The Poodle computer bug: The what, how, and why for business
By now you’ve probably heard of a new computer bug called Poodle. Sure, the name is adorable. (It really stands for the far less cute “Padding Oracle On Downgraded Legacy Encryption.”) It was discovered by Google researchers two months ago. And, most importantly, cyber security researchers have determined that it’s less serious than the Heartbleed (from April) and Shellshock/Bash (from September) bugs.
But “less” is a relative term. The flaw demands a fix.
What you can do about it
Here’s the download if you’re willing to get a bit technical. If the web browsers on your machines still support the long since deprecated encryption protocol Secure Sockets Layer (SSL) 3.0, which is intended to securely connect computers and web servers, disable it yourself. It’s 15 years out of date.
As for which browsers: If you’re using Google Chrome version 40, you’re in good shape—SSL 3.0 is disabled by default. Mozilla will disable the protocol by default in the next version of its browser, Firefox 34, which is due later this month. All versions of Microsoft’s Internet Explorer support SSL 3.0; that support needs to be disabled through the Options menu. And as for Apple’s Safari, the company’s security update 2014-005 mitigates the vulnerability while still allowing SSL 3.0.
Until you deactivate SSL 3.0, you might want to avoid connecting to public Wi-Fi networks. Otherwise sophisticated attackers occupying a privileged position on your network may be able to intercept your data, steal your passwords and browser cookies, and masquerade as you on websites, allowing them to hijack your accounts.
“In terms of security, when a protocol becomes deprecated that’s about the time you say we need to get off this and get off this soon,” says Waylon Grange, a senior malware researcher at Blue Coat, a Sunnyvale, Calif. cyber security firm. “It means a vulnerability or weakness has been found and people know it can be attacked.”
In the world of encryption, a newer, more secure protocol, Transport Layer Security (TLS) 1.0, replaced SSL 3.0 in 1999. Since then, there have been two updates—TLS 1.1 in 2006 and TLS 1.2 in 2008. Another, TLS 1.3, is in the works.
“This is almost four versions now,” Grange adds, “at some point you need to say, ‘Let’s move up.’”
How we got here
Some businesses may not wish to retire older protocols like SSL 3.0 since they want to ensure they can connect with every last potential customer. That means accommodating people who have not updated their browsers in eight years, when Internet Explorer 7 enabled TLS 1.0 support by default. “Do you really want those guys still on your networks?” Grange asks, noting that their machines are likely vulnerable to a host of other flaws—and adding that SSL 3.0 transactions represent less than one percent of all web traffic.
“If a machine is vulnerable with this, it’s likely to have other vulnerabilities because it’s that old,” Grange says. “It’s putting your whole network at risk because of this ancient technology.”
Then again, retaining older protocols like SSL 3.0 also provides a fallback option for browsers should connection attempts by newer protocols not work, for whatever reason—an if-all-else-fails approach. The problem is that savvy hackers can sit on a network, scramble communications, and frustrate a machine’s attempts to connect with a server, forcing it to fall back on an outdated protocol. The hackers perpetuating this type of attacks, referred to as man-in-the-middle, can then implement Poodle and steadily decrypt transacted sensitive information.
Hugh Thompson, chief security strategist at Blue Coat, says companies should retire SSL 3.0 as soon as possible, even if they’re unsure what old devices relying on it may still be connected to their networks. If a browser embedded in a printer has no update option, “it may just be time to get rid of that printer,” he says.
Forgotten, outdated devices are bound to have issues, he says. “Almost certainly something will stop working.” Nevertheless, “You should definitely deprecate it,” he says. “It’s definitely worth it.”
What to take away from the incident
Disabling SSL 3.0 is not the only lesson to be learned from Poodle. Consider the bigger picture: In the past year, three high-profile bugs have rocked the business world.
In April, the web was hit by Heartbleed, a frighteningly pervasive encryption vulnerability. Five months later we were shocked by Shellshock, a slightly less worrisome bug (because it poses more of a technical challenge to hackers) yet one that bore grave implications (like the ability of a hacker to take over machines). Now we have Poodle—and more bugs are bound to surface.
As Internet companies begin to encrypt more traffic across the web, attackers are going to become even more interested in finding cryptographic weaknesses. Businesses must learn to cope, Thompson says.
“If you thought Heartbleed was the equivalent of a meteorite hitting a data center,” Thompson says, “you would do everything you could to clean up from the meteorite. But you wouldn’t have set up some big meteorite cleaning processes. These three signal that this is not a rare event. If that’s the case, there is a need to be able to build up a set of competencies around failure.”
That means putting in place agile response teams, building network forensic capabilities and updating to new versions of software and protocols in a timely manner. It’s a matter of setting up the right processes and practicing good network hygiene, Thompson says. There is no excuse to be caught unaware–especially if, in the end, it appears your company is more concerned with backward compatibility than security.
Next, read: “How Home Depot CEO Frank Blake kept his legacy from being hacked” by Jennifer Reingold.