Beware Poodle Bug!

Three Google researchers have uncovered a security bug in widely used web encryption technology that they say could allow hackers to take over accounts for email, banking and other services in what they have dubbed a "Poodle" attack.

The discovery of "Poodle," which stands for Padding Oracle On Downloaded Legacy Encryption, prompted makers of web browsers and server software to advise users on Tuesday to disable use of the source of the security bug: an 18-year old encryption standard known as SSL 3.0.
It was the third time this year that researchers have uncovered a vulnerability in widely used web technology, following April's "Heartbleed" bug in OpenSSL and last month's "Shellshock" bug in a piece of Unix software known as Bash.

It is the third time this year that researchers have uncovered a "Heartbleed" bug and last month's "Shellshock" bug.

Security experts said that hackers could steal browser "cookies" in "Poodle" attacks, potentially taking control of email, banking and social networking accounts. Even so, experts said the threat was not as serious as the two prior bugs.

"If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6," said Tal Klein, vice president with cloud security firm Adallom.

The threat was disclosed in a research paper published on the website of the OpenSSL Project, which develops the most widely used type of SSL encryption software.

Rumors of a bug in SSL software had been circulating in recent days, prompting some security professionals to prepare for a major new threat this week.

Ivan Ristic, director of application security research with Qualys, said "Poodle" was not as serious as the previous threats because the attack was "quite complicated," requiring hackers to have privileged access to networks.

Jeff Moss, a cyber adviser to the U.S. Department of Homeland Security, said attackers would need to launch a "man-in-the-middle" attack, placing themselves between victims and websites using approaches such as creating rogue WiFi "hotspots" in Internet cafes.

Google suggested a technical workaround to secure web servers, but added on its blog that it hopes to eventually remove support for SSL 3.0 from all client software.

Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, to be released on Nov. 25. (mzl.la/1DaxOwY).

"SSL version 3.0 is no longer secure," Mozilla said on its blog. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."

Microsoft Corp issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.

Representatives with Apple Inc could not be reached. An Oracle Corp spokeswoman had no immediate comment. Matthew Green, an assistant research professor of computer science at Johns Hopkins University said that disabling SSL 3.0 can be difficult for some computer users.
"It's not going to take out the infrastructure of the Internet. But it's going to be a hassle to fix," Green said.

« Two weeks to save your computer from major cyber attack
Newsletters »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

Coro Cybersecurity

Coro Cybersecurity

Coro (formerly Coronet) empowers organizations to protect against malware, ransomware, phishing, and botnets - across devices, users, and cloud applications.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

InPhySec

InPhySec

InPhySec is a leading New Zealand information, physical and cyber security company.

Sky Data Vault

Sky Data Vault

Sky Data Vault provide the simplest and most cost effective method of Disaster Recovery / Business Continuity for mission critical systems and applications.

Ecubel

Ecubel

Ecubel is the market leader in Belgium in buying and selling used IT harware guaranteed by a certified data erasure.

Caveonix

Caveonix

Caveonix’s RiskForesight TM solution is an automated, proactive risk and compliance platform designed for hybrid and multi-cloud.

Q-Net Security

Q-Net Security

Protect your critical networks. Q-Net Security make hardware that provides the strongest drop-in security for your existing critical infrastructure.

NetApp Excellerator

NetApp Excellerator

NetApp Excellerator is NetApp’s global start-up program that aims to fuel innovation by partnering with deep-tech start-ups.

Axio Global

Axio Global

Axio is a leading cyber risk management SaaS company. Our Axio360 platform gives companies visibility to their cyber risk, and enables them to prioritize investments to protect their business.

SoloKeys

SoloKeys

SoloKeys provides the first open-source FIDO2 security key: Protect your online accounts against unauthorized access by using the most secure login method.

Hyperproof

Hyperproof

Hyperproof is a cloud-based compliance operations software. Launch new programs immediately, collect evidence automatically, and manage a compliance program intelligently.

Cider Security

Cider Security

Cider Security - It’s time to revolutionize the way Security, Dev and DevOps teams work together to supercharge security at the speed of engineering.

Utimaco

Utimaco

UTIMACO develops on-premises and cloud-based hardware security modules, solutions for key management, data protection and identity management as well as data intelligence solutions.

Cybertech Nepal

Cybertech Nepal

Cybertech Nepal is committed to provide high-quality cyber security solutions, including server assessment and hardening, forensics and malware analysis, end-point threat analysis, and VAPT.

Dedagroup (Deda)

Dedagroup (Deda)

Dedagroup provide application solutions and IT services to bring innovation at the core of business processes.