A collection point
...and some of my own.
FR: French researchers hack Google Titan security keys.
https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf

This work shows that an attacker can clone a legitimate Google Titan Security Key. In the researchers' own words: "Our attack requires physical access to the Google Titan Security Key, expensive equipment, custom software, and technical skills."

They used electromagnetic emanations (tiny, stray radio waves emitted by the device as a side-effect of the electrons whizzing around inside it as it operates) to make guesses about the internal state of the Titan processor chip while it was performing cryptographic calculations. They first trained on a look-alike chip: "we had to make a quick stop on Rhea (NXP J3D081 JavaCard smartcard). Freely available on the web, this product looks very much like the NXP A700X chip and uses the same cryptographic library." Then, with physical access to the Google Titan Security Key, they collected the roughly 4000 observations needed to "guess" the private key used in the Elliptic Curve Digital Signature Algorithm (ECDSA), by monitoring the chip while it performed authentication operations.

Er, to prep your own lab, because of course you are going to want to try this at home, you will need the following:

1.) A Langer ICR HH 500-6 electromagnetic probe
2.) A Thorlabs PT3/M 3-axis (X-Y-Z) manual micro-manipulator ...the two of which will set you back about US$10K
3.) A heat gun to soften the plastic on the Titan Key
4.) A scalpel to then cut the key apart
5.) Nitric acid to dissolve the protective coating on the secure chip
6.) The patience to collect about 6000 digital signature calculations (about 6 hours)
7.) Something to run the statistical calculations that figure out the private key

Ah, there are a couple of other gotchas. The Fast IDentity Online Alliance (FIDO) standard includes a counter.
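The counter check is done by the server (the FIDO "relying party"), not by the key, which is why it only helps if the service actually implements it. As an added example, not code from NinjaLab or from any FIDO server or key, here is a minimal relying party in Python that stores the last counter seen per credential and what it reports when a cloned key and the genuine key take turns. The authenticator-data layout (32-byte rpIdHash, 1-byte flags, 4-byte big-endian signCount) follows the WebAuthn spec; the rp_id "example.com", the credential id and the Authenticator class are constructed stand-ins, and the ECDSA signature check is omitted so the example runs offline.

```python
"""Relying-party signature-counter check for FIDO U2F / WebAuthn keys.

Added example, not code from the NinjaLab write-up or from any FIDO server
or key. Authenticator and RelyingParty are constructed stand-ins; the
signature over the authenticator data is assumed to have been verified
already and is not checked here.
"""
import hashlib
import struct


def build_auth_data(rp_id, sign_count, user_present=True):
    """Authenticator data as a key emits it: rpIdHash || flags || signCount."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = 0x01 if user_present else 0x00            # bit 0 = user present (UP)
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_sign_count(auth_data):
    """signCount sits at bytes 33..36, big-endian, right after the flags byte."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return struct.unpack(">I", auth_data[33:37])[0]


class Authenticator:
    """Stand-in for a U2F key: bumps its counter on every assertion it signs."""

    def __init__(self, start=0):
        self.counter = start

    def assertion(self, rp_id):
        self.counter += 1
        return build_auth_data(rp_id, self.counter)


class RelyingParty:
    """Keeps the last counter seen per credential and refuses anything not higher."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        self.last_count = {}

    def check(self, cred_id, auth_data):
        """Return 'ok', 'ok-no-counter', 'wrong-rp' or 'clone-suspected'."""
        if auth_data[:32] != self.rp_id_hash:
            return "wrong-rp"                         # minted for a different site
        count = parse_sign_count(auth_data)
        stored = self.last_count.get(cred_id, 0)
        if count == 0 and stored == 0:
            return "ok-no-counter"                    # key does not implement a counter
        if count <= stored:
            # Counter repeated or went backwards: a second copy of this key exists.
            # This should raise an incident, not just fail one login.
            return "clone-suspected"
        self.last_count[cred_id] = count
        return "ok"


def clone_scenario():
    """Owner uses the key, attacker clones it, both keep using it; return the
    relying party's verdicts in order."""
    rp = RelyingParty("example.com")                  # hypothetical relying party
    real_key = Authenticator()
    cred = "cred-1"                                   # constructed credential id
    for _ in range(5):                                # owner logs in a few times
        assert rp.check(cred, real_key.assertion(rp.rp_id)) == "ok"
    # Attacker clones the key and copies its current counter state (5).
    clone = Authenticator(start=real_key.counter)
    return [
        rp.check(cred, clone.assertion(rp.rp_id)),    # clone presents 6: slips through
        rp.check(cred, real_key.assertion(rp.rp_id)), # owner presents 6: flagged
        rp.check(cred, real_key.assertion(rp.rp_id)), # owner presents 7: accepted again
    ]


if __name__ == "__main__":
    print(clone_scenario())   # ['ok', 'clone-suspected', 'ok']
```

Two things the walk-through makes visible. First, the clone is never caught directly: it is the genuine key's next use that trips the check, and only if the attacker's guess of the counter was low rather than high. Second, the detection window is a single login; by the owner's following attempt the genuine counter is ahead again and everything looks normal, so a relying party that merely denies that one request and moves on has learned nothing. Treat "clone-suspected" as a signal to revoke the credential and contact the user.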
Every authentication response that's created by a FIDO key includes a count of how many responses the key has computed so far, together with a digital signature over that count. To use a cloned key you have to guess the current value of the counter in the real key, add one, and present that to get in. If you get that wrong... well, it won't work. And remember that this is all in addition to having the correct username and password initially.

So, as far as the work presented goes, it is still safer to use your Google Titan Security Key (or other impacted product) as a FIDO U2F two-factor authentication token to sign in to applications than not to use one. The researchers' own caveat: "Nevertheless, this work shows that the Google Titan Security Key (and other impacted products) would not avoid unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered."

So if you use Google's Titan keys instead of Yubikeys, keep on using them, but keep them with you. Look for tampering (in this research the Titan key looked like it had been mauled by a Rottweiler puppy). Lastly, ask your service providers whether they actually check FIDO key counters; many do not.
https://ninjalab.io/a-side-journey-to-titan/

SolarWinds hire Krebs Stamos Group
https://ks.group/

On Friday the news surfaced that Chris Krebs, head of the US government's Cybersecurity and Infrastructure Security Agency (CISA) until he was fired by presidential tweet for saying the American election was not hacked, has started a security consultancy with former Facebook and Yahoo! security chief and Zoom security adviser Alex Stamos. The two say that they have already been hired by SolarWinds, and it's a long-term contract. Way to hit the road running!

Kawasaki and then Nissan taken out with kung-fu breaches.
https://global.kawasaki.com/news_201228-1e_1.pdf

Kawasaki first: "On June 11, 2020, an internal system audit revealed a connection to a server in Japan from an overseas office (Thailand) that should not have occurred. Unauthorized accesses to servers in Japan from other overseas sites (Indonesia, the Philippines, and the United States) were subsequently discovered." And: "The unauthorized access in question had been carried out with advanced technology that did not leave a trace."

Then Nissan... when Swiss-based software engineer Tillie Kottmann found loads of data available on one of Nissan's North American Git servers through username: Admin, password: Admin. The tweet has been removed and Tillie's account suspended, but the comments are still available and are pretty funny:
https://twitter.com/antiproprietary/status/1346238602536214528
You can also see some of the data from the open server here:
https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/

Trump sneaks in another agency: Bureau of Cyberspace Security and Emerging Technologies (CSET)
https://www.state.gov/secretary-pompeo-approves-new-cyberspace-security-and-emerging-technologies-bureau/

Last week, while your attention was diverted by insurrection, DJT had Secretary of State Mike Pompeo quickly set up another bureau to meet the cyber challenges to U.S. national security presented by China, Russia, Iran and North Korea. Apparently creating yet another bureau will allow the State Department to "posture itself appropriately and engage as effectively as possible with partners and allies". It's interesting that this is being done hastily in the last couple of weeks of a 4-year term. So your first question might be "Does the US have any partners or allies left?" And your second might be "Why suddenly now?" We don't have answers, but we do expect one more committee to be formed: TCOTAOHYTATO, or "The Committee Overseeing The Awfulness Of Having Your Twitter Account Turned Off".