Tuesday, January 26, 2021
  • Healthcare Ransomware Attacks Continue Climbing
  • Discovery capabilities: A core differentiator for Black Duck SCA
  • Which AppSec Testing Type Should You Deploy First?
  • 99.99% verified uptime: 2015 to 2021
  • TetherView Launches Digital Bunker™, a Comprehensive One-Way-In and One-Way-Out Private Cloud for Enterprise Customers

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming
    • On-Demand
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library
  • Related Sites
    • MediaOps Inc.
    • DevOps.com
    • Container Journal
    • Digital Anarchist
    • SweetCode.io
  • Media Kit

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Security Bloggers Network Vulnerabilities 

Home » Cybersecurity » Threats & Breaches » Vulnerabilities » Introducing Zombie POODLE and GOLDENDOODLE

Introducing Zombie POODLE and GOLDENDOODLE

by Craig Young on February 4, 2019

I’m excited to announce that I will be presenting at this year’s Black Hat Asia about my research into detecting and exploiting CBC padding oracles!

Zombie POODLE and GOLDENDOODLE are the names I’ve given to the vulnerabilities I’ll be discussing. Similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS, these issues stem from continued use of cryptographic modes which should have been long ago deprecated and yet are inexplicably still supported in TLSv1.2. In this case, the troublesome feature is that TLSv1.2 supports CBC mode ciphersuites.

To understand these flaws, it’s important to have a little background on block ciphers and cipher-block chaining (CBC) mode.

A block cipher operates on discrete blocks of data as opposed to a stream cipher that would encrypt individual bits. AES is an example of a block cipher, while RC4 is a stream cipher. AES can only encrypt or decrypt 128-bit blocks of data. It is not possible to directly encrypt or decrypt more or less bits with AES without defining a mode of operation. CBC is a mode of operation for block ciphers in which ciphertexts are chained together via XOR. By doing this, repeated plaintext will not lead to repeated ciphertext, and modification of a ciphertext block will also change the plaintext in the following block.

A high-level overview of AES-CBC mode encryption in TLS is as follows:

  1. Plaintext message is split into discrete 16-byte blocks of data
  2. An initialization vector (IV) is randomly generated
  3. First block is encrypted using the selected block cipher and key
  4. Block cipher output is XORed with the initialization vector
  5. Result from #4 is stored as the first block of ciphertext
  6. The next block of plaintext is passed to the block cipher
  7. Output from the block cipher is XORed with the previous ciphertext block
  8. (Read more...)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Craig Young. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/zombie-poodle-goldendoodle/

February 4, 2019February 4, 2019 Craig Young Secuirty, VERT News, Vulnerability Management
  • ← Research: Corporate Phishing Incidents Cost $4.3M to Investigate per Year
  • Scammers Threatening YouTube Content Creators with Channel Suspension →

TechStrong TV – Live

Watch latest episodes and shows
Featured Blog

Eric Kedrosky

The Future of Multi-Cloud Security: A Look Ahead at Intelligent Cloud Security Posture Management Solutions

Pam Sornson, JD – Contributed Writer

IAM Best Practices For DevOps

Eric Kedrosky

Identity Risk: Identifying a Misconfigured IAM Trust Policy

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy

Most Read on the Boulevard

FBI to Investigate Parler, New Russian Host will be Revoked
What Are the 5 Elements of Trustworthy Digital Transformation?
Remote Workforce Security a Top Priority for 2021
5 Questions to Ask When Adopting a New SaaS Tool
Building Cognitive Resilience for Crisis Response
FBI to Investigate Parler, New Russian Host will be Revoked
Top 10 Best Practices for Zero Trust IoT Manufacturing
Data Loss Prevention: Artificial Intelligence vs. Human Insight
Growing Significance of Cyber Security in Healthcare Industry
Analyze Attacker Behavior, Endpoint Detection Anomalies with LogRhythm and Carbon Black  

