Beware Poodle Bug!

Three Google researchers have uncovered a security bug in widely used web encryption technology that they say could allow hackers to take over accounts for email, banking and other services in what they have dubbed a "Poodle" attack.

The discovery of "Poodle," which stands for Padding Oracle On Downloaded Legacy Encryption, prompted makers of web browsers and server software to advise users on Tuesday to disable use of the source of the security bug: an 18-year old encryption standard known as SSL 3.0.
It was the third time this year that researchers have uncovered a vulnerability in widely used web technology, following April's "Heartbleed" bug in OpenSSL and last month's "Shellshock" bug in a piece of Unix software known as Bash.

It is the third time this year that researchers have uncovered a "Heartbleed" bug and last month's "Shellshock" bug.

Security experts said that hackers could steal browser "cookies" in "Poodle" attacks, potentially taking control of email, banking and social networking accounts. Even so, experts said the threat was not as serious as the two prior bugs.

"If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6," said Tal Klein, vice president with cloud security firm Adallom.

The threat was disclosed in a research paper published on the website of the OpenSSL Project, which develops the most widely used type of SSL encryption software.

Rumors of a bug in SSL software had been circulating in recent days, prompting some security professionals to prepare for a major new threat this week.

Ivan Ristic, director of application security research with Qualys, said "Poodle" was not as serious as the previous threats because the attack was "quite complicated," requiring hackers to have privileged access to networks.

Jeff Moss, a cyber adviser to the U.S. Department of Homeland Security, said attackers would need to launch a "man-in-the-middle" attack, placing themselves between victims and websites using approaches such as creating rogue WiFi "hotspots" in Internet cafes.

Google suggested a technical workaround to secure web servers, but added on its blog that it hopes to eventually remove support for SSL 3.0 from all client software.

Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, to be released on Nov. 25. (mzl.la/1DaxOwY).

"SSL version 3.0 is no longer secure," Mozilla said on its blog. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."

Microsoft Corp issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.

Representatives with Apple Inc could not be reached. An Oracle Corp spokeswoman had no immediate comment. Matthew Green, an assistant research professor of computer science at Johns Hopkins University said that disabling SSL 3.0 can be difficult for some computer users.
"It's not going to take out the infrastructure of the Internet. But it's going to be a hassle to fix," Green said.

« Two weeks to save your computer from major cyber attack
Newsletters »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Censornet

Censornet

Censornet's autonomous, integrated cloud security gives mid-market organisations the confidence and control of enterprise-grade cyber protection.

Untangle

Untangle

Untangle provides network security products designed specifically for the below-enterprise market, safeguarding businesses, home offices, nonprofits, schools and governmental organizations.

Cryptsoft

Cryptsoft

Cryptsoft provides key management and security software development toolkits based around open standards such as OASIS KMIP and PKCS#11.

National Digital Exploitation Centre (NDEC) - United Kingdom

National Digital Exploitation Centre (NDEC) - United Kingdom

NDEC is a project to create a centre of cyber and digital development and education for the UK. It will offer training in digital practices, cyber security and research.

Cybercrime Support Network (CSN)

Cybercrime Support Network (CSN)

CSN is a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime.

Caulis

Caulis

Caulis FraudAlert is a cyber security solution. It can detect fraud and identity theft based on users’ online behaviour.

Cytelligence

Cytelligence

Cytelligence is a cyber security consulting company with deep expertise in Cyber Breach Response, Cyber Breach Investigations, and Digital Forensics.

SecZetta

SecZetta

SecZetta provides third-party identity risk solutions that are easy to use, and purpose built to help organizations execute risk-based identity access and lifecycle strategies.

HEQA Security

HEQA Security

HEQA Security (formerly QuantLR) offer the world’s most cost-effective, easy-to-integrate, and secure Quantum Key Distribution (QKD) solution

Prelude Research

Prelude Research

Prelude offer the first autonomous platform built to attack, defend and train critical assets through continuous red-teaming.

Descope

Descope

Descope is a service that helps every developer build secure, frictionless authentication and user journeys for any application.

Space Hellas

Space Hellas

Space Hellas is a dynamic, established System Integrator and Value Added Solutions Provider, holding a leading position in the high technology arena.

Global Resilience Federation (GRF)

Global Resilience Federation (GRF)

GRF builds, develops and connects security information sharing communities for mutual defense.

Cybersecurity Elastic Laboratory (CEL)

Cybersecurity Elastic Laboratory (CEL)

CEL specialize in providing top-tier services in vulnerability diagnosis and penetration testing, offering a comprehensive suite of solutions to mitigate cyber risks.

VCI Global

VCI Global

VCI Global is a diversified holding company. Through its subsidiaries, it focuses on consulting, fintech, AI, robotics, and cybersecurity.

Aurva

Aurva

Aurva are a team of engineers, product thinkers, and security minds who believe that data security should be simple, powerful, and built for speed.