Best of 2013: Duo Security’s Year of Excellence in InfoSec
As we ring in the new year, it’s the perfect time to look back at Duo Security’s most notable 2013 milestones. The following posts chronicle one great year in information security, from shipping a fix for a major Android vulnerability, to attending the top hacker conventions, to signing on a major social media giant, and more. We’d like to give three cheers to our awesome year in 2013, and here’s to many more!
In February, we discovered a way to gain full control over a Google account while completely circumventing Google’s two-step verification. After we reported our findings to Google’s security team, they responded with changes of their own to mitigate the most serious of the threats. Find out what we found, including some very technical details on Google’s auto-login mechanism and Application-Specific Passwords, in Bypassing Google's Two-Factor Authentication.
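The design point behind that finding, modelled here as an added example that is not Duo’s or Google’s code: a credential that skips the second step (an application-specific password, issued for one non-browser protocol) must never be exchangeable for a session that a second-step login would have protected. The account data, signing key, token format and the two session endpoints below are constructed for the demo; the weak endpoint keys the grant on “is this a valid token for the account”, the hardened one on “did this authentication actually perform the second step, and was it scoped to the web”.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo state: a server-side signing key and one account with a
# password plus one application-specific password (ASP) issued for IMAP only.
SIGNING_KEY = b"constructed-demo-signing-key"
ACCOUNTS = {
    "alice": {
        "password": "correct horse battery staple",
        "asps": {"abcd efgh ijkl mnop": "imap"},
    }
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(claims: dict) -> str:
    """Compact HMAC-signed token: base64(json claims).base64(mac)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def _verify(token: str) -> dict:
    """Check the MAC in constant time, then decode the claims."""
    body, mac = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), mac):
        raise ValueError("bad token signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def login(user: str, secret: str, otp_ok: bool = False) -> str:
    """Authenticate with either the account password (second step required)
    or an ASP (no second step) and return a signed token. The token records
    how authentication happened ('amr') and what it is good for ('scope')."""
    acct = ACCOUNTS[user]
    if hmac.compare_digest(secret, acct["password"]):
        if not otp_ok:
            raise PermissionError("second factor required")
        return _sign({"sub": user, "amr": ["pwd", "otp"], "scope": "web"})
    protocol = acct["asps"].get(secret)
    if protocol:
        return _sign({"sub": user, "amr": ["asp"], "scope": protocol})
    raise PermissionError("bad credentials")


def web_session_vulnerable(token: str) -> str:
    """Weak design: any validly signed token for the account is exchanged for
    a full browser session, so an ASP, which never saw a second factor,
    becomes a two-step-verification bypass."""
    claims = _verify(token)
    return f"session:{claims['sub']}"


def web_session_hardened(token: str) -> str:
    """Fixed design: a browser session is only minted from an authentication
    that actually performed the second step and was scoped to the web."""
    claims = _verify(token)
    if "otp" not in claims["amr"] or claims["scope"] != "web":
        raise PermissionError("credential not eligible for a web session")
    return f"session:{claims['sub']}"


if __name__ == "__main__":
    asp_token = login("alice", "abcd efgh ijkl mnop")
    print("vulnerable endpoint:", web_session_vulnerable(asp_token))
    try:
        web_session_hardened(asp_token)
    except PermissionError as e:
        print("hardened endpoint:", e)
```

The fix is not “make ASPs stronger”; it is to carry the authentication method into every token and have the sensitive endpoint check it, so a credential issued for IMAP cannot be laundered into a browser session.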
The U.S. Federal Trade Commission enlisted Duo’s CTO, Jon Oberheide, to participate in a forum on mobile security, held June 4. With the help of many other top technology researchers, academics and industry leaders, the FTC hosted a public forum on the potential threats to U.S. consumers, as well as solutions. Not only did the forum work to inform consumers and businesses alike, but also served as a way for the Commission to learn about the current mobile security environment.
Read more on Jon’s perspective as he details the process of vulnerability reporting, business complexity’s impact on security, the mobile software provider’s ecosystem, mobile malware attack models and more in the FTC’s official transcription of the panel discussion in Mobile Security Forum: Potential Threats and Solutions (PDF).
This year’s B-Sides lineup of speakers was as exciting as ever, with topics ranging from building Capture the Flag competitions, to malware research, to hiring penetration testing vendors. B-Sides, more than any other series of security events, makes a point of giving new and up-and-coming security researchers a chance to present in a friendly and supportive environment.
Duo Security was excited to be back this year sponsoring and speaking, with Duo’s Security Evangelist Mark Stanislav discussing on a panel the process of hiring a well-qualified penetration tester. While penetration testing may seem like just another box to be checked in the world of security assessments, there can be a large gap between what a penetration test actually delivers and what a company actually needs to have done.
The purpose of the talk was to get the audience thinking not only about what type of security assessment should be done, but also about how to determine that the work is being handled with the appropriate skill, focus and ethical treatment. Read more about Mark’s talk in Penetration Testing and Two Factor Authentication.
In July, Duo Security and NEU SecLab teamed up to develop a mobile app that protects Android users from the Android Master Key vulnerability, initially identified by Bluebox as:
A vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. - Jeff Forristal, Bluebox CTO, Uncovering Android Master Key That Makes 99% of Devices Vulnerable
A common complaint against the Android platform is the control that carriers have when it comes to managing updates, especially ones related to security vulnerabilities. This control can cause a gap in protection for many consumers while carriers go through their often lengthy process to provide fixes for known issues that could allow for attackers to compromise user data or install malware.
Due to the scope of this issue and the potential for a user’s phone to become completely compromised by an attacker leveraging this vulnerability, Duo Security and Northeastern University’s SecLab quickly collaborated to provide a solution to the masses. ReKey is a mobile app that users are able to download and run that will provide protection from the Android Master Key vulnerability. Watch a video and find out how to download it in our blog post.
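As an added example (not code from Duo, Bluebox or the ReKey project), the script below illustrates the class of defect the Master Key bug belongs to and the check a practitioner can run against an APK before trusting it. Public analyses of the bug attributed it to duplicate entry names inside the APK’s ZIP container: one Android component verified one copy of an entry while another component extracted the other, so the signature check said nothing about the code that actually ran. The APK below is a constructed stand-in with no real manifest or META-INF signature files, and the two disagreeing consumers are modelled with Python’s zipfile module rather than Android’s own parsers.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample APK-like ZIP. With duplicate=True it carries two
    entries named classes.dex: the first copy is the attacker's, the second
    is the original. (Manifest and META-INF signature files are omitted;
    the duplicate-entry check below only needs the central directory.)"""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\0MALICIOUS")  # first copy
            zf.writestr("classes.dex", b"dex\n035\0ORIGINAL")  # last copy
    return buf.getvalue()


def read_first_copy(apk: bytes, name: str) -> bytes:
    """Consumer A: takes the first central-directory entry with this name
    (the behaviour of a parser that stops at the first match)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        info = next(i for i in zf.infolist() if i.filename == name)
        with zf.open(info) as f:
            return f.read()


def read_last_copy(apk: bytes, name: str) -> bytes:
    """Consumer B: builds a name -> entry map in which a later duplicate
    overwrites an earlier one (the behaviour of a HashMap-style index)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        index = {i.filename: i for i in zf.infolist()}  # last write wins
        with zf.open(index[name]) as f:
            return f.read()


def duplicate_entries(apk: bytes) -> list:
    """Names that appear more than once in the central directory. Any hit
    means two consumers can disagree about a file's contents, so a signature
    check on one copy says nothing about the copy that gets executed."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(i.filename for i in zf.infolist())
    return sorted(n for n, c in counts.items() if c > 1)


def verify_and_load(apk: bytes, name: str) -> bytes:
    """Hardened loader: refuse the archive outright if any name is duplicated;
    otherwise the copy the verifier saw is the only copy there is."""
    dups = duplicate_entries(apk)
    if dups:
        raise ValueError(f"duplicate ZIP entries, refusing to load: {dups}")
    return read_last_copy(apk, name)


if __name__ == "__main__":
    apk = build_sample_apk(duplicate=True)
    print("verifier sees:", read_last_copy(apk, "classes.dex"))
    print("loader runs:  ", read_first_copy(apk, "classes.dex"))
    print("duplicates:   ", duplicate_entries(apk))
```

The same parser-differential pattern shows up whenever a signed container is parsed twice by different code paths; rejecting ambiguous input before verification, as verify_and_load does, is cheaper and safer than trying to make every consumer agree on which copy wins.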
Duo Security attended DEFCON this year, one of the world’s largest hacker conventions, held annually in Las Vegas.
What is Operation Gatorfetti? According to Regis Wakefield of Duo Security:
The plan is simple in theory. After the applause begins following Peiter “Mudge” Zatko’s DEFCON talk, rush the stage, hand Mudge a trophy and tell him to “hold his breath,” as they dump a Gatorade cooler full of confetti on his head. Simple, in theory. We had assembled the “Mudge Squad,” a motley crew of Cyber Fast Trackers and Mrs. Mudge herself, all wearing bright green WWMD (What Would Mudge Do?) shirts in the front row to assist in carrying out the operation.
And who’s Mudge? Wikipedia says:
Peiter C. Zatko, better known as Mudge, was a member of the high-profile hacker think tank the L0pht, as well as the long-lived computer and culture hacking cooperative the Cult of the Dead Cow. In 2010, Mudge accepted a position as a program manager at DARPA where he oversaw cyber security research. Mudge now works for Google in Motorola's Advanced Technology & Projects division.
Mudge was one of the first people from the hacker community to reach out and build relationships with government and industry. In demand as a public speaker, he spoke at hacker conferences such as Defcon and academic conferences such as USENIX.
Find out more about Duo’s experience at DEFCON in Three Life Lessons from DEFCON 21 and The Innocents Abroad - 14 Observations on DEFCON 21 from Duo Interns.
Our team survived another fun year at GrrCON in downtown Grand Rapids, Michigan! We had an amazing time, met a lot of Duo fans, and gave out copious amounts of swag.
What is GrrCON?
GrrCON is an information security and hacking conference put together to provide the community with a venue to come together and share ideas, information, solutions, forge relationships, and most importantly engage with like-minded people in a fun atmosphere without all the elitist “Diva” nonsense. We bring together the CISO, the hacker, the security practitioner, and the researcher in a one-of-a-kind experience you CANNOT get elsewhere.
We provide three+ presentation tracks, in-con workshops, pre-con training, and a solutions arena to ensure you get the most out of the event. Come join the conversation. - GrrCON.com
Check out our photos from GrrCON 2013!
Facebook’s security team presented their internal security challenges and solutions at Purdue University, including an overview of Facebook’s deployment of Duo Security to provide two-factor authentication protecting the company’s engineers, company data and source code. During their hour-long presentation the presenters gave thoughtful insight into the security culture of Facebook and how it led them through the evaluation and implementation decisions of their two-factor authentication deployment.
More recently, the Payment Card Industry Data Security Standard (PCI DSS) updated its requirement for two-factor authentication in version 3.0 of the standard, which is relevant to anyone who stores, processes or transmits cardholder data.
As in PCI DSS 2.0, the core requirement related to two-factor authentication is still 8.3. Since 2.0, however, the PCI Council has split and refined the testing procedures for this requirement. Find out more, and how it affects your organization’s IT security, in our blog post.
Finally, we rolled out our two-factor authentication Editions for small, medium and large enterprises. We launched two revamped editions of Duo Security’s solution, while keeping our free-for-life Personal Edition available to all users.
Duo’s Business Edition is designed to provide affordable security for small and mid-sized businesses on a budget, at just $1/user/month, while Duo’s Enterprise Edition offers advanced management features for larger and more sophisticated deployments. Find out more about our features and editions in our blog post, or visit our Product Tour for details on the benefits of our enhanced two-factor authentication solution.
Note: As of 1/1/2017, Duo no longer offers the Business Edition. Please visit our Pricing page to view our latest editions.