The Weekly Ink #40
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at firstname.lastname@example.org.
Federal Government launches "Cybersecurity Sprint"
In the wake of several recent data breaches (most notably, the massive OPM breach disclosed earlier this month) United States Chief Information Officer (CIO) Tony Scott recently launched a 30-day Cybersecurity Sprint. In particular, the sprint requires that agencies begin efforts to patch vulnerable systems, limit privileged access, and "dramatically accelerate implementation of multi-factor authentication" - and report to the DHS and OMB on their progress - within 30 days.
Meanwhile, members of the House Oversight and Government Reform Committee excoriated top OPM officials over the breach in a two-hour hearing on Tuesday. Testimony during the hearing made clear just how completely the agency had failed at securing its systems and data:
Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
Samsung Phones Vulnerable to Rogue Keyboard Updates
According to research released by NowSecure, over 600 million Samsung phones worldwide may be vulnerable to a critical flaw in a custom mechanism used to update the bundled Swift keyboard; affected models include at least the Galaxy S6, S5, and S4 Mini.
The vulnerability stems from the simple fact that the keyboard updates are (a) sent over an unsecured connection, and (b) not digitally signed in any meaningful way. If an attacker can intercept update traffic from a vulnerable phone, he can get the phone to execute code "in one of the most privileged contexts on the device, system user, which is a notch short of being root." Attacks against insecure update mechanisms have been discussed for years; that we could see such a braindead variant of this flaw appear in 2015 is discouraging, to say the least.
It's not all bad news in the world of Android security, though; Google just announced that it is extending its "Security Rewards" program to Android. There's a major caveat, though: the program is limited to Nexus devices only. While improving the stability of the base Android platform is undoubtedly good for everyone, the Samsung keyboard update flaw once again demonstrates that some of the most egregious Android security failures have little to do with Android itself, but rather with the third-party modifications made by OEMs and carriers. Worse, the same OEMs and carriers often have incredibly slow patch cycles.
Given all of this, one conclusion is clear: if you want any confidence that your Android phone is not full of vulnerabilities, you must buy a Nexus device. For now, though, if you have an affected Samsung device, you might want to at least stay away from untrusted Wi-Fi networks.
Cross-App Resource Attacks in iOS and OS X
Not to be outdone by one of its rivals, Apple also saw several unpatched vulnerabilities announced this week, affecting various security mechanisms used in both OS X and iOS. In particular, the research team (primarily comprising researchers from Indiana University) disclosed techniques that could be used to defeat per-application protections in the OS X keychain, intercept various forms of inter-process communication (IPC) traffic, and gain unauthorized access to other applications' sandboxed filesystem containers.
In designing the sandboxing mechanisms used on iOS and OS X, Apple went to great lengths to try to limit the impact that one piece of malware might have on the rest of the system, but it should come as no surprise that these mechanisms are not perfect. The old conventional wisdom still holds: please, just don't install untrusted software on your devices.
Foul Play Suspected
The FBI has launched an investigation into the St. Louis Cardinals for apparently breaking into the internal database of another team. By all accounts, the accusations are not baseless, but the "attack" - such as it was - was also incredibly unsophisticated; had the Astros' GM even changed his password once in the last several years, the "hackers" probably would've struck out. If anything, the Cardinal sin here was probably not so much envy or greed, but sheer stupidity.