Pratum Blog

SSL has been obsolete for some time now. It had a useful life, and now it needs to go away. During many of our penetration tests and ethical hacks, we still find SSL alive and well. There is no information security if you are using SSL today: it is broken beyond repair. Don’t use it, or you are inviting someone to hack you.

The POODLE hack is a serious threat to information security. It works because SSL 3.0 does not check the padding bytes of CBC-mode records, which lets an attacker on the network recover a byte of an HTTPS session for roughly 256 forced requests, and because browsers will obligingly retry a failed handshake with ever older protocol versions until they land on SSL 3.0. For some reason, though, many web servers still allow browsers to negotiate all the way back to SSL 3.0. To give you some perspective, TLS 1.0 superseded SSL 3.0 in 1999, TLS 1.1 was released in 2006 and TLS 1.2 in 2008. I get the whole backward compatibility thing, but seriously, browsers have supported TLS since early last decade. That’s nearly 15 years, folks. It’s time to implement a process that progressively drops support for browsers that don’t support security. We have no problem forcing out older browsers that don’t support the cool new functionality that makes our updated websites look so rich and full featured. Why not do the same thing for security, to prevent hacking?

You need to check all of your web servers and ensure that nothing less than TLS 1.2 is supported. There have been many security enhancements to the protocol to prevent very specific and well documented hacks, and anything less than TLS 1.2 is weak at best. At the very minimum, turn SSL 3.0 off today: the attack needs the server to accept that version, so disabling it on the server side closes the POODLE hole by itself. Then measure which clients a TLS 1.2-only policy would cut off before you flip the switch, so that the decision is deliberate rather than a surprise in the support queue. Besides, how could you look your peers in the face and say you were taken down by a POODLE attack without being the butt of several jokes about other small canines attacking your systems?
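Here is a way to do that check, added to this post as an example (it is not code from the original post): a shell script that asks a server, one protocol version at a time, which ones it will still negotiate, using nothing beyond the `openssl` command-line tool. The host and port are whatever you pass on the command line; the option names (`-ssl3`, `-tls1`, `-tls1_1`, `-tls1_2`, `-tls1_3`) are the ones `openssl s_client` understands, and the script first asks `openssl s_client -help` which of them this particular build was compiled with, because a build without SSL 3.0 support rejects `-ssl3` as an unknown option and that is easy to mistake for the server refusing it.

```shell
#!/usr/bin/env bash
# Added example: probe which SSL/TLS versions a server negotiates, using
# `openssl s_client`. Hostname and port come from the command line.
set -u

# Protocol versions to try, oldest first, spelled as the s_client option names.
VERSIONS="ssl3 tls1 tls1_1 tls1_2 tls1_3"

# Does this openssl build even offer the given -ssl3/-tls1/... option?
# Builds without SSL 3.0 compiled in reject "-ssl3" as an unknown option,
# which would otherwise look exactly like the server refusing it.
client_supports() {
    openssl s_client -help 2>&1 | grep -qE -- "(^|[[:space:]])-$1([[:space:]]|$)"
}

# Try one handshake at exactly the given version. s_client exits 0 only when
# the handshake completed (stdin is /dev/null, so it closes straight after).
try_version() {
    # $1 = host, $2 = port, $3 = version name from VERSIONS
    openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null >/dev/null 2>&1
}

# Probe every version; progress goes to stderr, the accepted list to stdout.
probe() {
    accepted=""
    for v in $VERSIONS; do
        if ! client_supports "$v"; then
            echo "skip   $v (not compiled into this openssl)" >&2
            continue
        fi
        if try_version "$1" "$2" "$v"; then
            echo "ACCEPT $v" >&2
            accepted="$accepted $v"
        else
            echo "refuse $v" >&2
        fi
    done
    echo "${accepted# }"
}

# Apply the post's bar: any accepted version below TLS 1.2 is a fail.
# Prints a one-line verdict; returns 0 when clean, 1 when weak, 2 when the
# probe got no handshake at all (host down, wrong port, not a TLS service).
verdict() {
    # $1 = space-separated accepted versions, e.g. "tls1_2 tls1_3"
    if [ -z "$1" ]; then
        echo "NONE: no handshake succeeded (host down, port closed, or not TLS?)"
        return 2
    fi
    for v in $1; do
        case "$v" in
            ssl3|tls1|tls1_1)
                echo "WEAK: server still negotiates $v"
                return 1
                ;;
        esac
    done
    echo "OK: nothing below TLS 1.2 accepted"
    return 0
}

# Usage: ./tls-probe.sh example.com [443]   (exit status is the verdict)
if [ $# -ge 1 ]; then
    verdict "$(probe "$1" "${2:-443}")"
fi
```

Run it against each of your own hosts; a "WEAK" line means the server accepted a handshake at that version and needs its configuration tightened, which on nginx is `ssl_protocols TLSv1.2;` and on Apache mod_ssl is `SSLProtocol -all +TLSv1.2`. Treat a "skip" line as an open question rather than a pass: a client that cannot speak SSL 3.0 has told you nothing about whether the server would.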

I’d like to call on college professors to listen to me for a few minutes.  I’ve been a strong proponent of higher education even though I originally dropped out of college.  I eventually went back to finish my degree but it was only after I had been in the workforce for about 8 years.  (Kids, if you read this, stay in school.  I chose a hard road that worked for me but it won’t for most others.)  I am finding however, a fairly large gap in what colleges are teaching and what the real world needs.  This has been a trend for several years and we need to reverse it if a college education for information technology careers is going to maintain its relevance.

If you are responsible for teaching anything in computer science, CIS, MIS or a similar program, please consider the following:

  1. Students need to learn more about infrastructure.  Even developers need to understand TCP/IP principles in fairly deep detail.  The way data is transported over a network is critical to keeping it secure.  Please make TCP/IP either a mandatory semester or, at a minimum, 8 weeks within a semester.  I simply don’t understand how anyone coming out of a computer science program today can be so clueless about how the internet or networks work when everything is interconnected.  Seriously, this is the norm and not the exception.  And it’s happening at both large, highly respected national schools as well as smaller ones.

  2. Many students or fresh graduates we encounter have really poor troubleshooting or analytical skills.  They are relying on automation, peers or professors to solve their problems.  During interviews, the most common response when we ask someone how they approach troubleshooting a problem they have encountered is that they start by doing a Google search, then ask for help.  Really?  We need students in these fields to be able to problem solve on their own.  Find a solution to a problem that no one else has thought of yet.  I can pay someone a lot less to simply search Google for me.

  3. Many students have no idea what types of jobs are out there.  The vast majority of CS, CIS, MIS majors are looking for software development jobs.  Many of them will learn to hate that career field in a matter of years.  We need to do a better job of doing academic advising for students to help them understand the vastness of this field and the various ways they can get plugged in to it.  This also falls on any of you professionals that are out there.  Contact your local college and volunteer to be a guest speaker for a class.  Many times, the only way a student will ever hear about a career option is to hear directly from a practicing professional.

For those of you in academics, please don’t take this as a criticism of the job you are doing.  It’s a hard job.  I know.  I was once a faculty member and an academic department chair.  I know the demands placed on you.  I’m simply trying to help identify where I see a need in the marketplace and an opportunity to help our students come out of college fully prepared to enter the workforce.  Thank you for your efforts to provide our next generation of technology professionals with a great foundation.

So the LizardSquad has taken responsibility for the DDOS attacks on the Microsoft Xbox Live and Sony PlayStation networks over the past couple of weeks.  The attacks were nothing special though.  DDOS is simply an attack where you throw more junk at something than it was designed to handle.  Pour a gallon of water in an 8oz glass and it’s going to overflow.  I could always drink from a 128oz glass to ensure I never lose a drop of water, but what’s the point?

While DDOS attacks are real and their effects have serious consequences, there is nothing clever about them in most cases.  They are simply a collection of compromised machines all turning their resources to overwhelm a victim that wasn’t prepared.

Even though information security breaches are bad, you sometimes have to marvel at the skill and creativity needed to carry some of them out.  I don’t typically do this with DDOS attacks.  I’m just not impressed with turning on the fire hose to fill water balloons.  I’m sure Microsoft and Sony are working to ensure the Xbox and PlayStation networks are better able to defend against such attacks.
