Customer Alert: POODLE Vulnerability

October 16th, 2014 | Uncategorized

On October 14, 2014, three Google researchers announced the details of a vulnerability in the design of SSL version 3 named POODLE (Padding Oracle On Downgraded Legacy Encryption). The vulnerability affects all implementations of the SSLv3.0 protocol, but not the newer encryption mechanism, TLS (Transport Layer Security). Under the right conditions, POODLE would allow a cyber-criminal to hijack and decrypt the session cookie that identifies your browser to a service, and then take control of your accounts without needing your password. POODLE is considered less severe than Heartbleed and Shellshock, since to exploit it the victim's browser must be running JavaScript and the attacker has to be on the same network as the victim.

Secure Sockets Layer (SSL) protocol is primarily used to encrypt traffic between a browser and website.

Google’s security team has recommended that businesses disable SSLv3.0 immediately and use TLS 1.1 or 1.2 in order to avoid the problem. As an individual, you should disable SSLv3.0 in your browser immediately to protect yourself when visiting websites that still support it. There is currently no patch for this: SSLv3.0 is considered to have reached the end of its useful life and should be retired.

CSID has disabled SSLv3.0 across all of our network traffic. We strongly advise CSID customers to take similar action: immediately disable SSLv3.0 in your environments and use an alternative encryption mechanism.
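To help check that SSLv3.0 is actually gone from a web tier, here is an added audit script for nginx `ssl_protocols` and Apache `SSLProtocol` directives; it is not CSID's or Google's code. The sample config text is constructed, and it assumes Apache 2.4 with OpenSSL 1.0.1 or later, where the mod_ssl keyword `all` expands to SSLv3 plus TLS 1.0, 1.1 and 1.2.

```python
"""Audit nginx / Apache protocol directives for SSLv3 (added example)."""
import re

# Assumption: Apache 2.4 on OpenSSL 1.0.1+, where mod_ssl's "all" means
# SSLv3 plus TLS 1.0, 1.1 and 1.2.
APACHE_ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

# Canonical spellings so "sslv3" and "SSLv3" compare equal.
CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2", "TLSv1.3"}}

def apache_protocols(value):
    """Evaluate an Apache `SSLProtocol` value such as "all -SSLv2 -SSLv3".
    Tokens apply left to right: "name" or "+name" enables, "-name" disables,
    and "all" stands for every version in APACHE_ALL."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled

def nginx_protocols(value):
    """nginx `ssl_protocols` simply lists the versions that are enabled."""
    return {CANON.get(t.lower(), t) for t in value.rstrip(";").split()}

def find_sslv3(config_text):
    """Return (line number, directive) for every protocol directive in the
    config text that still leaves SSLv3 enabled."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*(SSLProtocol|ssl_protocols)\s+(.+)", line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2).strip()
        enabled = apache_protocols(value) if directive == "SSLProtocol" else nginx_protocols(value)
        if "SSLv3" in enabled:
            findings.append((no, line.strip()))
    return findings

# Constructed snippets: each weak setting is followed by its corrected form.
SAMPLE_CONFIG = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    for no, text in find_sslv3(SAMPLE_CONFIG):
        print(f"line {no}: SSLv3 still enabled -> {text}")
```

Running it against the sample reports lines 1 and 3; the same functions can be pointed at a real `httpd.conf` or `nginx.conf` read from disk.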

For more information on the POODLE vulnerability, visit the Red Hat Security Blog.

Customer Alert: Heartbleed SSL Vulnerability

April 9th, 2014 | Uncategorized

On the morning of April 8, 2014, the OpenSSL community revealed a security vulnerability in recent versions of the OpenSSL software. Dubbed Heartbleed, the vulnerability poses a serious security concern because cyber criminals could exploit the vulnerability to expose site users’ Personally Identifiable Information (PII).

What does this mean, exactly?

OpenSSL is an open-source encryption technology used by approximately 75% of web servers. This technology safeguards site visitors who are sharing PII and financial information to make a transaction. Sites that employ OpenSSL are typically indicated with a lock icon and live at an HTTPS address. In other words, an OpenSSL site may be at the core of your business, and you probably use sites that incorporate this technology daily.

How do I mitigate risk?

The only way for businesses to avoid Heartbleed is to upgrade their site with the latest, patched version of the OpenSSL software, which addresses the vulnerability.

CSID customers should be assured that CSID has done this to its servers, and strongly recommends that they take the same action and immediately renew their SSL Certificates used with CSID services. As an additional security precaution and due to the breadth of this vulnerability, CSID joins other security professionals in recommending that businesses patch any instances of OpenSSL in their environments, and renew any SSL certificates immediately.

Further details surrounding the Heartbleed vulnerability and its disclosure can be found here.
