Presentation

Proposal

I hereby write this proposal with intent of explaining the class of probably the
most destructive vulnerability on the Internet ever- the Heartbleed Bug. This bug
has struck more than 2/3 of the whole Internet and was actually easy to the non
techie person to execute. The beauty of this bug is that it provides all the data
stored on a specific computer(server) which involves bank account numbers,
usernames, passwords and everything on the internet which uses SSL/TLS was
vulnerable to it. So every information online including classified documents were
at the risk of exploitation. Reports also suggest that the NSA had information of
the bug more than 2 years ago and were using it to extract the classified
information of the diplomats and other security agency for their intelligence
purpose.

We plan to present the topic in modules, which provides the class a better view
and knowledge to understand this specific vulnerability. Our presentation would
include the following stages:

1. Introduction to HTTP and why SSL/TLS is required for communication
over HTTP:

Internet is a vast entity in its own, and a lot of sensitive and personal data is
shared over the Internet, which could be used to impersonate or exploit specific
person or organization. We include a brief introduction on how HTTP works and
types of attacks are involved to steal the data, hence the introduction of SSL/TLS.
Basic information to familiarize the class over HTTP and SSL/TLS which would
help them understand the vulnerability well and follow us on our terms, which
we will be using in the more advance stages of our presentation

2.OpenSSL Heartbeat Extension introduction and Discovery of Heartbleed.
What exactly is Bleed?

Almost the whole Internet uses OpenSSL for encryption and there is a sure
chance of every one of us to have transacted with OpenSSL on the internet even
if dont know them. OpenSSL uses heartbeat extension to validate a session on
the internet periodically over the communication where the source host or
destination host send a heartbeat to verify if the other party is still available to
continue the connection. This involves a request along with a small amount of
data request to verify if the communication is alive. The Heartbeat did not have
any limitation of the amount of data request that can be requested by the party
which led to the vulnerability of Heartbleed. A party requesting a heartbeat
would request unusually high bytes of data from the recipient, who will send the
data back to the source as requested. If the string is small, it sends the
appropriate data but if the requested string is unusually high, the recipient sends
the data from its storage to respond to the partys request, which includes
sensitive data on the systems storage (also called as a memory dump). This
specifically is the summary of the Heartbeat and the Heartbleed Vulnerability.

3. A quick demo of the vulnerability along with a graphical presentation:

We plan to present the class with a quick demo on how the exploit actually
works and how a hacker would initiate the attack. This would include the actual
memory dump from the vulnerable system along with the graphical visuals of
the heartbeat extension and an attack through the Heartbleed request. We have
gone a step further to present the class with a graphical presentation of what all
could be exploited on the Internet for precise understanding of the class.

4.Famous exploits of the attacks and publics responses and protections
used against the specified vulnerability:

After the presenting the above model, we present the class with the list of
famous organizations that have been accused of involvement in exploitation of
the exploit and the organizations that have probably fallen victim to the
vulnerability. Since OpenSSL is the leading organization for encryption, also
involved is the public responses to the attack after its discovery, who were
desperate to protect themselves against the vulnerability and protect their data.
We then propose the effective measures that can be taken to protect the
organizations and individuals from the Heartbleed vulnerability.