Why I'm not FREAKing Out Over HEARTBLEEDing POODLE
There have been a number of online vulnerabilities discovered recently, which affect the secure traffic between a web browser and web server. And it seems to be the current fashion in security circles to give these bugs a catchy name.
Where once bugs like this were given CVE numbers (Common Vulnerabilities and Exposures, a central list of all the security flaws in common operating systems and applications), they are now given media friendly names.
In the past, CVE-2014-3566 would have been only known to IT departments and security researchers, and yet now the whole world now knows this as POODLE. CVE-2014-0160 (HEARTBLEED) went one further and got itself a catchy logo:
So how do all of these vulnerabilities affect me?
Well to be honest, in most cases, they don’t…
HeartBleed (lets dispense with the caps, it just looks like I’m shouting), allows an attacker to read a random small amount of memory from a server if it uses a specific encryption application. There is no guarantee that that small amount of memory will contain anything useful; it’s almost totally random.
The chances of an attacker receiving critical information are only significant on a very highly used server, the sort that has a dedicated security team to remedy issues like this as soon as they are discovered.
Poodle is a bug whereby an attacker that can intercept the traffic between you and a secure site can force the encryption to be lowered to a point where it can be broken.
Let me just repeat the major point in that sentence “an attacker that can intercept the traffic between you and a secure site”. If an attacker can intercept the traffic between you and a secure site, it’s already Game Over. They can do a million and one things without needing to rely on Poodle to break into your secure traffic.
A “friend” of mine recently successfully used an Android tablet to re-route all internet traffic on a wireless network, replacing all the pictures on any website with images of cute cuddly kittens…for research purposes of course…
Freak, the latest media hyped bug, is a similar animal. It allows an attacker that can intercept your traffic (a so called ‘Man in the Middle’ attack) to force the connection to an older, less secure encryption system, and break it with ease.
So given that the main issue is not the actual vulnerability you see in the media, but someone controlling your network connection, what can you do?
1. Only connect to networks you trust. Home, work and your mobile connection are almost certainly ok (but see Paul Burns' blog 'The Importance of Closing the Front Gate' to see why you should still take precautions). That Wi-Fi access point announcing itself as “FREE INTERNET” that you can see at the local Starbucks, but is obviously not the coffee shop access point, is probably not safe.
2. Use a VPN (Virtual Private Network) where possible, and ensure it uses the latest encryption methods. Sophos UTM (Unified Threat Management) gives you complete security from the network to the endpoint within a single appliance that includes firewall, VPN, IPS, Wi-Fi, web filtering and application control. Because you can control this extra layer of encryption, you can ensure it is up to date and not vulnerable to any public exploit.
3. Consider using something like TSG SystemCare which ensures that your PCs and servers are patched against HEARTBLEEDing FREAK POODLES. I know I said they aren’t the main issue, but it never hurts to make sure.