The Weekly Ink #32
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.
It's here! We've been so excited for this moment! No, not Half-Life Episode 3... the Verizon DBIR 2015!
Verizon released their yearly Data Breach Investigations Report (DBIR) this week -- the hottest year-in-review list other than Facebook's (well, theirs might have caused more upset people).
Featuring pages upon pages of charts, tables, and summaries gathered from governmental and corporate participants, the DBIR provides a snapshot of the current state of corporate information security and plenty of fodder for third-party articles and conference talk slides.
It’s too lengthy to give even a cursory overview of the contents in the space dedicated to this column, but some of the takeaways we found most surprising and compelling were:
- "99% of the exploited vulnerabilities were compromised more than a year after the CVE was published"
Systems aren't being patched, and that is what leaves them vulnerable. 0day isn't the primary threat -- 0lday is. Duo Platform will feature device insight that can be used to identify out-of-date endpoint software.
- "Mobile devices are not a preferred vector in data breaches … 0.03% out of tens of millions of mobile devices, the number of ones infected with truly malicious exploits was negligible … When it comes to mobile devices on your network, the best advice we have is to strive first for visibility and second for control."
While there are plenty of known attacks against mobile devices, and new vectors are being thought up every day, attackers have plenty of other, better-understood surface to target. We should expect the number of mobile attacks to rise in the future, but as of now things like mobile antivirus are unnecessary. The better approach is organizational visibility into the mobile devices employees are using to access corporate services (hey, Duo Platform does that too!) and an understanding of the potential dangers of things like rooted or jailbroken devices running code from shady third-party app stores.
- "96% of mobile malware targets Android."
Android is a more open system than iOS, which allows more specialized apps with the potential for richer inter-app integration, but the drawback is that it is also easier to write malware for the platform that interacts with potentially dangerous APIs. For example, malware that interacts with SMS messaging is something you wouldn't see on non-jailbroken iOS devices; the iOS malware that does target non-jailbroken devices focuses primarily on extracting whatever information is available through the permissions granted to applications.
IIS it over yet?
Windows server operators beware: there’s a new critical bug making the rounds that affects the core http.sys Windows kernel component… and its name is “that http.sys bug” or “CVE-2015-1635”. C’mon, it’s 2015: you need a flashy name and logo to keep anyone’s attention.
PoCs for the bug (currently denial-of-service crashes rather than code execution) have made their way to Metasploit already, and it's only a matter of time before attackers figure out how to get RCE via the vulnerability.
We've notified our customers with a threat advisory covering the bug's history and mitigation advice, but the takeaway for anyone running a Windows machine that hosts web services of any type is to apply Microsoft's fix (MS15-034) as soon as possible. The patch corrects how HTTP.sys parses the offending requests. If you cannot patch immediately, Microsoft's documented workaround is to disable kernel-mode caching in IIS, at some cost to static-content performance, and re-enable it once the patch is deployed.
Best practice for Windows admins is to always monitor Microsoft's Patch Tuesday and deploy security fixes as soon as possible.
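As an added example (not from the newsletter, and not Duo's threat-advisory tooling), here is a small Python script that implements the response fingerprint public scanners use to tell a patched HTTP.sys from an unpatched one: request a static file with an oversized Range header and look at how the server answers. It assumes a host you supply and a path that serves static content (the default IIS page, for instance); the responses in the usage note and test are constructed, and the host name is a placeholder.

```python
import http.client
import sys

# Oversized Range value used by public CVE-2015-1635 fingerprint checks.
# This is the non-crashing variant: an unpatched HTTP.sys answers 416
# instead of bluescreening, so it is safe to send to a production box.
RANGE_HEADER = "bytes=0-18446744073709551615"


def classify_response(status, body=b""):
    """Map an HTTP response to a CVE-2015-1635 verdict.

    Unpatched HTTP.sys: 416 Requested Range Not Satisfiable.
    Patched HTTP.sys (MS15-034): 400 Bad Request with the text
    "The request has an invalid header name" in the body.
    Anything else (non-IIS server, dynamic page, reverse proxy, 404):
    not enough evidence to judge.
    """
    if status == 416:
        return "likely vulnerable"
    if status == 400 and b"invalid header name" in body.lower():
        return "patched"
    return "unknown"


def build_headers(host):
    """Headers sent with the probe; exposed so they can be logged or replayed."""
    return {
        "Host": host,
        "Range": RANGE_HEADER,
        "User-Agent": "cve-2015-1635-check",
        "Connection": "close",
    }


def _get(host, port, path, headers, timeout):
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.reason, resp.read()
    finally:
        conn.close()


def probe(host, port=80, path="/", timeout=5):
    """Return (verdict, status, reason) for host:port/path.

    A baseline request without the Range header is made first; if the path
    does not return 200 the probe is meaningless (the fingerprint relies on
    HTTP.sys serving static content), so the verdict is "unknown".
    """
    base_status, base_reason, _ = _get(host, port, path,
                                       {"Host": host, "Connection": "close"}, timeout)
    if base_status != 200:
        return "unknown", base_status, base_reason
    status, reason, body = _get(host, port, path, build_headers(host), timeout)
    return classify_response(status, body), status, reason


if __name__ == "__main__":
    # Usage: python check_ms15_034.py <host> [port] [path]
    target = sys.argv[1] if len(sys.argv) > 1 else "iis.example.invalid"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    verdict, status, reason = probe(target, port, path)
    print("%s:%d%s -> %d %s -> %s" % (target, port, path, status, reason, verdict))
```

Point it at a static resource: IIS only hands requests through the kernel cache for static content, so a dynamic ASP.NET page or anything behind a reverse proxy that rewrites headers will come back "unknown" rather than telling you anything about the host's patch level.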
Who doxxes the doxxmen?
Wikileaks, in their quest for "transparency", have released a massive, searchable set of sensitive data from the recent Sony Pictures breach: "30,287 documents from Sony Pictures Entertainment (SPE) and 173,132 emails".
This raises many questions about what privacy individuals working for organizations that Wikileaks view as counter to their ideology can expect, and also calls into question the ethics of Wikileaks and where their boundaries are. Would they be willing to release private citizens’ data if they found it to be interesting, in the name of “transparency”? Who guides the ethics of the organization, and how different are they from other “doxxers”?