The Weekly Ink #14
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links of your own that you think would be interesting to the company, be sure to send them to labs@duosecurity.com.
I'll Take a #10, No Mayo, With Extra Breach
Despite the fact that Jimmy John's may have made some sick with the Sapovirus a few months back, our credit cards are safe (at least from this breach). Unfortunately, around 216 Jimmy John's stores were breached from mid-June through early September of this year. While this wasn't a Gargantuan breach, nobody wants to look like a Turkey Tom. If only we could hit those criminal jerks with a Billy Club and keep ourselves out of a Pickle like this in the future. Wondering if your data was stolen Freaky Fast? Check out their list of impacted stores to find out if those salt & vinegar chips were worth a new credit card (of COURSE they were).
Don't Worry, I'm Sure Your WordPress Site is Totally Safe
Following on the awesome work Ryan Dewhurst and contributors have been doing over the years on WPScan, there's now an easy-to-use web site to figure out just how many of your WordPress plugins and themes are getting you owned. The WPScan Vulnerability Database site provides a web interface to the awesome data set already found in WPScan. This is a great way for everyday WordPress users to have access to data that was typically accessed through a CLI application that may have obscured it for less technical folks. Not sure if there are any good vulnerabilities in here? Well, I know of a certain issue in portable-phpMyAdmin that a super k-rad hax0r (me) found while on a penetration test a couple years ago. Thanks for the lulz, WordPress plugin coders.
What's Better Than 2 Million SSL-enabled Web Sites? How about 4 MILLION!
Since the world basically exploded with the Shellshock shenanigans last week, CloudFlare thought they'd give us the gift of transport security en masse! In what they are calling "Universal SSL," CloudFlare is enabling SSL for free and paid customers (to varying levels of end-to-end crypto) as part of their modest goal of #savetheweb. They're effectively providing SSL certificates for everyone, because, #yoloswag. If you're interested in how the hell they managed to achieve this crazy goal, check out their awesome technical write-up. It should be interesting to see their follow-up on how this deployment ended up going at scale. No matter if you've used CloudFlare before or not, you've got to respect the engineering effort, cost, and boldness to do something like this in the first place.
When You've Got 0-Day, Maybe Don't Give it to a Social Engineer
Wanting to add some new content to the web site he clearly designed in 1997, Kevin Mitnick is apparently going into the least controversial information security business possible – exploit sales! Yes, that's right, everyone's favorite 2600 charity case from a couple decades ago wants you to trust him to broker six-figure 'sploit sales because he's totally not of questionable character to lead such a venture. Alas, I'll just have to wait until I find some XSS in my buddy's hobby project so I can cash in big and totally not get ripped off.