Duo Breach

The well-known multi-factor application Duo was recently breached. Chief information security officer, Earl Duby, shares some more details on the beach. He also provides some tips on how to protect yourself from being breached. If you have any questions, please contact Auxion at [email protected]. 

Transcript: 

(0:05) Hello, I’m Earl Duby. I’m the Chief Information Security Officer here at Auxiom.  

(0:10) I’m going to bring you another golden nugget here today to talk about something that I think is pretty critical. 

(0:16) It just kind of came across my desk this morning and it kind of piqued my interest, 

(0:20) and I think it’ll be pretty interesting to a lot of people.  

(0:23) I don’t know how many of you use multi-factor authentication.  

(0:26) If you use a banking app or if you use, you know, any kind of a secured system,  

(0:32) you’re probably using a multi-factor authentication tool on that. 

(0:36) Well, Duo is probably the most popular and has the most market share of any MFA out there,  

(0:43) and they were hit with a third-party data breach.  

(0:46) So what does that mean? What does a third-party data breach mean for a company like Duo?  

(0:51) It’s really about what I call the supply chain,  

(0:55) the ecosystem of systems that has to be in place to make something work.  

(1:00) So Duo relies on a telephony provider, so a telecom provider. 

(1:07) So if you get your authentication code sent to you through, like, an SMS message  

(1:13) or through a voice-over IP message, that is coming across a telephony provider.  

(1:20) And so Duo was using one of those, and they got attacked by an adversary,  

(1:24) and that adversary broke into the telephony systems and stole the log data.  

(1:33) And what was contained in that log data was all of this messaging  

(1:37) that was going back and forth from Duo to their customers  

(1:41) to allow them to get authenticated into whatever system was being protected by Duo. 

(1:47) And why that’s important is there was a lot of telephone numbers in there,  

(1:51) a lot of just different types of technical data.  

(1:56) There wasn’t anything really personal in there.  

(1:58) It wasn’t, like, names or Social Security numbers,  

(2:00) but it did have a telephone number and the fact that it was coming from Duo. 

(2:05) And so what this is going to allow this adversary to do over time  

(2:08) is to create some very targeted, very specific-looking SMS messages  

(2:14) or what we call smishing messages.  

(2:17) And those types of attacks are more insidious than, like, a phishing email  

(2:25) because, you know, everyone’s kind of used to crap coming into their email systems,  

(2:29) but you kind of have a higher level of expectation  

(2:32) that what’s coming into your text messages  

(2:34) is probably from somebody you know or something like that.  

(2:37) So now that this adversary has telephone numbers,  

(2:40) they can get much more intimate in the messages  

(2:42) that they’re sending to these victims or potential victims. 

(2:46) So that’s why this is a pretty interesting attack, you know,  

(2:54) because I’d never really heard of the telephony provider of an MFA system  

(2:58) being hacked before, so this was interesting to me.  

(3:02) So this is also just another warning.  

(3:04) You know, I always like to have a little deliverable in these messages,  

(3:07) but the thing you should note here is you don’t have to use SMS messages  

(3:12) or voice-over IP messages. 

(3:15) You really should be using the application itself.  

(3:18) So go to Apple Play or go to Google Play or wherever  

(3:22) and get your Duo app, install it on your smartphone,  

(3:27) and then get your push message into the app.  

(3:31) That’s a much harder thing for the adversary to intercept or to steal. 

(3:39) Now, I know that some people are using older phones,  

(3:42) and yes, there still are people out there using flip phones  

(3:45) who can’t install the app, and they are the people  

(3:48) that are still using SMS messages and getting callbacks  

(3:51) because that’s really what the voice-over IP is,  

(3:54) is you get a callback where Duo calls you,  

(3:57) you hit 1 for yes or 2 for no or whatever.  

(4:00) So it’s fairly old-school stuff.  

(4:03) Upgrade your phone, get a smartphone, use the app,  

(4:06) and kind of cut the bad guy out of the conversation. 

(4:09) All right, and if you want more information on just all the technical details  

(4:14) of this Duo third-party breach that I was talking about  

(4:18) or that I am talking about, because I cut out a lot of the gory details,  

(4:23) but if you just go to this website, this link here will tell you  

(4:27) all the technical details about it.  

(4:29) And just for additional information,  

(4:33) if you want to contact us here at Auxiom,  

(4:38) I’m putting together a bulletin that we’re going to send out  

(4:40) to all of our clients just to give them a little bit more background  

(4:43) of how we’re protecting our clients that are using Duo,  

(4:48) and it’s just a little bit kind of real-world talk  

(4:52) about how this breach might affect different clients of ours,  

(4:56) and I’d be happy to share that with people that are not clients of ours  

(4:59) if you want more information about how this Duo breach could impact you.  

(5:04) So feel free to reach out. 

(5:07) We’re always here to help.  

(5:08) You don’t have to be a client of ours.  

(5:10) Reach out. We’ll help you out.  

(5:11) Again, go here, contact us, and I hope to hear from you  

(5:16) because there’s a lot of people out there that have a lot of confusion  

(5:19) when they see these things in the news,  

(5:21) and we’re here to help solve that confusion,  

(5:24) help manage the chaos that’s going on in your life.  

(5:26) So let us know. Thanks.