
The Weekly Ink #5

Duo Labs


The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest from the security world to keep the community informed on security happenings and culture.

### Unlike: Abusing Facebook's Legacy API

This is a classic case of a bug bounty paying off in a big way. A serious flaw in Facebook's legacy REST API allowed anyone to make API calls on behalf of any user, given only that user's numeric User ID (the identifier that appears at the end of older profile URLs). The flaw would let an attacker read all of a user's private messages, post links as the user, upload photos, and effectively hijack the profile's content. Mr. Sclafani should be commended for reporting this responsibly: a working exploit for phishing, spear-phishing, and blackmail purposes would likely have been worth far more to many buyers than his $20,000 bug bounty payout.

### Social Engineering is Alive and Well on Google Maps

Long considered one of the most artistic tools in a hacker's arsenal, social engineering is the creative manipulation of people and processes, often privileged users or administrators, to obtain sensitive material or effect a change the target would not otherwise approve. In a technically light article, Wired profiles businesses that have seen dramatic drops in customers after rivals manipulated their Google Maps listings. A restaurant can be sabotaged by something as small as a change to its listed hours of operation. While the causal claims in its more dramatic examples are hard to verify, the article does a nice job of showing how even small hits to a business's online presence can ripple through many facets of its operation.

### Password (Mis)Managers

A peer-reviewed study of the most popular web-based password managers. The conclusion is not too surprising: none of them is immune to every class of vulnerability. A few show sloppy implementation, but the larger lesson is how much damage the weakest link in a security system can do. Is exploiting a password manager the easiest way into your systems? Probably not. Instead, this study should reinforce the idea that there are no silver bullets where security is concerned. Total reliance on any single security layer concentrates all of the risk in that layer.

### Bonus Snowden

The most recent leak from The Spy Who Loved Me plays out as more of a human interest story, profiling NSA and FBI surveillance of Muslim-Americans. Though this leak isn't rife with new technical information, the clandestine activity strongly parallels the surveillance of civil rights leaders in the 1960s. Be sure to check out the video interviews for perspective on the program's human impact on Muslim community leaders.