The Weekly Ink #2
The Weekly Ink is a summary of the top security content of the week injected with our own pointed opinions, and will be posted to our blog…well, weekly.
The Weekly Ink is brought to you by Duo Labs, the advanced research team at Duo Security. Keep an eye out for more from Duo Labs in the coming weeks!
-Jon Oberheide, CTO, and the Duo Labs team
After Heartbleed, We’re Overreacting to Bugs That Aren’t a Big Deal
First out of the gate, we have an article from Wired about the recent OpenSSL ChangeCipherSpec (CCS) vulnerability claiming that “hey guys, calm down, a MITM vuln in OpenSSL isn’t a big deal”.
Ok, yes, Heartbleed was really really bad, we all know that. And yes, the CCS vuln was much less severe. But c'mon, it’s a MITM that affects the most popular library powering one of the (unfortunately) core, fundamental trust mechanisms on the interwebs. Despite what our timeline of SSL breaks may indicate, it’s still serious bizness to have this kind of vuln pop up. Gotta give it a bit of respect.
If the CCS bug had been discovered before Heartbleed (a miracle that it sat publicly undiscovered for so many years), the community as a whole would have had a much stronger reaction. If anything, I thought that the response to the CCS vuln was a bit lackluster due to everyone still being a bit desensitized (rather than oversensitized) by Heartbleed.
Anywho, I'm still kicking myself for not catching the CCS vuln when stomping around in that very same code path a few years back:
Click here for the article: After Heartbleed, We’re Overreacting to Bugs That Aren’t a Big Deal
Crowdstrike, PLA 61486, and the Secret Hacker Language That Wasn't
Next up, a response post from Jeffrey Carr to the recent Crowdstrike blog post on the "Putter Panda" malicious actor that is apparently targeting US aerospace companies. Jeffrey calls out many of the leaps in logic, gaps in proof, and instances of confirmation bias that exist in Crowdstrike's attribution of its intelligence.
Yes, Putter Panda may be a l33t hax0r, but how much stock can one put in that kind of OSINT powered by a few Google searches? More importantly, does anyone find this kind of "intelligence" actually useful and actionable? I'm genuinely curious.
One could claim it’s effective marketing given the coverage, but I anticipate that story edge dulling quickly. I think @SecureTips had the best read on the situation:
Click here for the article: Crowdstrike, PLA 61486, and the Secret Hacker Language That Wasn't
FOR SALE 29,656.51306529 Bitcoins
Last, but not least, the US Marshals Service is auctioning off 29,656.51306529 bitcoins. One dollar bid, now two, now two, will ya' give me two? Two dollar bid, now three, now three, will ya' give me three? No joke.
This is only tangentially related to security, in that the bitcoins were seized from the Silk Road, the shady online marketplace that was busted by the FBI for terrible OPSEC.
Wonder if the US Marshals will accept payment in Dogecoin.
Click here for the article: FOR SALE 29,656.51306529 Bitcoins
If you have tips for articles you'd like to see covered, send them our way to labs@duosecurity.com. If you disagree with any of our commentary, leave a comment below and we'll get you back on the path to righteousness!
Until next week!