internet
At Risk
- TechCrunch

3. On 07 April 2014, security experts disclosed that a
serious vulnerability had been identified in
OpenSSL cryptographic software library that
protects many web sites.
This problem might have been there for
almost 2 years, but just hidden in plain sight..

4. When you transact online, your information is protected by the SSL/TLS
encryption used to secure the Internet.
OpenSSL is an open-source implementation of the SSL protocol.
The Heartbeat protocol is a
sub-part of SSL and is meant
to ensure communications
are kept alive.

5. The Heartbleed bug is a
devastating vulnerability in the
heartbeat extension of the SSL/TLS
protocol (CVE-2014-0160).
It specifically impacts version 1.0.1
and beta versions of 1.0.2 of
OpenSSL.
It compromises encryption keys,
user credentials and actual
content.

6. The Heartbleed bug allows attackers to
• eavesdrop on communications online
• get access to sensitive data such as passwords, social security
numbers, financial records, etc
• impersonate users and services
• and, all this can be done multiple times and without a trace!

7. Watch how the Heartbleed bug works

8. Up to two-thirds of websites
use OpenSSL and could be
vulnerable.
List of possibly affected sites
Tool to test a website

9. What should you do?
 Check if your favorite sites have
implemented the Heartbleed
patch.
 If it has been patched, then log
in and change your password.
If you change your password and
the site hasn’t been patched, then
you’re giving a hacker a new
password.

10. When password compromises happen,
new machine learning based methods
are needed to find the breaches and
anomalies.
Elastica’s Detect App on CloudSOC uses
behavioral analysis to zero-in on threats
to your assets in the cloud and gives you
protection beyond simple
username/password.
Is there an alternative? LEARN MORE

11. Thank you.