The Weekly Ink #11
##THE WEEKLY INK## The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.
Banks, Celebrities, and Home Improvement: Is Nothing Sacred Anymore?
If you were lucky enough to be enjoying the last few days of summer away from computers, you may have missed that all of the things you once loved have been compromised – or so it feels.
With the announcement that JPMorgan Chase was breached late last week, it was feared that other financial institutions had also been compromised. The latest news, however, is that those worries may have been unfounded which is relieving news to everyone except, well, JPMorgan. So fear not, general banker population, you may return back to your lavish beach houses and continue doing whatever it is rich people do on vacation.
Now onto a topic everyone won't admit they are concerned with: celebrity photos. It appears that via some brute-force attacks against an Apple API that didn't rate-limit potentially coupled with a lack of "two-step verification" on iCloud backups, creeper criminals were able to steal a bunch of celebrities' private photos. It's too soon to say exactly who did this, but based on the number of celebrities that have been impacted, we're going to guess the FBI won't be letting up anytime soon. Considering the person who hacked Paris Hilton's "Sidekick" a decade ago got 11 months in a juvenile facility, we're going to bet whomever gets arrested for this situation is going to really wish they had just used images.google.com for their amusement instead.
And last, but definitely not least, Home Depot is reported to have been breached. Think Target was bad? Well, there's around 33% more Home Depot stores and this breach may have lasted months. However you spin that math, it's not a good situation. Be sure to keep an eye on Brian Krebs' web site to inform you which of your beloved brick-and-mortar purchases you should be regretting next. This seems like a perfect time to tell your significant other that the only reason you have to get a new credit card is because they insisted you do landscaping.
Robots Indexing this Post, Tell Your Cousins to Beware the FTC
In a great example of the government actually helping its citizens, the FTC held a competition during the DEF CON security conference last month to improve mechanisms for hindering robocalls. In a direct example, the FTC understands how to work with hackers; they gave away prize amounts of $3,133.70 and $1,337 to appease their target participant. For more details on this success of an idea, check their Zapping Rachel site.
In what's definitely one of my favorite exploits of late, Thomas Hibbert posted a clever way of grabbing root on a number of F5's BIG-IP models. By leveraging an unauthenticated rsync for administrative needs, an attacker can write an authorized_keys file onto the device and enable their private key to give them root access. This is a good time to remember that despite an interface's best intentions, disable or heavily restrict traffic to any service that can actively read/write data to a device. On the upside, if you ever lock yourself out of this device...
It's Not a Bug, It's... a Breach!
Today's reminder that passwords should be random, unique, and reasonably hard to crack, Bugzilla's test build server leaked out about 97,000 sets of credentials used with the site. The passwords were apparently stored as salted hashes, which is certainly better than most web application password storage, but it's a good idea if you had an account with that password to purge its usage on any other accounts. We'd obviously recommend some of that two-factor authentication people keep talking about for the next time someone leaves a database export of your credentials sitting on the Internets for a month.