News
Hi everyone,
I hope you're having a good Friday. I present you with this week's issue. The YubiKey cloning is fascinating to read up on (and confusing, as crypto always is; it's not just you). I also learned that there are "2FA bypass service providers", and that the latest Russian hacker collective seems so young they make me feel old. Which I guess I am. I keep learning new things by writing this newsletter ;-)
Aaaanyway, enjoy the read folks!
Cheers,
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
Don't be afraid that your YubiKeys are now worthless; they are not. The attack requires physical access, your normal credentials, and a good deal of expertise. But it's interesting to read up on. Unfortunately the vulnerable firmware can't be patched: all current YubiKey 5 series devices up to version 5.7 are, and will always be, vulnerable.
"By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token."
Damn fine research. You can find the paper with the research by NinjaLab here, and a Hacker News discussion here.
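To make the "further analysis" step concrete, here is an added example (not from the newsletter or the NinjaLab paper): a textbook, deliberately non-constant-time ECDSA over NIST P-256 in pure Python. It signs a constructed challenge with a known ephemeral key k, then recovers the long-term private key d from that single signature via d = r⁻¹(s·k − z) mod n. The curve constants are the public P-256 parameters; the message, keys and function names are constructed for illustration, and the side channel itself (how k leaks) is out of scope.

```python
"""Why the ECDSA nonce must stay secret, worked through on NIST P-256.

Added example, not code from the newsletter or the NinjaLab paper.
Signing equation: s = k^-1 (z + r*d) mod n.  If k is known for one
signature (r, s) over hash z, the private key is d = r^-1 (s*k - z) mod n.
Toy code: no constant-time arithmetic, do not use it to protect anything.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (public constants).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    # Plain double-and-add: it branches on each key bit, which is the kind
    # of data-dependent behaviour a timing/EM side channel can observe.
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """Textbook ECDSA; k is a parameter so the demo can show it leaking."""
    z = hash_to_int(msg)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return (r, s)


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = hash_to_int(msg), pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def recover_private_key(sig, msg, k):
    """The 'further analysis' step: d = r^-1 (s*k - z) mod n."""
    r, s = sig
    return pow(r, -1, N) * (s * k - hash_to_int(msg)) % N


def demo():
    d = secrets.randbelow(N - 1) + 1           # long-term key inside the token
    pub = scalar_mult(d, G)
    msg = b"constructed WebAuthn challenge"   # constructed sample input
    k = secrets.randbelow(N - 1) + 1           # ephemeral key for this one signature
    sig = sign(d, msg, k)
    # Verifier is happy, and one leaked k hands over d.
    return verify(pub, msg, sig), recover_private_key(sig, msg, k) == d


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point for defenders is in the last line of `demo()`: a single signature with a known nonce is enough, and once d is out, signatures can be produced without the token, which is what "cloning" means here. That is also why the remedy is a new credential on fixed hardware rather than a firmware update, as the article notes.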
FTC issues $3 million fine for security camera firm
"The FTC plans to fine the security camera company Verkada $2.95 million over the firm’s poor security practices that led to a hacker breaking into customers’ devices as well as accessing personal data. The company is also accused of spamming potential clients, sending more than 30 million email ads over 3 years." Always good to see a crappy company held liable for being crap.
Admins of MFA bypass service plead guilty to fraud
Apparently there is such a thing as a "bypass 2fa as a service" company, which I never knew until now. They promised to help deliver OTPs for over 30 online services, including Apple Pay, for weekly subscriptions that ranged between £30 and £380.
Ask HN: How to store and share passwords in a company?
Nice thread on Hacker News with varying opinions on how to handle passwords in a company setting.
Quick links
- City of Columbus tries to silence security researcher: link.
- Docker-OSX image used for security research hit by Apple DMCA takedown: link.
- Team of junior Russian military hackers linked to critical infrastructure attacks: link.
- Microsoft is training developers on the intricacies of threat intelligence: link.
Breaches and leaks
- Transport for London discloses ongoing “cyber security incident”: link.
- Oil titan Halliburton confirms data was stolen in cyberattack: link.
- Business services giant CBIZ discloses customer data breach: link.
- Microchip Technology confirms data was stolen in cyberattack: link.
- Planned Parenthood confirms cyberattack as RansomHub claims breach: link.
- Toronto school board confirms students’ info stolen as LockBit claims breach: link.
Issues and fixes
- Veeam warns of critical RCE flaw in Backup & Replication software: link.
- Apache fixes critical OFBiz remote code execution vulnerability: link.
- D-Link says it is not fixing four RCE flaws in DIR-846W routers: link.
- Zyxel warns of critical OS command injection flaw in routers: link.
- Cisco warns of backdoor admin account in Smart Licensing Utility: link.
- VMware disclosed Fusion vulnerability with 8.8 rating: link.
- LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks: link.
What 1Password can do for developers
If you're an engineer, it's really worth checking out 1Password's developer tools. It can manage secrets for your infrastructure and CI/CD pipeline, manage SSH keys, and inject tokens into CLI scripts. Play around with it and see how it can fit in your development flow. (Sponsored)