The Weekly Ink #16
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links of your own that you think would be interesting to the company, be sure to send them to firstname.lastname@example.org
Taking POODLE out for a Walk
A report published by Google this week exposed a vulnerability in SSL 3.0. Yes, SSL 3.0. You know, the version of SSL that is old enough to get a driver's license, drive down to the local Blockbuster, and rent R-Rated movies.
The vulnerability's main threat is as a tool in a MITM attack (M as in Man, not as in Malcolm). A MITM attacker could force a failed connection until a user's browser fell back to a less secure version of their SSL (the good old 3.0 version that is really enjoying its senior year of high school). It's fairly easy to trim POODLE's impact by disabling support for old SSL versions. There is also a patch to block spurious protocol downgrades on the Google Security Blog.
Check this link out for a breakdown of those initially affected.
"We're not going back to Cincinnati..."
Finally a vendor breach that none of my family members will email me about: Kmart! The Sears subsidiary is the latest in a long line of POS breaches. Krebs On Security has the story: the breach started in early September and apparently only has led to leaked card data. Kmart has assured customers that their other information is safe. Though they laud the fact that no customer Social Security Numbers were leaked, I'm more concerned that Kmart has Social Security information. Tell him Ray:
The Spice Must Flow
In the latest in malware with nerdy names that start office-wide Dune discussion, word of Sandworm has reached the media. A vulnerability affecting all currently supported Microsoft Windows versions (except Server 2003; users of that ancient OS - along with XP - are "safe"). iSight Partners and Microsoft rolled out the announcement along with a patch for the vulnerability. Sandworm is, of course, accompanied by the usual nation-hacker fanfare: Russian agents have been using the software to snoop on NATO, the Ukrainian Government, and others. Though the exploit maybe be as old as 5 years, it seems that scope of implementation has only ramped up in the past year or two.
The Snap that Smiles Back and Back and Back
Zomg, Snapchat got breached!!! Er, um wait, no. Sorry an "illegal" Snapchat impostor got breached? Or breached Snapchat by impostering? If the photo service for sharing pics with grandma was trying to get back on their feet this week, a new method for decrypting Snapchat images on Android probably was not on top of their moments list. With the app using great directory names like "bananas" and generating keys by concatenating the Android ID to the string "seems legit...", Snapchat is not necessarily building with security in mind. Which is important to remember when you're taking photos of your banana: