MADISON, Wis. (10/22/14)--Keeping operating systems and browsers up to date is key to protecting credit unions and members against a new security vulnerability discovered last week.
POODLE (Padding Oracle On Downgraded Legacy Encryption) exploits a flaw in the old Secure Sockets Layer (SSL) 3.0 encryption protocol. POODLE allows a third party positioned between the user and the website to capture the information sent between them--known as a "man in the middle" attack.
"You might not notice anything," said Andrew Jaquith, chief technology officer for SilverSky, a provider of cloud security solutions and a CUNA Strategic Services alliance provider. "They are snapping up the information that you're transmitting. It's insidious--you just won't know."
"It affects every browser, every server, because everyone supports backward capability," he told News Now. "Now it needs to be disabled in all these areas."
For credit unions, that means they must disable SSL 3.0 on all servers and member-facing sites. "If you're using any systems newer than 2006 or 2007, you should be fine," he said. Credit unions also should make sure they have recently updated versions or patches on their operating systems. "Always turn on automatic updates," he advised.
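Disabling SSL 3.0 on a server comes down to the protocol list in the web server configuration. The following Python script is an added example, not code from the article or from SilverSky, that audits nginx `ssl_protocols` and Apache `SSLProtocol` lines for SSL 3.0 and rewrites the weak ones. The sample directives are constructed, the `APACHE_ALL` set is an assumption about what `all` expanded to in mod_ssl of that era, and the Apache token handling is a simplified model of the documented `+`/`-` semantics.

```python
import re

# Constructed sample configuration lines (not taken from the article):
# a weak and a corrected directive for each server.
SAMPLE_CONFIGS = {
    "nginx-weak":   "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",
    "nginx-fixed":  "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",
    "apache-weak":  "SSLProtocol all -SSLv2",
    "apache-fixed": "SSLProtocol all -SSLv2 -SSLv3",
}

# Assumption: what "all" expanded to in mod_ssl before TLS 1.3 existed.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def nginx_protocols(line):
    """Return the set of protocols an nginx `ssl_protocols` directive enables."""
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;\s*$", line)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % line)
    return set(m.group(1).split())


def apache_protocols(line):
    """Return the set of protocols an Apache `SSLProtocol` directive enables.

    Simplified model of mod_ssl token handling: tokens apply left to right,
    a bare or '+' token adds, a '-' token removes, and 'all' expands to
    APACHE_ALL. Note that "all -SSLv2" therefore still leaves SSLv3 on.
    """
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not an SSLProtocol directive: %r" % line)
    enabled = set()
    for tok in m.group(1).split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        if not names <= APACHE_ALL:
            raise ValueError("unknown protocol token: %r" % tok)
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def sslv3_enabled(line):
    """Classify one directive; returns (server, enabled protocols, SSLv3 on?)."""
    stripped = line.strip()
    if stripped.startswith("ssl_protocols"):
        server, protos = "nginx", nginx_protocols(line)
    elif stripped.startswith("SSLProtocol"):
        server, protos = "apache", apache_protocols(line)
    else:
        raise ValueError("unrecognized directive: %r" % line)
    return server, protos, "SSLv3" in protos


def audit(configs):
    """Map each config name to True when SSL 3.0 is still enabled, printing a report."""
    findings = {}
    for name, line in configs.items():
        server, protos, bad = sslv3_enabled(line)
        findings[name] = bad
        status = "VULNERABLE (SSLv3 on)" if bad else "ok"
        print("%-13s %-7s %-22s %s" % (name, server, status,
                                       [p for p in PROTOCOL_ORDER if p in protos]))
    return findings


def remediated(line):
    """Return the same directive with SSLv3 removed, as an explicit protocol list."""
    server, protos, _ = sslv3_enabled(line)
    kept = [p for p in PROTOCOL_ORDER if p in protos and p != "SSLv3"]
    if server == "nginx":
        return "ssl_protocols %s;" % " ".join(kept)
    return "SSLProtocol %s" % " ".join(kept)


if __name__ == "__main__":
    for name, flagged in audit(SAMPLE_CONFIGS).items():
        if flagged:
            print("  fix for %s: %s" % (name, remediated(SAMPLE_CONFIGS[name])))
```

The Apache case is the one worth checking by hand: `SSLProtocol all -SSLv2` was a common pre-POODLE setting and looks hardened, but only SSL 2.0 is removed. The audit flags it and the rewritten directive lists the TLS versions explicitly rather than relying on `all` minus exclusions.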
Credit unions can also help protect their employees and members by making sure they are using "slightly more modern browsers," he counseled. Internet Explorer 6 and below are vulnerable, so members should be using Google Chrome, Firefox, Safari, or Internet Explorer 7 and above.
"As a browser user, the nice thing about Chrome and Firefox is that they do silent updates in the background," Jaquith said.
Silver State Schools CU, Las Vegas, with $655 million in assets, took a proactive approach in notifying its members about the vulnerability and what it was doing to update its four member-serving systems. "We have begun taking corrective action," it noted on its website. "As a result, you may experience short interruptions in some or all online services."
It also suggested members look at their own Web browsers to ensure SSL 3.0 is disabled.