Poodle or terrier – are your systems safe?

Jun 30, 2015

System security is something that everybody - System admins, end users and everyone in between - should be ever vigilant about – even if you think you are covered, there is always an exception that can catch you out!

The other day I got caught out on my home systems – my server started raising alarms about unusual traffic, and then I got an email from my ISP to the effect that “We have received reports that a machine accessing the internet using your service ... is causing unwanted traffic to be transmitted, such as spam and viruses ... It may be that your equipment has been compromised ... please remediate ... if you fail to do so and the malicious traffic persists ... we may take steps to limit it by suspending your service.” Well, you get the gist. (Come on, own up – who has received these emails before?) This, of course, immediately raised a huge number of “red flags” with me, so I started investigating immediately. My first thought was “Oh no, my son is downloading torrents again,” but the firewall rules I had in place to block torrents were all intact and working. So my son’s internet access was safe for now.

So after analysing my traffic logs and the info from my ISP, it turned out there had been a concerted effort to hack into my remote access server (yes, I am a geek that has multiple workstations, a server or two and other tablets, smartphones and even a “smart” TV or two etc. at home). It turns out the culprit was an SSL attack method known as POODLE (Padding Oracle On Downgraded Legacy Encryption). This, of course, fired off a whole new set of “red flags,” especially as I thought my security was pretty tight, and my email has even been outsourced to an Office 365 account for a long time now.

It turns out that even though I actually had managed to nip this attack in the bud, it also raised a number of security issues – all machines on my network are/were fully patched and totally up to date, firewalls were in place and working correctly etc., but it still managed to get past all that and 2 different Anti-Virus/Anti-Spam systems and start to impact my network. In fact, it was only by diligent traffic monitoring and analysis that it was found and stopped so quickly.

Now POODLE is a man-in-the-middle attack on a known vulnerability in SSL 3.0, first publicised by Google back in October 2014, with Microsoft and others bringing out their own advisories shortly thereafter. It has become so effective purely because so many systems are willing to “fall back” to older, weaker protocols for “backwards compatibility.” (By the way, this particular SSL protocol – now over 18 years old – has been shown to have a number of vulnerabilities, not just POODLE.)

The fix is relatively simple in most cases – stop using SSL 3.0 – but it has to be done on both servers and workstations. SSL 3.0 has not been required for communications for some time now, with the modern default TLS protocols being far more secure. You have been able to turn off SSL 3.0 altogether in Internet Explorer since version 7, and the latest Chrome client does not use SSL 3.0 at all. But for older legacy systems, platforms and programs that depend upon SSL 3.0, there is no fix.

Testing your browsers for this vulnerability is as simple as going to http://www.poodletest.com and seeing whether a picture of a poodle (Vulnerable!) or a terrier (Not Vulnerable!) appears – hence the title of this blog.

There is an excellent and detailed article (including step by step screenshots) on how to disable SSL 3.0 on various browsers such as I.E., Chrome, Firefox and Safari etc. that can be found here.

Qualys SSL Labs have an excellent generic server test site for web accessible servers, and information on how to patch your Windows Servers for the POODLE vulnerability can be found here, with other servers such as Ubuntu servers, Mac servers etc. found here.
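As an added example (my own code, not part of the original post and not what the test sites above run), here is a small Python check of whether a server you administer still completes an SSL 3.0 handshake: it builds a minimal SSL 3.0 ClientHello and classifies the first record that comes back, so the wire-format logic can be exercised offline on the constructed sample replies at the bottom. The function names and the sample cipher suites are my own choices.

```python
import socket
import struct

# Wire-format constants shared by SSL 3.0 and TLS (RFC 6101 / RFC 5246).
SSL3_VERSION = 0x0300
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

def build_sslv3_client_hello(cipher_suites=(0x000A, 0x002F, 0x0035)):
    """Minimal SSL 3.0 ClientHello record: zero client random, empty session
    id, null compression. The suite list is a constructed sample."""
    body = struct.pack("!H", SSL3_VERSION) + b"\x00" * 32 + b"\x00"
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, SSL3_VERSION, len(handshake)) + handshake

def classify_response(data):
    """Classify the first record a server returns to the SSL 3.0 ClientHello.
    A ServerHello carrying version 0x0300 means the server still negotiates
    SSL 3.0 (the protocol POODLE abuses); an alert means it refused."""
    if len(data) < 5:
        return "no-response"          # closed connection or timeout
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == CONTENT_ALERT:
        return "not-vulnerable"       # e.g. handshake_failure / protocol_version
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == HANDSHAKE_SERVER_HELLO:
        (srv_version,) = struct.unpack("!H", payload[4:6])
        return "vulnerable" if srv_version == SSL3_VERSION else "not-vulnerable"
    return "unknown"

def check_server(host, port=443, timeout=5.0):
    """Run the check against a server you administer (network access needed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)

# Constructed sample replies, so the classifier can be exercised offline.
SAMPLE_SSLV3_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x00"
                             + b"\x00" * 32 + b"\x00" + b"\x00\x0a" + b"\x00")
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal handshake_failure
```

A server that answers with a ServerHello here is the "poodle" case; fix it by disabling SSL 3.0 on that server rather than by tuning the client.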

So in summary, the POODLE vulnerability raises a number of important security concerns you should be aware of right now:

  • Make sure all your systems, and platforms are fully patched and up to date.
  • Make sure your firewalls are in place and working as configured (and that they are configured appropriately).
  • Make sure that you are running reliable Antivirus/AntiSpam programs on all your systems (preferably more than 1 if possible, but at least 1!) and they are also up to date with their signature files.
  • Don’t rely totally on points 1, 2 and 3 above for your overall network security – System/Network Admins in particular should be subscribing to the latest security updates from their equipment and software vendors and checking them regularly. There will always be exceptions that break the rules, such as POODLE, Heartbleed, BEAST, CryptoLocker and so on.
  • Make sure that you know exactly which clients you need to communicate with, and configure your servers and clients to only use the most secure protocols for those machines – particularly if they have internet access.
  • Update your legacy systems and programs NOW – POODLE especially shows that outdated platforms and programs are a major security concern for most organizations – big and small – AND IN A LOT OF CASES CANNOT BE FIXED OR MITIGATED. And yes, I am looking at all you out there still using Windows XP and Vista/Windows 7, Server 2003 and Server 2008, Internet Explorer 6 and so on.
  • And if the worst happens – you have been taking regular backups, and checking them regularly as well, haven’t you?

So do your systems rate a Poodle or a Springfield terrier?

IMPORTANT UPDATE: If you tested your systems for this vulnerability some time ago, you need to retest them now – it has been found that some TLS protocols are also now affected, as well as hardware Network Load Balancers, particularly from F5 Networks and A10 Networks. If you have these devices, please see your vendor support for the latest firmware updates - and if you don’t have them check with your current Network Load Balancer provider(s) to make sure they are not susceptible either!

IMPORTANT UPDATE! Please read 'Are Your Systems Safe?' for updates on this blog post.


About the Author:

Gordon Cowser  

With over 22 years of real-world and training experience, Gordon is our most senior IT Infrastructure trainer. His expertise includes, but is not limited to, Microsoft Server and Client OS, Messaging, Collaboration, Active Directory and Network Infrastructure. Gordon also specialises in SharePoint technologies training in both technical and end user aspects. With his extensive skill-set he brings a thorough mentoring capability to the classroom, where he can advise on technical issues and challenges often beyond the scope of the course curriculum. A very approachable and experienced training professional, he has the ability to establish credibility fast with students at all levels.
