Informational HeartBleed attack (HeartBleed bug) PART1

yuno

Ok.. Hello and good evening for non-Muslims and assalamualaikum for Muslims..

Umm.. Have you heard about the HeartBleed bug??
NO!??

OK.. Today you are lucky because I will explain about:

The Heartbleed BUG

So.. What is the Heartbleed BUG actually??
The Heartbleed bug was a serious flaw in OpenSSL, encryption software that powers a lot of secure communications on the web. It was announced by computer security researchers on April 7, 2014.
Here's how it worked: the SSL standard includes a heartbeat option, which allows a computer at one end of an SSL connection to send a short message to verify that the other computer is still online and get a response back. Researchers found that it's possible to send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information. Specifically, a vulnerable computer can be tricked into transmitting the contents of the server's memory, known as RAM.

Ed Felten, a computer scientist at Princeton (and, disclosure, my former graduate advisor) told me in 2014 that attackers using the technique can "sort through that information by doing pattern matching to try to find secret keys, passwords, and personal information like credit card numbers."

I don't need to explain why exposing passwords and credit card numbers could be harmful. But exposing secret keys can be even worse. This is the information servers use to unscramble encrypted information they receive. If an attacker obtains a server's private keys, it can read any information sent to it. It may even be able to use the secret key to impersonate the server, tricking users into divulging their password and other sensitive information.

Because the Heartbleed attack was generally focused on servers, there was nothing users could do to protect themselves when using a vulnerable website. But once a secure website had fixed the problem, users had to update their software to ensure that previously-captured passwords were not used for malicious purposes.

Which websites were affected?

Affected companies included Tumblr, Google, Yahoo, Intuit (makers of TurboTax), Dropbox, Netflix, and Facebook. All of these companies have since fixed the problem. Amazon.com was not affected, but Amazon Web Services, which is used by a huge number of smaller websites, was. Apple, Microsoft, PayPal, LinkedIn, eBay, Twitter, and AOL said they weren't affected.

Most banking and investment sites, including Bank of America, Chase, E-Trade, Fidelity, PNC, Schwab, US Bank, and Wells Fargo, were not affected. This might be because these companies used encryption software other than OpenSSL, or it might be because they hadn't upgraded to the latest version. Ironically, companies who were running a version of OpenSSL more than two years old in April 2014 were not affected by the Heartbleed bug.

But What is SSL?

SSL, short for Secure Sockets Layer, is a family of encryption technologies that allow web users to protect the privacy of information they transmit over the internet.

When you visit a secure website such as Gmail.com, you'll see a lock next to the URL, indicating that your communications with the site are encrypted. Here's what that looks like in Google's Chrome browser:
[Image: Screen_Shot_2014-04-08_at_10.55.39_AM.png]
That lock is supposed to signal that third parties won't be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher. If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.

SSL was introduced by Netscape in 1994. In recent years, there has been a trend toward major online services using encryption by default. Today, Google, Yahoo, and Facebook all use SSL encryption by default for their websites and online services.

When implemented correctly, SSL is believed to be highly secure. But 2014 was a bad year for SSL security; Heartbleed wasn't the only security flaw uncovered that year. In February, a serious flaw was discovered in Apple's implementation of SSL. The next month a flaw was found in another SSL implementation that was popular with open source operating systems.

WHAT ABOUT OPENSSL?

OpenSSL is software that allows computers to communicate using the SSL encryption standards. It's an open source project created and maintained by volunteers. First released in 1998, it has become one of the most popular SSL implementations in the world.

OpenSSL is widely used. One reason for this is that it has been incorporated into various other software products. For example, two of the most popular web server software packages, known as Apache and nginx, both use OpenSSL to encrypt websites.

At the time of the Heartbleed attack, the OpenSSL website listed just 15 active developers, most of whom contributed to the project on a volunteer basis. But not all changes to the OpenSSL software are written by these 15 people. Rather, these developers help to filter and organize suggested changes from a larger community of people who make occasional contributions.

Considering that high-profile commercial software projects often have dozens or even hundreds of people working on them, it's not surprising that the OpenSSL team didn't notice the subtle Heartbleed bug when they introduced a new version of the software in 2012.

After the Heartbleed bug was discovered, several large tech companies pooled their resources to fund greater efforts to secure OpenSSL and other open source software that forms the internet's core infrastructure.

How does the Heartbleed attack work?

The SSL standard includes a "heartbeat" option, which provides a way for a computer at one end of the SSL connection to double-check that there's still someone at the other end of the line. This feature is useful because some internet routers will drop a connection if it's idle for too long. In a nutshell, the heartbeat protocol works like this:

[Image: heartbleed_good.png]
The heartbeat message has three parts: a request for acknowledgement, a short, randomly-chosen message (in this case, "banana"), and the number of characters in that message. The server is simply supposed to acknowledge having received the request and parrot back the message.

The Heartbleed attack takes advantage of the fact that the server can be too trusting. When someone tells it that the message has 6 characters, the server automatically sends back 6 characters in response. A malicious user can take advantage of the server's gullibility:
[Image: heartbleed_bad.png]
Obviously, the word "giraffe" isn't 100 characters long. But the server doesn't bother to check before sending back its response, so it sends back 100 characters. Specifically, it sends back the 7-character word "giraffe" followed by whichever 93 characters happen to be stored after the word "giraffe" in the server's memory. Computers often store information in a haphazard order in an effort to pack it into its memory as tightly as possible, so there's no telling what information might be returned. In this case, the bit of memory after the word "giraffe" contained sensitive personal information belonging to user John Smith.

In the real Heartbleed attack, the attacker doesn't just ask for 100 characters. The attacker can ask for around 64,000 characters of plain text. And it doesn't just ask once, it can send malicious heartbeat messages over and over again, allowing the attacker to get back different fragments of the server's memory each time. In the process, it can gain a wealth of data that was never intended to be available to the public.

The fix for this problem is easy: the server just needs to be less trusting. Rather than blindly sending back as much data as is requested, the server needs to check that it's not being asked to send back more characters than it received in the first place. That's exactly what OpenSSL's fix for the Heartbleed Bug does.

OK, THAT'S ALL FOR TODAY. THIS THREAD HAS 2 PARTS.. YOU GUYS JUST WAIT FOR THE SECOND PART BECAUSE.. IT WILL BE LONG FOR ME, CLEARLY, RIGHT.. SO ... JUST WAIT FOR PART TWO

bye2..

FROM YUNO_V19
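
The "banana" and "giraffe" exchange described in the post above, as an added example that is not part of the original post and is not OpenSSL's code: a C simulation of a heartbeat handler before and after the length check. The 3-byte header layout, the 128-byte arena standing in for server memory, the neighbouring sample data and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3u    /* assumed layout: 1-byte type + 2-byte claimed length */
#define ARENA_SIZE 128u

/* Simulated server memory: the received request sits at offset 0 and
 * unrelated data (constructed sample, not real data) follows it. */
static uint8_t arena[ARENA_SIZE];
static const char NEIGHBOUR[] = "user=john.smith;card=CONSTRUCTED-SAMPLE";
static uint8_t reply[ARENA_SIZE];        /* last reply produced by a handler */

/* Store a request in the arena; returns the bytes actually received. */
static size_t receive_request(const char *payload, uint16_t claimed_len)
{
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    if (HB_HEADER + actual + sizeof NEIGHBOUR > ARENA_SIZE)
        return 0;                        /* sample too large for this demo */
    arena[0] = 1;                        /* heartbeat request */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, actual);
    memcpy(arena + HB_HEADER + actual, NEIGHBOUR, sizeof NEIGHBOUR);
    return HB_HEADER + actual;
}

static size_t claimed_length(void) { return ((size_t)arena[1] << 8) | arena[2]; }

/* Before the fix: echo as many bytes as the sender claimed. */
static size_t reply_trusting(size_t received)
{
    size_t n = claimed_length();
    (void)received;                      /* never consulted: this is the bug */
    if (n > ARENA_SIZE - HB_HEADER)      /* clamp keeps the simulation inside */
        n = ARENA_SIZE - HB_HEADER;      /* its own array (defined behaviour) */
    memcpy(reply, arena + HB_HEADER, n);
    return n;
}

/* After the fix: drop any request that claims more than was received. */
static size_t reply_checked(size_t received)
{
    size_t n = claimed_length();
    if (received < HB_HEADER || HB_HEADER + n > received)
        return 0;                        /* no reply is sent */
    memcpy(reply, arena + HB_HEADER, n);
    return n;
}

/* Run one request through either handler; returns the reply length. */
size_t make_reply(const char *payload, uint16_t claimed, int checked)
{
    size_t received = receive_request(payload, claimed);
    return checked ? reply_checked(received) : reply_trusting(received);
}

/* 1 if the reply contains needle, i.e. data the sender never supplied. */
int reply_contains(const char *payload, uint16_t claimed, int checked, const char *needle)
{
    size_t n = make_reply(payload, claimed, checked), m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(reply + i, needle, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("banana/6: %zu -> %zu\n", make_reply("banana", 6, 0), make_reply("banana", 6, 1));
    printf("giraffe/100: %zu -> %zu\n", make_reply("giraffe", 100, 0), make_reply("giraffe", 100, 1));
    return 0;
}
```

For the "giraffe" request claiming 100 characters, the trusting handler returns 100 bytes (the 7 that were sent plus 93 bytes of neighbouring memory), while the checked handler sends no reply at all.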
 

LilBoyyy

Tq you for sharing
 

nanovim

I think the information is good but if you can, please try to paraphrase cause it looks similar to this website. Good writing also means avoiding plagiarism whenever possible. Thank you for initiating this sharing topic. [ Source Here ]
 

Craglitch

Wow, I understand how SSL is not very secure now! Thanks for sharing!
 