The Weekly Ink #17
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links of your own that you think would be interesting to the company, be sure to send them to firstname.lastname@example.org
"How To Brick Your FTDI In One Minute Or Less"
I can't imagine many people really like the idea of knock-off goods, but FTDI has decided to demonstrate its disdain for counterfeit FTDI clones by deliberately "bricking" them (read: making them unusable). The manufacturer, known for its popular USB-to-serial chips (present in a gazillion devices and used by hackers, makers, security pros, and everyone in between...and then some), released an updated driver via Windows Update that kills any knock-off FTDI-like device by rewriting the chip's EEPROM: the driver zeroes the device's USB product ID, so the operating system no longer recognizes it as an FTDI part at all. Nothing on the counterfeit is physically damaged, but until someone reprograms that ID the adapter is dead weight.
Suffice it to say, this has led to some serious backlash. Still, as ZDNet also reports, FTDI acknowledges the whole debacle but seems to steadfastly refuse to apologize. Thanks, but I'll stick to my Luuuunix VM for FTDI device fun...at least as long as this patch stays away.
Internet of Tragedies
Our friends over at Xipiter have been slicing through embedded and IoT devices like hot knives through butter -- and sharing their findings. In the second post in their "Insecurity of Things" series, the team details their methodology (and results) for attacking a "smart home controller", a device that allows the owner (or 0wner ;>) to set various schedules for things like lights, HVAC, and so on (think Nest, X10, etc.). While their full-scope approach (hardware, software, network services, and everything else) is interesting and explained well, the results aren't terribly comforting -- tl;dr: complete 0wnage of the device. Additionally, Xipiter released their accompanying IoT attack tool, idIOTic.
For anyone interested in IoT or embedded stuff, this is a good read and it'll definitely be interesting to see what else Xipiter has in store!
(FWIW, Xipiter is a research partner with BuildItSecure.ly, a small but growing consortium of researchers and vendors partnering to help improve the security around the "Internet of Things")
Pulling some strings(1)
Without a doubt, the strings utility is one of the single most valuable tools in the arsenal of system administrators, reverse engineers, malware analysts, and more. Unfortunately, the GNU version of strings suffers from a case of "bugs", as lcamtuf (Michal Zalewski) points out. Specifically, the culprit is libbfd, the object-file library that strings shares with the other GNU binutils tools: by default strings hands its input to libbfd to find the loadable sections, so a malformed ELF, PE or other object header gets parsed by libbfd before a single string is extracted, and every bug in that parser becomes attack surface shared across the whole toolchain. To wit, and to steal^Wborrow lcamtuf's own advice: "don't run 'strings' on untrusted files!" If you must, run it as strings -a, which scans the raw bytes of the whole file and never hands it to libbfd.
(As an aside, one "funny"/unsettling observation from lcamtuf's post: "Many Linux distributions ship strings without ASLR, making potential attacks easier and more reliable". Hehhhhh.)
How Do I Shot Web (Security Headers)?
I'm a big fan of the "Security Headers" reports that Veracode puts out, and, per usual, the October 2014 report delivers some great data on the state of security-pertinent HTTP headers and their adoption. While summarizing the report would be an injustice to the work itself, some notable points are that Content Security Policy adoption is up overall (350 -> ~800 of the top 1,000,000 websites for Chrome, and about 800 for Firefox), as is Access-Control-Allow-Origin (jumping by 2,000 sites to nearly 10,000 total). Isaac Dawson, the main brains behind the report, also notes that many headers continue to be used incorrectly, with sites often setting values that negate the control's effectiveness: a header that is present but invalid or self-defeating counts as adoption in a crawl while providing no protection in a browser.
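Since "present but negated" is the trap the report warns about, here is an added example (not code from Veracode's report or from the newsletter) of a small checker that takes a response's headers and flags values that defeat the control they belong to. The weakening patterns it looks for, such as a CSP script source of '*' or 'unsafe-inline' with no nonce or hash, an HSTS max-age of 0, an X-Frame-Options value browsers do not recognize, and a wildcard Access-Control-Allow-Origin combined with Allow-Credentials, are the editor's own choices drawn from how those headers are specified, not findings quoted from the report. The two responses it checks are constructed.

```python
"""Flag HTTP security headers whose values negate the control.

Added example, not from the Veracode report. The checks encode how browsers
treat each header; the sample responses below are constructed.
"""
from typing import Dict, List

# Controls that should normally be present; CORS is opt-in, so it is not listed.
EXPECTED = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)


def _csp_issues(policy: str) -> List[str]:
    """Flag script sources that make a CSP decorative rather than protective."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    scripts = directives.get("script-src", directives.get("default-src"))
    if scripts is None:
        return ["no script-src or default-src: script loading is unrestricted"]
    issues = []
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in scripts
    )
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        issues.append("'unsafe-inline' without a nonce or hash: inline script injection is not blocked")
    if "*" in scripts:
        issues.append("script source '*': any origin may supply scripts")
    if "'unsafe-eval'" in scripts:
        issues.append("'unsafe-eval' permits string-to-code execution")
    return issues


def _hsts_issues(value: str) -> List[str]:
    """HSTS with max-age=0 clears the entry; without max-age it is ignored."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return [] if int(val) > 0 else ["max-age=0 clears the HSTS entry instead of setting one"]
            except ValueError:
                return [f"max-age value {val!r} is not an integer; the header is ignored"]
    return ["no max-age directive; the header is ignored"]


def check_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {header: [issue, ...]} plus a 'missing' list of absent controls."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    report: Dict[str, List[str]] = {"missing": [n for n in EXPECTED if n not in h]}
    if "content-security-policy" in h:
        report["content-security-policy"] = _csp_issues(h["content-security-policy"])
    if "strict-transport-security" in h:
        report["strict-transport-security"] = _hsts_issues(h["strict-transport-security"])
    if "x-frame-options" in h:
        v = h["x-frame-options"].upper()
        valid = v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM ")
        report["x-frame-options"] = [] if valid else [f"{v!r} is not a valid value; browsers ignore it"]
    if "x-content-type-options" in h:
        v = h["x-content-type-options"].lower()
        report["x-content-type-options"] = [] if v == "nosniff" else [f"{v!r} is not 'nosniff'; MIME sniffing stays enabled"]
    if "access-control-allow-origin" in h:
        v = h["access-control-allow-origin"]
        issues = []
        if v == "*":
            issues.append("wildcard origin: any site may read this response; fine only for public data")
            if h.get("access-control-allow-credentials", "").lower() == "true":
                issues.append("wildcard plus Allow-Credentials: true is rejected by browsers; credentialed CORS silently fails")
        elif v == "null":
            issues.append("'null' origin is produced by sandboxed iframes and data: URLs; treat as untrusted")
        report["access-control-allow-origin"] = issues
    return report


def has_issues(report: Dict[str, List[str]]) -> bool:
    return any(report.values())


# Constructed responses, not captured from any real site.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; style-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, resp in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, check_headers(resp))
```

The WEAK response would look fully "adopted" to a crawler counting header names, yet every control except X-Content-Type-Options is either ignored by the browser or explicitly disabled; that gap between presence and effect is what the report's per-header breakdown measures.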