The Weekly Ink #20
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links of your own or photos of your cats that you think would be interesting to the company, be sure to send them to firstname.lastname@example.org
My Cat's Name: hunter2
Jeremy Hammond, currently serving a sentence expiring in 2020 stemming from a 2013 conviction over his hacking of StratFor, apparently didn't have time to think of a good password for encrypting his hard disk prior to being raided by the feds. Adding more support to my beliefs that the majority of technology professionals suffer from toxoplasmosis, Hammond apparently chose the password "Chewy 123", the name of his pet cat, for his encryption password.
The StratFor hack was notable for releasing on Wikileaks tons of strategic company communications, both internally and between StratFor and its clients, that suggested a global trend of intelligence community infiltration, observation, collusion, corruption, and bribery targeting whistleblowers, political activists, foreign governments, and corporations for political and fiscal gain.
SSL/TLS Libraries Are Hard, Let's Go Shopping
Yet another vulnerability in an SSL/TLS library has been found by researchers. The love has now spread to Microsoft, whose Schannel SSL/TLS implementation was unaffected by previous bugs like OpenSSL's Heartbleed or the GnuTLS remote code execution vulnerability. On Patch Tuesday, Microsoft released a massive batch of 16 security fixes and 60 other bug fixes.
Microsoft joined other organizations in the Core Infrastructure Initiative, which is an industry-wide initiative aiming to support and improve the open source technologies that run the web. Unfortunately, Schannel is not open source (though Microsoft has recently made a splash with their announcement of open source, cross-platform .NET) and would appear not to fall under the purview of the initiative. Additionally, even if the software implementation is "secure" it doesn't mean we're safe from attacks like POODLE which abused a padding oracle inherent in the cryptographic algorithm behind SSLv3.
Hackers Go Postal on USPS
Customers of retailers aren't the only ones who should be concerned about their personal information being found and leaked. More than 800,000 current and former USPS employees (and 2.9 million customers!) have apparently had their information exfiltrated from the government agency's servers. USPS took down their VPN and suspended telecommuting in response, having found evidence that the VPN was vulnerable to compromise. The leaked information contained social security numbers, names, addresses, dates of employment and other information – the agency says it doesn't suspect any credit card data was stolen. Furthermore, they suggest that affected customers don't need to take any steps to protect themselves, but I still find it discomforting: the stolen data could definitely aid in phishing attacks and identity theft.
Various industry analysts have suggested Chinese government-sponsored hackers are to blame for the attack. The USPS and FBI, who are leading the investigation, have as of yet not made any statement on the suspected perpetrators but there is a history of suspected Chinese government-sponsored intrusion into US systems.
Security Surprise: Shady Services Shown STARTTLS Stripping
Furthering the public perception of communications service providers as shady, greedy jerks who will interfere with your traffic for profit or in the name of "security", the EFF recently discovered evidence that major ISPs are stripping the STARTTLS flag from emails. This abuses a flaw in the way STARTTLS works, in that the STARTTLS flag itself is unencrypted and modifiable by a man-in-the-middle, thus allowing the ISPs to degrade email traffic between MTAs across their networks to use unencrypted rather than encrypted connections.
The EFF has backed an initiative called STARTTLS Everywhere which would essentially be a list of mail servers and their TLS preferences, so a source MTA server can know in advance if it should only accept TLS connections to the target MTA server and disregard any attempts at degradation.