Tag Archives: Security

POODLE? What the heck is POODLE?

Thought I’d take a few moments and talk about the latest Internet-wide vulnerability called, of all things, POODLE.

But first a little background. Back when the Internet was first created, there was no security. None. Everyone trusted everyone else and the idea that they’d need to keep things secure wasn’t an issue. That worked fine when it was just a couple of universities and a few defense contractors. But the Internet grew and the users connected to it became diverse. And by “diverse” I mean filled with both good and bad guys.

Perhaps you’d expect the folks who created the Internet would go back to the drawing board and redesign things with security built in, but that’s not how those guys think. The Internet was designed to be as simple as possible. If you needed something more than just the ability to move bits from one place to another, you had to create a layer on top of the existing network that did what you needed. That’s why there are things like HTTP (the basis of the World Wide Web): it handles all the special things you need to display web pages that aren’t already there.

The software that the Internet runs on is called TCP/IP. It stands for Transmission Control Protocol/Internet Protocol. TCP handles things like making sure the bits you send somewhere actually get there and in the right order while IP helps tie together different smaller networks so they all seem like one big network. TCP/IP doesn’t care if your bits are from a web page or an email or an MP3 file, it just makes sure it gets to where it’s supposed to go.

That’s why if you want to do cool things like the WWW or email, you have to add software to do it that works with TCP/IP. That’s why if you want to send those bits in a way that no one but your intended recipient can read, you need to add a security layer to TCP/IP. The first attempt to do that is called Secure Sockets Layer or SSL.

SSL uses encryption to achieve that security. And that’s what’s wrong with it and why POODLE is in the news. SSL has gone through three revisions. Version 1 was never really used, version 2 was for a while but it was quickly replaced by version 3. Version 3 hung in there for years but you have to understand that it was designed in the 1990s. The encryption it uses is easily broken. That makes it unsafe to use and it was replaced by Transport Layer Security, or TLS.

TLS has much better encryption, although it’s had to go through multiple versions as well to keep up. Pretty much every computer and operating system supports TLS so you’d think the problem would be gone. Well, you’d think that but unfortunately, many systems still support SSL version 3 as a backup in case something happens with TLS. So instead of getting an error about not being able to securely connect, your computer quietly drops into what is an effectively insecure connection without telling you. So you think you’re secure, but you’re not.

What’s worse, a bad guy can listen in to connections being made and interfere in such a way to force this drop into SSLv3 and read your communications (sometimes called a Man-in-the-Middle attack). All of this is possible because most computers and servers still support SSLv3 “just in case”. Sure it’s broken and not secure but hey, you never know.

POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, is the official name for that attack. It’s been around for a very long time and really knowing if anyone’s used it or not is difficult. Security folks take the easy route and assume it has. Still, it’s possible to defend against it for the most part.

The majority of network traffic is probably the result of your web browser. Luckily, browsers like Firefox and Internet Explorer can have SSLv3 shut off entirely right now. Both browsers will have new versions with SSLv3 removed eventually so you should look for those updates. Chrome does not allow you to turn SSLv3 off from its settings menu so it will require a new version.

Since so many servers still support SSLv3, they will have to be updated as well. Google is proposing a change for servers to implement but it remains to be seen if everyone is going to use that or adopt something else. The good news is you don’t have to wait as long as you can turn SSLv3 off in your computer/smartphone/tablet etc.
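To make the server side of this concrete, here is an added example (not code from the post or from any real server) of a handshake policy that refuses SSLv3 outright and also refuses a client that was pushed down to an older version. It assumes the server change mentioned above is the downgrade-signalling value TLS_FALLBACK_SCSV (RFC 7507); the version limits, function names and sample ClientHello messages are constructed for illustration.

```python
import struct

SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303
TLS_FALLBACK_SCSV = 0x5600      # RFC 7507 signalling cipher suite value
SERVER_MIN = TLS10              # assumed policy: SSLv3 is switched off
SERVER_MAX = TLS12              # assumed: highest version this server speaks

def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suite_ids) from one TLS handshake record."""
    if len(record) < 5:
        raise ValueError("short record")
    rec_type, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    body = record[5:5 + rec_len]
    if rec_type != 0x16 or len(body) != rec_len or rec_len < 39 or body[0] != 1:
        raise ValueError("not a complete ClientHello record")
    (version,) = struct.unpack_from("!H", body, 4)   # after type(1)+length(3)
    pos = 4 + 2 + 32                                 # skip version and random
    pos += 1 + body[pos]                             # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher suite list")
    return version, list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos))

def decide(record: bytes) -> str:
    """Server-side policy: refuse SSLv3 and refuse signalled downgrades."""
    version, suites = parse_client_hello(record)
    if version < SERVER_MIN:
        return "alert: protocol_version"         # SSLv3 or older: no fallback
    if TLS_FALLBACK_SCSV in suites and version < SERVER_MAX:
        return "alert: inappropriate_fallback"   # client was pushed downwards
    return "accept"

def build_hello(version: int, suites) -> bytes:
    """Constructed sample ClientHello (zero random, empty session_id)."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, TLS10, len(hs)) + hs

if __name__ == "__main__":
    for v, s in [(TLS12, [0xC02F]), (SSL3, [0x0035]), (TLS10, [0x0035, 0x5600])]:
        print(hex(v), decide(build_hello(v, s)))
```

An old client that genuinely tops out at TLS 1.0 and does not send the fallback value is still accepted; only a retry that admits it is a downgrade gets refused.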

Here are some info links on turning off SSLv3 in various web browsers:

Firefox
Internet Explorer – Note: Only for version 7 and higher. Version 6 does not support TLS and you shouldn’t be using it.
Chrome – Note: More complicated than the other two.

I should note there’s a small probability that if you turn off SSLv3 you might see some connection issues with certain web sites. It won’t be the Googles or Facebooks but more likely smaller sites that haven’t kept up with the times. It’s up to you to decide if viewing them is important enough to turn SSLv3 back on. If you do that, don’t do it while connected to public WiFi. The likelihood of a bad guy who’s looking to take advantage of POODLE also being connected to that access point is quite high.

If you want a nice “ones and zeroes” description of the vulnerability, How POODLE Happened is pretty good.

Former NSA head Keith Alexander is profiting on cybersecurity

Keith Alexander is the former director of the NSA as well as former head of the US Cyber Command, who announced he was going into cybersecurity consulting upon his retirement from the government. Hardly surprising given his background, right? But he also announced that the company he founded will be delivering a new anti-hacker tool based on behavioral models. And also filing for nine patents around technology associated with that tool. This is where things get a little ugly. While it’s possible he came up with this technology on his own and on his own time, it’s far more likely he did so as a result of his employment with the NSA and Cyber Command. Meanwhile, Jason Leopold is suing the NSA for failure to disclose Alexander’s financial information.

Stay tuned, this could get exciting.

What the heck is going on with TrueCrypt?

Yesterday, without warning, the SourceForge page for file and disk encryption package TrueCrypt popped up this message: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”. Discussions on reddit, Metafilter and other sites are full of speculation but nothing definitive. The only version available for download, v7.2, only allows for decrypting of existing archives.

TrueCrypt did a fund raiser for a security audit and the initial review found no backdoors (additional review was in progress).

I will update if I hear anything. I am a TrueCrypt user so this directly affects me.

Hacking Traffic Systems for Fun and Chaos

Ever see one of those traffic information signs along the roadway and wonder how they were updated? At least in some cases they’re connected via a radio link. And you can control them using a remote-controlled drone and some simple hardware.

What’s worse, the manufacturer as well as CERT were made aware and have chosen to take no action. Drive safely.

xkcd explains the Heartbleed bug

Webcomic xkcd does an excellent job of explaining the “Heartbleed” bug:

If you know something about programming, this bug is the result of dynamic memory and lack of bounds checking. It allows the server to return the contents of RAM that may include information like passwords, login ids, etc. that are normally not visible externally. If you’ve recently logged in your information could easily still be in RAM and vulnerable but if you haven’t it’s likely nothing of yours remains. It’s all dependent on whether or not someone has determined a particular server is vulnerable and exploited the bug.
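The missing bounds check can be shown with a toy model. This is an added example, not OpenSSL code: the "memory" is a constructed byte buffer in which the received heartbeat request sits next to unrelated sample data, and all names and values are made up for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE, MIN_PADDING = 1, 2, 16
SECRET = b"user=alice&password=hunter2"        # constructed sample data

def make_request(claimed_len: int, payload: bytes) -> bytes:
    """Heartbeat message: type(1) | payload_length(2) | payload | padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + bytes(MIN_PADDING)

def server_memory(request: bytes) -> bytearray:
    """Toy heap: the received request sits right before unrelated data."""
    return bytearray(request + SECRET + bytes(64))

def respond_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Echoes as many bytes as the message claims, ignoring record_len."""
    _type, claimed = struct.unpack_from("!BH", memory, 0)
    return struct.pack("!BH", HB_RESPONSE, claimed) + bytes(memory[3:3 + claimed])

def respond_fixed(memory: bytearray, record_len: int):
    """Bounds check: the claimed payload must fit inside the received record."""
    if record_len < 3 + MIN_PADDING:
        return None                            # too short to be a heartbeat
    _type, claimed = struct.unpack_from("!BH", memory, 0)
    if 3 + claimed + MIN_PADDING > record_len:
        return None                            # length field lies: drop silently
    return struct.pack("!BH", HB_RESPONSE, claimed) + bytes(memory[3:3 + claimed])

def demo():
    """Run an honest and a lying request through both handlers."""
    honest = make_request(4, b"ping")
    lying = make_request(64, b"ping")          # claims 64 bytes, sends 4
    results = {}
    for name, req in (("honest", honest), ("lying", lying)):
        mem = server_memory(req)
        results[name] = (respond_vulnerable(mem, len(req)),
                         respond_fixed(mem, len(req)))
    return results

if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(name, "vulnerable:", vuln[3:], "fixed:", fixed)
```

The only difference between the two handlers is the comparison of the claimed length against the number of bytes that actually arrived.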

So what should you do? First, check this list on Mashable. If there’s a site you use frequently and it’s marked as vulnerable, change your password now. Otherwise, you can probably take your time but still change it. Consider using a password manager like 1Password or LastPass to make creating and managing passwords easier. Turn on multi-factor authentication where available. Also consider a personal password expiration policy. Yes, I know it’s a pain but if you use a password manager generating a new password is painless.

Security isn’t a “set it and forget it” thing, it’s an ongoing process.

Nest’s smoke alarm stumble (and creepy capability)

I’ll be honest, I haven’t been paying much attention to the Nest smoke alarm because, like its thermostat, it solves a problem I don’t have. But a lot of people have been attracted to the devices because of their emphasis on design and user interface. After all, Google didn’t buy the company because it wanted to get into the thermostat business.

Unfortunately, in the case of the smoke alarm that emphasis might have blinded them to more practical matters. The alarm was designed to be silenced when you wave your hands underneath it, thus eliminating that annoying issue that often crops up when you’re cooking something that gives off even a little bit of smoke. But Nest forgot something pretty important, people have a tendency to wave their arms around when there’s a real fire. To their credit they’ve temporarily halted sales while they investigate. But now here comes the creepy part.

They remotely turned off the hand waving sensing on any alarm connected to the Internet via WiFi. In other words, Nest (and now Google) has the ability to control your smoke alarm without your knowledge. Sure, this is a situation where doing so makes perfect sense, but as I’ve often said if Nest can access your smoke alarm over the Internet, someone else can as well.

NSA can bridge the air gap

You have to admit the NSA is nothing but thorough. We all know they’re grabbing data from the Internet and cell networks and while that might lead you to believe you’re safe if you’re not actually connected to a network, you’d be wrong. Very wrong. The NSA has spy devices with built-in radios that can send data from unconnected computers to listening stations miles away. While this requires physical access to the computer, once installed they are undetectable unless you’re looking for an RF signal. They claim to only be using this technology against foreign targets but at this point does anyone believe them?