This Week in Security: Security Keys, Prison Break, Masquerading Prompts

Frighteningly Bad Security Keys

Earlier this week, Adam Langley published a report on the security of FIDO U2F security keys. FIDO U2F security keys are typically small USB devices (some are NFC or BLE enabled) which provide a secondary authentication factor for websites. The report is a follow-up to his previous review, in which he took a quick look at the various keys sold on Amazon.com.

The typical authentication flow has a user log in to a website with his or her credentials through a supporting browser such as Google Chrome. Once the credentials are verified, the web server responds with a challenge that is passed to the FIDO U2F token; the token lights up and waits for the user to complete the second factor by pressing the button on the USB device. The device then cryptographically signs the challenge with a key it previously registered with that website.

The results are quite scary for a security-focused product. Adam’s testing revealed a number of implementation errors in existing FIDO U2F keys, ranging from invalid ASN.1 DER serialization to the ability to crash the token with a ping of death. The big takeaway is that there is still research to be done on the security of security keys.
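The challenge-response flow described above and the DER point from Adam’s report, as an added Go example that is not from the original post or from any vendor’s firmware: a constructed token key signs the U2F authentication message (application parameter, user-presence byte, counter, challenge parameter), and the relying-party check insists on strictly valid DER, a verifying signature and an advancing counter. The appID, clientData and key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// signedDigest is what a U2F token signs at authentication time: SHA-256 over
// SHA-256(appID) || userPresence (0x01 after the button press) || counter (BE32) || SHA-256(clientData).
func signedDigest(appID string, clientData []byte, counter uint32) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256(clientData)
	msg := append(appParam[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	msg = append(msg, chalParam[:]...)
	d := sha256.Sum256(msg)
	return d[:]
}

// tokenSign stands in for the token; the signature is DER SEQUENCE { INTEGER r, INTEGER s }.
func tokenSign(priv *ecdsa.PrivateKey, appID string, clientData []byte, counter uint32) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, clientData, counter))
}

// verifyAssertion is the relying party: reject anything that is not strict DER (encoding/asn1
// rejects non-minimal INTEGERs and trailing bytes), then check the signature and the counter.
func verifyAssertion(pub *ecdsa.PublicKey, appID string, clientData []byte, counter, lastCounter uint32, sig []byte) error {
	if rest, err := asn1.Unmarshal(sig, &struct{ R, S *big.Int }{}); err != nil || len(rest) != 0 {
		return fmt.Errorf("signature is not valid DER")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(appID, clientData, counter), sig) {
		return fmt.Errorf("signature does not verify")
	}
	if counter <= lastCounter {
		return fmt.Errorf("counter %d did not advance past %d: replay or cloned token", counter, lastCounter)
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed token key
	clientData := []byte(`{"typ":"navigator.id.getAssertion","challenge":"c29tZS1jaGFsbGVuZ2U"}`) // constructed
	sig, _ := tokenSign(priv, "https://example.com", clientData, 42)
	fmt.Println("good:", verifyAssertion(&priv.PublicKey, "https://example.com", clientData, 42, 41, sig))
	fmt.Println("trailing byte:", verifyAssertion(&priv.PublicKey, "https://example.com", clientData, 42, 41, append(sig, 0)))
}
```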

If you’re looking to get into two-factor authentication (2FA) or multi-factor authentication (MFA), you can’t go wrong with a Yubico U2F security key. Just make sure you don’t use SMS-based 2FA when other, more secure, options are available.

The Packets are Coming from Inside the Ceiling

Marion Correction Facility partnered with a nonprofit, RET3, as part of the prison’s green initiative to have inmates help recycle old computers. However, they didn’t expect a network of computers to magically appear in the ceiling.

The tale of how prison inmates pilfered recycled computers, hid them in the ceiling, and (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog