Physical security keys, like those sold by Yubico, Thetis and Kensington, are a great way to lock down your digital life. They also tend to be wicked fast compared to waiting for a 2FA code to arrive via SMS or typing in a verification code from an app like Google Authenticator.
Unless, of course, said security key is deeply, deeply borked.
Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today warning of an issue in YubiKey FIPS Series devices running firmware versions 4.4.2 and 4.4.4 that reduces the randomness of the cryptographic keys (and ECDSA signatures) the devices generate. Thousands of federal employees use these keys every day to log on to their systems securely, with the key issuing one-time passwords.
The problem shows up right after the security key powers up. According to Yubico, a bug leaves "some predictable content" in the buffer the device draws its random values from, which weakens the randomness of anything generated from that buffer. ECDSA signatures are in particular danger: 80 of the 256 random bits used for each signature's nonce stay static, and a nonce that is even partly predictable is fatal for ECDSA. An attacker who gets hold of several signatures made by an affected key can use that bias to reconstruct the private key.
If someone reading this can school me on why anyone working at Yubico would think that leaving 'predictable content' on a device meant to secure highly sensitive government systems and information was a good idea, I'd appreciate it.
Frequent Boing Boing contributor Sean O'Brien and his colleagues Laurin Weissinger and Scott J Shapiro built a Raspberry Pi-enabled smart pumpkin and then challenged their Yale cybersecurity students to hack it.
With the midterm elections creeping up, everyone in the media has been busier than a cat trying to bury a turd on a marble floor, watching for signs of Russian interference. Given the amount of chaos Russia's cyber operatives have been responsible for over the past few years, this is totally understandable. However, it might be a good idea for the media to keep an eye on China's online comings and goings as well.
According to a report released by the French government, Chinese cyber operatives have been hard at work attempting to compromise or enlist thousands of well-placed professionals and intellectuals online, with a view to leveraging them in the real world.
The report describes Chinese efforts to approach senior French scientists, business executives, academics and others as "widespread and elaborate", and warns that the campaign poses an "unprecedented threat against the national interests" of the French state. It goes on to state that nearly 4,000 carefully selected French citizens have been approached by Chinese intelligence operatives via the LinkedIn social media platform. Of those, nearly half, or 1,700, hold leading posts in French industry, while the remaining 2,300 work in the public sector. Taken together, the targets are involved in nearly every area of industry and government administration, including nuclear energy, telecommunications, computing and transportation, the report said.
In many cases the Chinese operatives used fake identities, posing on LinkedIn as headhunters for overseas corporations and think tanks. As part of the ruse, the operatives would invite their targets on all-expenses-paid trips to China for job interviews or research symposiums, whatever turned the target's crank.
Well, this is fun: the United States Government Accountability Office released a report today explaining, in no uncertain terms, that the majority of the nation's newfangled, high-tech weapons systems are hilariously vulnerable to cyberattacks.
From the Washington Post:
The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hacking.
A public version of the study, published on Tuesday, deleted all names and descriptions of which systems were attacked so the report could be published without tipping off American adversaries about the vulnerabilities. Congress is receiving the classified version of the report, which specifies which among the $1.6 trillion in weapons systems that the Pentagon is acquiring from defense contractors were affected.
The Government Accountability Office used a team of hackers to see what sort of shenanigans could be caused with a little bit of access and a whole lot of digital kung fu. The results aren't a good look for America's military. In one instance, the red team the GAO used was pitted against Pentagon personnel tasked with holding the line against cyberintrusions. The Pentagon's security checks were easily bypassed, thanks to easy-to-crack passwords and "insiders" familiar with the program acting as meatspace backdoors into what would normally be secure systems. It gets worse: the hackers working for the GAO reported being able to watch, in real time, a system operator's every move.
When scammers get inside the networks of financial institutions, they sometimes stage "cashouts": they recruit confederates around the world to hit ATMs at the same time with cards tied to hacked accounts and withdraw the maximum the ATMs will allow. The wilier criminals first disable the anti-fraud and withdrawal-maximum features in the banks' systems, enabling their confederates to drain ATMs of all the cash they contain. This is called an "unlimited cashout."
A federal lawsuit brought by voting security activists against the State of Georgia has revealed breathtaking defects in the state's notoriously terrible voting machines -- and, coincidentally, the machines in question were wiped and repeatedly degaussed by the state before they could be forensically examined as evidence of their unsuitability for continued use.
Have you tried turning it off and on again?
The FBI sent out an urgent bulletin advising anyone with a home or small-office internet router to turn it off and then on again immediately, to help stop the spread of a malware outbreak with origins in Russia.
A recently concluded cybersecurity review conducted by the Trump White House and the Department of Homeland Security finds that most government agencies remain shockingly insecure, despite Trump's campaign promises of super great cybersecurity, unlike the very bad hacker criminal Hillary Clinton, who bleached emails and acid-washed her network devices and should be in jail.
According to the Hong Kong Free Press, Apple is set to hand over the keys to the accounts of iCloud users in China to a company owned by the surveillance- and censorship-happy Chinese government.
Guizhou-Cloud Big Data (GCBD) will take over the operation of Apple's Chinese data center at the end of February, making GCBD responsible for all legal and financial dealings between Apple and China's iCloud users. Once GCBD is running the show, Apple will be responsible for investing one billion USD to build a new server farm in Guiyang and for providing technical support in the interest of preserving data security.
Apple doesn't like telling folks what iCloud user data it is able to read. The information could be as limited as the size of uploaded files and where those files were uploaded, or as comprehensive as being able to browse through the photos taken with an iPhone. That China's communist government, which is big on watching the digital doings of its citizens, on censorship and on keeping tabs on political activists, will soon have access to the iCloud account information of every iPhone, iPad or Mac user in China is pretty troubling.
This isn't the first time Apple has bowed to pressure from the Chinese government, either. Back in 2017 it happily removed close to 700 VPN apps from the Chinese iTunes App Store, making it extremely difficult for iOS users to view uncensored content. So say goodbye to news stories about China and the rest of the world that haven't been approved by Chinese state censors.
U.S. Girl Scouts as young as 5 years old will soon be able to earn their first-ever cybersecurity badges. Eighteen of these merit patches will be launched by the Girl Scouts of the USA starting in September 2018.
Micah Lee and The Intercept put together this video with "tips on how to prepare your phone before you go to a protest and on how to safely communicate with your friends."
'President' Donald Trump is expected to sign an executive order addressing cybersecurity today, Reuters reports in an item that cites "two sources familiar with the situation." The EO is expected to be Trump's first action to address what he called a top priority of his administration during the presidential campaign.
Of 1,700+ known acts of global power-grid sabotage, affecting some 5,000,000 people, 879 were caused by squirrels; between 0 and 1 were caused by Russia, and another 1 was caused by the USA (Stuxnet).
Three posts from the Electronic Frontier Foundation dispassionately recount the on-the-record policies of Trump and his advisors on issues that matter to a free, fair and open internet: net neutrality; surveillance, encryption and cybersecurity; free speech and freedom of the press.
"Cybersecurity": it's the new "terrorism," a word to conjure with, a source of bottomless no-bid procurements for the military-industrial complex and full employment for snake-oil salesmen.
Ted Koppel's new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, warns of an impending disaster in which America's critical infrastructure is destroyed by cyberattackers, plunging the nation into a literal dark age.