Upcoming Webinars

Tue 26

Preventing Code Tampering & Verifying Integrity Across Your SDLC

January 26 @ 1:00 pm - 2:00 pm
Thu 28

Protecting Cloud-Native Apps and APIs in Kubernetes Environments

January 28 @ 1:00 pm - 2:00 pm
Feb 03

Too Close to the Sun(burst): A Supply Chain Compromise

February 3 @ 11:00 am - 12:00 pm
Feb 04

Lessons from the FinTech Trenches: Securing APIs at Finastra

February 4 @ 3:00 pm - 4:00 pm
Feb 09

How 2020’s Top 5 Attacks Reveal the Coming Cyberthreats in 2021

February 9 @ 1:00 pm - 2:00 pm
Feb 10

Finding Vulnerabilities in Your Cloud Native Applications Before They Find You!

February 10 @ 11:00 am - 12:00 pm
Feb 11

How to Merge AppSec and DevOps Effectively for the Good of Software

February 11 @ 3:00 pm - 4:00 pm
Feb 16

Security Policy Management in Hybrid Cloud Environment

February 16 @ 11:00 am - 12:00 pm
Feb 16

How Vertical Change Secures Sensitive Data Using Open Source Tools

February 16 @ 1:00 pm - 2:00 pm
Feb 17

Finding and Preventing Secrets in Code

February 17 @ 3:00 pm - 4:00 pm

More Webinars

Download Free eBook

The Dangers of Open Source Software and Best Practices for Securing Code

Recent Security Boulevard Chats

  • Cloud, DevSecOps and Network Security, All Together?
  • Security-as-Code with Tim Jefferson, Barracuda Networks
  • ASRTM with Rohit Sethi, Security Compass
  • Deception: Art or Science, Ofer Israeli, Illusive Networks
  • Tips to Secure IoT and Connected Systems w/ DigiCert

Industry Spotlight

How Educational Institutions can Disrupt Ransomware Attackers
Cybersecurity Data Security Endpoint Identity & Access Industry Spotlight Network Security Security Awareness Security Boulevard (Original) Social Engineering 

How Educational Institutions can Disrupt Ransomware Attackers

January 26, 2021 Tony Cole | 11 hours ago 0
Human and Software Flaws Leave Remote Workers Vulnerable
Application Security Cybersecurity Data Security Endpoint Incident Response Industry Spotlight Malware Security Boulevard (Original) Threats & Breaches 

Human and Software Flaws Leave Remote Workers Vulnerable

January 26, 2021 Alexander Ivanyuk | 11 hours ago 0
Insider Risk Threatens Digital Enterprise
CISO Suite Cybersecurity Data Security Endpoint Identity & Access Industry Spotlight Security Boulevard (Original) 

Insider Risk Threatens Digital Enterprise

January 25, 2021 Joe Payne | Yesterday 0

Top Stories

FBI to Investigate Parler, New Russian Host will be Revoked
Analytics & Intelligence Cloud Security Cyberlaw Cybersecurity Endpoint Featured Governance, Risk & Compliance Incident Response Network Security News Security Boulevard (Original) Spotlight Threat Intelligence Uncategorized 

FBI to Investigate Parler, New Russian Host will be Revoked

January 22, 2021 Richi Jennings | 3 days ago 0
Trump Hates Cloud, Because China Cyber?
Analytics & Intelligence Cloud Security Cyberlaw Cybersecurity Featured Governance, Risk & Compliance Identity & Access News Security Boulevard (Original) Spotlight Threat Intelligence 

Trump Hates Cloud, Because China Cyber?

January 21, 2021 Richi Jennings | Jan 21 0
Capitol Rioters ID’ed With Help From Dating Apps
Cyberlaw Cybersecurity Featured Incident Response Mobile Security News Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence 

Capitol Rioters ID’ed With Help From Dating Apps

January 18, 2021 Richi Jennings | Jan 18 0

Security Humor

via     the comic delivery system monikered   Randall Munroe   resident at   XKCD  !

XKCD ‘Allow Captcha’

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: info@securityboulevard.com

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • Privacy Policy
  • DMCA Compliance Statement

Other Mediaops Sites

  • Container Journal
  • DevOps.com
  • DevOps Connect
  • DevOps Institute
Copyright © 2021 MediaOps Inc. All rights reserved.
Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.