The Heartbleed Bug
Zulfikar Ramzan, PhD (MIT), Chief Technology Officer, Elastica
"Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data" - Wall Street Journal
"OpenSSL Heartbleed Bug Leaves Much of the Internet at Risk" - TechCrunch
"Experts Find a Door Ajar in an Internet Security Method Thought Safe" - The New York Times
On 7 April 2014, security researchers disclosed a serious vulnerability in OpenSSL, the cryptographic software library that protects many web sites.
The flaw had been present for roughly two years, hidden in plain sight.
When you transact online, your information is protected by SSL/TLS, the encryption protocol used to secure traffic on the Internet.
OpenSSL is a widely deployed open-source implementation of SSL/TLS.
The Heartbeat extension (RFC 6520) is an optional part of TLS/DTLS that lets either side send a small "are you still there?" message and receive the same payload echoed back, keeping the connection alive.
The Heartbleed bug (CVE-2014-0160) is not a flaw in the protocol itself but in OpenSSL's implementation of the Heartbeat extension: the code trusted the payload length claimed in an incoming heartbeat request instead of checking it against the length of the data actually received, so a request claiming a large payload made the server copy up to 64 KB of adjacent process memory into its reply.
It affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 release; the fix shipped in 1.0.1g.
Because the leaked memory is whatever happens to sit next to the request buffer, it can contain the server's private keys, user credentials, session cookies and the plaintext of other users' traffic.
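To make the missing check concrete, here is an added C example (constructed for this page, not code from OpenSSL or from the original presentation) that models a heartbeat record and a small block of "process memory" around it. `heartbeat_vulnerable` follows the pattern of the unpatched code, copying as many bytes as the message claims; `heartbeat_patched` adds the record-length check that OpenSSL 1.0.1g introduced. The record layout is RFC 6520's; the fake session cookie, buffer sizes and function names are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): 1-byte type, 2-byte big-endian payload_length,
 * payload, then at least 16 bytes of padding. The real OpenSSL function
 * (tls1_process_heartbeat) is longer; this models only the length handling. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING      16

/* Constructed "process memory": a request whose header claims a 36-byte
 * payload (0x0024) but whose real payload is the 4 bytes "ping", followed by
 * bytes that model whatever the heap holds next to it (here a fake secret). */
static const uint8_t g_process_memory[] = {
    TLS1_HB_REQUEST, 0x00, 0x24, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,          /* 16 bytes padding */
    's','e','s','s','i','o','n','=','S','3','C','R','E','T','!','!' /* neighbour */
};
/* Bytes the peer actually sent: 1 + 2 + 4 + 16 = 23. */
#define RECORD_LEN (1 + 2 + 4 + HB_PADDING)

static size_t n2s(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Unpatched pattern (OpenSSL 1.0.1 to 1.0.1f): rec_len is never consulted, so
 * memcpy reads past the end of the record. Returns response length or -1. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                     /* the bug: ignored */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    size_t payload = n2s(rec + 1);
    if (3 + payload + HB_PADDING > out_cap) return -1; /* only the output is bounded */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                 /* over-read into neighbour */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Patched pattern (OpenSSL 1.0.1g): a claimed payload that does not fit in the
 * received record is silently discarded, exactly as the fix does. */
int heartbeat_patched(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;       /* too short to be valid */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    size_t payload = n2s(rec + 1);
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains(const uint8_t *buf, int len, const char *needle)
{
    size_t n = strlen(needle);
    for (int i = 0; len >= 0 && i + (int)n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* 1 if the unpatched handler echoes the neighbouring secret back to the peer. */
int demo_vulnerable_leaks(void)
{
    uint8_t out[128];
    int n = heartbeat_vulnerable(g_process_memory, RECORD_LEN, out, sizeof out);
    return n == 3 + 36 + HB_PADDING && contains(out, n, "S3CRET");
}

/* 1 if the patched handler rejects the same over-long request. */
int demo_patched_rejects(void)
{
    uint8_t out[128];
    return heartbeat_patched(g_process_memory, RECORD_LEN, out, sizeof out) == -1;
}

/* 1 if the patched handler still answers an honest request (claimed length 4). */
int demo_patched_accepts_honest(void)
{
    const uint8_t honest[RECORD_LEN] = { TLS1_HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[128];
    int n = heartbeat_patched(honest, sizeof honest, out, sizeof out);
    return n == RECORD_LEN && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("unpatched handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("patched handler rejects request: %d\n", demo_patched_rejects());
    printf("patched handler answers honest request: %d\n", demo_patched_accepts_honest());
    return 0;
}
```

The over-read here stays inside `g_process_memory` so the demonstration is well-defined; in the real server the copy ran off the end of the SSL record buffer into whatever the allocator had placed nearby, and repeating the request walked through different 64 KB windows of that memory.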
The Heartbleed bug allows attackers to
• eavesdrop on communications by recovering the keys that protect them
• read sensitive data straight out of server memory, such as passwords, social security numbers and financial records
• impersonate users and services with the stolen credentials and keys
• and do all of this repeatedly, without leaving a trace in ordinary server logs
At the time of disclosure, up to two-thirds of web servers were estimated to use OpenSSL and could be vulnerable.
What should you do?
Check whether the sites you use have applied the Heartbleed fix (OpenSSL 1.0.1g or later) and, since their private keys may have leaked, replaced their certificates.
Once a site has been patched, log in and change your password.
If you change your password before the site has been patched, you are simply handing an attacker your new password.
When credentials are stolen this way, the attacker's login looks like the legitimate user's, so finding the breach means spotting anomalous behaviour rather than matching a known signature; machine learning based methods are one way to do that.
Elastica's Detect App on CloudSOC uses behavioral analysis to zero in on threats to your assets in the cloud and gives you protection beyond a simple username and password.
Thank you.