Heartbleed – OpenSSL Client and
Server Protocol Vulnerability
M.H.Abdel Akher, Vassil Metodiev
INTERNATIONAL SYMPOSIUM
Control of Energy, Industrial and Ecological Systems
Bankya, 8 - 9 May 2014
Authors
Mohamed Hisham Abdel Akher
Erasmus student from Helwan University, Egypt
Vassil Metodiev
chief assist. prof. eng.
Department of Industrial Automation,
University of Chemical Technology and Metallurgy,
SOFIA, Bulgaria
Abstract
• The Internet has become an important part of everyday personal and business activities and one of the human rights of modern life.
• Software bugs significantly hurt software reliability and security, causing system failures and security vulnerabilities.
• This paper examines one of the more popular attack techniques that can be applied to the “Heartbleed” vulnerability.
• The paper also outlines some best practices and secure techniques for staying safe online.
Outline
Information Security Core Components
The need for Encryption
TLS/SSL Technical Stuff
TLS Heartbeat extension
Heartbleed Flaw in Servers
OpenSSL Reverse Heartbleed Vulnerability
THE HEARTBLEED BUG IMPACT
Why fixing the problem is not simple?
SECURITY GUIDELINES AND BEST PRACTICES
Summary
Information Security Core Components
• Confidentiality
• Integrity
• Authentication
• Access Control
• Availability
• Nonrepudiation
The need for encryption
The idea of encryption is to make sure that the information one sends from his computer to someone else, or to another web server, is protected and secure.
As an Internet-using populace, we are more aware of the importance of keeping private and confidential information “secure”.
We can think of encryption as a secret language between two people. This language works through a set of encryption keys: the user has a copy of the keys on their computer, and the other party (the web application or server) has its own set.
TLS/SSL Technical Stuff
• SSL and TLS are protocols that provide session encryption and integrity for packets sent from one computer to another.
• They can be used to secure client-to-server or server-to-server network traffic.
• They also provide authentication of the server to the client and (optionally) of the client to the server through X.509 certificates.
• TLS is an enhancement of SSL.
TLS Heartbeat extension
• Using the heartbeat extension, two computers make sure the other is still alive by sending data back and forth. The client (user) sends its heartbeat to the server (website), and the server hands it right back.
• If either of them goes down during the transaction, the other one will notice through the heartbeat mechanism.
Heartbleed Bug & OpenSSL
• “Heartbleed” is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library. It resides in OpenSSL's implementation of the TLS and DTLS (Datagram TLS) heartbeat extension (RFC 6520).
• The Heartbleed bug specifically impacts version 1.0.1 and the beta versions of 1.0.2.
Heartbleed Flaw in Servers
• When the heartbeat is sent, a small amount of the server's short-term memory, about 64 kilobytes, comes back in the reply, and an attacker can grab it. That memory can leak sensitive data such as message contents, user credentials, session keys and the server's private keys.
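The missing check behind this flaw, as an added example written for this page rather than OpenSSL's own code: a model of an RFC 6520 heartbeat handler in which the `checked` flag switches on the bounds test that the fix introduced (the claimed payload plus minimum padding must fit inside the record that was actually received). The same handler runs at both ends of a TLS connection, which is why a malicious server can do the same thing to a client. The buffer sizes, the constructed secret and the zero padding are assumptions made for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Model of a heartbeat request handler. `record` holds a received heartbeat
 * body of `record_len` bytes laid out as in RFC 6520:
 *     type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * `checked` enables the bounds check that the CVE-2014-0160 fix added.
 * Returns the reply length written to `out`, or -1 if the record is rejected. */
static int heartbeat_reply(const uint8_t *record, size_t record_len,
                           uint8_t *out, size_t out_cap, int checked)
{
    if (record_len < 1 + 2 + HB_PADDING || record[0] != HB_REQUEST)
        return -1;
    size_t payload_length = ((size_t)record[1] << 8) | record[2];
    size_t reply_len = 1 + 2 + payload_length + HB_PADDING;

    /* The fix: the claimed payload plus minimum padding must fit inside what
     * was actually received. Without it, payload_length is simply trusted. */
    if (checked && reply_len > record_len)
        return -1;
    if (reply_len > out_cap)          /* bound of this model's reply buffer */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_length >> 8);
    out[2] = (uint8_t)(payload_length & 0xff);
    /* With an inflated payload_length this copy runs past the end of the
     * record and echoes whatever sits after it in memory. */
    memcpy(out + 3, record + 3, payload_length);
    memset(out + 3 + payload_length, 0, HB_PADDING);   /* padding: zeros here */
    return (int)reply_len;
}

/* Constructed scenario: a 23-byte record with the 4-byte payload "ping" sits
 * in a buffer directly followed by a secret, while its payload_length field
 * claims `claimed` bytes. Keeping everything in one array keeps the model's
 * over-read inside valid memory. */
static const char SECRET[] = "SECRET-KEY-MATERIAL";

static size_t build_memory(uint8_t *mem, size_t cap, uint16_t claimed)
{
    const uint8_t payload[4] = { 'p', 'i', 'n', 'g' };
    size_t record_len = 1 + 2 + sizeof payload + HB_PADDING;   /* 23 */
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, payload, sizeof payload);  /* padding mem[7..22] stays 0 */
    memcpy(mem + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Unchecked handler, record claiming 30 payload bytes: returns 1 when the
 * reply contains the secret that followed the record in memory. */
int unchecked_reply_leaks_secret(void)
{
    uint8_t mem[128], out[128];
    size_t record_len = build_memory(mem, sizeof mem, 30);
    if (heartbeat_reply(mem, record_len, out, sizeof out, 0) < 0)
        return 0;
    /* out[3 + 20 ..] mirrors mem[23 ..], i.e. the first bytes of SECRET */
    return memcmp(out + 3 + (record_len - 3), SECRET, 10) == 0;
}

/* Checked handler: -1 for the inflated claim (30), 23 for an honest one (4). */
int checked_reply_result(uint16_t claimed)
{
    uint8_t mem[128], out[128];
    size_t record_len = build_memory(mem, sizeof mem, claimed);
    return heartbeat_reply(mem, record_len, out, sizeof out, 1);
}
```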
OpenSSL Reverse Heartbleed
Vulnerability
• A malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from the client.
• In this scenario, the attacker would set up a malicious web server that sends the exploit against the Heartbleed vulnerability to the client.
“The real problem is only a dumb coding mistake”
Swati Khandelwal
THE HEARTBLEED BUG IMPACT
• The Heartbleed vulnerability can be exploited without detection, and it is easy enough to use that lots of information could be accessed.
• An SSL survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities.
• These certificates are consequently vulnerable to being spoofed through private key disclosure, allowing an attacker to impersonate the affected websites without raising any browser warnings.
Fixing the Problem is not that simple
(Continued)
• The Heartbleed vulnerability represents the movement from “attacks could happen” to “attacks have happened”.
• Fixing the problem is not that simple, because we were unaware of the bug for over 2 years.
• We can't go back in time and prevent any person or organization who may have taken advantage of this vulnerability from accessing information not intended for them.
• A patch that fixes the Heartbleed vulnerability in OpenSSL is already widely available.
Fixing the Problem is not that simple
• The patch itself isn't that difficult to implement, but the problem is that along with patching the software, some applications need to look at whether or not they need to revoke and reissue various digital certificates.
• If someone was able to sneak in and grab a site's digital certificate before the site was patched, they could make changes to the certificate or set up another site masquerading under the affected site's identity.
• Organizations have to determine whether to revoke and reissue all certificates via a CA or wait for the current certificates to expire.
SECURITY GUIDELINES AND BEST PRACTICES
• First of all, we can check whether or not a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
• If we find that the server is vulnerable, we have to patch it. Patching a system today is great, but it can't prevent attacks that may have already happened.
• Once we patch the system, we have to get a new public/private key pair, update the SSL certificate, and then change every password that could potentially be affected.
Bruce Schneier
Summary
“There have been and always will be bugs. Anyone who thinks they have privacy on the internet is a fool.”
Ira Winkler
Questions & Answers
Thank you!
M.H Abdel Akher
Erasmus BSc Student
Business Information System Department,
Helwan University, Cairo, Egypt
Email : mhabdelakher@gmail.com