Computer Security

Yubikey vulnerability found, but don’t lose sleep over it. Nobody is going through all this effort to get into your GMail if you’re not a VIP.

https://www.schneier.com/blog/archives/2021/01/cloning-google-titan-2fa-keys.html

Also, it requires you to be separated from your yubikey for like 10 hours. Or having it swapped out for that amount of time. It’s a hell of a covert ops thing to do.

1 Like

Here’s a really great everyday computer security story from Sophos.

When the student couldn’t find a suitable free version, they searched for a “Crack” version instead. They found what appeared to be one and tried to install it. However, the file was in fact pure malware and the installation attempt immediately triggered a security alert from Windows Defender. The user disabled Windows Defender – and at the same time appears have also disabled their firewall – and tried again. This time it worked.

The recommendations in the article are very good. But it’s a good reminder to everyone, the days of pirating software on your PC are basically over. Unless you have an extremely trustworthy source, or at least run all pirate software in sandboxes/vms, do not pirate software for your PC like it’s the year 1999. Just about everything you can find out there is just a trap.

It’s also a good opportunity to point out that attaching high prices to things people need is also in itself a threat to security. The way that high prices on software led this student cause a security breach isn’t that far off from how high prices on food or health care lead to breaches in national security. Making sure everyone’s needs are met makes us all safer in all areas.

If the software company wasn’t charging so much for the license, if the institute paid the student enough that they could afford the software, if the institute provided the student with a legitimate license, etc. that also would have prevented this from happening.

a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials. It came from a computer named “Totoro,” possibly after the anime character.

Critical information right there.

TL;DR: T-Mo security is reportedly complete garbage. Very believable.

Every time I speak with one of my professional InfoSec friends I come away completely dismayed and demoralized about the state of security at large, well-funded, and well-staffed corporations. I think the general public thinks that computer security is SOOOOO difficult to get 100% right and that hackers (especially State-sponsered groups from Russia & China) are constantly probing for any minor oversight they can exploit. When the reality is more that these corporations can’t be arsed to do thing 1. Even when they ostensibly have a significant InfoSec team that they pay serious salaries for, the weakness always ends up being “unencrypted FTP was still permitted” or “the password was ‘ADMIN’ and had been for 10+ years” or “the company hired a consultant and provided never-expiring credentials that permitted the account access to all systems and all network elements, then that account was forgotten about or the consultants laptop was stolen/hacked”. And it isn’t that these companies do nothing about security, but they will focus on things like requiring a VPN to check email and 90-day password expiration for the majority of employees but then on the back-end or for IT/Dev staff there are super user accounts that never change and everyone has access to them because that makes their work easier.

It is the worst kind of security theater and all it does is make some people’s life more difficult while leaving the barn door wide open and then the general public just thinks “computer security is really hard!”

1 Like

It’s because in capitalism profits > all. Actually doing something like not using FTP and forcing a more secure protocol will slow or stop business transactions. Even if your company wants to be secure, you have to interoperate with other companies who won’t or can’t. If you decide to be secure, you risk ending a profitable business relationship.

Almost all security mechanisms require some sort of additional hassle. That hassle gets in the way of doing business. And when it does, it is torn down, usually with a note to fix it later. And of course, later means never.

There doesn’t seem to be much incentive for big companies to prevent these anyway. They just keep going, maybe pay a nominal fine.

Look at Experian.

Yep. That’s because all that’s being lost is databases of mostly customer data. Someone accessing that doesn’t actually hinder the business of the company.

Ransomware, on the other hand, does damage the bottom line. However, companies are simply quietly paying ransoms. They also are increasingly, though not quickly or strongly enough, doing things to defend against it.

Get your ransomware away from my candy corn!