The Weekly Ink #19
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.
Silk Road 2.0 Owner Couldn't Buy a Clue
Blake Benthall was arrested this week on suspicion of being the operator behind the lazily named Silk Road 2.0. Like its predecessor, SR2 specialized in a fine selection of illegal activities. Unlike some criminal cases, this one looks like a bit of a slam dunk for the FBI, given the work they did to pin this guy down as the owner.
Notably, Mr. Benthall decided to use his home network, personal machine, and personal e-mail address to sloppily handle actions related to hosting the site and moving its money. Further, just to, you know, "lay low", he made a $70K down payment on a Tesla Model S in Bitcoin. While everyone is innocent until proven guilty in a court of law, this dude apparently confessed to the fuzz as soon as he was read his rights. I wonder if he will get leniency for contributing to open-source software?
Newly Reported Apple Malware Actually "Thinks Different"
While most Apple malware stories bore me to tears, Palo Alto researchers have briefly changed that with their paper on "WireLurker". By leveraging enterprise provisioning profiles and automatically generating malicious apps, WireLurker is able to infect iOS devices, even ones that aren't jailbroken. It should also be noted that the third-party Chinese Maiyadi app store has carried over 450 infected applications in the past six months, with hundreds of thousands of downloads! If malware samples are your thing, you've already got some code to play with.
It's worth remembering that if you're plugging into a Mac you don't own, select "Don't Trust" when prompted. Further, never allow a provisioning profile to be installed on your device unless it comes from your employer. Oh, and lastly, don't jailbreak: the upsides definitely don't outweigh the downsides.
If You Thought WPS Sucked Before, D-Link Has Set a New Bar
Wi-Fi Protected Setup (WPS) makes it easier for your average home user to set up a secure network by taking away all of that passphrase typing and stuff. Unfortunately, there have been a few issues with that over the years (surprise, surprise), and now D-Link has felt like upping the ante.
Recent research published by the /dev/ttyS0 folks has shown that D-Link figured the unit's MAC address, run through some bit munging, would be a fine way to generate the WPS PIN that is normally just stored in NVRAM. Why is this a problem, you may ask? Since the BSSID can be seen with simple Wi-Fi inspection tools, knowing how the PIN is computed from it yields said PIN. It's OK, though, there are only 22 D-Link devices impacted by this -- wait, what?! Call it junk hacking, but the /dev/ttyS0 team is doing some awesome work exposing seriously flawed logic by engineers in the embedded world.
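To make the flaw concrete, here is an added example (my own code, not /dev/ttyS0's research tooling or D-Link's firmware). The XOR constant and shift inside derive_pin() are assumed placeholders standing in for the vendor's "bit munging"; only the shape matters: a publicly broadcast BSSID goes in, a valid-looking WPS PIN comes out. The checksum digit is the real one every eight-digit WPS PIN carries per the WPS specification, and the BSSID below is a constructed sample.

```python
import re
import secrets

# Added example: why a WPS PIN computed from the BSSID is as good as public.
# derive_pin()'s mixing step is an ASSUMED stand-in, not the real vendor code.


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN (WPS spec algorithm)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True when an 8-digit PIN's last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def nic_from_bssid(bssid: str) -> int:
    """Low 24 bits of a MAC such as 'c0:a0:bb:11:22:33' (the per-unit part)."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}", bssid):
        raise ValueError(f"not a MAC address: {bssid!r}")
    return int(re.sub(r"[:-]", "", bssid), 16) & 0xFFFFFF


def derive_pin(bssid: str) -> str:
    """MAC-derived PIN. The XOR constant and shift are ASSUMED stand-ins for
    the vendor's bit munging; the output is always a checksum-valid PIN."""
    x = nic_from_bssid(bssid) ^ 0x5A5A5A
    x ^= (x & 0xF) << 12
    pin7 = x % 10_000_000
    return f"{pin7:07d}{wps_pin_checksum(pin7)}"


def random_pin() -> str:
    """What sane firmware does: a per-unit random PIN stored in NVRAM."""
    pin7 = secrets.randbelow(10_000_000)
    return f"{pin7:07d}{wps_pin_checksum(pin7)}"


class AccessPoint:
    """Minimal registrar: it broadcasts its BSSID and secretly holds its PIN."""

    def __init__(self, bssid: str, pin: str):
        self.bssid = bssid
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> bool:
        self.attempts += 1
        return wps_pin_valid(pin) and pin == self._pin


def attack(ap: AccessPoint) -> bool:
    """The attacker only sees the BSSID, so the single guess is derive_pin(bssid)."""
    return ap.try_pin(derive_pin(ap.bssid))


if __name__ == "__main__":
    bssid = "c0:a0:bb:11:22:33"  # constructed sample BSSID
    flawed = AccessPoint(bssid, derive_pin(bssid))
    sane = AccessPoint(bssid, random_pin())
    print("MAC-derived PIN cracked on first try:", attack(flawed), flawed.attempts)
    print("Random PIN cracked on first try:", attack(sane), sane.attempts)
```

The classic WPS online attack already cuts the keyspace to roughly 11,000 guesses because the protocol confirms each half of the PIN separately; a PIN derived from the BSSID reduces that to one guess with no active probing at all, and note that the OUI is ignored entirely, so only the 24 NIC bits ever feed the PIN.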
Google's Making Sure You "Do No Evil" with SSL/TLS
With perhaps one of the largest pokes-of-fun in human history, Google recently released "nogotofail", a clear jab at Apple's earlier "gotofail" bug. The tool helps expose misconfigurations and weaknesses in SSL/TLS implementations. As if giving us POODLE and basically forcing folks to finally kill off SSLv3 wasn't enough, Google has now given developers an easy way to know whether they're going to get yelled at during next quarter's risk assessment.
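nogotofail does its work on the network, sitting between client and server, so as an added example (my own code, not Google's tool) here is the same class of problem checked locally: a Python client SSLContext configured the "just make the error go away" way, the hardened version beside it, and an audit function that flags what a MITM tester would exploit. The checks and their wording are this example's own choices, not nogotofail's rules.

```python
import ssl
from typing import List

# Added example: audit a client-side ssl.SSLContext for the misconfigurations
# a MITM tester would catch at runtime. Checks are this example's own choices.


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The config that silences certificate errors: any MITM cert is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # talk anything the lib speaks
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the chain and the hostname, and refuses pre-TLS 1.2 negotiation."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

A client that passes the audit can still be broken by a bad trust store or a pinned-but-expired certificate, which is exactly why a runtime tester that actually presents forged certificates is worth running in addition to a static config review.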