Yesterday a security vulnerability known as POODLE (Padding Oracle On Downgraded Legacy Encryption) was publicly announced. It affects any client or server that still accepts SSL 3.0, and it is serious: an attacker sitting between a browser and a website can force the connection down to SSL 3.0 and then recover small pieces of the encrypted data, such as session cookies, even though the traffic is encrypted. While Nmbrs is not vulnerable, we are taking this issue seriously by following the steps below. At the bottom of the article, we have listed steps you can take to help protect yourself.
What we've done:
- Validated that Nmbrs is not vulnerable to the published vulnerability. We do not enable CBC cipher suites for SSLv3, and the attack depends on the server negotiating an SSLv3 CBC suite. Our mitigation is similar to the recommendation that Google has made here.
- Validated that our CDN provider has disabled SSLv3 support. While we would have preferred to give our customers more notice, our provider moved quickly to address the risk once it was announced.
What we will continue to do:
- Keep SSLv3 disabled across the Nmbrs platform. Like many other companies, we have turned it off entirely to avoid future SSLv3 weaknesses, not just this one.
- Use both our internal and third-party threat intelligence capabilities to monitor for potential attacks related to Nmbrs, and continue to scan and monitor our infrastructure for any possible weaknesses.
What you should do:
- If you are an integration partner, make sure the connection from your application to Nmbrs does not use SSL 3.0; configure your client library to require TLS 1.0 or higher.
- Upgrade your browser to the latest version. If you are using Internet Explorer 6, move to a more modern, supported browser.
- Disable SSLv3 support within your browser. You can check whether your browser is vulnerable by going here and looking for SSLv3 “Yes”. To disable SSLv3 support, make the following changes and restart your browser:
- Mozilla Firefox
- Open about:config, find security.tls.version.min and set the value to 1. This makes TLS 1.0 the lowest protocol version Firefox will negotiate; the default of 0 still allows SSL 3.0.
- Google Chrome
- Newer versions of Chrome support TLS_FALLBACK_SCSV, which prevents an attacker from forcing the connection down to SSLv3, provided the server supports it as well.
- You can explicitly disable support for SSLv3 by starting Chrome with the command line flag --ssl-version-min=tls1. Further instructions about using command line flags can be found here.
- Internet Explorer
- Go into “Internet Options”, “Advanced”, and under Security uncheck “Use SSL 3.0”, leaving the “Use TLS” options checked.
- Become familiar with the issue. This blog post provides an excellent breakdown of the vulnerability.
- Contact your Nmbrs users to let them know that older browsers, like Internet Explorer 6 (which only uses SSL 3.0 by default), are no longer supported.
- Scan your own infrastructure for this vulnerability using available tools, such as those from Tinfoil Security and SSL Labs.
- Reach out to your external third parties to ensure that they are aware of this critical issue and are executing a mitigation strategy.
- Be cognizant of opportunistic phishers who email you asking you to patch your devices. Don’t click on links that look suspicious.
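The two checks above that matter most for integration partners, that your own endpoints no longer accept SSL 3.0 and that the scanners you run actually test for it, both come down to the same thing: send an SSL 3.0 ClientHello offering CBC cipher suites and see whether the server answers with an SSL 3.0 ServerHello or refuses. The Python below is an added example written for this article, not Nmbrs tooling and not one of the scanners linked above. It builds the ClientHello record by hand, classifies the first record that comes back, and bundles two constructed sample replies (a ServerHello and a protocol_version alert) so the classification can be exercised offline. The host name in the usage comment is a placeholder.

```python
"""Probe whether a server still accepts an SSL 3.0 handshake (POODLE exposure).

Added example for this article; not Nmbrs code. It speaks just enough of the
SSL 3.0 record and handshake format to tell "accepted" from "refused".
"""
import os
import socket
import struct

SSL3_VERSION = 0x0300
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# CBC suites an attacker would want the server to pick; POODLE needs a CBC
# suite under SSL 3.0, so these are what the probe offers.
SSL3_CBC_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
]


def build_ssl3_client_hello(cipher_suites=SSL3_CBC_SUITES, client_random=None):
    """Return one SSL 3.0 record (5-byte header) carrying a ClientHello."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        struct.pack("!H", SSL3_VERSION)             # client_version = 3.0
        + client_random                              # 32-byte random
        + b"\x00"                                    # empty session id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # compression: null only
    )
    # Handshake header: 1-byte type + 24-bit body length
    handshake = (struct.pack("!B", HANDSHAKE_CLIENT_HELLO)
                 + struct.pack("!I", len(body))[1:] + body)
    # Record header: content type, protocol version, 16-bit fragment length
    return struct.pack("!BHH", RECORD_HANDSHAKE, SSL3_VERSION, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns to the SSL 3.0 ClientHello.

    'sslv3_accepted' : a ServerHello with version 3.0 came back (vulnerable
                       if it also picked a CBC suite, which is all we offered)
    'refused'        : an alert (typically protocol_version) or no data at all
    'other'          : anything else, e.g. a ServerHello for a different version
    """
    if len(data) < 5:
        return "refused"
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT:
        return "refused"
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6:
        hs_type = payload[0]
        hs_version = struct.unpack("!H", payload[4:6])[0]
        if hs_type == HANDSHAKE_SERVER_HELLO and hs_version == SSL3_VERSION:
            return "sslv3_accepted"
    return "other"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSL 3.0 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""  # servers that simply drop SSLv3 clients end up here
    return classify_response(reply)


# Constructed sample replies (not captured from any real server) so the
# classifier can be exercised without network access.
SAMPLE_SSL3_SERVER_HELLO = (
    bytes.fromhex("160300002a020000260300")  # record + handshake headers, version 3.0
    + b"\x11" * 32                            # server random
    + bytes.fromhex("00002f00")               # no session id, AES128-CBC, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = bytes.fromhex("150300000202" + "46")  # fatal, protocol_version

if __name__ == "__main__":
    # Usage against a real host (placeholder name):  probe("example.invalid")
    print(classify_response(SAMPLE_SSL3_SERVER_HELLO))
    print(classify_response(SAMPLE_PROTOCOL_VERSION_ALERT))
```

Run it against each of your own public endpoints; anything that comes back as sslv3_accepted still needs SSL 3.0 turned off, because the probe only offered CBC suites and the server took one. A refused or dropped connection is the result you want after the change.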