IT Security Stories to Watch: POODLE Vulnerability, TD Bank Settlement

Who would have thought a poodle could cause so much damage in such a short amount of time? That’s exactly what the world learned last week as details were released about the Padding Oracle On Downgraded Legacy Encryption, aka “POODLE,” vulnerability that hackers can use to exploit the design of SSL 3.0 to decrypt sensitive information.

What do managed service providers (MSPs) and their customers need to know about the POODLE vulnerability? Find out in this week’s IT security stories to watch:

1. Google researchers discover the POODLE SSL 3.0 vulnerability

Google (GOOG) researchers last week released details about the POODLE SSL 3.0 vulnerability.

POODLE is “a flaw in how browsers handle encryption,” TechRepublic noted, and it could harm all applications and systems that leverage SSL 3.0.

“The POODLE attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios,” the United States Computer Emergency Readiness Team (US-CERT) said in a POODLE advisory.

Computerworld reported Apple (AAPL) has issued a security update that is designed to protect OS X Maverick and Mountain Lion users against POODLE attacks, but Wi-Fi users are still at risk.

2. TD Bank settles with nine states over Oct. 2012 data breach

An Oct. 2012 TD Bank (TD) data breach exposed sensitive information from roughly 260,000 customers from Maine to Florida, according to The Associated Press.

TD Bank last week announced it has entered into an $850,000 multi-state settlement agreement that “resolves [the] 2012 data breach and is designed to help ensure that future consumer privacy breaches do not occur.”

Nine states will receive a portion of the TD Bank settlement:

“All consumers — and especially banking consumers — have a reasonable expectation of privacy and protection when it comes to their information,” John J. Hoffman, New Jersey’s acting attorney general, said in a prepared statement.

3. Was Dropbox hacked?

Several news outlets last week reported cloud-based file sharing service Dropbox was hacked, but the company quickly squashed these claims.

“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” Dropbox spokesperson Anton Mityagin wrote in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”

Mityagin added Dropbox recommends two-step verification to help prevent cyber attacks.

4. McAfee updates Next Generation Firewall

Antivirus software provider McAfee (MFE) last week launched a version of its Next Generation Firewall software that now includes integrations with the company’s Security Connected framework.

The new release is designed to provide Next Generation Firewall customers “with layered protection against the latest threats and evasions, along with improved workflows and operational efficiencies,” according to McAfee.

“This release represents another significant milestone in bringing that strategy to fruition and further empowers our customers with the tools they need to outmaneuver attackers with even greater ease and precision,” Pat Calhoun, McAfee’s general manager of network security, said in a prepared statement.

What do you think will be the biggest IT security stories for MSPs this week? Share your thoughts in the Comments section below, via Twitter @dkobialka or email me at [email protected].