The Weekly Ink #4
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.
Adam is Principal Security Architect at Duo Security, where he is responsible for leading Duo's security engineering practice. He has spent nearly a decade building secure systems, protocols, and culture (and occasionally veering into security research) at a variety of start-ups.
tl;dr: Duo’s cloud service was fully patched and protected against Heartbleed within hours of the vulnerability being publicly disclosed.
Earlier this year, we wrote about how any Google Application Specific Password (ASP) could be used to bypass 2-Step Verification. Although Google issued a fix to prevent account compromise, your ASPs can still be used to do almost anything else with your Google account.
Attackers were once able to bypass Google's two-step verification to gain account control by capturing a user's application-specific password (ASP).
Following our last post on the basicConstraints vulnerability in Apple's iOS certificate validation, we developed a proof-of-concept app that implements a better workaround, with some help from OpenSSL.