23andMe Blames Users, Abusing Google’s OAuth2, Rustls Performance, AI Goes OSINT – ASW #268
23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more!
- 1. 23andMe: “Negligent” Users at Fault for Breach of 6.9M Records
The year starts off with a regression in security attitudes -- 23andMe says users should have taken security seriously with better password practices. It's the ultimate shift left, where a company best positioned to vet credentials against known breaches, support MFA, and even require MFA decides that users' fate lies solely in their own password practices.
- 2. Polish Hackers Say Manufacturer’s Repair DRM Killed Train’s Power, Broke Emergency Brakes
We covered this in the last episode of 2023, but here's an update to the article as well as the video now available from the Chaos Communication Congress where the researchers presented their work.
- 3. Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking | CloudSEK
- 4. Billion times emptiness | Trail of Bits Blog
- 5. Securing the Web: Rustls on track to outperform OpenSSL – Prossimo
Here's my usual reminder: memory safety is necessary, but insufficient for secure software.
In cryptography, constant-time operations are important for countering side-channel attacks. The Marvin attack is a case in point, with the RustCrypto/RSA code impacted.
OpenSSH, a cryptographic peer of OpenSSL, recently had a flaw called Terrapin. There's no direct consequence for Rustls, but I mention it as the type of thing to be aware of when implementing cryptographic protocols and ciphers.
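To make the constant-time point concrete, here is an added Rust example (mine, not code from Rustls, Prossimo or RustCrypto, and using no crates). It places an early-exit byte comparison beside a constant-time one, and an early-exit PKCS#1 v1.5 padding check beside a branch-free version that processes every byte and folds all rules into one accumulator; the padding-oracle timing leak that the early-exit style creates is the class of bug behind Marvin. Function names and the sample blocks are my own.

```rust
/// Early-exit comparison: returns at the first mismatching byte, so the time
/// taken reveals how many leading bytes of `b` matched `a`.
pub fn naive_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for i in 0..a.len() {
        if a[i] != b[i] {
            return false;
        }
    }
    true
}

/// Constant-time comparison: walks every byte and folds the differences into
/// one accumulator, so timing no longer depends on where the inputs differ.
/// Lengths are treated as public (e.g. a fixed-size MAC tag).
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// 0xFF if `b == 0`, else 0x00, computed without a data-dependent branch:
/// `b | -b` has its top bit set exactly when `b` is non-zero.
fn is_zero_mask(b: u8) -> u8 {
    let t = (b as u16) | (b as u16).wrapping_neg();
    !(((t >> 15) as u8).wrapping_neg())
}

/// Early-exit check of a PKCS#1 v1.5 type-2 encryption block
/// (0x00 || 0x02 || PS of at least 8 non-zero bytes || 0x00 || M).
/// It returns as soon as the separator is found or a rule is broken, so the
/// time taken leaks the separator position: a padding oracle.
pub fn naive_pkcs1_v15_valid(em: &[u8]) -> bool {
    if em.len() < 11 || em[0] != 0x00 || em[1] != 0x02 {
        return false;
    }
    for (i, &b) in em.iter().enumerate().skip(2) {
        if b == 0 {
            return i >= 10; // separator only after the 8 mandatory PS bytes
        }
    }
    false // no separator at all
}

/// Same rules as above, but every byte is processed and every rule folds into
/// one `bad` accumulator; the only branch is on the public block length.
pub fn ct_pkcs1_v15_valid(em: &[u8]) -> bool {
    if em.len() < 11 {
        return false; // block length equals the modulus size, which is public
    }
    let mut bad: u8 = em[0] | (em[1] ^ 0x02);
    let mut found: u8 = 0; // becomes 0xFF once any separator byte is seen
    let mut early_zero: u8 = 0; // 0xFF if a zero sits inside the 8 mandatory PS bytes
    for (i, &b) in em.iter().enumerate().skip(2) {
        let z = is_zero_mask(b);
        // `i` is the loop counter, not secret data, so this select is safe.
        let in_min_ps: u8 = if i < 10 { 0xFF } else { 0x00 };
        early_zero |= z & in_min_ps;
        found |= z;
    }
    bad |= early_zero | !found;
    bad == 0
}
```

Both pairs return identical answers; only the work done per input differs. Note that an optimizing compiler is free to reintroduce branches into code like `ct_eq`, so production code should rely on a vetted constant-time crate (such as `subtle`) rather than hand-rolled masks, and for RSA decryption the protocol-level fix is to never signal padding failure at all.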
- 6. AI: This AI can find your location just by looking at a few photos | ZDNET
- 7. AI: Artificial Intelligence Security Center
- 8. AI: Deconstructing the AI Cyber Challenge (AIxCC) – Open Source Security Foundation
- 9. INFO: Do we think of git commits as diffs, snapshots, and/or histories?
If you come across code, you're likely to come across git. If you come across git, you're likely to deal with an unintuitive command line and concepts. This is a nice resource for understanding some of the basics of git. The site has tons of great resources for not only git, but common Unix commands, network protocols, and coding. The zines are entertaining and informative. Check them out!
- 10. FYI: Federal Register :: Request for Information on “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software”
Want to influence secure by design? You have until February 20th to respond to this RFI.
- 1. Kaspersky engineers publish “Operation Triangulation”
At one of my favorite conferences I haven't been to - the Chaos Communication Congress - some engineers from Kaspersky disclosed some really interesting research they've been doing into an extremely complex attack against Apple iOS devices.
- 2. Tackle technical debt by reframing it as “business risk”
I'm pulling a Matt Alderman and looking at this more from a business, "CIO" side. But I do think it's important for us to figure out how we can reframe a technical debt - or security - problem in a way that captures the resources it needs.
- 3. When Apple ditches tbolt, hack usbc
I'm posting this more to discuss the idea that you can't just solve security issues by swapping out tech components. Sometimes you actually need to do work to harden those parts of your stack.