Page 185

Security Guide

Anatomy of a Heartbleed

Every once in a while there is a problem so big that it affects nearly everyone. In the past, World Wars I and II were so far reaching that they affected nearly everyone on the planet. Fast-forward to today. Most people use some form of technology like a cell phone, tablet, or computer on a daily basis. What if there was a technology problem so serious that it affected nearly every piece of hardware, software, and system on the earth? That problem was named Heartbleed, and it became known to the public on April 7, 2014.

Bruce Schneier, a world-renowned computer security expert, called the Heartbleed vulnerability “catastrophic” and “on the scale of 1 to 10, this is an 11.”[41] At the time it was estimated that at least 17 percent to 25 percent of all Web sites were vulnerable to attack. Add in vulnerable software, hardware, operating systems, embedded systems, cell phones, and networking appliances. Heartbleed quickly became one of the most widespread and potentially dangerous computing vulnerabilities ever.

What Is Heartbleed?

Heartbleed is a vulnerability that comes from a flaw in the code for the open source OpenSSL cryptographic library. The OpenSSL library is widely used to secure Internet traffic. When you access a secure Internet site, you’ll see a padlock symbol and “https” in your Web browser’s address bar. An attacker can use the Heartbleed vulnerability to extract information being held in the memory of a computer that is hosting a secure Web site. This could include usernames, passwords, session cookies, cryptographic keys, and so on. Anything that’s in memory can be extracted.

How Does It Work?

Suppose you’re a “client” accessing a secure “server.” A client sends a certain amount of random data (say, 65Kb) to a server. The server makes a copy of that random data and sends it back to the client. This is called a “heartbeat” (not Heartbleed). A heartbeat is used to make sure both the client and server are OK.

The “bleed” part comes when the client sends the server too little data. The client says it’s sending 65Kb of data, but it’s really only sending 1 byte of data. This is the flaw: the server never checks to see that there really was 65Kb of data sent. The server takes the 1 byte of data received from the client and adds 65Kb of data from its own memory containing confidential data. Then it sends it back to the client. This process can be done many times and leaves no record that it ever occurred.

Who’s at Risk?

The short answer is nearly everyone. Mashable posted a short list of some of the more well-known Web sites that were vulnerable to the Heartbleed vulnerability.[42] This list included
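The heartbeat exchange described under “How Does It Work?” can be modelled in a few lines. The following Python example is added here and is not from the textbook or from OpenSSL: it simulates server memory with a constructed byte buffer, lays out the heartbeat message in the format RFC 6520 specifies (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), and places an unchecked handler beside one that enforces the kind of length check the OpenSSL fix introduced, so the reader can see exactly where the missing check lets neighbouring memory leak.

```python
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request; claimed_len need not match len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(memory: bytearray, record_len: int) -> bytes:
    """Model of the unchecked handler: trusts the length field in the record.

    memory[0:record_len] holds the received record; whatever follows it is
    other server data that happens to sit next to it in memory.
    """
    _hbtype, payload_len = struct.unpack("!BH", bytes(memory[:3]))
    # Copies payload_len bytes from the payload offset, running past the record
    echoed = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed


def patched_respond(memory: bytearray, record_len: int):
    """Model of the fixed handler: the claimed payload must fit in the record."""
    _hbtype, payload_len = struct.unpack("!BH", bytes(memory[:3]))
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # malformed request is silently discarded
    echoed = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed


def demo() -> dict:
    """Constructed scenario: a 1-byte payload that claims to be 64 bytes."""
    request = build_heartbeat(64, b"A")
    # Constructed server memory: the record, then unrelated confidential data
    memory = bytearray(request) + bytearray(b"session_cookie=abc123;" + b"\x00" * 64)
    return {
        "unchecked": vulnerable_respond(memory, len(request)),
        "checked": patched_respond(memory, len(request)),
    }


if __name__ == "__main__":
    result = demo()
    print("unchecked handler returned:", result["unchecked"])
    print("checked handler returned:", result["checked"])
```

Run it and the unchecked handler's reply contains the constructed session cookie that was never part of the request, while the checked handler returns nothing.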