Wednesday, October 15, 2014

POODLE SSLv3 Vulnerability

The POODLE SSLv3 vulnerability [CVE-2014-3566] requires that an attacker already have a vantage point on the network from which to perform a man-in-the-middle (MITM) attack against a user.  For example, a public WiFi hotspot in a coffee shop or airport gives an attacker such a MITM vantage point.

An attacker can then force a client's web browser to downgrade its encrypted connection to SSLv3 or earlier and exploit the weakness in those older versions of SSL.

An attacker will most likely use this vulnerability to steal session cookies to read a victim's email or access other Internet accounts.

Mitigations for system administrators

System administrators should configure their servers to not use SSLv3 or earlier.  Servers accessible from the Internet can be checked using Qualys' SSL Server Test.
https://www.ssllabs.com/ssltest/

Servers that still require SSLv3 to operate with legacy systems should implement the TLS_FALLBACK_SCSV feature to prevent unnecessary protocol downgrades from happening.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
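The two server-side checks described above (does the server still accept an SSLv3 handshake, and does it honour TLS_FALLBACK_SCSV when a client signals a fallback) can be run against your own servers with the following probe. It is an added example, not code from the original post or from Qualys; it builds raw ClientHello records itself so it does not depend on the local OpenSSL build still supporting SSLv3, and it assumes the hostname is passed on the command line.

```python
"""Probe a server for SSLv3 acceptance and TLS_FALLBACK_SCSV support (added example)."""
import socket
import struct
import sys

SSLV3 = (3, 0)
TLS10 = (3, 1)
FALLBACK_SCSV = 0x5600                  # TLS_FALLBACK_SCSV signalling cipher suite value
CIPHERS = [0x002F, 0x0035, 0x000A]      # AES128-SHA, AES256-SHA, DES-CBC3-SHA (CBC suites)
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, include_scsv=False):
    """Return a minimal ClientHello record (no extensions) for the given (major, minor) version."""
    suites = list(CIPHERS) + ([FALLBACK_SCSV] if include_scsv else [])
    body = struct.pack("!BB", *version) + b"\x00" * 32          # client_version + fixed random
    body += b"\x00"                                              # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # compression methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 + 3-byte length
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record of a server reply: ServerHello, an alert, or unknown."""
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x02:
        return "server_hello"
    if len(data) >= 7 and data[0] == 0x15:
        return "alert:" + ALERTS.get(data[6], str(data[6]))
    return "unknown"


def probe(host, port=443, timeout=5):
    """Run both checks. 'sslv3' == server_hello means SSLv3 is still enabled (bad).
    'tls10_with_scsv' == alert:inappropriate_fallback means the server implements
    TLS_FALLBACK_SCSV (good); server_hello there means either SCSV is not implemented
    or TLS 1.0 really is the server's highest version."""
    results = {}
    for name, version, scsv in (("sslv3", SSLV3, False), ("tls10_with_scsv", TLS10, True)):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version, scsv))
            results[name] = classify_response(sock.recv(4096))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed CLI argument
    for check, outcome in probe(target).items():
        print(f"{check}: {outcome}")
```

The ClientHello carries no SNI extension, so servers that require SNI may answer the TLS 1.0 probe with an alert for that reason alone; compare against the SSL Server Test before drawing conclusions.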

Mitigations for end-users

End-users should keep their web browsers up to date.  Patches that disable SSLv3 and earlier will be available soon.  End-users who don't want to wait for patches can configure their web browsers to disable SSLv3 and earlier as follows.

Chrome
Start the browser using the command-line flag:  --ssl-version-min=tls1

Firefox
Install the SSL Version Control extension:
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

or

Under about:config set security.tls.version.min to 1

Internet Explorer
Internet Explorer 6 does not support TLS.  Users of Internet Explorer 6 should update to the latest version possible on their operating system.

To change the default protocol version to be used for HTTPS requests, perform the following steps:
  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab.
  3. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
  4. Click OK.
  5. Exit and restart Internet Explorer.

Safari
Unknown.

References

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
http://blog.erratasec.com/2014/10/some-poodle-notes.html
https://www.imperialviolet.org/2014/10/14/poodle.html
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.ssllabs.com/ssltest/
https://technet.microsoft.com/en-us/library/security/3009008.aspx
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://access.redhat.com/articles/1232123

Monday, October 6, 2014

CTSC Year Two Report

CTSC's Year Two Project Report has been submitted to NSF and is available at http://trustedci.org/reports/ (along with the year one report). The Executive Summary follows.

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is transforming and improving the practice of cybersecurity and hence the trustworthiness of NSF scientific cyberinfrastructure (CI). CTSC is providing the NSF CI community with cybersecurity leadership, expertise, training, and the nexus of a community for sharing experiences and lessons learned. The vision of CTSC is an NSF CI community in which each project knows where it fits in a coherent cybersecurity ecosystem, has access to the tools and expertise to enact a cybersecurity program, participates in the sharing of experiences and collaboration between projects and is greatly benefited by leveraging services from universities, regional and national networks (e.g., CIC, SURA, Internet2).

This report covers CTSC project year two, from October 2013 through September 2014, during which time CTSC engaged with seven NSF CI projects, re-invigorated the NSF CI cybersecurity community by organizing the 2013 and 2014 NSF Cybersecurity Summits for Large Facilities and Cyberinfrastructure, provided the community with a guide and templates for developing a cybersecurity program, and provided training in secure coding, incident response and developing a cybersecurity program.

Nearly 150 individuals, representing over 70 projects, attended one or both of the Summits. The 2014 Summit was particularly successful in building community around a call for participation that resulted in the broader community presenting two training sessions and four experience reports.

Through its first two years, CTSC has now engaged with 13 NSF projects, and trained over 130 CI professionals representing 30 projects. Those numbers include a significant impact on NSF Large Facilities, which comprised 4 CTSC engagees, 14 of the projects that have attended a Summit, and 9 of the projects benefitting from CTSC training.

Awareness of CTSC increased in its second year, with International Science Grid This Week publishing an article on CTSC’s work with LIGO, an NSF solicitation mentioning the CTSC-organized Summit, and CTSC’s blog and website receiving a significant number of views.

This report describes all of CTSC’s activities in detail, concluding with a set of lessons learned by CTSC over its first two years and the project’s plans for its third year.