Three Google researchers have discovered a new security flaw, dubbed “Poodle”, which could allow hackers to read in plain text user information that should be encrypted. Information at risk includes email, banking and other widely used services.
This is the third time in 2014 that a major vulnerability in web technology has been discovered, following the discovery of the “Heartbleed” bug in OpenSSL and the “Shellshock” bug in a piece of Unix software known as Bash.
Experts have suggested that this particular vulnerability is not as serious as the previous bugs, and so far no hacker has made use of the vulnerability to compromise an account. However, this does not mean that precautions should not be put in place to prevent any issues.
Poodle stands for Padding Oracle on Downgraded Legacy Encryption and exists in old software that is still often used by web browsers and servers. This highlights the need for well-monitored, up-to-date IT systems and support for businesses, which are generally high-risk targets.
The bug is contained in an 18-year-old encryption standard known as SSL 3.0, which has generally been replaced by TLS (Transport Layer Security). According to an article by the BBC, SSL 3.0 is estimated to be used in around 1% of web traffic.
The bug is not simple for hackers to exploit, as it requires control of the internet connection between the browser and the server; this is possible, for example, when the attacker is within range of an unencrypted Wi-Fi access point. What is more concerning is that hackers could force an internet connection to downgrade to SSL 3.0. If this were to occur, the bug would make it possible for a hacker to steal cookies and gain access to users' information.
Earlier this week, Microsoft issued an advisory suggesting that users disable SSL 3.0 on Windows for servers and PCs; however, it has been advised that this is a job for system administrators. Again, this reinforces the need for an experienced and reputable IT support team to ensure the maximum amount of protection for users and the wider organisation. The most effective way for consumers to stay protected is to use the most up-to-date browser.
For new clients, Eventura offer a comprehensive network and IT security audit to advise organisations where their network can be improved so that they can remain secure.