Skip navigation

Duo Security is now a part of Cisco

About Cisco

Duo Labs

The Weekly Ink #5 (Bonus Edition)

Duo Labs

THE WEEKLY INK

The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.

Project Zero [Vulns, Bureaucracy, Days, Limits]

Google is assembling a team of powerful fighters. Bug fighters. Tasked with lofty goals like "defending the Internet" (and presumably backed by Google's army of lawyers), Project Zero members will have free reign to pursue any avenues of vulnerability across all software platforms. Though they plan to alert and work with vendors, Project Zero's commitment to a safer, more open internet will manifest in public filings in an external database after a pre-determined amount of time. Project Zero seems to work a few ways for Google. It simultaneously brings in positive publicity, puts pressure on developers to responsibly patch vulnerabilities, and makes the internet a safer playground for Google's customers: us.

CiscoTo Fail: Exposed Buffer Overflows

A new bug disclosure from Cisco reveals a suite of their Wireless Residential Gateway products are vulnerable to an HTTP request/buffer overflow combo that can result in privilege escalation and possibly full access with a remote attack. If you own any of these products, be sure to visit their disclosure statement for details on software updates for the affected units.

Maid in China: Hotel Safe(ty)

Hotels are often equipped with safes to ensure that guests' valuables are stored securely while they go out to do tourist-y things. Is it safe to trust these lockboxes with our valuables? Hotel managers often have both a master code and a master key for opening safes. The master code can be changed, but nearly all tested safes were using the default code. The emergency key is a failsafe key designed to be difficult to pick, but there are videos illustrating how to pick them.

  1. Another avenue of attack is can be achieved by short circuiting the door's locking mechanism:
  2. Assume the safe door is closed (stealing from an open safe is trivial...).
  3. Short circuit the door (in the article they took 30 minutes to screw a small hole in the brand logo plate to insert a wire.
  4. A pro thief could do this in a few minutes)
  5. The now door thinks it is open, so you can enter a new code which is now the safe's pin.
  6. The door then attempts to close (but it's already closed)
  7. Enter the same code again to open the door
  8. Finally, some safes have a card reader that uses the guests' credit card to lock and unlock the door. These safes tend to only accept credit cards and not other magnetic cards. This makes them susceptible to skimmers. Thieves can easily alter the hardware of the safe to obtain its credentials (credit card numbers in this case)

Something Something Java Something Something Bug Fix

This past week, Oracle released patches for a plethora of vulnerabilities in Java. Seven of these vulnerabilities had CVSS base scores of 9.3. In all likelihood, these vulnerabilities could be used to achieve remote code execution but may also require some user interaction. One vulnerability was ranked 10 on the CVSS scale, the highest possible severity. All in all, 113 Java bug fixes were released in this quarter's report.

Regulating Bitcoin

The New York State's Department of Financial Service has detailed its new proposal regulating the state's virtual currency exchanges. Aimed at consumer protection, the regulations closely parallel those placed on other types of financial institutions. Although it means more scrutiny for exchanges, officials at DFS hope that the proposed changes will bring accountability to the realm of (Noun)coin. The proposal leaves a large exemption for other types of business that merely accept virtual currencies as one form of payment.