Dan Goodin

I dumped Chrome a few years ago and switched to Firefox. Now I'm thinking it may be time to dump Firefox as well. So, what do I use? Any suggestions? What about Vivaldi?

Dan Goodin

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller that’s used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

arstechnica.com/security/2024/

Ugljesa Jovanovic

@dangoodin "To uncover the side channel, the researchers reverse-engineered the Infineon cryptographic library, a heavily fortified collection of code that the manufacturer takes great pains to keep confidential." Security through obscurity. If I remember correctly, Tropic Square commented on this when they were launching their effort to develop an open and transparent security chip. I'll try to find that blog post.

wetfeet2000

@dangoodin I'm generally not a big fan of freaking out over side channel attacks. In particular I get irked when they frame it as "oh you just need physical access for a few minutes!" I did training on this for PCI device certification and it required $100k+ worth of equipment and lots of custom automation to perform that analysis. No one is carting around a Xeon workstation, high-bandwidth SDR, and antennas to do this to you on the street.

Lasagne DECT 9001

@dangoodin
Nice.
Confidentiality of the firmware should be punished.

Do I really have to read the entire PDF to know if "ECDSA" includes ed25519 or not?

Dan Goodin

In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.

To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it.

The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”

arstechnica.com/security/2024/

Jonas

@dangoodin
I'm not sure UEFI with its large attack surface is better, security-wise, than good old BIOS which was at least easily auditable.

翠星石

@dangoodin It's a shame only one of the many keys was revealed, so while you can now at least boot whatever free software you want, the UEFI itself cannot be freed.

John Gordon

@dangoodin Thank Darwin that was the only blunder compromising Secure Boot and we can absolutely trust it otherwise.

(Are typewriters still being made? I had a very fine electric typewriter with small edit buffer I gave away in the 90s. Now it would be worth thousands :-)

Dan Goodin

General Motors has stopped sharing details about how people drive its cars with data brokers that created risk profiles for the insurance industry.

The decision followed a New York Times report this month that G.M. had, for years, been sharing data about drivers’ mileage, braking, acceleration and speed with the insurance industry. The drivers were enrolled — some unknowingly, they said — in OnStar Smart Driver, a feature in G.M.’s internet-connected cars that collected data about how the car had been driven and promised feedback and digital badges for good driving.

Some drivers said their insurance rates had increased as a result of the captured data, which G.M. shared with two brokers, LexisNexis Risk Solutions and Verisk. The firms then sold the data to insurance companies.

nytimes.com/2024/03/22/technol

@kashhill doing the lord's work.

Nick Selby

@dangoodin But, like, the way we're supposed to be like, thanking GM for stopping. I wish upon them perennial bowel discomfort

Dan Goodin

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

“Most of the forked repos are quickly removed by GitHub, which identifies the automation,” Matan Giladi and Gil David, researchers at security firm Apiiro, wrote Wednesday. “However, the automation detection seems to miss many repos, and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”

arstechnica.com/security/2024/

noplasticshower

@dangoodin wow. Good thing it's all open source???! Lol.

Bill Zaumen

@dangoodin I sort of wonder if a reason for someone to put malware on GitHub is to steal developers' GPG keys, which would allow one to compromise a lot more than a single library or application.

Gillytron 🐊

Folks need to take this more seriously. Make sure you’re checking the source of your dependencies. Check for signed commits. Inspect the source code. Open source is provided as it is. It’s your job as the “consumer” to validate and weigh the risks.

Dan Goodin

If you use a Windows or Linux device, it's vulnerable to a new post-exploit attack that can remotely install an undetectable backdoor at the UEFI level. Updates from just about every vendor available today. Impressive work from @matrosov and the rest of Binarly.

arstechnica.com/security/2023/

josh

@dangoodin @matrosov

Has there been any discussion as to how these attacks interact with TPM/PCR-based system integrity checks? My understanding is that even if this method were used to bypass Secure Boot protections/etc, that behavior would still result in modified PCR measurements and would be detectable in any subsequent boot processes that rely on TPM-sealed secrets? (for instance, disk encryption)

Gustav Wengel

@dangoodin @matrosov what a wild exploit to have existed for so long

Dan Goodin

It should be clear now that it was and remains a catastrophic mistake for people to view privately owned social media platforms as any kind of public resource. People didn't know better a decade ago. They have no excuse now.

Thad

@dangoodin People *should* have known better a decade ago; we went through this same thing with AOL back at the turn of the century.

I'm afraid the necessity of open platforms and decentralization is something people are going to have to re-learn every generation.

Jim Fenton 🇺🇸🇨🇦

@dangoodin By “privately owned” do you mean privately held companies or any corporate ownership? I’m not sure what the viable alternatives are.

Bruno Nicoletti

@dangoodin I’d go further and say _any_ automated platform that relies on advertising for revenue will always end up deeply enshitified as they have to chase “engagement”. And what engages most is outrage. So we end up with systems, that by design, drag you further and further in the world of grift and crazies.

Dan Goodin

People following me for cybersecurity content: Chris Bing, one of the most distinguished reporters on this beat, recently joined the Fediverse. Chris has broken way too many stories to count and also has valuable insight into all things related to hacking. Please follow him.

@Bing_Chris

And please boost for reach.

Hyphlosion

@dangoodin Meanwhile, like a good little consumer, I’m anxiously waiting for the next generation Kindle Oasis so I can trade in my current one.
