The Weekly Ink #9
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.
It's no secret that the Tor Browser Bundle (or "TBB" for short) has been the target of attackers of all stripes. Bug inheritance and shared attack surface being what they are, many of Firefox's issues trickle down into TBB. In an effort to enhance the overall security of TBB, iSEC Partners engaged in a study of TBB, including Firefox ESR's vulnerability history, Tor's Firefox/TBB build process, and overall strategic security direction for TBB. In the end, iSEC's recommendations (154-page report!) included changes to TBB's memory allocator (jemalloc -> PartitionAlloc), reworking build processes to include ASLR across all builds, and more. Overall, this study yielded some great findings that will help increase TBB's security and resiliency to attacks.
Docker, the sys/DevOps darling, has made deploying Linux application containers a cinch, leading to an explosion in popularity. Of course, with popularity comes increased scrutiny... including guest-to-host exploits. In a recent, humorous (but very informative) presentation, Jérôme Petazzoni (of Docker, Inc.) dives into a brief overview of containers/LXC, threats and risks at each level (apps, services, kernel) as they pertain to containers, and mitigation strategies. Personally, I found the Xzibit-inspired strategy to be both hilarious and a bit disconcerting.
Research surrounding the security of embedded and "Internet of Things" devices is increasing at breakneck speed. "Cyber physical" systems, in particular automotive devices, are an area of high interest and concern for some groups. Building on their previous automotive security research, Charlie Miller and Chris Valasek recently released a very thorough white paper about their findings on the attack surface of ECUs and supporting interfaces, systems, and networks on myriad vehicles. The authors tore apart and poked and prodded at various components in some of these cars, such as anti-theft systems, remote keyless entry/starters, and telematics systems. Even use of simple, "old reliable" tools like nmap and netcat proved useful in the hacking process. Additionally, the white paper describes the components in each vehicle in the survey, the "hackability" of each car and component, and closes with a set of recommended defenses/mitigations.
Tack on yet another addition to the never-ending list of side-channel attacks! A group of researchers from Tel Aviv University released a white paper (replete with a bunch of math and funny symbols) describing the ability to measure power fluctuations at various (metal) points on laptops – as well as Ethernet, VGA, and USB cables – in an effort to extract GPG encryption keys. Although they used super-amazing lab equipment to achieve high-fidelity results, the researchers also demonstrated that the attack is relatively feasible using a smartphone attached to an Ethernet cable (plugged into the target system). All the more reason to yell "KEEP YOUR HANDS OFF MY COMPUTER!"