The Weekly Ink #28
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links or projects that you think would be interesting to the company, be sure to send them to firstname.lastname@example.org.
Case Study: Casing for Bitcoin
In terms of media narratives, we usually only hear about the initial impact and financial fallout of major breaches. News of smaller, individual account compromises don't make headlines. It's rare to get a well-written, interesting account of account hijacking. The Verge has a great article on an overnight theft of $3,000 in bitcoin. It's an interesting exercise to explore how even strongly protected users can have their accounts cracked with just slight misconfigurations of settings. Twitchy and flashing graphics in the article give you the whole Darknet hacker experience. Even great narratives can use some dramatization.
This CIO Got Up in Front of an Audience At SXSW and You Won't Believe What Happened Next!
Alex Stamos, Yahoo's CIO and Chief Tweeter was promoting two big security moves at this week's South by Southwest festival. Picking up where Google left off, Yahoo is rolling out an End-to-End encryption plugin for its email services. A major focus was placed on how easy Yahoo's new plugin will be to use in comparison to current alternatives (in the crosshairs: GPG). For those unfamiliar with End-to-End encryption, it seeks to obfuscate the content of a message, in this case email, using standard private key encryption. For those of you familiar with End-to-End Encryption, here's a cat in a bowtie:
The second initiative from the Yahoo security team seeks to protect less savvy users: those who only use 1 factor of authentication (passwords) switching to a different factor (not quite passwords). The new "on-demand password" system ditches that traditional memorized strings for one-time codes sent via SMS to users' phones. This may be an better option than using "password123" as your password on every site, but many attack vectors exist for SMS based mobile authentication. The philosophy of 2 factors is simple: authenticate using both something you have and something you know. Offering this solution in halves to users doesn't offer any additional safety for users already using non-trivial passwords. So for most users actually concerned with privacy, "on-demand" passwords are almost a step-in-place compared to using strong passwords. Strong passwords game and a "something you have ", like a 2FA application (*cough*) or a U2F token (*coughcough*) are more powerful than the some of their parts (see Diagram 1).
As with all important security issues, the herd immediately started Tweeting their doubts of using any single factor. While we at Labs are proponents of the Password Manager + Mobile 2nd factor, Stamos defended the merits of eliminating passwords. As with all security experiments, you're not making an impact if nobody is attacking you on Twitter. Now to see if Yahoo's password experiment will be adopted by any of the users it seeks to defend.
That's A Nice Server. It'd Be A Shame if Somebody DoS'ed It...
It probably should have been clear to me that an OpenSSL bug would be announced this week? How could I write The (Very Nearly) Weekly Ink without a new OpenSSL bug? The new bugs haven't been collated into an \[word\]bleed yet, but they do offer real avenues of attack. One can be used to DoS servers, forcing them to reboot. The other is an iteration of last week's FREAK (was FREAKbleed taken?) vulnerability. Watch out for haX0rs and update OpenSSL!