Apple announced this week that it will no longer support the Secure Sockets Layer (SSL) 3.0 encryption standard for its push notifications service in response to a newfound vulnerability within the protocol.
In a statement on its development site, Apple said it will be switching from SSL 3.0 to the more secure Transport Layer Security encryption standard on Oct. 29. Earlier this month researchers discovered a vulnerability dubbed Poodle that enables hackers with network access to expose encrypted information. Poodle stands for Padding Oracle On Downgraded Legacy Encryption, and it is used by both websites and browsers, posing a major problem from anyone using only SSL 3.0 encryption.
Poodle allows cybercriminals to work around networks and systems that would normally be kept private, meaning hackers could use the flaw to take control of a victim’s browsing session and use the device as the owner, capable of accessing email accounts, online banking information, social networks and any other activity imaginable. Google and a variety of other companies will no longer enable SSL 3.0 on their new offerings, and have provided workarounds and patches for users of their current products.
Exploits on the rise
While many organizations have transitioned to the use of TLS encryption and attackers have to be physically near their victims to effectively exploit Poodle, the flaw does serve to highlight the growing frequency with which new vulnerabilities are discovered. Three major exploits have already been discovered this year, and there are still more than two months to go before 2014 is through.
First Heartbleed was discovered in April, which allowed hackers to steal data from servers, including encryption keys which provided access to protected data. Then Shellshock was revealed just last month, offering an even more widespread opportunity for cybercriminals to take advantage of insecure systems.
With the increase in vulnerabilities, many companies are looking for more reliable ways to protect sensitive information from being stolen by cybercriminals. However, a growing number of exploits take advantage of flaws in traditional methods of security, making it difficult to know if enterprise information is truly safe. One way to ensure that networks and systems are private and protected is to implement a security information and event management service. Use of a SIEM solution provides around the clock monitoring of enterprise networks in order to identify any suspicious activity or anomalous behavior. Event activity is then analyzed and used to create an actionable defense plan that businesses can use to increase system protection and mitigate the effects of data breaches.