Heartbleed, how it works, is it virus, how it check, smartphone hacked, how to protect, password hacked, man in the middle attack, server or client side attack, exploit code available,
2. • It is a critical bug in the OpenSSL's implementation of
the TLS/DTLS heartbeat extension that allows attackers
to read portions of the affected server’s memory,
potentially revealing users data, that the server did not
intend to reveal.
•
• After the story broke online, websites around the
world flooded with the heartbleed articles, explaining
how it works, how to protect, and exactly what it is. Yet
many didn’t get it right. So based on the queries of
Internet users, we answered some frequently asked
questions about the bug.
3. 1.) IS HEARTBLEED A VIRUS?
• Absolutely NO, It's not a virus. As described in
our previous article, The Heartbleed bug is a
vulnerability resided in TLS heartbeat
mechanism built into certain versions of the
popular open source encryption standard
OpenSSL, a popular version of the Transport
Layer Security (TLS) protocol.
4. 2.) HOW IT WORKS?
• For SSL to work, your computer needs to communicate to the
server via sending 'heartbeats' that keep informing the server that
client (computer) is online (alive).
• Heartbleed attack allows an attacker to retrieve a block of memory
of the server up to 64kb in response directly from the vulnerable
server via sending the malicious heartbeat and there is no limit on
the number of attacks that can be performed. [Technically
Explained by Rahul Sasi on Garage4hackers]
• It opens doors for the cyber criminals to extract sensitive data
directly from the server's memory without leaving any traces.
5. 3.) HEARTBLEED ATTACK RELIES ON
MAN-IN-THE-MIDDLE ATTACK?
• No, it has nothing to deal with a Man-in-the-
Middle (MitM) attack. But using Heartbleed
attack, one can manage to obtain the private
encryption key for an SSL/TLS certificate and
could set up a fake website that passes the
security verification.
• An attacker could also decrypt the traffic passing
between a client and a server i.e. Perfect man-in-
the-middle attack on HTTPS connection.
6. 4.) IS IT A CLIENT SIDE OR SERVER
SIDE VULNERABILITY?
• TLS heartbeats can be sent by either side of a TLS
connection, so it can be used to attack clients as
well as servers. An Attacker can obtain up to 64K
memory from the server or client as well that
uses an OpenSSL implementation vulnerable to
Heartbleed (CVE-2014-0160).
• Researcher estimated two-thirds of the world's
servers i.e. half a million servers are affected by
the Heartbleed Bug, including websites, email,
and instant messaging services.
7. 5.) HOW HEARTBLEED AFFECTS
SMARTPHONES?
• Smartphone is the best practical example of Client side attacks.
• All versions of Android OS include outdated versions of OpenSSL
library, but only Android 4.1.1 Jelly Bean has the vulnerable
heartbeat feature enabled by default. Blackberry also confirmed
that some of its products are vulnerable to Heartbleed bug,
whereas Apple's iOS devices are not affected by OpenSSL flaw.
•
• Google had patched the affected version Android 4.1.1, but it will
take long time to deliver updated Android version to the end
Smartphone users as updates to majority handsets are controlled
by phone manufacturers and wireless carriers. Until users running
the affected versions are vulnerable to the attacks, and hackers will
definitely take advantage of this public disclosure.
8. 6.) WHAT ELSE COULD BE
VULNERABLE TO HEARTBLEED?
• IP phones, Routers, Medical devices, Smart TV sets,
embedded devices and millions of other devices that rely
on the OpenSSL to provide secure communications could
also be vulnerable to Heartbleed bug, as it is not expected
for these devices to get the updates soon from Google’s
Android partners.
• Yesterday, Industrial Control Systems-CERT also warned the
critical infrastructure organizations (like energy, utilities or
financial services companies) to beef-up their systems in
order to defend against the Heartbleed attacks.
9. 7.) WHO IS RESPONSIBLE FOR
HEARTBLEED?
• We actually can't blame anyone developer, specially who
are contributing to Open Source projects without money
motivations.
• Dr. Robin Seggelmann, a 31-year-old German developer
who actually introduced the Heartbeat concept to OpenSSL
on New Year's Eve, 2011, says it was just a programming
error in the code that unintentionally created the
“Heartbleed” vulnerability.
• "In one of the new features, unfortunately, I missed
validating a variable containing a length", went undetected
by the code reviewers and everyone else for over two
years. He claimed 'I did so unintentionally'.
10. 8.) WHO HAS EXPLOITED THIS BUG
YET?
• Bloomberg accused the National Security Agency (NSA) of knowing
the Heartbleed bug for the last two years. Not even this, the report
says the agency was using it continuously to gain information
instead of disclosing it to the OpenSSL developers. But if it is so,
then this would be one of the biggest developments in the history
of wiretapping ever. However, the agency denied it saying NSA was
not aware of Heartbleed until it was made public.
• But when it comes to exploit any known vulnerability, then Hackers
are most likely to be top on the list. As the flaw was so widely
spread that it affected half a million websites worldwide, so after
the public disclosure, the cybercriminals could reach the sites to
steal credentials, passwords and other data, before the site
operators apply the freely available patch.