BEASTly POODLEs

There have been a number of vulnerabilities detected in various security protocols over the past year or two including BEAST Attack, Heartbleed Bug and POODLE Attack.  At least 2/3 of these have names that give some indication of their severity and the remaining 1/3 leaves you with a rather interesting visual image.  But be ye not distracted by the names - they are all things that need to be addressed in various ways.

Information about the Browser Exploit Against SSL/TLS (BEAST) Attack was released in September 2011 and involved attacking the lack of security in particular implementations of TLS 1.0 traffic.  This vulnerability has been pretty much mitigated today (Dec, 2014), however there are still some older, non-updated systems out there that are vulnerable to this attack.  The table below lists the earliest version of the products that have mitigated the BEAST Attack (and yes, Apple took an inordinately long time to patch for this vulnerability):

Apple iOS	iOS 7.0
Apple OS-X	OS-X 10.9 (Mavericks)
Google Chrome	Version 16
Microsoft Windows	MS12-006 on Windows 7/Server 2008 R2 and older
Mozilla Firefox	Version 10

Following on from the BEAST Attack were the CRIME and BREACH attacks which, too, have been mitigated in current browsers and are a low-grade threat at worst these days.

The Heartbleed bug, publicly announced in April, 2014, affected anything running OpenSSL.  The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.  Yup, it is pretty nasty but this, too, is pretty much completely mitigated by the various vendors using this code.

For an easy to understand explanation of the Heartbleed bug, have a read of this XKCD comic.  To see if your website is affected by the Heartbleed bug, have a look at https://lastpass.com/heartbleed/ (Heartbleed bug only) and https://www.ssllabs.com/ssltest/index.html (Heartbleed and more).  Any site that you go to that uses the "https" protocol can be checked to ensure it is running a version of OpenSSL that is not vulnerable to this attack.  If the site *still* has not been updated, I'd suggest speaking with the vendor, outing them in social media and removing your account and changing any passwords and/or information that was stored in that site.

And now we come to what at first glance may be the fluffiest of all these vulnerabilities - the POODLE Attack.  Basically, there's the ability in browsers to request a lower level of security from the server if the browser doesn't support the version the server prefers.  This is called a security renegotation.  The POODLE Attack uses a recently discovered flaw in the now obsoleted and in the process of fast becoming deprecated SSL 3.0 protocol mixed with a renegotiation attack (forcing the server to drop from TLS 1.x to SSL 3.0).  The simple fix is to disable SSL 3.0 on all your web servers, however there are still some applications that use SSL 3.0 (again, speak with the vendor, expose in social media and seriously question your continued trusting of a vendor using 18 year old technology that's been superseded 3 times).

To read more on the POODLE Attack and how to ensure you're doing everything you can to protect against it, have a read of https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/ and then go to https://www.poodlescan.com/ and https://www.ssllabs.com/ssltest/index.html to confirm your server mitigations have been invoked.  There's also a funky little tool from Nartac Software called IISCrypto that can help you properly configure your Windows IIS to mitigate against POODLE and other vulnerabilities.

The table below lists the earliest version of the products that have mitigated the POODLE Attack:

Apple iOS	iOS 8.1
Apple OS-X	OS-X Security Update 2014-005 (Mavericks & Mountain Lion)
Google Android	Chrome - still waiting
Google Android	Samsung Browser - still waiting
Google Chrome	Version 39
Microsoft Windows	Temporary Fix it released, also shows Group Policy fix
Mozilla Firefox	Version 34

If you want to see if your client (browser) is susceptible to the POODLE Attack, go to https://www.poodletest.com/.  If your browser is vulnerable, don't trust it to keep your data secure.


Regards,

The Outspoken Wookie