Information Security News
In October, Apple released Security Update 2014-005, specifically with the intent to address the POODLE issue. The description with the update stated:
There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.
However, even with the most recent version of Safari, I am still not able to prove this statement as true. Instead, I am able to connect to a test server that ONLY supports SSLv3 and block ciphers. Multiple users of the site confirmed this observation, and the logs also confirm that current versions of Safari will happily ignore Apple

Client Hello:
SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Version: TLS 1.2 (0x0303)

Server Hello:
Handshake Protocol: Server Hello
    Handshake Type: Server Hello (2)
    Version: SSL 3.0 (0x0300)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
The server offers AES in CBC mode, a block cipher suite, and Safari accepts it.
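As an added example (not code from the diary or from Apple), here is a small Python parser for the ServerHello shown in the capture above. It reads the record header, the handshake header, the version the server chose and the cipher suite, and flags the combination the diary describes: a client that offered TLS 1.2 being answered with SSL 3.0 and a CBC suite. The ServerHello bytes are constructed inline for the test; the cipher suite table is a hand-picked subset of IANA names, and the function names are assumptions of this example.

```python
import struct

SSL_3_0 = 0x0300
TLS_1_2 = 0x0303
HANDSHAKE = 22          # TLS record content type
SERVER_HELLO = 2        # handshake message type

# Small lookup table (assumption: only a few IANA suite names are listed here).
CIPHER_SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",   # the suite in the capture above
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one record carrying a ServerHello and return the record-layer
    version, the handshake version the server chose, and the cipher suite id."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or len(body) != rec_len:
        raise ValueError("handshake header truncated")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) session_id_len(1) session_id(n)
    #                     cipher_suite(2) compression_method(1) [extensions]
    if len(hs) < 35:
        raise ValueError("ServerHello truncated")
    hs_version = struct.unpack("!H", hs[:2])[0]
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 3:
        raise ValueError("ServerHello truncated")
    cipher_suite = struct.unpack("!H", hs[off:off + 2])[0]
    return {"record_version": rec_version,
            "handshake_version": hs_version,
            "cipher_suite": cipher_suite}


def assess_poodle_exposure(client_max_version: int, server_hello: bytes) -> list:
    """Return a list of finding strings; an empty list means nothing POODLE-relevant."""
    info = parse_server_hello(server_hello)
    suite = CIPHER_SUITES.get(info["cipher_suite"],
                              "unknown(0x%04x)" % info["cipher_suite"])
    findings = []
    if info["handshake_version"] == SSL_3_0:
        findings.append("SSLv3 negotiated")
        if client_max_version > SSL_3_0:
            findings.append("downgrade: client offered 0x%04x, server chose SSL 3.0"
                            % client_max_version)
        if "_CBC_" in suite:
            findings.append("CBC suite under SSLv3 (POODLE-exposed): " + suite)
    return findings


def build_server_hello(version: int, cipher_suite: int) -> bytes:
    """Construct a minimal ServerHello record (constructed sample with a zero
    random and an empty session id; not captured traffic)."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", cipher_suite) + b"\x00")
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


# The exchange from the capture: client offered TLS 1.2, server answered SSL 3.0 + AES-CBC.
SAMPLE_DOWNGRADED = build_server_hello(SSL_3_0, 0x0039)
# Same suite, but negotiated under TLS 1.2: not a POODLE finding.
SAMPLE_HEALTHY = build_server_hello(TLS_1_2, 0x0039)

if __name__ == "__main__":
    for label, rec in (("downgraded", SAMPLE_DOWNGRADED), ("healthy", SAMPLE_HEALTHY)):
        print(label, assess_poodle_exposure(TLS_1_2, rec))
```

Run against a pcap export of the server's first flight, the same check tells you whether a client in your environment is really refusing SSLv3, which is the question the advisory text leaves open.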
Another issue we discovered with the poodletest.com website is the use of proxies. Some proxies still support SSLv3, and if they are configured as a trusted proxy terminating SSL connections, then they may downgrade a connection to SSLv3.
How serious is it? The POODLE attack is still a low probability attack. I am not aware of any active use of the attack. So no need to panic. But vendors like Apple aren't helping with incomplete statements. It is possible that Safari is doing some form of downgrade protection. But this is not explained in the very brief advisory.
This attack got it all, and shows how hard it can be for a non ISC reader to evade some of these tech support scams. The URL used, http://login.microsoftlonine.com is only one letter off from the legit Microsoft Office 365 login page (you noticed the extra letter?).
The content you will get back varies. But here is a screenshot submitted by our reader Daniel:
The user was redirected to warning.netsecurityalerts.com (the site appears down right now), and to bolster the site's credibility, it displays the user's correct ISP (we all know this is an easy whois lookup, but a user confronted with this message is much more likely to fall for it than a recent message).
Calling the 800 number now will lead to a sales system trying to sell you a medical alert button if you are 50 years or older.
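As an added example (not part of the diary above), here is a Python check of the kind a proxy or DNS log reviewer could run to catch lookalike domains such as the one used here. It measures the edit distance between the registrable part of a hostname and a short list of protected brand domains, and also flags a domain that is simply the brand's letters in a different order, which is what the lonine/online swap amounts to (its Levenshtein distance is 2, not 1). The protected list, the two-label domain extraction and the function names are assumptions of this example.

```python
# Brands to protect (assumption: a short hand-picked list, not a full allowlist).
PROTECTED_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels (assumption: no public-suffix list is used,
    so 'login.microsoftlonine.com' -> 'microsoftlonine.com')."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_findings(host: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> list:
    """Return (brand, distance, same_letters) for each protected domain the
    host resembles. An exact match with a protected domain is not a finding."""
    dom = registrable_domain(host)
    if dom in protected:
        return []
    findings = []
    for brand in protected:
        dist = levenshtein(dom, brand)
        # Same multiset of characters: a moved or swapped letter, e.g. lonine/online.
        same_letters = sorted(dom) == sorted(brand)
        if dist <= max_distance or same_letters:
            findings.append((brand, dist, same_letters))
    return findings


if __name__ == "__main__":
    # Constructed inputs: the host from the diary, a legitimate host, and a homoglyph.
    for h in ("login.microsoftlonine.com", "login.microsoftonline.com", "micros0ft.com"):
        print(h, lookalike_findings(h))
```

A distance threshold of 2 is noisy on short brand names, so in practice you would run this only over newly seen domains and weight the same-letters signal higher than the distance alone.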
About 100,000 or more websites running the WordPress content management system have been compromised by mysterious malware that turns the infected sites into attack platforms that can target visitors, security researchers said.
The campaign has prompted Google to flag more than 11,000 domains as malicious, but many more sites have been detected as compromised, according to a blog post published Sunday by Sucuri, a firm that helps website operators secure their servers. Researchers have yet to confirm the cause of the infection, but they suspect it's related to a vulnerability in Slider Revolution, a WordPress plugin, that was disclosed in early September. Update: In a new blog post published after Ars went live with this brief, Sucuri says it has confirmed the so-called "RevSlider" vulnerability is the culprit.
The in-the-wild attack observed by Sucuri causes infected sites to load highly obfuscated attack code on every webpage that includes the following:
Criminal hackers are actively exploiting the critical shellshock vulnerability to install a self-replicating backdoor on a popular line of storage systems, researchers have warned.
The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it.
"The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known vector for Shellshock on QNAP devices," Johannes B. Ullrich, dean of research at Sans, wrote. "This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware."
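As an added example (not code from the diary or from QNAP), here is a small Python detector that runs over web-server access logs and scores requests that carry the Shellshock function-definition marker in a header, with a higher severity when the request hits the authLogin.cgi path the diary names. The log lines are constructed for the example, the combined log format is assumed, and the function names are mine.

```python
import re

# Apache/nginx "combined" log format (assumption: this is the format being parsed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Shellshock depends on a header value that begins a bash function definition: "() {".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# The script the diary names as the vector on QNAP devices.
WATCHED_PATHS = {"/cgi-bin/authLogin.cgi"}


def analyze_line(line: str):
    """Parse one log line and attach a 'severity' of 'high', 'medium' or None.
    Returns None when the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    has_pattern = bool(SHELLSHOCK_RE.search(rec["ua"]) or SHELLSHOCK_RE.search(rec["referer"]))
    on_watched_path = rec["path"].split("?", 1)[0] in WATCHED_PATHS
    if has_pattern and on_watched_path:
        rec["severity"] = "high"       # marker aimed at the unauthenticated login CGI
    elif has_pattern:
        rec["severity"] = "medium"     # marker present, but not on a known vector
    else:
        rec["severity"] = None         # ordinary request, including normal logins
    return rec


def find_suspicious(lines):
    """Return only the parsed records that received a severity."""
    out = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["severity"]:
            out.append(rec)
    return out


# Constructed sample lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Dec/2014:10:21:05 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"',
    '198.51.100.2 - - [14/Dec/2014:10:22:11 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Dec/2014:10:23:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Dec/2014:10:23:30 +0000] "GET /index.html HTTP/1.1" 404 0 "() { :;}; echo shellshock-probe" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["severity"], rec["ip"], rec["path"], rec["ua"] or rec["referer"])
```

Only the User-Agent and Referer are visible in a combined log; a device in front of the NAS that logs all request headers will see the same marker in other header names, so the pattern, not the header, is what to key on.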