Heartbleed – What is it?

advertisement
What is Heartbleed?
Heartbleed is a vulnerability in
OpenSSL software.
OpenSSL is encryption software that
accesses websites through a “secure”
connection, HTTPS://.
How does it work?
To communicate, a client computer and the
server send back and forth a short block of
data. The block contains a value for the length
of the block.
The malformed block says its length is 64KB,
the maximum possible. The server copies that
much data from memory into the response.
It may send passwords, encryption keys, etc.
When happened when?
OpenSSL released
March 2012
Publicly reported as vulnerable 1 April 2014
Patch released
21 March 2014
(Some fixes had already been put in place then)
First proven attempted exploit
8 April 2014
Intentional vulnerability test
12 April 2014
How may sites are vulnerable?
(After vulnerability was reported publically)
How may sites are vulnerable?
A list the top 1,000 most popular web domains and mail
servers that remain vulnerable.
https://zmap.io/heartbleed/
What should you do?
Change all passwords as soon as you can.
Find out which sites are vulnerable
On vulnerable sites that have been patched:
Old passwords may be compromised
On sites not yet patched (ask about current status):
New passwords may become
compromised, so change them regularly
On sites not affected:
Was same password used elsewhere?
Which sites are not affected?
Almost all financial service sites are OK.
Amazon
BCPL
Dell
Ebay
Erickson
Gcflearnfree
Haband
MS Live ID
Mychart, (Erickson)
PayPal
US Treasury
Which are common patched sites?
Dropbox
Facebook
Google
Netflix
Norton
Skype
Wikipedia
Yahoo
Site List
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Search for site
https://lastpass.com/heartbleed/
How do I manage?
Use a Password Manager, free - LastPass
Use a LastPass account, import your existing
passwords or save newly generated ones.
A good way to manage passwords in Windows,
includes an IE installer.
Supports Internet Explorer 8+, Firefox 2.0+, Chrome
18+, Safari 5+, Opera 11+.
http://www.pcmag.com/article2/0,2817,2407168,00.asp
https://lastpass.com/misc_download2.php
What does your son/daughter
know?
• Keep a separate, up to date record of your
passwords in a safe place.
• Make sure your designated representative
knows where that record is.
Download