Yubikey vulnerability found, but don’t lose sleep over it. Nobody is going through all this effort to get into your GMail if you’re not a VIP.
https://www.schneier.com/blog/archives/2021/01/cloning-google-titan-2fa-keys.html
Also, it requires you to be separated from your yubikey for like 10 hours. Or having it swapped out for that amount of time. It’s a hell of a covert ops thing to do.
1 Like
Here’s a really great everyday computer security story from Sophos.
When the student couldn’t find a suitable free version, they searched for a “Crack” version instead. They found what appeared to be one and tried to install it. However, the file was in fact pure malware and the installation attempt immediately triggered a security alert from Windows Defender. The user disabled Windows Defender – and at the same time appears have also disabled their firewall – and tried again. This time it worked.
The recommendations in the article are very good. But it’s a good reminder to everyone, the days of pirating software on your PC are basically over. Unless you have an extremely trustworthy source, or at least run all pirate software in sandboxes/vms, do not pirate software for your PC like it’s the year 1999. Just about everything you can find out there is just a trap.
It’s also a good opportunity to point out that attaching high prices to things people need is also in itself a threat to security. The way that high prices on software led this student cause a security breach isn’t that far off from how high prices on food or health care lead to breaches in national security. Making sure everyone’s needs are met makes us all safer in all areas.
If the software company wasn’t charging so much for the license, if the institute paid the student enough that they could afford the software, if the institute provided the student with a legitimate license, etc. that also would have prevented this from happening.
a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials. It came from a computer named “Totoro,” possibly after the anime character.
Critical information right there.
TL;DR: T-Mo security is reportedly complete garbage. Very believable.
Every time I speak with one of my professional InfoSec friends I come away completely dismayed and demoralized about the state of security at large, well-funded, and well-staffed corporations. I think the general public thinks that computer security is SOOOOO difficult to get 100% right and that hackers (especially State-sponsered groups from Russia & China) are constantly probing for any minor oversight they can exploit. When the reality is more that these corporations can’t be arsed to do thing 1. Even when they ostensibly have a significant InfoSec team that they pay serious salaries for, the weakness always ends up being “unencrypted FTP was still permitted” or “the password was ‘ADMIN’ and had been for 10+ years” or “the company hired a consultant and provided never-expiring credentials that permitted the account access to all systems and all network elements, then that account was forgotten about or the consultants laptop was stolen/hacked”. And it isn’t that these companies do nothing about security, but they will focus on things like requiring a VPN to check email and 90-day password expiration for the majority of employees but then on the back-end or for IT/Dev staff there are super user accounts that never change and everyone has access to them because that makes their work easier.
It is the worst kind of security theater and all it does is make some people’s life more difficult while leaving the barn door wide open and then the general public just thinks “computer security is really hard!”
1 Like
It’s because in capitalism profits > all. Actually doing something like not using FTP and forcing a more secure protocol will slow or stop business transactions. Even if your company wants to be secure, you have to interoperate with other companies who won’t or can’t. If you decide to be secure, you risk ending a profitable business relationship.
Almost all security mechanisms require some sort of additional hassle. That hassle gets in the way of doing business. And when it does, it is torn down, usually with a note to fix it later. And of course, later means never.
There doesn’t seem to be much incentive for big companies to prevent these anyway. They just keep going, maybe pay a nominal fine.
Look at Experian.
Yep. That’s because all that’s being lost is databases of mostly customer data. Someone accessing that doesn’t actually hinder the business of the company.
Ransomware, on the other hand, does damage the bottom line. However, companies are simply quietly paying ransoms. They also are increasingly, though not quickly or strongly enough, doing things to defend against it.
Get your ransomware away from my candy corn!
Could have gone in the crypto thread, but ultimately this is about a shocking (not at all shocking) security vulnerability vector.
On February 21, 2022 an article on Tom’s Hardware did a quick review of a newly released utility that was supposed to “unlock” Nvidia GPU’s that have their crypto hashrate limited by firmware to less than the chips onboard should be capable of. Those well-documented limits have been appearing on recent Nvidia GPU’s to make the cards less appealing to crypto miners. On February 23rd Tom’s Hardware published an update on this story that this utility is actually malware! Not only does it infect PowerShell on your machine, it doesn’t even improve the hashrate on the GPU!
I’ve always found Tom’s a decent source for reviews and benchmarks but they’ve been low-key enabling crypto mining wannabes for years and the fact they would publish the first article was pretty disappointing and the follow-up news could not have been more predictable.
Source: Nvidia RTX LHR Unlocker Is Malware: From Hack to Hoax | Tom's Hardware
2 Likes
Their audience is people who want to buy and upgrade computer hardware as a hobby. And due to circumstances, right now those people are largely cryptominers and not so much gamers.
1 Like
Sure, the system could be made more secure. But the real lesson here is don’t cloudify something for no reason.
I dunno, seems reasonable to have monitoring for infrastructure like that. It’s not like a toaster or something where cloud adds nothing of value.
I supposed that could be the case if one person was controlling several gas stations. But if you are just a person who owns and operates one station, it’s best to operate it with a closed LAN.
You make a secure WAN in that case. Hell, you could cobble it together with stunnel and basic Linux machines cheaply and easily.
No matter how you do it, the only way someone should be able to hack the gas station is to physically break into the office, know the owner’s login credentials, and have the owner’s 2FA device.
Don’t forget physical access to the pump itself.