Poodle flaw draws comparisons with Heartbleed
Google researchers this week discovered a serious vulnerability in version 3.0 of the Secure Sockets Layer (SSL) software, which has since been imaginatively nicknamed ‘Poodle’ (standing for ‘Padding Oracle On Downgraded Legacy Encryption’).
The bug only affects SSL 3.0 – which was published in 1996 before being replaced three years later by the first version of the more secure Transport Layer Security (TLS) – but that version is still in widespread use, and the flaw could allow attackers to decrypt and steal data sent between users and web servers using a Man-in-the-Middle (MiTM) attack.
This is because, while many web browsers and servers have moved on to TLS v1.0, 1.1 or 1.2, many still support SSL 3.0 as a fallback mechanism.
"Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0," Bodo Moeller of the Google Security Team wrote in a blog post. "Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue."
Some in the industry have compared the flaw to Heartbleed, although industry observers point out that the latter – a flaw in the implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension – affected nearly two-thirds of web servers.
OpenSSL has since released a new version of the encryption software which patches flaws including the Poodle bug.
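The retry behaviour described in the Google blog post can be modelled in a few lines. The following is an added example, not code from Google or OpenSSL: it is a toy model with no real networking, and every function name and the version list are assumptions made for illustration. It shows that a party able to make connections fail can push both sides down to SSL 3.0, and that the forced downgrade ends in a failed connection instead once either side has SSL 3.0 disabled.

```python
# Added illustration: toy model of protocol-version fallback (no real networking).
# All names below are hypothetical and chosen for this example.
VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]  # newest first

def handshake(offered, client, server, interferer=None):
    """One attempt. Returns the negotiated version, or None if it fails.

    The client offers `offered` as its highest version; the result is the
    newest version at or below the offer that both sides have enabled."""
    if interferer is not None and interferer(offered):
        return None  # a network attacker caused this connection to fail
    for v in VERSIONS[VERSIONS.index(offered):]:
        if v in client and v in server:
            return v
    return None

def connect_with_fallback(client, server, interferer=None):
    """Browser-style retry: after a failure, offer the next older version."""
    attempts = []
    for offered in VERSIONS:
        if offered not in client:
            continue
        result = handshake(offered, client, server, interferer)
        attempts.append((offered, result))
        if result is not None:
            return result, attempts
    return None, attempts

def break_modern(offered):
    """Constructed interferer: fails every attempt that offers better than SSL 3.0."""
    return offered != "SSL3.0"

ALL = set(VERSIONS)
NO_SSL3 = ALL - {"SSL3.0"}

if __name__ == "__main__":
    for label, c, s in [("SSL 3.0 enabled on both sides", ALL, ALL),
                        ("SSL 3.0 disabled in the client", NO_SSL3, ALL),
                        ("SSL 3.0 disabled on the server", ALL, NO_SSL3)]:
        negotiated, attempts = connect_with_fallback(c, s, break_modern)
        print(f"{label}: negotiated={negotiated} after {len(attempts)} attempts")
```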
Hacked smart meters raise new questions on IoT
The Internet of Things (IoT) is one of the most hyped technologies, according to research outfit Gartner, but there are still some notable security issues, as evidenced by the demo hack of the Google Nest thermostat and internet-connected ‘Smart TVs’ earlier this year.
The latest example is network-connected electricity meters, or ‘smart’ meters, in Spain, which are susceptible to a wide range of cyber-attacks.
Two security researchers – Javier Vazquez Vidal and Alberto Garcia Illera – this week demonstrated at the Black Hat Europe conference how a cyber-criminal could carry out billing fraud, shut down electric power and cause blackouts – all by using the connected meters.
The issue relates specifically to a vulnerability in the chips of the smart meters that makes them re-programmable; the flawed code can be used to remotely shut down the power supply to houses, affect meter readings and insert network worms.
The meters also have symmetric AES-128 encryption which can be compromised, according to the researchers.
Three major utility companies – Endesa, Iberdrola and E.ON – currently supply around eight million smart meters across 30 percent of households in Spain, with millions more expected in the lead-up to 2018. The researchers didn't disclose the name of the manufacturer in their demo.