Posts tagged attack
A few days ago, Google researchers alerted the world to a new Internet attack they called Poodle, which could theoretically let an attacker impersonate you on sensitive websites—Facebook, your bank, Amazon or wherever. We’ve previously covered how Poodle works, so have a look if you want more details.
The odds that you’ll run afoul of Poodle may seem low right now. The attack exploits a vulnerability in an 18-year-old security protocol called SSL 3.0 that few websites use anymore. This analysis by University of Michigan computer scientists found that only about 200 of the top million sites on the Web rely on SSL 3.0 to protect your communications with them.
But once a vulnerability like this is public, it’s only a matter of time before hackers start lining up to take advantage of it. For instance, malicious types might set up a fake Wi-Fi hotspot they could then use to intercept and rewrite the traffic between your browser and, say, your online broker in a complex scheme that would ultimately let them into your account without knowing your password.
“[W]hen using the local Starbucks or other unencrypted WiFi, you are in grave danger from this hack from hackers sitting the table next to you,” writes security expert Robert Graham.
The major browser makers all seem likely to disable support for SSL 3.0 connections, although it may take them months to do so. (Mozilla promises SSL 3.0 will die in Firefox by November 25; Google says it will happen in Chrome “in the coming months”; Microsoft says only that it will “take the appropriate action” after it investigates the problem.) If you want to protect yourself in the meantime, you’ll have to do it yourself.
Step One: Update Your Browser
If you aren’t using a modern browser (ahem, IE 6 users), it’s time to download a new version. Everyone else should make sure you’re keeping your browser up-to-date. This will ensure that you’ll get a version that’s patched against Poodle as soon as it’s available.
- In Chrome, close and reopen your browser to apply any outstanding updates, which the browser downloads automatically. Keep an eye out for new updates as they’re available; you’ll see the “hamburger” icon (the three parallel horizontal lines in the upper right-hand corner) turn green, orange or red when updates are available.
- In Firefox, ensure that the browser is set to automatically download updates by opening the Preferences option and clicking on the “Advanced” icon and the “Updates” tab, then checking “Automatically install updates.” Firefox will then prompt you to restart the browser when it’s downloaded new updates.
- In Internet Explorer, follow these instructions to turn on automatic updates (check the dropdown menu in the upper right to choose the right version of Windows first).
Step Two: Avoid Unsafe Browsing
The first and best advice is to never log into a public Wi-Fi network unless you’re absolutely sure it’s run by the coffee shop, airport or hotel you think it is. Hackers have long known that they can sucker in the unsuspecting by setting up fake but misleadingly named hotspots they can then use to plunder your Internet traffic.
But there’s more to do even if you’re on a reputable public wireless network, since your Internet traffic is still being broadcast “in the clear,” allowing hackers to “sniff” it and plan new attacks. To prevent that, use a virtual private network, or VPN, to encrypt your connection.
These setups allow you to connect securely to a trusted server that will then serve as a “home base” for your Web surfing, keeping your traffic shielded from snoops. That should frustrate most would-be hackers unless you’ve landed on an NSA watchlist (in which case all bets are off anyway). This 2012 Lifehacker guide to VPNs is a little dated, but it should be enough to get you started.
If you aren’t signed up with a VPN service, you can always set up a home VPN network you can log into from anywhere. My ReadWrite colleague Lauren Orsini published an excellent two-part guide to setting up your own home VPN using a Raspberry Pi (see here and here). You could also set up VPN software on a PC you leave running on your home network.
Step Three: Turn Off SSL 3.0
If your browser refuses to communicate using SSL 3.0, you won’t be vulnerable to Poodle. So turning it off is a smart thing to do. Be warned, though: This could break your ability to connect to older websites or related services if they rely on SSL 3.0. Such sites should be in the minority, but they presumably still exist, as it’s not clear what else might account for the fact that the ancient IE6 still accounts for 3.6% of all active desktop browsers.
This is far too complicated in Chrome—an issue that Google really ought to address. Basically, you have to launch the browser using the command-line flag `--ssl-version-min=tls1`, though that might be tricky unless you usually start it up via the command line. (Hint: Most people don’t. Most don’t even know what the command line is.)
See also: Don’t Fear The Command Line
You can automate that process, although the method differs depending on your computer’s operating system. This page offers instructions for Windows, Mac, Linux and Chrome OS (though you’ll have to replace the example text “--foo --bar=2” with “--ssl-version-min=tls1”). One more warning: You’ll have to be careful if Chrome ever launches automatically when you click on a link, as it won’t apply the SSL-blocking flag if it does.
In Firefox, enter about:config in the browser bar, click through the permission box and then scroll down until you find the security.tls.version.min parameter. Double-click on it and enter “1” in the popup window.
Weirdly, this step is easiest in the much-maligned Internet Explorer. All you have to do is click on Tools->Internet options from the menu bar, then select the “Advanced” tab. Scroll down and uncheck “Use SSL 3.0,” and you’re done.
Photo by Jochen Frey
View full post on ReadWrite
eBay Marketplace Growth Disappoints Due to Cyber Attack, SEO
eBay's chief executive told Wall Street analysts on Wednesday that third-quarter growth of its Marketplaces business was not what he wanted, and not what he expected. eBay Marketplaces GMV (gross merchandise volume) grew only 7% in the third quarter …
eBay, Inc. Earnings Tell a Story of 2 Companies
eBay's (EBAY) CEO John Donahoe on Q3 2014 Results – Earnings Call …
View full post on SEO – Google News
A vicious new bug on the Internet has an innocuous name but a nasty potential bite. Meet the Poodle attack, which exploits yet another vulnerability in one of the Internet’s basic security protocols that could theoretically give an attacker access to your sensitive online accounts.
Google researchers on Tuesday published details of a weakness in SSL 3.0—an encryption method, technically known as the Secure Socket Layer, that safeguards the connections your browser makes to secure websites at banks, email providers, social networks and the like. SSL, it just so happens, is also the security protocol the Heartbleed bug exploited (although that problem affected a different SSL version.)
See also: Why Google Wants To Padlock The Web
SSL 3.0 is ancient in Web terms; it’s more than 18 years old and has been considered obsolete for the past 15 years. The Internet being what it is, and server administrators being who they are, SSL 3.0 is still in use here and there across the Web. And while modern browsers use more advanced security methods, a sophisticated attacker can trick them into downgrading to SSL 3.0. If the server you’re connected to is also using SSL 3.0, that could let the same attacker unravel the encryption and extract sensitive data he or she could use to impersonate you.
Such attacks aren’t easy to pull off, and that makes the latest weakness a cause for concern, though probably not for outright panic. So far, at least.
How Poodle Attacks
Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz outlined the (so far hypothetical) attack in a security advisory published on Tuesday. Poodle—which, in case you were curious, stands for “Padding Oracle On Downgraded Legacy Encryption”—basically takes the Internet’s heterogeneity, usually a source of robustness, and turns it into a weapon.
That’s because browsers and Web servers have to agree on the security standard they’ll use before they can begin exchanging sensitive information. If a Web server isn’t set up to use the most current form of encryption, most browsers will agreeably fall back to an older form until they find one the server will accept. But an attacker can actually trigger this “downgrade dance” by interrupting the initial browser-server “handshake” at key moments.
Once the browser and server are communicating using SSL 3.0, a malicious party can go to work breaking the encryption using a previously identified attack called Beast. This requires an attacker to intercept and modify the requests your browser sends to a Web server, which is not exactly trivial. It is, however, possible; Errata Security’s Robert Graham suggests that you might be most at risk on a public network at, say, a Starbucks, where hackers would have relatively free access to your Web connection.
Breaking SSL 3.0 encryption is most likely to yield access to a so-called session cookie—a bit of data your browser uses to remind a site that you are logged in as you. Anyone who can lay hands on your session cookie can then also log into that site as you. As Graham puts it:
Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages. These are two examples—they really have near complete control over your accounts. They won’t be able to steal your password, however.
So that’s the scary part, although at this point the risk of that actually happening to you seems fairly low.
Taming The Wild Poodle
There is currently no way to patch SSL 3.0 against the Poodle attack, and while there might eventually be a way to secure it, there’s a good chance that any such patch would be incompatible with existing SSL 3.0 servers. So instead, Möller and his colleagues argue that server administrators should disable SSL 3.0 entirely if they can. The Web-security company Cloudflare has done just that for all its customers.
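To see why the fix has to be "turn SSL 3.0 off" rather than "patch it," it helps to look at the one rule that gives Poodle the "padding oracle" in its name. The following is an added illustration written for this page, not code from the ReadWrite article, the Google advisory or any TLS library. It models only what a server does after CBC decryption: SSL 3.0 checks just the padding-length byte, while TLS 1.0 checks every padding byte. The content string, MAC key and final blocks are constructed values, and `toy_mac` is an HMAC stand-in (real SSL 3.0 uses its own SHA-1 MAC construction); what matters is that in both protocols the MAC covers the content but not the padding.

```python
import hashlib
import hmac

BLOCK = 8       # constructed: 8-byte cipher blocks, as with 3DES-CBC suites
MAC_LEN = 20    # SHA-1 MAC length, as in the *_SHA cipher suites of the era

CONTENT = b"sid=abcd1234"        # constructed: 12 bytes, so content+MAC fill 4 blocks
MAC_KEY = b"constructed-mac-key"  # constructed key, not a real secret


def toy_mac(key, content):
    """Stand-in for the record MAC (assumption: HMAC-SHA1; SSL 3.0 really
    uses a different SHA-1 construction). Note what it covers: content only."""
    return hmac.new(key, content, hashlib.sha1).digest()


def ssl3_unpad(decrypted):
    """SSL 3.0 rule (RFC 6101 s.5.2.3.2): the last byte is the padding length,
    which must be shorter than one block. The padding bytes themselves are
    never examined, so any value in them is accepted."""
    pad_len = decrypted[-1]
    if pad_len >= BLOCK or pad_len + 1 > len(decrypted):
        return None
    return decrypted[: len(decrypted) - pad_len - 1]


def tls10_unpad(decrypted):
    """TLS 1.0 rule (RFC 2246 s.6.2.3.2): every padding byte must equal the
    length byte, so a garbage padding block is rejected outright."""
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return None
    padding = decrypted[len(decrypted) - pad_len - 1:]
    if any(b != pad_len for b in padding):
        return None
    return decrypted[: len(decrypted) - pad_len - 1]


def verify_record(decrypted, mac_key, unpad):
    """Return True if a decrypted record would be accepted under `unpad`:
    strip padding, then check the MAC over what is left."""
    body = unpad(decrypted)
    if body is None or len(body) < MAC_LEN:
        return False
    content, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, toy_mac(mac_key, content))


def record_with_final_block(final_block):
    """Constructed post-decryption layout: content || MAC || one full block.
    Because content+MAC already fill whole blocks, the final block is
    nothing but padding, and a valid length byte for it is BLOCK-1."""
    if len(final_block) != BLOCK:
        raise ValueError("final block must be exactly one cipher block")
    return CONTENT + toy_mac(MAC_KEY, CONTENT) + final_block


def accepts(final_block):
    """(accepted by SSL 3.0 rule, accepted by TLS 1.0 rule) for one final block."""
    rec = record_with_final_block(final_block)
    return (
        verify_record(rec, MAC_KEY, ssl3_unpad),
        verify_record(rec, MAC_KEY, tls10_unpad),
    )


if __name__ == "__main__":
    proper = bytes([BLOCK - 1] * BLOCK)                       # 07 07 ... 07
    garbage = bytes([0xDE, 0xAD, 0xBE, 0xEF, 1, 2, 3, BLOCK - 1])  # junk, last byte 07
    print("well-formed padding block:", accepts(proper))
    print("garbage block, length byte ok:", accepts(garbage))
    print("garbage block, length byte wrong:", accepts(bytes([7] * 7 + [3])))
```

The SSL 3.0 verdict depends on a single byte of the final block; the other seven bytes can hold anything. That accept/reject signal is the oracle, and it is baked into the record format every SSL 3.0 peer implements, so tightening the rule the way TLS 1.0 did would make a patched endpoint reject records from every unpatched one, which is exactly the incompatibility described above.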
Similarly, modern browsers are also moving to disable SSL 3.0 by default. Google said it will eliminate SSL 3.0 support from its products, including the Chrome browser, “in the coming months.” Mozilla will likewise disable SSL 3.0 in Firefox 34, slated for a November 25 release. Near as I can tell, Microsoft hasn’t yet issued a similar notice about Internet Explorer.
But not all websites are able to kill off SSL 3.0, in part because some older browsers—particularly Internet Explorer 6—rely on it. IE6 may not be quite as old as SSL 3.0, but at 14 years, it’s also pretty ancient. Yet some business and government systems still require it. (They’re apparently a dwindling minority, though; data from Net Applications shows that IE6 accounted for only 3.6% of all desktop browser use in the third quarter.)
So one backup plan involves preventing the “downgrade dance” that makes the Poodle attack possible. That patch, called TLS_FALLBACK_SCSV, basically forces the browser to inform the server when it offers a weaker security protocol, as it might during a “downgrade dance” attack. That allows the server to reject the connection.
Unfortunately, the TLS_FALLBACK_SCSV workaround is only effective when both browsers and servers have been patched. As we’ve seen in previous vulnerabilities, that can take a long time across the big, wide Internet.
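The "downgrade dance," the browser-side minimum-version setting described elsewhere on this page, and TLS_FALLBACK_SCSV all fit in one small model. Here is an added example, my own toy simulation and not code from the ReadWrite article, the Google advisory or any browser: a `Client` retries the handshake at successively lower versions whenever an attempt is dropped, and a `Server` answers each attempt. The `Client`, `Server` and network-function names are mine; the value 0x5600 is the cipher-suite value RFC 7507 reserves for TLS_FALLBACK_SCSV, 0x002F is just a constructed filler suite, and no sockets or real TLS are involved.

```python
from dataclasses import dataclass

# Protocol versions, as record-layer (major, minor) pairs, in the order a
# 2014 browser would try them from best to worst.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSION_NAMES = {SSL30: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# Cipher-suite value reserved for the fallback signal (RFC 7507).
TLS_FALLBACK_SCSV = 0x5600


@dataclass
class ClientHello:
    version: tuple        # highest version offered in this attempt
    cipher_suites: list   # constructed list; only the presence of the SCSV matters


@dataclass
class Server:
    max_version: tuple
    min_version: tuple = SSL30   # a server that "disables SSL 3.0" raises this floor
    knows_scsv: bool = True      # an unpatched server simply ignores the SCSV

    def respond(self, hello):
        """Return ("ok", negotiated_version) or ("alert", reason)."""
        if hello.version < self.min_version:
            return ("alert", "protocol_version")
        # RFC 7507: a hello carrying the SCSV at a version below the server's
        # best means the client fell back for a reason the server never caused.
        if (self.knows_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("ok", min(hello.version, self.max_version))


@dataclass
class Client:
    min_version: tuple = SSL30        # what --ssl-version-min=tls1 raises to TLS10
    send_fallback_scsv: bool = False  # whether the client implements RFC 7507
    max_version: tuple = TLS12

    def connect(self, server, network):
        """Run the downgrade dance against `server`. `network(version)` returns
        False when that handshake attempt is lost in transit. Returns
        (status, version_or_reason, transcript)."""
        transcript = []
        attempts = [v for v in (TLS12, TLS11, TLS10, SSL30)
                    if self.min_version <= v <= self.max_version]
        for i, version in enumerate(attempts):
            suites = [0x002F]  # constructed placeholder suite
            if i > 0 and self.send_fallback_scsv:
                suites.append(TLS_FALLBACK_SCSV)  # "this is a retry at a lower version"
            transcript.append(f"client -> ClientHello {VERSION_NAMES[version]}")
            if not network(version):
                transcript.append("   (attempt lost in transit; client retries lower)")
                continue
            status, detail = server.respond(ClientHello(version, suites))
            if status == "ok":
                transcript.append(f"server -> ServerHello {VERSION_NAMES[detail]}")
                return ("ok", detail, transcript)
            transcript.append(f"server -> alert {detail}")
            return ("alert", detail, transcript)
        return ("failed", "no acceptable version", transcript)


def honest_network(version):
    """Every handshake attempt arrives."""
    return True


def hostile_network(version):
    """Network condition the article describes: every handshake above
    SSL 3.0 is interrupted, so the browser keeps retrying lower."""
    return version == SSL30


if __name__ == "__main__":
    server = Server(max_version=TLS12)
    for label, client in [("legacy browser", Client()),
                          ("browser with minimum TLS 1.0", Client(min_version=TLS10)),
                          ("browser sending SCSV", Client(send_fallback_scsv=True))]:
        status, detail, transcript = client.connect(server, hostile_network)
        print(f"{label}: {status} {VERSION_NAMES.get(detail, detail)}")
        print("\n".join(transcript))
```

Running it shows the three outcomes the text describes: the unmodified client ends up on SSL 3.0, the client with a TLS 1.0 floor simply fails to connect (which is the price of the "turn off SSL 3.0" advice), and the client that sends TLS_FALLBACK_SCSV gets an `inappropriate_fallback` alert from a patched server. Swap in `Server(max_version=TLS12, knows_scsv=False)` and the SCSV client lands on SSL 3.0 again, which is the "both sides must be patched" caveat in the paragraph above.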
Protecting Yourself Against Poodle
There are a few things you can do to protect yourself against Poodle attack. For starters, if you can’t wait for your browser to disable SSL 3.0, you can turn it off yourself:
- In Chrome, you’ll have to issue the command-line flag `--ssl-version-min=tls1`, though doing that isn’t completely straightforward. Instructions for Windows, Mac, Linux and Chrome OS are here.
- In Firefox, enter about:config in the browser bar, then scroll down until you find the security.tls.version.min parameter. Double-click on it and enter “1” in the popup window.
- In Internet Explorer, open Tools->Internet options and click on the “Advanced” tab. Scroll down and uncheck “Use SSL 3.0.”
It’s possible that doing this will break some of your Internet services, although the odds of that seem low unless you’re trapped using some custom-built site that never updated.
One other tip: If you’re online on a public Wi-Fi network, use a VPN to encrypt your connection. That should frustrate most would-be hackers unless you’ve landed on an NSA watchlist. If you aren’t signed up with a VPN service, you can always set up a home VPN network you can access from anywhere.
Photo by Greg Westfall (who notes that Scarlett is actually smiling in this picture)
View full post on ReadWrite
Yesterday a new anti-Google consortium called “Focus on the User” launched a website that cleverly uses Google’s own words and algorithm to make an argument against Google+ Local (map pack) search results. It also operates as a concrete proposal that might partly substitute for…
Please visit Search Engine Land for the full article.
The email starts off with “This is an extortion email” and goes on to say if you do not pay a certain amount of money, the sender will hit your website with tactics they call negative SEO. Now what? Yes, negative SEO exists and can impact your site’s performance on Google. Scraped content from your website, spammy links, and unnatural anchor text are all evidence that your site might have been a victim of negative SEO. While it is difficult to avoid an attack, especially for larger sites, it is not impossible to stay protected. What Exactly is Negative SEO? Negative SEO […]
The post How to Combat & Recover from Negative SEO Attack: The Survival Guide by @navneetkaushal appeared first on Search Engine Journal.
View full post on Search Engine Journal