Google 2FA Cloning, Speed vs. Security, & “Hack The Army” Bug Bounty 3.0 – ASW #136
Significant source code leak from misconfigured repo, side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, the benefits of DevOps approaches to building systems.
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Hosts
- 1. Nissan source code leaked online after Git repo misconfigurationAttackers siphon source due to a SaaS misconfiguration that not only allowed public repos, but used trivial credentials.
- 2. New side-channel attack can recover encryption keys from Google Titan security keysWell written research on hardware authentication keys that provides insights on improving security as well as placing the attack within perspective of practical threat models. Don't worry about the heavy presence of acronyms and check out the paper at https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf
- 3. Hack the Army bug bounty challenge asks hackers to find vulnerabilities in military networksAnnounced back in November 2020, the bounty program is now live and interesting to watch from the perspective of maturing a bug bounty approach to AppSec.
- 4. What is the cost of poor software quality in the U.S.?Another chance to talk about security budgets, metrics, and security as a dimension of quality. Related to this topic, two recent papers at the Workshop on the Economics of Information Security took an academic look at how breaches raise the cost of capital for companies (https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final14.pdf and https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final16.pdf)
- 5. 7 Trends Influencing DevOps and DevSecOps AdoptionWhether you take these as principles or prognostication, the type of engineering in these topics benefits from a DevOps approach to software and security.
- 6. Navigating the trade-off between development speed and securityRather than positioning speed and security as polar opposites, consider security as a guide to how fast you could and should be able to build systems.
- 1. Google’s 2FA tokens can be cloned within 10 hoursIf you lose a 2fa token, you should be able to have it disabled ASAP. For many, this might be a "oh I misplaced it" on a Saturday morning, and "I'll get to it on Monday." The takeaway that might be useful to corporations here is "a 2FA token can be cloned within 10 hours" which might give reason to create a policy saying "The misplacement/loss of a 2FA token MUST be reported ASAP and disabled within 10 hours." In reality, if I steal a 2fa token, I'd probably make sure I have the credentials first so I'm ready to roll when as soon as it's in my possession, so I don't fully get the value of this, but if it helps it helps.
