POODLE and LogMeIn: What You Need to Know

The security community recently identified a new vulnerability in the SSLv3 protocol, known as POODLE (Padding Oracle On Downgraded Legacy Encryption). This article helps you understand POODLE and the steps you should take to protect your systems. We also discuss steps we are taking at LogMeIn to protect you against POODLE and similar vulnerabilities now and into the future.

Are LogMeIn Products vulnerable?
The latest versions of LogMeIn products and services are not impacted by POODLE. Since the vast majority of our customers receive auto-updates, most users can rest assured that they are protected against such attacks. We’ve included the latest version numbers below and have provided an easy way to check your version and update if required.

How about your browser?
It’s important to understand that only the older SSLv3 protocol is vulnerable. Most modern browsers support protocols other than SSLv3, so unless you are using Internet Explorer 6 (IE 6), you’re in good shape. If you are using IE 6, we strongly recommend that you upgrade to Internet Explorer 7 (or above) or choose an alternative browser, such as Firefox, Opera or Chrome.

Use this third-party service to check your browser for vulnerability: https://www.poodletest.com/

If you remain on IE 6, keep in mind that IE 6 is NOT SUPPORTED and you will experience problems:

  • From any LogMeIn website, you will receive the following message:  “Internet Explorer cannot display the webpage”
  • When attempting to use the LogMeIn Client, you will be unable to log in or connect

But there’s a slight catch…
Even modern browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. So even when both sides of the connection support newer, more secure protocols, an active man-in-the-middle POODLE attack can use this one-sided weakness to downgrade the connection to SSLv3 and then exploit that protocol’s vulnerability to gain access to the encrypted connection.

And a solution!
If either side of the connection explicitly disallows SSLv3 then the vulnerability cannot be exploited.

  • As a browser user, it’s best to disable SSLv3 in your browser. This will actually be done for you in the next versions of most popular browsers, such as Firefox and Chrome.
  • As someone running a webserver (like LogMeIn), the best thing to do is totally disable SSLv3 on the server side. And that’s just what LogMeIn will do. To ensure security of all users, we will disable SSLv3 support on our webservers starting today (20th October). The only small downside to this change is that anyone still using Internet Explorer 6 (which does not support the latest protocols) will no longer be able to communicate with any LogMeIn websites.
  • Going above and beyond what’s needed to respond to POODLE, we will disable SSLv3 support on all other servers in the coming weeks. This will impact all older versions of LogMeIn products: after this update, only the versions listed below (or newer) will be able to access LogMeIn services.

Additional detail about how POODLE works
POODLE represents a broad vulnerability that can potentially allow an attacker to gain access to the contents of encrypted communications. As discussed above, browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. By simulating a failure when establishing a connection to a server, an adversary can trick a browser and server into renegotiating their connection via an older protocol (SSLv3). Since the POODLE vulnerability is inherent to the protocol itself, not the server, the problem cannot be patched out like ShellShock and HeartBleed.
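
The fallback behavior and the fix described above can be followed in a small model. This is an added example, not LogMeIn code and not a TLS implementation; the function names, the version list and the `interference` flag are assumptions made for illustration.

```python
# Toy model of protocol-version negotiation with client-side fallback.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest
ALL = set(ORDER)
NO_SSL3 = ALL - {"SSLv3"}


def handshake(client_max, client_allowed, server_allowed):
    """One attempt: the server picks the newest version both sides allow
    that does not exceed the version the client offered."""
    limit = ORDER.index(client_max)
    common = [v for v in ORDER[: limit + 1]
              if v in client_allowed and v in server_allowed]
    return common[-1] if common else None


def connect(client_allowed, server_allowed, interference=False, fallback=True):
    """The client offers its newest version first and, when fallback is on,
    retries with progressively older ones. `interference` models an on-path
    party that makes every attempt above SSLv3 look like a failure."""
    offers = sorted(client_allowed, key=ORDER.index, reverse=True)
    if not fallback:
        offers = offers[:1]
    for offer in offers:
        if interference and offer != "SSLv3":
            continue  # this attempt appears to fail, so the client retries
        version = handshake(offer, client_allowed, server_allowed)
        if version is not None:
            return version
    return None  # no connection is established


if __name__ == "__main__":
    print("no interference:       ", connect(ALL, ALL))
    print("interference, both old:", connect(ALL, ALL, interference=True))
    print("browser disables SSLv3:", connect(NO_SSL3, ALL, interference=True))
    print("server disables SSLv3: ", connect(ALL, NO_SSL3, interference=True))
```

In the model, disabling SSLv3 on either side turns a forced downgrade into a failed connection, which is why the change also cuts off clients that speak nothing newer.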

Latest LogMeIn product versions

The latest versions of LogMeIn products are NOT affected by the POODLE vulnerability. Here is a list of the latest versions, as well as instructions on how to quickly determine which version you are running and how to manually upgrade, if necessary.

  • LogMeIn Pro (LogMeIn Host v4.1.0.4408 and above on Windows or v4.1.0.4405 and above on Mac)(LogMeIn Client version 1.3.422 for Windows and 4.1.4587 for Mac) – How to check
  • Rescue Technician Console, Calling Card 7.4 or newer — How to check: Technician Console Options > About LogMeIn Rescue; Calling Card Settings > About
  • Cubby 1.0.0.12648 – How to check
  • join.me 1.17.0.156 – How to check
  • RemotelyAnywhere 11.3.2821 – Latest available here
  • AppGuru – Not impacted by POODLE due to LogMeIn webserver updates
  • Zamurai – Not impacted by POODLE
  • Xively – Not impacted by POODLE due to LogMeIn webserver updates
  • Hamachi – Not impacted by POODLE
  • Backup 3.0.789 – How to check
  • Meldium — Not impacted by POODLE

 

         

Meldium App Trends, October 2014

Just like the Billboard charts for music and the Nielsen ratings for television, Meldium App Trends looks at usage data to identify popular and trending web apps each month. Each app is scored on a 100-point scale based on the number of unique people who used it, and usage is compared to the previous month. We gathered this data from an anonymized version of our comprehensive audit logs, which record every single app launch and give Meldium users a detailed trace of who is using what at their company.

The Meldium team reviewed usage data for October and found that Twitter, Mailchimp, Gmail, and AWS are gaining points in the “Top Apps” category. Trello also posts the largest gain in the “Trending Up” category.

Click here to read the full App Trends report.

         

LogMeIn Rescue to exhibit at the TSW Service Transformations conference

The LogMeIn Rescue team will be exhibiting at the TSW Service Transformations Conference on Oct 20-22 in Las Vegas. This bi-annual event takes a forward-looking and strategic approach to technology services and will empower services and other functional leaders with the information and ideas needed to help their companies compete and thrive in the new consumption economy.

The widespread adoption of both smartphones and tablets, coupled with their constant connection to social media outlets, has shifted the balance of power squarely to the customer. This ever-changing world of customer service has companies questioning what they can do to live up to the increasing expectations of their mobile customers.

LogMeIn’s Don Brass, Sr. Product Manager of Rescue, will be leading a presentation titled, “Transform the Customer Experience with Effective Mobile Engagement” on Tuesday, Oct 21 at 1:10 PM. During this session, Brass will elaborate on how to build and develop best practices to elevate the mobile customer experience. More specifically, he will cover how social media, mobile messaging and other communication channels, combined with expectations around resolution speed, are all critical factors in this evolution of support.

If you’re attending the event, be sure to attend this session and stop by our booth (#8). Hope to see you there!

         

Rescue 7.5 New User Interface is now available!

The LogMeIn Rescue team is excited to announce the immediate availability of Rescue 7.5, which features an improved user interface and new home page! This new modern look and feel offers technicians a more streamlined experience with the interface. In addition to the enhanced user interface, the new Rescue home page offers a direct information portal to Rescue technicians.

Designed with the user in mind, the new home page is where you’ll find Rescue best practices, product updates, market news, tips and tricks, and much more. Updated weekly, the home page is where you can stay up to date on what’s happening in Rescue.

Check out this short video overview for a quick demonstration:

Current Rescue users will be prompted to download this update upon logging in. Not a Rescue user? Sign up for a free trial!

         

Customer alert: New phishing emails mimic invoices, encryption update

We’ve had reports from LogMeIn customers, as well as the general public, that a couple of emails are making the rounds that mimic LogMeIn branding and are designed to look like they are coming from LogMeIn addresses. The MO looks very different (one purports to be a notification that “LogMeIn.com is moving to 1024 bit encryption from 128 bit” and the other is designed to appear as an invoice) and it’s not clear if they are coming from the same malicious source/entity. Both appear to be phishing attempts, and we want to make it clear that these did NOT come from LogMeIn.

As part of our commitment to security, we want to make sure our users and the public are aware of these specific emails, and we wanted to share what we’ve learned, as well as provide an easy way for people to identify the telltale signs of phishing attacks.

The subject lines on the emails are:

Email 1: “LogMeIn.com is moving to 1024 bit encryption from 128 bit – Update”

Email 2: “Your most recent LogMeIn invoice no. 8573984893 is attached for your review.” (please note the invoice number is likely altered per email)

Intended behavior/action:

Email 1: Tries to lure you to click on a link to a fake login page. The URL goes to a .su address, NOT logmein.com

Email 2: Tries to get you to open a .zip file attachment.

Both of these are classic red flags in phishing emails.
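
Both red flags can be checked mechanically. The following is an added example, not LogMeIn tooling: it flags links whose host is not logmein.com or a subdomain of it, and .zip attachments. The sample messages, the sender address, the reserved `.invalid` host standing in for the .su address, and the attachment name are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

TRUSTED = "logmein.com"  # genuine links should stay on this domain
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def host_is_trusted(host):
    """True only for the trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)


def triage(raw_message):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # the part is an attachment
            if name.lower().endswith(".zip"):
                flags.append("zip attachment: " + name)
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if not host_is_trusted(host):
                    flags.append("off-domain link: " + str(host))
    return flags


def build_sample(body, attachment_name=None):
    """Build a constructed sample message (not a captured email)."""
    m = EmailMessage()
    m["From"] = "LogMeIn <sender@example.com>"  # constructed sender
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"PK\x05\x06" + bytes(18), maintype="application",
                         subtype="zip", filename=attachment_name)
    return m.as_string()
```

The suffix check is deliberate: a host such as `logmein.com.example.invalid` contains the brand name but is not under logmein.com, so a plain substring match would wrongly accept it.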

What they look like:

Email 1 (text/copy):

Dear,

Because the security of your online session is most important to us , and to maintain the quality of the services offered on our website we have decided to upgrade the encryption algorithm from 128 bits to 1024 bits , and to encrypt the passwords using the MD5 algorithm.
The MD5 algorithm is undecryptable, so if anyone manages to get passed our security systems, your information will be safe. But in order to apply this new algorithm on our entire system , we require you to login over a secure connection and update the username and password of your every computer using Logmein system.
Please click on the link below to begin the update process :

<hyperlink removed for safety reasons>

After the update is complete you will be redirected to your account , and will be able to use our new encryption system.Even if you won`t notice any differences rest assured that your online session has never been safer.

Email 2 (text/copy)

Your most recent LogMeIn invoice no. 8573984893 is attached for your review.

If you have any questions regarding this invoice, please contact your LogMeIn service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Thank you for choosing LogMeIn for your business solutions.

Important: Please do not respond to this message. It comes from an unattended mailbox.

As with all suspicious emails, please don’t click on any links or open/download any attachments in these messages. We’ll update this post if we learn more, but please be sure to delete these messages if you receive them. We also recommend taking a look at our primer on how to protect yourself against phishing attacks.

         

LOGMEIN CEO MICHAEL SIMON TO SPEAK ON HOW TO TRANSFORM YOUR BUSINESS MODEL FOR A CONNECTED AGE

We are happy to announce that on Tuesday, October 21st, 2014 LogMeIn’s CEO, Michael Simon, will lead the session “How to Transform your Business Model for a Connected Age,” at the Gigaom Structure Connect conference in San Francisco, CA. Details around the session are as follows:

2014 Gigaom Structure Connect 

  • Date: Tuesday, October 21st, 2014
  • Remarks: 2:40 PM PT
  • Location: Mission Bay Conference Center, 1675 Owens Street, San Francisco, CA 94158
  • Speaker: Michael Simon, CEO
  • Moderator: Stacey Higginbotham

Register for the conference here.

For more information, please contact me at 781-897-1301 or rbradley@LogMeIn.com.

         

LogMeIn Sets Date to Announce Third Quarter 2014 Results

Today we announced that LogMeIn will report its third quarter 2014 financial results for the period ended September 30, 2014 following the close of market on Thursday, October 23rd, 2014. On that day, management will hold a conference call and webcast at 5:00 p.m. ET to review and discuss the Company’s results for the third quarter.

  • What: LogMeIn Third Quarter 2014 Financial Results Conference Call
  • When: Thursday, October 23rd, 2014
  • Time: 5:00 p.m. ET

Live Call:

  • + 1-888-505-4375 (U.S. and Canada)
  • + 1-719-325-2144 (international)
  • 5602336 (conference ID)

Replay:

Webcast:

https://investor.logmein.com/about-us/investors/events-and-presentations/webcasts/default.aspx

         

LOGMEIN CEO MICHAEL SIMON TO SPEAK ON HOW THE INTERNET OF THINGS CAN TRANSFORM BUSINESS

We are excited to announce that on Thursday, October 2nd, 2014 LogMeIn’s CEO, Michael Simon, will lead the session “Moving the Internet of Things from Hype to Business Reality,” at the Interop New York conference. Details around the session are as follows:

2014 Interop New York Conference

  • Date: Thursday, October 2nd, 2014
  • Remarks: 4:00 PM ET
  • Location: Jacob K. Javits Convention Center, 655 West 34th Street, New York, NY 10001
  • Speaker: Michael Simon, CEO

For more information, please contact me at 781-897-1301 or rbradley@LogMeIn.com.

         

LogMeIn Named ‘Best Cloud Solution’ at ASCII Success Summit in Phoenix

LogMeIn recently attended the ASCII Success Summit in Phoenix, where we were given the opportunity to speak to the event’s solution provider attendees about our newest solution, AppGuru. LogMeIn’s AppGuru gives channel partners the ability to discover and manage 3rd party cloud applications (e.g. Office 365, Salesforce & Dropbox) for their end-user customers through a single pane of glass.

During the presentation, we shared a success story from Chris Johnson, CEO of Untangled Solutions. The case study illustrated how Chris used AppGuru to solve an Active Directory/Google Apps discrepancy, discover many unauthorized file sync and share solutions running on the network, and identify network bandwidth issues for his customer. Chris’s efforts resulted in him saving the customer thousands of dollars and strengthening their relationship. Click here to read the full case study.

At the conclusion of the event, the ASCII attendees voted for the best vendors in 10 different categories, including Best Cloud Solution, Best Software Solution and Best Partner Commitment. LogMeIn was honored to receive the award for the ‘Best Cloud Solution’ product for the IT industry. We’d like to thank ASCII and all the attendees for recognizing our efforts to make intuitive cloud solutions and we look forward to closing out the ASCII 2014 season in Atlantic City on October 22-23.

If you’re a solution provider in or around the NJ area and interested in attending the ASCII Atlantic City event, please email Shannon.mayer@logmein.com to secure your free VIP pass. Passes are limited and will be distributed on a first-come, first-served basis. For more information on ASCII Success Summit events, please visit: www.asciievents.com.