Page 182 - Using MIS
Security Guide
Anatomy of a Heartbleed

Every once in a while there is a problem so big that it affects nearly everyone. In the past, World Wars I and II were so far reaching that they affected nearly everyone on the planet. Fast-forward to today. Most people use some form of technology like a cell phone, tablet, or computer on a daily basis. What if there was a technology problem so serious that it affected nearly every piece of hardware, software, and system on the earth? That problem was named Heartbleed, and it became known to the public on April 7, 2014.

Bruce Schneier, a world-renowned computer security expert, called the Heartbleed vulnerability “catastrophic” and “on the scale of 1 to 10, this is an 11.”[37] At the time it was estimated that at least 17 percent to 25 percent of all Web sites were vulnerable to attack. Add in vulnerable software, hardware, operating systems, embedded systems, cell phones, and networking appliances. Heartbleed quickly became one of the most widespread and potentially dangerous computing vulnerabilities ever.

What Is Heartbleed?

Heartbleed is a vulnerability that comes from a flaw in the code for the open source OpenSSL cryptographic library. The OpenSSL library is widely used to secure Internet traffic. When you access a secure Internet site you’ll see a padlock symbol and “https” in your Web browser’s address bar. An attacker can use the Heartbleed vulnerability to extract information being held in the memory of a computer that is hosting a secure Web site. This could include usernames, passwords, session cookies, cryptographic keys, and so on. Anything that’s in memory can be extracted.

[Image credit: Vector_master/Fotolia]

How Does It Work?

Suppose you’re a “client” accessing a secure “server.” A client sends a certain amount of random data (say 65Kb) to a server. The server makes a copy of that random data and sends it back to the client. This is called a “heartbeat” (not Heartbleed). A heartbeat is used to make sure both the client and server are OK.

The “bleed” part comes when the client sends the server too little data. The client says it’s sending 65Kb of data, but it’s really only sending 1 byte of data. This is the flaw: the server never checks to see that there really was 65Kb of data sent. The server takes the 1 byte of data received from the client and adds 65Kb
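The heartbeat exchange and the missing length check described above, modelled as an added C example; this is teaching code written for this page, not code from the textbook or from the OpenSSL library. It assumes a simplified record layout (one type byte, a two-byte claimed length, then the payload), a 128-byte array standing in for server memory, and a constructed secret string placed right after the received record to stand in for the passwords, cookies and keys the text mentions. The vulnerable handler trusts the claimed length; the fixed handler compares it with the number of bytes that actually arrived and discards the request when they disagree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory: the heartbeat record received from the client sits
 * at the start, and a constructed "secret" (standing in for the passwords,
 * cookies and keys the page mentions) happens to sit right after it. */
#define MEM_SIZE 128
#define SECRET "session=abc123"   /* constructed sample value, not real data */

static unsigned char server_memory[MEM_SIZE];

/* Simplified heartbeat request layout (after RFC 6520): one type byte, a
 * two-byte big-endian claimed payload length, then the payload itself.
 * claimed_len is what the client SAYS it sent; actual_len is what arrived.
 * Returns the number of bytes actually received. */
size_t build_request(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = 1;                                /* heartbeat_request */
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&server_memory[3], payload, actual_len);
    memcpy(&server_memory[3 + actual_len], SECRET, strlen(SECRET));
    return 3 + actual_len;
}

/* Vulnerable handler: copies as many bytes as the client CLAIMED, never
 * consulting how many bytes were really received. Whatever follows the
 * short payload in memory is echoed back to the client. */
size_t heartbeat_vulnerable(const unsigned char *record, size_t record_len, unsigned char *response)
{
    (void)record_len;                                    /* the flaw: ignored */
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    memcpy(response, record + 3, claimed);
    return claimed;
}

/* Fixed handler: the claimed length must fit inside the bytes actually
 * received; otherwise the request is discarded without a reply. */
size_t heartbeat_fixed(const unsigned char *record, size_t record_len, unsigned char *response)
{
    if (record_len < 3) return 0;
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    if ((size_t)claimed + 3 > record_len) return 0;     /* length lies: discard */
    memcpy(response, record + 3, claimed);
    return claimed;
}

typedef size_t (*heartbeat_fn)(const unsigned char *, size_t, unsigned char *);

/* Sends a 1-byte payload that claims to be 64 bytes and reports whether the
 * constructed secret appears in the reply (1 = leaked, 0 = not leaked). */
int leaks_secret(heartbeat_fn handler)
{
    unsigned char payload[1] = { 'A' };
    unsigned char response[MEM_SIZE + 1] = { 0 };
    size_t record_len = build_request(64, payload, sizeof payload);
    size_t n = handler(server_memory, record_len, response);
    response[n] = '\0';
    return strstr((const char *)response, SECRET) != NULL;
}

/* An honest heartbeat (claimed length == bytes sent) must still be echoed
 * back unchanged by the handler; returns 1 on success. */
int honest_echo_works(heartbeat_fn handler)
{
    unsigned char payload[5] = { 'h', 'e', 'l', 'l', 'o' };
    unsigned char response[MEM_SIZE + 1] = { 0 };
    size_t record_len = build_request(5, payload, sizeof payload);
    size_t n = handler(server_memory, record_len, response);
    return n == sizeof payload && memcmp(response, payload, sizeof payload) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret:  %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:       %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler echoes honest beat: %d\n", honest_echo_works(heartbeat_fixed));
    return 0;
}
```

The single comparison in `heartbeat_fixed` is the whole difference: a server that checks the claimed length against the bytes it actually received answers honest heartbeats exactly as before and simply stays silent on a lying one, so nothing beyond the payload the client sent can ever be copied into the reply.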


[37] Bruce Schneier, “Heartbleed,” Schneier on Security, April 9, 2014, accessed May 9, 2014, www.schneier.com/blog/archives/2014/04/heartbleed.html.