The Weekly Ink #24
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links or projects that you think would be interesting to share, be sure to send them to firstname.lastname@example.org.
Steelin' Information: A Tale of Mettle and Forgery
Despite constant fears and many unconfirmed reports of hackers attacking physical infrastructure, real-world, confirmed infrastructure attacks are few and far between. This December saw what Wired is calling the second ever "confirmed" hack to destroy industrial equipment. A virus penetrated the business side of a steel mill in a sophisticated attack that caused a blast furnace to overheat. The major takeaway here is that companies across sectors should be doing their best to harden their sandboxing and steel their employees with best-practice training.
Unquote: CTO Jon Oberheide
Sometimes you can't improve on art. Here's Duo Labs' Jon Oberheide on recent frequent flier account thefts:
"Going after frequent flyer miles, Candy Crush gold, or virtual swords and armor in World of Warcraft may seem like a surprising tactic for attackers, but for them it's an efficient way of monetizing low-hanging fruit attacks such as phishing and credential theft."
"For the affected airlines and customers, there's sure to be some turbulent times ahead. It's unclear how much runway the attackers will have before airlines land some strong authentication options for their most valued flyers. While these breaches create a lot of baggage for the airlines to deal with, it's important for them to ground these attacks before they really take off."
WhatHouse: 2015's Newest Awful "Hacker" Bill(s)
In what many readers may recognize as a trend, the White House will propose new regulations to prevent hacking following the latest slew of HOLIDAY HACKS. The new legislation looks like it's intended to prevent organized groups from initiating, facilitating, or planning "Cyber Attacks". Like most legislation surrounding computer crime, it quickly runs off the rails, potentially making many standard security practices and tools illegal. Nmap? Illegal. Forums discussing new exploits? Illegal. Linking to breach dumps? Illegal. The updated law incorporates elements of RICO (the racketeering act), which has been the primary prosecutorial tool in combating organized crime for decades. But instead of men like this
busting up your alcohol operation, we'd see men like this
making sure criminal scum can't use Kali Linux. Proceed at your own risk, hackers.
It's The Same Old Thing Since 2013 (and 2012 and 2011)
It's that time of year again, when we roll last Congress' leftover scraps back onto the legislative plate. One fine meal this year looks to be the Internet's darling: CISPA! This perennial zombie bill is once again rolling through Congress, this edition courtesy of Representative Dutch Ruppersberger. The proposed legislation is essentially unchanged from the 2011-2012-2013 versions that experts and casuals alike reviled. President Obama threatened to veto CISPA 1.0, and the White House is proposing competing legislation (see above too). Whichever option the public finds less palatable may draw attention away from faults in all 3 bills. Here's a bonus gif illustrating the methodology behind some recent hacks: