Brought to you by
www.sans.org/vlive
www.sans.org/simulcast
Heartbeats
SSL heartbeats are defined in RFC 6520.
They are used for keep-alive messages without the need to renegotiate the SSL session.
They are also used for path MTU discovery.
HeartBleed Visual
[Diagram] The attacker sends an SSL v3 record whose Length field (4 bytes) claims a variable-length Message Data payload, but the record actually carries only 1 random byte of Message Data. Almost 64k (-1 byte) of extra memory is allocated to the server process and handed back to the attacker. Memory Disclosure! ("This should be a secret!")
If ever vulnerable
Communicate this (prominently) to customers.
Revoke possibly (probably) compromised certs.
Issue new server SSL certs.
Change assumed-secret data the customer can't change themselves.
Force a change of passwords for customers.
HeartBleed: What you need to know (2014), Jake Williams (@MalwareJake)
OpenVPN
Huge numbers of companies use OpenVPN.
Bad news: it was vulnerable.
Server Certificates
Ensure that your browser is set to check for revoked certificates.
Chrome on Windows does not do this by default; Firefox does.
Chrome Plugin
The ChromeBleed plugin shows whether the site you are communicating with is vulnerable:
https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic
Forensics Implications
Suppose your friendly law enforcement captured your SSL-encrypted traffic last month.
Or your employer.
Uh oh!
Snort Detections
Looks for heartbeat codes and checks the size.
Anything larger than 200 bytes is assumed bad
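The length check behind the HeartBleed Visual slide and the size threshold from the Snort slide, as an added Python example (not code from the SANS deck, from OpenSSL or from Snort): it parses a TLS heartbeat record using the RFC 6520 message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding), flags a declared payload length that exceeds the bytes actually present in the record (the condition a patched server discards), and separately flags any declared length over 200 bytes as the slide's Snort rule does. The build_heartbeat_record helper, the function names and the sample records are constructed for this example.

```python
import struct

# RFC 6520 / TLS constants
TLS_HEARTBEAT_CONTENT_TYPE = 24   # record-layer content type for heartbeat
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                  # RFC 6520: at least 16 bytes of padding
MAX_SANE_PAYLOAD = 200            # threshold used by the Snort rule on the slide


def build_heartbeat_record(declared_len, payload, padding=b"\x00" * MIN_PADDING,
                           version=(3, 1)):
    """Build a TLS heartbeat record for testing (constructed data, not a capture).

    declared_len is written into the payload_length field independently of
    len(payload), so a mismatch between claimed and actual payload can be
    produced on purpose for the detector below.
    """
    body = struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + padding
    header = struct.pack("!BBBH", TLS_HEARTBEAT_CONTENT_TYPE,
                         version[0], version[1], len(body))
    return header + body


def inspect_heartbeat(record):
    """Classify one TLS record.

    Returns (verdict, declared_len, available) where verdict is one of:
      'not_tls'         - too short to hold a TLS record header
      'not_heartbeat'   - content type is not heartbeat (24)
      'malformed'       - heartbeat body too short for type + payload_length
      'length_mismatch' - payload_length claims more bytes than the record holds
                          (the Heartbleed condition; a patched server drops this)
      'oversized'       - payload_length > 200, the slide's Snort threshold
      'ok'              - consistent and within the threshold
    """
    if len(record) < 5:
        return ("not_tls", None, None)
    ctype, _vmaj, _vmin, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT_CONTENT_TYPE:
        return ("not_heartbeat", None, None)
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return ("malformed", None, None)
    _hb_type, declared_len = struct.unpack("!BH", body[:3])
    # Bytes genuinely available for the payload once type, length and the
    # mandatory minimum padding are accounted for. The fixed OpenSSL code
    # applies the same idea: 1 + 2 + payload_length + 16 must fit in the record.
    available = len(body) - 3 - MIN_PADDING
    if declared_len > available:
        return ("length_mismatch", declared_len, available)
    if declared_len > MAX_SANE_PAYLOAD:
        return ("oversized", declared_len, available)
    return ("ok", declared_len, available)


# Constructed sample records (not captured traffic)
BENIGN = build_heartbeat_record(4, b"ping")
HEARTBLEED_STYLE = build_heartbeat_record(0xFFFF, b"A")   # claims ~64k, carries 1 byte
LARGE_BUT_CONSISTENT = build_heartbeat_record(300, b"B" * 300)
HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x05hello"           # content type 22, not heartbeat

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN), ("heartbleed-style", HEARTBLEED_STYLE),
                      ("large-but-consistent", LARGE_BUT_CONSISTENT),
                      ("handshake", HANDSHAKE_RECORD)]:
        print(name, inspect_heartbeat(rec))
```

The two checks are deliberately separate: the length-mismatch test is what a correct implementation must enforce regardless of size, while the 200-byte threshold is a detection heuristic that will also catch consistent-but-unusual heartbeats and should be tuned to what legitimate clients on the network actually send.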
Questions?
Jake Williams
@MalwareJake