The Weekly Ink #7
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.
Wow, the Tor project sure has been in the news a lot recently! Last week, we learned that CMU researcher Alexander Volynkin's BlackHat talk - "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" - had been abruptly cancelled. Hot on the heels of that announcement comes a security advisory from the Tor project that some unknown attacker had figured out some techniques to, erm, de-anonymize Tor users.
The Tor advisory offers some very interesting discussion of the details of the attack, but as Project Leader Roger Dingledine (a.k.a. arma) writes, the core concepts are not particularly novel: "...the good news is traffic confirmation attacks aren't new or surprising, but the bad news is that they still work." Really, anyone who's spent time studying distributed systems should have a good understanding that collusion attacks - of various sorts - are extremely difficult to resist.
It seems that the security community (and the media) is therefore much more interested in the politics here: Can we attribute this attack to Volynkin's research? If so, was his project a huge breach of research ethics? On the other hand, maybe Vladimir Putin could be responsible for all this?!
Android Fake ID Vulnerability Lets Malware Impersonate Trusted Applications, Puts All Android Users Since January 2010 At Risk
On Tuesday, researchers from Bluebox Security announced a newly discovered vulnerability in Android, dubbed "Fake ID" (hey, in the post-Heartbleed world, every vulnerability needs a catchy name and logo!). It turns out that Fake ID is just another example of a really common flaw: failing to correctly validate PKI certificate chains! We've literally been revisiting these same sorts of problems for decades, and at the moment, there may be little reason to believe that things will get better in the future...
Over the past several years, Microsoft has spent a lot of time and resources building some very sophisticated security technologies into Windows. These particular technologies (things like ASLR and DEP) have done quite a bit to raise the security bar - even when bugs somehow find their way into Windows software, it is often very difficult for attackers to exploit them.
Some of these mitigations aren't enabled by default - but you can turn them on by downloading and installing EMET! In my own experience, it's a great "set-it-and-forget-it" tool, and if you pay much attention to Microsoft's monthly security advisories, you'll see that EMET really can make a big difference.
For more background on EMET, check out Brian Krebs' post on the subject from last year.
Oh, hey, while you're looking at krebsonsecurity.com, you might also happen to notice that he just broke the news that Jimmy John's looks to be the latest retailer to suffer a breach "involving customer credit card data." They're far from alone in this (we haven't forgotten Target yet, right?), but I can't help but wonder - if Jimmy John's can't keep their systems secure, then what of their product? After all, "integrity" and "freshness" are attributes that I - for one - value in both secure systems and sandwiches...