The Weekly Ink #34
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at email@example.com.
Gambling with Account Security
A very popular online gaming and sports gambling site that is no stranger to security problems made the press this week due to a horribly flawed password reset procedure for some accounts. It is well known that, in the age of social media, basic “challenge questions” as a security mechanism do not actually protect accounts. However, Betfair has lowered the bar significantly by only requiring the email address and birth date of the account holder. This, of course, is very easy data to find via simple searches of various social media sites. After much debate between Betfair’s helpdesk and Twitter users, Betfair finally admitted that this could be a problem and has apparently changed its process. There is also no evidence that this flaw was actually used by nefarious individuals; however, it still makes me wonder whether they support two-factor authentication.
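To make the contrast concrete, here is an added example (not Betfair's code and not from the original post) that puts the weak check described above, where two pieces of publicly discoverable data authorize a reset, next to a token-based reset that depends on a secret delivered only to the registered mailbox. The account store, addresses and dates are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store (hypothetical, not real user data). Both
# fields the weak procedure relies on are the kind of thing found on social media.
ACCOUNTS = {
    "alice@example.com": {"birth_date": "1985-04-12",
                          "reset_token_hash": None, "reset_expires": 0.0},
}
TOKEN_TTL_SECONDS = 15 * 60  # short validity window for a reset token


def weak_reset_allowed(email, birth_date):
    """The flawed procedure: e-mail plus birth date is all it takes."""
    account = ACCOUNTS.get(email)
    return account is not None and account["birth_date"] == birth_date


def issue_reset_token(email, now=None):
    """Hardened procedure: a random, short-lived, single-use token that is sent
    only to the registered mailbox. Only its hash is stored, so a copy of the
    table cannot be replayed as a token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, infeasible to guess
    account = ACCOUNTS.get(email)
    if account is not None:
        account["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
        account["reset_expires"] = now + TOKEN_TTL_SECONDS
    # Unknown addresses get the same response so the endpoint does not reveal
    # which e-mail addresses have accounts.
    return token


def redeem_reset_token(email, token, now=None):
    """Accept the token at most once, and only before it expires."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(email)
    if account is None or account["reset_token_hash"] is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, account["reset_token_hash"]):
        return False  # constant-time compare; token stays valid until it expires
    if now >= account["reset_expires"]:
        return False
    # Single use: burn the token on success so it cannot be replayed.
    account["reset_token_hash"] = None
    account["reset_expires"] = 0.0
    return True
```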
What is Personally Identifiable Information (PII)?
Most of our Weekly Ink readers are all too familiar with the standard definition of PII. However, if the state of Illinois gets its way, that definition may change dramatically. Illinois Bill SB1833, which has been approved by the State Senate, seeks to expand the definition to include "information related to a consumer's online browsing history, online search history, or purchasing history." This, of course, has led to a bit of criticism, as much of this information is not directly identifiable (although I bet over long-term analysis it might be); however, shouldn't we just be encrypting and protecting all the things anyway? I suppose this does put a bit of a burden on an organization that, prior to this law, had no PII to protect and now will. It would be nice if we could get all 50 states to pass reasonable breach notification laws before we fall down the rat hole of debating what should be considered PII and what should not. So far, all states except Alabama, New Mexico and South Dakota have some sort of breach law in place. I am not a lawyer, nor do I play one on TV, so I won’t attempt to explain the pros and cons of each state law and will leave that up to readers to figure out.
Master Locks Are Not So Masterful
One of our favorite security researchers, Samy Kamkar, posted an excellent video this week demonstrating how to break a Master Lock combination lock in 8 attempts or fewer. In addition, for those of us too lazy to try out his technique by hand, he also demonstrates an Arduino-based robot that automates the process. Not much more to say about this other than go watch this very well done video and technique. Great job Samy, and keep up the interesting projects!
Duo Labs Saved The Internet!
Ok, we didn’t save the Internet, but we did point out a flaw in how MySQL handles SSL encryption. You will want to head over to Adam’s blog post and read up on all the details. If you are running MySQL at version 5.7.2 or below, you will want to consider upgrading to at least 5.7.3. For those who want a little laugh, we also created a separate logo and PR site just for the issue.
Fun, Entertaining, and Informational - Follow Us On Twitter!
The Duo Labs team here at Duo Security launched its own Twitter account this week. While our main Twitter account, @DuoSec, is still the place to go for all your important Duo Security news and updates, those who want free-range, organic, fair-trade and very serious business tweets should also follow @Duo_Labs. In fact, if you follow us you can participate in our “Attribution 8-ball Give Away”. More details can be found by following us on Twitter. It won’t be all fun and games, though. We will use this Twitter account to keep those interested up to date on what the Labs team is doing and, of course, to communicate any security issues we may identify in our work.