New Feature: Playlist Center! Pick a topic and let our playlists guide the way.

Start learning with our library of video tutorials taught by experts. Get started

Heartbleed Tactics for Small IT Shops
Illustration by Don Barnett

Heartbleed Tactics for Small IT Shops

with David Gassner

Video: Understanding the nature of the Heartbleed bug

As has been widely publicized, a severe hole in It primarily affects HTTP servers, the servers that host websites, The heartbeat extension is used to create a handshake between Here's the technical description, a missing bounds check 64k doesn't sound like a lot, but this hole in the security of the Here's the sort of data that can be leaked through the Heartbleed bug.

Watch every course in the library with a lynda.com membership.
Each course includes high-quality videos taught by expert instructors.

Become a member
please wait ...
Heartbleed Tactics for Small IT Shops
16m 43s Beginner Apr 15, 2014

Viewers: in countries Watching now:

Protect your sites—and your servers—from Heartbleed. This course is aimed at administrators that maintain their own small servers, and provides the information needed to diagnose as well as fix any problems. David Gassner shows how to test your secure servers, fix the services that use the compromised OpenSSL software, and audit your other vulnerable systems.

Subjects:
Developer Servers
Author:
David Gassner

Understanding the nature of the Heartbleed bug

As has been widely publicized, a severe hole in internet security, known as The Heartbleed Bug has been discovered. This bug affects a significant percentage of secure HTTP servers around the world. Heartbleed is a bug in OpenSSL, an open Source Software Package that's widely used to manage security certificates and encryption between internet clients and servers. It primarily affects HTTP servers, the servers that host websites, and specifically HTTP servers that use OpenSSL versions 1.0.1, through 1.0.1f.

This isn't an architectural problem with OpenSSL itself, it's just some bad code that was introduced into the product. The bug is in the implementation of the Transport Layer Security protocol, or TLS and specifically, a part of the protocol known as the heartbeat extension. The heartbeat extension is used to create a handshake between a client and a server, as they initiate encrypted communication. The problem, is that this bug allows memory and data to leak through.

Here's the technical description, a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. 64k doesn't sound like a lot, but this hole in the security of the TLS heartbeat extension can be exploited over and over again once it's been discovered. This means that servers and client computers, and even mobile devices such as cell phones and tablets that are connected to the internet are potentially vulnerable if they use particular versions of Open SSL.

As an IT administrator or business owner, it's critical to understand the nature of the bug, how to find out whether your systems are vulnerable, and how to go about fixing the issue. Here's the sort of data that can be leaked through the Heartbleed bug. Primary keys are the digital security certificates, that manage encryption. These are the keys to the kingdom. And the heartbleed bug lets those leak from server memory. Also, secondary keys such as user credentials, user names and passwords, or other information that's being used to authenticate users can be leaked.

Once that information has been compromised it's possible to get to other protected contents, information as sensitive as credit card numbers. And finally, collateral information such as memory addresses or other internal technical info. Some of this information is temporary and transient. For example, if someone has captured memory addresses. From a current server session it wouldn't be useful once you've updated OpenSSL to a safe version, and restarted your server. But everything else that might have been compromised needs to be closely evaluated, and if warranted, it needs to be changed.

This is laborious and a major pain, but it might be necessary. Don't underestimate this issue. If you secure hosted services, you should immediately find out whether your systems need attention. Some organizations including national governments, have actually shut down critical web-based services until they're confident that this bug has been corrected on their servers. It's that serious. Deal with it now and you might save yourself some bigger trouble down the road.

You can easily find out whether your systems are vulnerable, if they are vulnerable it's tough to know what information might have been stolen, if any, so it's best to be safe. Security experts world wide are recommending that you change or replace potentially compromised security assets, such as certificates, passwords, and so on. To learn more about the bug and find resources to deal with it, go to the website that's been set up for this purpose at heartbleed.com. This webpage will be kept up to date as information develops.

It includes information about the nature of the bug, and, down at the bottom at the page, a list of resources that you can use to find out how to deal with particular servers. In the following movies I'll describe key strategies you can follow, to find and fix vulnerabilities in your own systems.

There are currently no FAQs about Heartbleed Tactics for Small IT Shops.

 
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.
Upgrade now


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

join now Upgrade now

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed Heartbleed Tactics for Small IT Shops.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?

No

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.