Beware Poodle Bug!

Three Google researchers have uncovered a security bug in widely used web encryption technology that they say could allow hackers to take over accounts for email, banking and other services in what they have dubbed a "Poodle" attack.

The discovery of "Poodle," which stands for Padding Oracle On Downloaded Legacy Encryption, prompted makers of web browsers and server software to advise users on Tuesday to disable use of the source of the security bug: an 18-year old encryption standard known as SSL 3.0.
It was the third time this year that researchers have uncovered a vulnerability in widely used web technology, following April's "Heartbleed" bug in OpenSSL and last month's "Shellshock" bug in a piece of Unix software known as Bash.

It is the third time this year that researchers have uncovered a "Heartbleed" bug and last month's "Shellshock" bug.

Security experts said that hackers could steal browser "cookies" in "Poodle" attacks, potentially taking control of email, banking and social networking accounts. Even so, experts said the threat was not as serious as the two prior bugs.

"If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6," said Tal Klein, vice president with cloud security firm Adallom.

The threat was disclosed in a research paper published on the website of the OpenSSL Project, which develops the most widely used type of SSL encryption software.

Rumors of a bug in SSL software had been circulating in recent days, prompting some security professionals to prepare for a major new threat this week.

Ivan Ristic, director of application security research with Qualys, said "Poodle" was not as serious as the previous threats because the attack was "quite complicated," requiring hackers to have privileged access to networks.

Jeff Moss, a cyber adviser to the U.S. Department of Homeland Security, said attackers would need to launch a "man-in-the-middle" attack, placing themselves between victims and websites using approaches such as creating rogue WiFi "hotspots" in Internet cafes.

Google suggested a technical workaround to secure web servers, but added on its blog that it hopes to eventually remove support for SSL 3.0 from all client software.

Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, to be released on Nov. 25. (mzl.la/1DaxOwY).

"SSL version 3.0 is no longer secure," Mozilla said on its blog. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."

Microsoft Corp issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.

Representatives with Apple Inc could not be reached. An Oracle Corp spokeswoman had no immediate comment. Matthew Green, an assistant research professor of computer science at Johns Hopkins University said that disabling SSL 3.0 can be difficult for some computer users.
"It's not going to take out the infrastructure of the Internet. But it's going to be a hassle to fix," Green said.

« Two weeks to save your computer from major cyber attack
Newsletters »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

SSH Communications Security

SSH Communications Security

SSH Communications Security is a leading provider of enterprise cybersecurity solutions for controlling trusted access to information systems and data.

Okta

Okta

Okta is an enterprise-grade identity management service, built from the ground up in the cloud to address the challenges of a cloud-mobile-interconnected world.

Hotlava Systems

Hotlava Systems

HotLava network adapters enable today's powerful servers and workstations to deliver more productivity by reducing congestion at the network interface.

Experian

Experian

Experian provide software solutions to help organizations prevent identity fraud and crime.

Ingenio Global

Ingenio Global

Ingenio is a specialist recruitment business for SaaS companies. Our purpose is to source exceptional talent in areas including cyber security for leading SaaS companies in the UK and Ireland.

Sixgill

Sixgill

Sixgill, an IoT sensor platform company, builds the universal data service and smart process automation software allowing any organization to effectively govern its IoE assets.

Converge Technology Solutions

Converge Technology Solutions

Converge Technology Solutions Corp. is a North American IT solution provider delivering advanced analytics, cloud, cybersecurity, and managed services solutions.

InfoLock

InfoLock

Infolock are experts in data governance, providing consulting and advisory services that help organizations effectively secure, manage, and optimize their data.

CyberSheath Services International

CyberSheath Services International

CyberSheath integrates your compliance and threat mitigation efforts and eliminates redundant security practices that don’t improve and in fact might probably weaken your security posture.

Ridge Canada Cyber Solutions

Ridge Canada Cyber Solutions

Ridge Canada helps insurance brokers and insurance buyers understand, evaluate, and secure cyber coverage that is tailored to their business.

Hayes Connor Solicitors

Hayes Connor Solicitors

Hayes Connor Solicitors is a specialist data breach and cybercrime law firm. We act for clients on individual data breaches and also where a group has been compromised as part of a targeted attack.

CrossCountry Consulting

CrossCountry Consulting

CrossCountry Consulting is a trusted business advisory firm that provides customized finance, accounting, human capital management, risk, operations and technology consulting services.

Emtec

Emtec

Emtec’s cyber security team provides advisory, assessment, & managed security services that help you build the cyber security policies, toolsets & best practices to elevate your cyber security posture

Paragon Cyber Solutions

Paragon Cyber Solutions

Paragon Cyber Solutions provides specialized security risk management and IT solutions to protect the integrity of your business operations.

Var Group

Var Group

Var Group is one of the main partners for innovation in the ICT sector in Italy.

Codezero Technologies

Codezero Technologies

Codezero is at the forefront of microservices development, employing an identity-aware overlay network that delivers zero-trust security to DevOps.