RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

Slides:

Advertisements

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Advertisements

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

By Hiranmayi Pai Neeraj Jain

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

7 Effective Habits when using the Internet Philip O’Kane 1.

Windows 7 Project and Heartbleed Update Sian Shumway Director, IT Customer Service.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Web server security Dr Jim Briggs WEBP security1.

K. Salah1 Security Protocols in the Internet IPSec.

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Phish your victims in 5 quick steps. Phish yourself today In less than 5 minutes What is Phish5? Phish5 is a Security Awareness service With Phish5, a.

Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Server Administration Chapter 10 Securing the Web Environment.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Serge Borso The Heartbleed Bug Serge Borso

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

3-Protecting Systems Dr. John P. Abraham Professor UTPA.

Software Security Testing Vinay Srinivasan cell:

What is Heartbleed? Heartbleed is a vulnerability in OpenSSL software. OpenSSL is encryption software that accesses websites through a “secure” connection,

What’s New in Fireware v11.9.5

1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.

Security at NCAR David Mitchell February 20th, 2007.

Zakir Durumeric, James Kasten,David Adrian, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Johanna Amann, Jethro Beekman, Mathias Payer,

Lecture 20 Hacking. Over the Internet Over LAN Locally Offline Theft Deception Modes of Hacker Attack.

Sudarshan Yadav Sr. Program Manager, Microsoft

Module 8: Designing Security for Authentication. Overview Creating a Security Plan for Authentication Creating a Design for Security of Authentication.

Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.

Security. Security Flaws Errors that can be exploited by attackers Constantly exploited.

Presented by Teererai Marange. Background Open SSL Hearbeat extension Heartbleed vulnerability Description of work Methodology Summary of results Vulnerable.

Integrating and Troubleshooting Citrix Access Gateway.

Module 2 – User Safety Privacy Attacks on end users Browser vulnerabilities.

Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?

Saphe surfing! 1 SAPHE Secure Anti-Phishing Environment Presented by Uri Sternfeld.

Retina Network Security Scanner

Can SSL and TOR be intercepted? Secure Socket Layer.

Wireless and Mobile Security

Web Security Firewalls, Buffer overflows and proxy servers.

SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)

SSH/SSL Attacks not on tests, just for fun. SSH/SSL Should Be Secure Cryptographic operations are secure SSL uses certificates to authenticate servers.

Vulnerabilities in Operating Systems Michael Gaydeski COSC December 2008.

Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.

Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.

@Yuan Xue Worm Attack Yuan Xue Fall 2012.

Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.

Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.

Nessus Vulnerability Scan

HEARTBLEED: Technical Description and Fixes

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Working at a Small-to-Medium Business or ISP – Chapter 8

Boots Cassel Villanova University

Backdoor Attacks.

Secure Software Confidentiality Integrity Data Security Authentication

Secure Sockets Layer (SSL)

Implementing TMG Server Publishing

Security of a Local Area Network

Originally by Yu Yang and Lilly Wang Modified by T. A. Yang

A Distributed DoS in Action

Light-weight Contexts: An OS Abstraction for Safety and Performance

Implementing Client Security on Windows 2000 and Windows XP Level 150

Test 3 review FTP & Cybersecurity

Hush Smart Baby Monitor Exploit

Tyler Technologies presents: What you need to know about upcoming changes to your New World ERP technical environment in Scott Alan Miller MCP,

Scott Miller TSM Team Lead Ray Mah Architect, Foundation

The Heartbleed Bug and Attack

Presentation transcript:

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL session. 2. Used in MTU path discovery Why is this a problem? Heartbeat requests can be sent WITHOUT authentication to the server. Open SSL Heartbleed bug

CVE describes the SSL Heartbleed bug ● Vulnerable versions of OpenSSL do not validate user input for the memory length value. ● Bug was introduced into OpenSSL version code in March 2012 ● Non affected versions;.99 and forks ● Affected version through 1.0.1f ● Patched in 1.0.1g ● Introduced to the code in Nov 2011, it was committed to the code on Dec 31, 2011 just before midnight.

What exactly is bleeding? ● The bug allows attackers to grab 64K chunks of memory contents near the SSL heartbeat on a vulnerable host. ● It is random chunks of data in this memory space – ASLR helps in this situation ● Attack can be repeated many times to grab different random chunks of data ● 64k does seem like much - but it is!

Memory disclosure: what exactly can an attacker get? ● 1. Private crypto keys - the keys to the kingdom, or at least the server. ● 2. Usernames and Passwords ● 3. Session identifiers ● 4. Private data – data payloads ● 5. Meta data for the SSL session, programming structure pointers - may defeat other exploit protections.

Geeky details, the 4 part heartbeat 1.SSL V3 RECORD LENGTH (should be limited to 4 bytes) 2. Heartbeat Message Type (1Byte) 3.HEARTBEAT MESSAGE (should be limited to 2 bytes BUT IT'S NOT) ● When the victim machine replies there is an extra 64k (-1byte) of memory of the server process returned to the attacker. 4.Message Data (variable bytes)

Untraceable and undetectable = No! ● Many news media sites are saying this attack is untraceable. Not exactly true. ● There is no logging of the session beyond normal SSL negotiation. ● The attack is detectable.

So what can I do? ● Coordinate with vendors to get vulnerable devices patched or replaced. At a minimum, revoke and reissue vulnerable certs. – IT did this late last week for the Juniper VPN concentrator. ● Change passwords - even if a vendor says their product was not vulnerable, they CANNOT guarantee any business partners products were not vulnerable. ● Monitor carefully for any evidence of identity theft. ● Prepare for phishing and social engineering campaigns leveraging Heartbleed into scaring people into divulging credentials.

Server side attacks ● But I'm not running a web server so I'm safe. Yeah right! ● But Windows products are not affected so I'm safe. Not even! ● While Windows servers are not directly affected, many use SSL to link to other servers. ● I checked everything using TCP port 443. I'm safe right? No.

Client side attacks ● A full accounting of vulnerable clients is not yet known. ● An attacker can redirect traffic to a vulnerable server they control and exploit this vulnerability. – this hasn't been seen yet but it's only a matter of time. ● Be wary of "secure" network clients. ● Restrict use of unknown public wireless unless you know your client is safe.

Safe(r) Browsers ● Firefox, Chrome, and IE (on Windows) use the Microsoft implementation of SSL not OpenSSL. ● Internet Informations Server/Services (IIS) are not vulnerable. ● Yeah Microsoft! ● Don't even think about asking about XP.

What else? ● Most Android devices are vulnerable. - No word on Chrome Books yet. ● iOS and Mac OSX are not vulnerable. -but some 3 rd party iOS apps are. ● Most Linux browsers are probably vulnerable. ● 3rd party code using OpenSSL could be vulnerable - this will take time to discover.

What is Information Security doing? ● Continuous monitoring for this vulnerability with both IDS and IPS devices. ● Vulnerability scans. - not as effective since it's a snapshot in time but a good starting point.