The Weekly Ink #39
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.
Duo Security's Predictions Found True, U.S. CIO Demands Changes
Last week we reported on the recently discovered hack of the U.S. government's Office of Personnel Management. We also made the prediction, based on seeing the same kinds of phishing attacks keep happening again and again in the past that they didn't have two-factor auth in place...
Well, now we know more about their security posture from an audit completed months after the initial hack (but months before its detection) and it turns out that's the case. Unfortunately, I hear Vegas wasn't paying out much on this bet, as it's clear many IT organizations, governmental and otherwise, are giving bad guys easy and lucrative targets by not implementing basic and straightforward security controls like two-factor authentication.
We learned many other details regarding where their security practices went wrong from their audit report -- things like expensive and misconfigured security gadgets, a lack of operational oversight, and flagrant non-compliance with auditory regulations. For more information see our coverage or the audit itself.
In the wake of this and other recent attacks on the White House, the United States Postal Service, and the State Department, the White House has come forward and U.S. CIO Tony Scott, formerly of VMWare, has delivered a series of emergency procedures directed at all federal agencies, with the requirement of monthly status reports, in conjunction with a newly formed cybersecurity task force.
Let's hope they have positive results quickly: it's likely that this is a precursor to more targeted spearphishing attacks to access other parts of U.S. federal IT infrastructure since PII on federal employees in addition to their security clearance levels was stolen.
iOS Bug Could Lead to Increased Credential Theft
A newly disclosed bug in iOS could make password theft, even against savvy users, easier to pull off.
The details of the bug, published by Czech researcher Jan Soucek, come after an alleged period of silence on the part of Apple after initial private disclosure in January 2015.
The bug allows arbitrary HTML content to be loaded in emails by using a meta refresh tag. In Jan's proof of concept he shows how this can be used to create an "iCloud Login" prompt nearly identical to a legitimate one. In fact, the only easily-accessed indicator of a spoofed login prompt is that it will allow you to app-switch while viewing it, whereas legitimate iCloud login prompts won't allow you to switch away until they're completed or cancelled.
In the wake of scandalous celebrity photo hacking last year, the realization that two-factor wasn't actually required to download iCloud backups and data, and a heightened security and privacy focus in general, Apple has been increasing their rollout of two-factor authentication for iCloud. It would be a good idea for users to enable it, as it can reduce the impact of credential theft.
Duqu 2: No, Not the Guy From the Star Wars Prequels' Sequel
Russian security firm Kaspersky recently disclosed that their systems were breached by attackers they believe to be "the same people who created the infamous Stuxnet worm", whose malware and attack methods they had previously analyzed.
In the summary of their analysis, Kaspersky highlights that they've seen evidence other victims were targeted by the same attack. Notably, the malware apparently used no disk persistence methods, keeping itself persistent within their network solely in RAM.
The technical analysis also reveals that the attackers used multiple zero-day vulnerabilities in Windows, Kerberos, and Microsoft Word.
Due to the stealthy nature of the malware and its lack of disk usage during exfiltration, Kaspersky still doesn't know exactly what the attackers were after. A few things are certain: it was a highly sophisticated attack, endpoint security is a hard problem to solve especially in the current BYOD environment, and apps like Word have historically led to compromise due to their common usage and complex built-in parsers for various embeddable objects.