Heartbleed
• It is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory, potentially revealing user data that the server did not intend to reveal.
• After the story broke online, websites around the world were flooded with Heartbleed articles explaining how it works, how to protect against it, and exactly what it is. Yet many didn't get it right. So, based on the queries of Internet users, we answered some frequently asked questions about the bug.
1.) IS HEARTBLEED A VIRUS?
• Absolutely not, it's not a virus. As described in our previous article, the Heartbleed bug is a vulnerability residing in the TLS heartbeat mechanism built into certain versions of the popular open source encryption library OpenSSL, a widely used implementation of the Transport Layer Security (TLS) protocol.
2.) HOW DOES IT WORK?
• For TLS to keep a session alive, your computer can send 'heartbeats' to the server that keep informing the server that the client (your computer) is still online (alive).
• The Heartbleed attack allows an attacker to retrieve a block of the server's memory, up to 64 KB per response, directly from the vulnerable server by sending a malformed heartbeat, and there is no limit on the number of times this can be repeated. [Technically explained by Rahul Sasi on Garage4hackers]
• This opens the door for cybercriminals to extract sensitive data directly from the server's memory without leaving any traces.
3.) DOES THE HEARTBLEED ATTACK RELY ON A MAN-IN-THE-MIDDLE ATTACK?
• No, it has nothing to do with a Man-in-the-Middle (MitM) attack. But using the Heartbleed attack, one can manage to obtain the private key for an SSL/TLS certificate and could then set up a fake website that passes security verification.
• An attacker could also decrypt the traffic passing between a client and a server, i.e. a perfect man-in-the-middle attack on an HTTPS connection.
4.) IS IT A CLIENT-SIDE OR SERVER-SIDE VULNERABILITY?
• TLS heartbeats can be sent by either side of a TLS connection, so the bug can be used to attack clients as well as servers. An attacker can obtain up to 64 KB of memory from any server or client that uses an OpenSSL implementation vulnerable to Heartbleed (CVE-2014-0160).
• Researchers estimated that two-thirds of the world's servers, i.e. half a million servers, are affected by the Heartbleed bug, including websites, email, and instant messaging services.
5.) HOW DOES HEARTBLEED AFFECT SMARTPHONES?
• Smartphones are the best practical example of client-side attacks.
• All versions of Android OS include outdated versions of the OpenSSL library, but only Android 4.1.1 Jelly Bean has the vulnerable heartbeat feature enabled by default. BlackBerry also confirmed that some of its products are vulnerable to the Heartbleed bug, whereas Apple's iOS devices are not affected by the OpenSSL flaw.
• Google has patched the affected version, Android 4.1.1, but it will take a long time to deliver the updated Android version to end users, as updates to the majority of handsets are controlled by phone manufacturers and wireless carriers. Until then, users running the affected version remain vulnerable to attack, and hackers will definitely take advantage of this public disclosure.
6.) WHAT ELSE COULD BE VULNERABLE TO HEARTBLEED?
• IP phones, routers, medical devices, smart TV sets, embedded devices and millions of other devices that rely on OpenSSL to provide secure communications could also be vulnerable to the Heartbleed bug, as these devices, like the handsets of Google's Android partners, are not expected to get updates soon.
• Yesterday, the Industrial Control Systems CERT (ICS-CERT) also warned critical infrastructure organizations (such as energy, utilities or financial services companies) to beef up their systems in order to defend against Heartbleed attacks.
7.) WHO IS RESPONSIBLE FOR HEARTBLEED?
• We actually can't blame any one developer, especially those who contribute to open source projects without monetary motivation.
• Dr. Robin Seggelmann, a 31-year-old German developer who actually introduced the heartbeat feature to OpenSSL on New Year's Eve, 2011, says it was just a programming error in the code that unintentionally created the "Heartbleed" vulnerability.
• "In one of the new features, unfortunately, I missed validating a variable containing a length," he said; the error went undetected by the code reviewers and everyone else for over two years. He claimed, 'I did so unintentionally'.
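As an added example (not from the original slides or from the OpenSSL source), the length validation that section 2's malformed heartbeat and Dr. Seggelmann's quote in section 7 refer to, modelled as a small C heartbeat handler: hb_claimed_payload_len shows the value an unchecked parser trusts, and hb_handle_request applies the bounds check the fix added (header plus claimed payload plus padding must fit inside the record actually received). The message layout follows RFC 6520; the constant names and the two sample records are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520), carried inside one TLS record:
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload, echoed back by the peer
 *   at least 16 bytes of padding
 * The constant names below are this example's own, not OpenSSL's. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* The length field as the vulnerable code read it: taken on trust from the
 * message itself, never compared with how many bytes actually arrived. */
size_t hb_claimed_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Patched behaviour: drop the message unless header + claimed payload +
 * padding fits inside the record that was really received, then echo only
 * bytes that exist. Returns the response length, or -1 when dropped.
 * (Simplification: real OpenSSL fills the response padding with random
 * bytes; zeros are used here.) */
int hb_handle_request(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = hb_claimed_payload_len(rec, rec_len);
    /* The check Heartbleed lacked: the claimed length must fit the record. */
    if (HB_HEADER + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed sample records (not captured traffic). Both are 23 bytes:
 * type, 2-byte length, "ping", then 16 bytes of padding (zero-filled). */
const uint8_t HB_GOOD[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Identical bytes on the wire, but the length field claims 65535 bytes. */
const uint8_t HB_BAD[23]  = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' };

int main(void)
{
    uint8_t out[64];
    int n = hb_handle_request(HB_GOOD, sizeof HB_GOOD, out, sizeof out);
    printf("well-formed: response %d bytes, payload '%.4s'\n",
           n, (const char *)(out + HB_HEADER));
    printf("malformed:   claims %zu bytes in a %zu-byte record -> %s\n",
           hb_claimed_payload_len(HB_BAD, sizeof HB_BAD), sizeof HB_BAD,
           hb_handle_request(HB_BAD, sizeof HB_BAD, out, sizeof out) < 0
               ? "dropped" : "answered");
    return 0;
}
```

The vulnerable code would have copied the 65535 claimed bytes from a 23-byte record, which is exactly the over-read that leaks adjacent heap memory; the patched handler answers the first record and silently drops the second.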
8.) WHO HAS EXPLOITED THIS BUG SO FAR?
• Bloomberg accused the National Security Agency (NSA) of having known about the Heartbleed bug for the last two years. Not only this, the report says the agency was using it continuously to gain information instead of disclosing it to the OpenSSL developers. If that is so, then this would be one of the biggest developments in the history of wiretapping. However, the agency denied it, saying the NSA was not aware of Heartbleed until it was made public.
• But when it comes to exploiting any known vulnerability, hackers are most likely to be at the top of the list. As the flaw was so widespread that it affected half a million websites worldwide, after the public disclosure cybercriminals could reach those sites to steal credentials, passwords and other data before the site operators applied the freely available patch.
• Extracted from: http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html
