The Weekly Ink #23
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.
Fake Malware Signed by Sony Certificates
Welp, at this point everyone is pretty familiar with the Sony hack. I heard Lex Luthor is in cahoots with Wile E. Coyote and the North Korean government, and they're finally exacting revenge for Gigli. Or at least some anonymous source told me that. Ok fine, the source was actually my cat, but journalism is hard, right?
Just a couple days ago, there were some additional discoveries related to the Sony breach, originally reported by Kaspersky. In particular, they found that a malware sample appeared to have been signed with a certificate belonging to Sony. Ruh-roh, attackers must be using the leaked code signing certs to further their attacks and protest the upcoming Blackhat film, starring Thor as a computer nerd. Panic ensues.
Or maybe not. Turns out all those leaked code signing certificates and PFX keys from the Sony breach were pretty easy to decrypt. The PFX password was guessed to be "spe_csc" (Sony Pictures Entertainment, Code Signing Certificate), not a tough guess when the filename is "spe_csc.pfx". So the enterprising researcher who guessed the PFX password decided to play some tricks and grab a malware sample from Malwr, sign it with the leaked Sony cert, and upload it to VirusTotal. Hence the freak-out.
The true backstory was revealed by a researcher named Colin Keigher, forcing journalists to hit that dreaded "Edit Post" button and add one of those "Sooooo, yeah, about that..." updates at the top of their articles.
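The practical lesson for defenders is that a signature from a leaked-but-not-yet-revoked certificate still validates, so "signed by Sony" tells you nothing about who actually ran signtool. The snippet below is an added example (not code from the newsletter or from Duo) showing one way to hunt for binaries signed by a certificate you have flagged as compromised, using the built-in Get-AuthenticodeSignature cmdlet. The thumbprint passed in the usage line is a placeholder, not the real thumbprint of the Sony certificate.

```powershell
# Added example: list executables whose Authenticode signer matches a
# thumbprint you have marked as compromised. Note that $sig.Status will
# read 'Valid' for a leaked certificate until the CA actually revokes it,
# which is exactly why you cannot rely on Status alone.
function Find-SignedByCompromisedCert {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $CompromisedThumbprints
    )

    # Normalise case so comparisons against Thumbprint (upper-case hex) work.
    $wanted = $CompromisedThumbprints | ForEach-Object { $_.ToUpperInvariant() }

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($null -eq $sig.SignerCertificate) { return }   # unsigned file, skip

            $thumb = $sig.SignerCertificate.Thumbprint.ToUpperInvariant()
            if ($wanted -contains $thumb) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Status     = $sig.Status            # may still be 'Valid'
                    Subject    = $sig.SignerCertificate.Subject
                    Thumbprint = $thumb
                    NotAfter   = $sig.SignerCertificate.NotAfter
                }
            }
        }
}

# Usage (placeholder thumbprint; substitute the published value for the revoked cert):
Find-SignedByCompromisedCert -Path 'C:\Users' -CompromisedThumbprints @('0000000000000000000000000000000000000000') |
    Format-Table -AutoSize
```

Pair the thumbprint match with a revocation check once the CA has pulled the certificate; until then the Status column is a reminder that a valid signature is a statement about key possession, not about intent.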
Ahoy, Coffee Pirates: Keurig K-Cup Vulnerabilities
Keurig was virtually mugged and subject to a brewed awakening on Wednesday, when hackers dropped some l33t 0day against their new coffee maker. The rumor is that nation-state actors had infiltrated the advanced DRM system of the Keurig 2.0 coffee maker, allowing fraudulent K-Cups to be used. The situation is still fluid, but we're grinding away to filter out the ground truth on this hot vulnerability.
Thankfully, an advisory was provided on Full Disclosure to detail the vulnerability and provide workarounds:
Since no fix is currently available, owners of Keurig 2.0 systems may wish to take additional steps to secure the device, such as keeping the device in a locked cabinet, or using a cable lock to prevent the device from being plugged in when not being used by an authorized user.
Well, we here at Duo Labs spent the day pouring over the details and did some experimentation to find a better workaround for the vulnerability, by any beans necessary. We ended up with a solution: integrating Duo Push into the Keurig 2.0 firmware to make up for the weak K-Cup authentication!
Thanks a latte, you coffee pirates!
Making Code Audits Public?
The Open Technology Fund has a good post on the value of making code and vulnerability audits public. Making publicly-funded code audits of major systems and products public certainly makes sense, but what about all the vendors and products that you use that do their own private audits and assessments?
As seen from our other blog post today on openness and transparency, we have very similar beliefs and philosophies here at Duo. Shouldn't we as vendors be confident enough in our own products and the audits that we commission to release them publicly? Is there any precedent for vendors releasing their code and vulnerability audits publicly? Should we as vendors demand that our auditing firms be comfortable with a PFD (public-facing document) in addition to a CFD?
Feel free to comment below!