Poodles and Shellshocks
We’re getting used to hearing about security bugs these days, but recent examples have really given businesses reason to worry.
There has hardly been time for the headlines about “Shellshock” to die down before the latest threat called “Poodle” was uncovered by researchers.
The Poodle bug resides in an older encryption standard known as SSL 3.0 and could allow hackers to take over accounts for email, banking and other services. Users have been advised to disable SSL 3.0 in browsers and server software to safeguard against a potential Poodle attack.
Poodle is the third major vulnerability found this year in commonly used web technology following April’s “Heartbleed” bug in OpenSSL and last month’s “Shellshock” bug in a piece of Unix software called Bash.
Comparisons are understandably being drawn with Heartbleed, a monster many firms had to deal with earlier in the year, but in practice each vulnerability represents a different type of threat, and each requires specific actions to ensure protection.
Heartbleed was a vulnerability in the encryption software used by servers; it gave hackers the chance to get hold of sensitive information. Bad? Definitely. As bad as Shellshock? Not quite. Shellshock gave the cyber-criminal so much more power. In effect, it could be used to take complete remote control of a device or system, both in businesses and in homes. Poodle enables cookies to be stolen, which could then be used to gain unauthorised access to other systems by using the credentials stored in the cookies.
Security updates and patches must be applied as soon as they become available and most of the browser makers are promising to disable SSL 3.0 in their next releases, but right now, the advice is to manually disable it.
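As an added example that is not part of the original post, here is what "manually disable SSL 3.0" looks like on an nginx server. It assumes an nginx TLS server block; the server name and certificate paths are placeholders, not values from the post. The commented-out directive shows the weak setting, the live directive the corrected one.

```nginx
# Added example (not the post's own configuration). Placeholders throughout.

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    ssl_certificate     /etc/ssl/certs/example.pem;       # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;     # placeholder path

    # BEFORE (vulnerable to Poodle): SSLv3 is still offered, so a client
    # that fails to negotiate TLS can be pushed down to it.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # AFTER: SSLv3 removed. The 2014 advice only required dropping SSLv3;
    # a current deployment also drops TLS 1.0 and 1.1, as shown here.
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

Run `nginx -t` to validate the file and then reload the service. On Apache the equivalent directive is `SSLProtocol all -SSLv3`. To confirm the change took effect, connect to your own server with an OpenSSL build that still includes SSLv3 support using `openssl s_client -connect host:443 -ssl3`: the handshake should now fail.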
As these vulnerabilities become more commonplace, the ability to safeguard your IT quickly becomes ever more important. Systems should be monitored and assessed regularly, and any change in behaviour should be taken seriously.