The Weekly Ink #15
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links of your own that you think would be interesting to the company, be sure to send them to firstname.lastname@example.org
A Backdoor By Any Other Name...
Apple recently announced that, starting with iOS 8, device encryption keys are tied to the user's passcode in a way that Apple itself cannot retrieve, so it can no longer extract data from a locked device for law enforcement. Apple also described its hardware-based "Secure Enclave", which isolates the device's key handling and cryptographic operations from the rest of the system. This led to a lot of hand-wringing by law enforcement, accusations from the director of the FBI that Apple was "trying to be above the law", and a terrible Washington Post editorial calling for a "totally-not-a-backdoor way of law enforcement getting past encryption" that completely misses the point.
Thankfully, security professionals continue to point out that a backdoor by any other name is just as bad of an idea, and there’s no outward indication that Apple plans on compromising their device security to please law enforcement.
Dairy Queen Confirms Data Loss Blizzard in Backoff Breach
The Backoff malware, which the Secret Service estimates has affected over 1,000 US businesses, was confirmed to be present on Dairy Queen POS systems Thursday. The company had previously denied the presence of the malware until the Secret Service aided in their investigation.
In addition to providing free credit monitoring for a year, the company has made a list of affected stores available on their site. The perpetrators seem to favor finding publicly exposed remote desktop interfaces and brute-forcing login credentials to install their malware. Takeaway: don't expose remote desktop interfaces to the public internet unless necessary, and scan your organization's network for any such interfaces you might not know about. If remote desktop is necessary, ensure the credentials are strong, use 2FA, configure rate limits to defend against brute-forcing, and alert on bursts of failed logons from a single source.
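Spotting the brute-forcing described above in your own logs is straightforward once you have failed-logon events in hand. The script below is an added example, not code from the newsletter or from Duo Labs: it runs a sliding-window detector over a handful of constructed Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The one-line log format, the five-failures-in-sixty-seconds threshold and the sample addresses are all assumptions chosen for illustration.

```python
"""Sliding-window detector for RDP brute forcing over constructed logon events.

Added example, not part of the original newsletter. Assumes a simplified
one-line-per-event format:
    <ISO timestamp> <EventID> <source_ip> <user> <LogonType>
Thresholds and sample data are illustrative choices, not vendor defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"        # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"       # Windows Security event: an account was logged on
REMOTE_INTERACTIVE = "10"    # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample: 10.9.8.7 hammers the host with guesses, then gets in;
# 192.168.1.20 is an ordinary user who fat-fingers a password once.
SAMPLE_LOG = """\
2014-10-09T02:00:01 4625 10.9.8.7 administrator 10
2014-10-09T02:00:03 4625 10.9.8.7 admin 10
2014-10-09T02:00:04 4625 10.9.8.7 pos 10
2014-10-09T02:00:06 4625 10.9.8.7 manager 10
2014-10-09T02:00:07 4625 10.9.8.7 store01 10
2014-10-09T02:00:09 4625 10.9.8.7 Administrator 10
2014-10-09T02:00:12 4624 10.9.8.7 Administrator 10
2014-10-09T02:10:00 4625 192.168.1.20 jsmith 10
2014-10-09T02:30:00 4624 192.168.1.20 jsmith 10
"""


def parse_line(line):
    """Split one event line into a dict; raises ValueError on malformed input."""
    ts, event_id, ip, user, logon_type = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, source_ip, timestamp, detail) tuples.

    'brute_force' fires once per source IP when it accumulates `threshold`
    failed RDP logons inside `window`; 'success_after_brute_force' fires for
    any later successful RDP logon from a flagged IP, which is the event an
    incident responder actually cares about.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = set()               # source IPs already reported as brute-forcing
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue              # only remote-desktop logons matter here
        ip, ts = ev["ip"], ev["ts"]
        if ev["event"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # drop failures that have aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ts,
                               f"{len(q)} failed RDP logons within {window.seconds}s"))
        elif ev["event"] == SUCCESS_LOGON and ip in flagged:
            alerts.append(("success_after_brute_force", ip, ts,
                           f"user {ev['user']} logged in after brute-force activity"))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts, detail in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<26} {ip:<15} {detail}")
```

On a real Windows host you would feed this from the Security log (for example via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`) rather than a text blob, and note one caveat: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so a production rule should match on both. The same per-source counter is also the basis for the rate limit recommended above: once a source trips the threshold, block it at the firewall or remote-access gateway for a cooling-off period.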
Twitter Lawyers Argue for Canary Rights
Ever wonder what sort of bird the Twitter bird is? A Twitter designer claims it's close to a mountain bluebird, but in a lawsuit filed this week their aspirational status as a canary takes flight. The company says legal restrictions prevent it from exercising its First Amendment right to disclose data regarding the NSL (National Security Letter) and FISA (Foreign Intelligence Surveillance Act) requests it has received. Other companies have made similar complaints, but as yet the government has not allowed them to release more than very vague information regarding data-gathering requests.
One in Five Android Devices Targeted By Malware
Kaspersky Lab, in conjunction with INTERPOL, released an analysis of Android devices protected by Kaspersky's security products. The analysis indicates that one in five of those devices encountered malicious software during the study's timeframe. A majority of the malware was SMS Trojans, which siphon money from the victim by sending texts to premium-rate numbers, a technique that mobile malware has used for as long as anyone can remember.
Kaspersky notes that most of the attacks took place against devices in Eastern Europe, and numbers began falling in April after Russian legislation was introduced to require a confirmation from users before performing an SMS-based financial transaction. However, numbers began rising again in July. If the confirmation is delivered to the user’s phone, I’m sure there’s no way malware could fake the confirmation ;).
Here at Duo Labs, we’ve had some experience looking into Android malware; in fact we have a tool called X-Ray that allows users to scan their Android device for some known Android platform vulnerabilities.