Even government officials are now telling us to use End-to-End encryption. (We've come a long way since the Clipper Chip era.) Signal is a great tool that's free and works across all major platforms. If one's circle is primarily in the Apple ecosystem, iMessage and FaceTime (including FaceTime audio) are also end-to-end encrypted.
There are plenty of other options available, including many enterprise-friendly solutions that can be used to meet data retention/compliance/etc. requirements (i.e. data is encrypted between the clients and the service, but the service retains a copy). Just make sure to read the fine print and check for any publicly available security research before committing to a product/solution.
9.12.2024 21:04
My wife and I voted! Our lives have been super-busy these last few weeks, so it was hard to find time to research candidates and propositions. But I’m glad we did. Not just to vote on national issues, but also all the local elections which are just as important. City Councils and school boards (which I’m now much more invested in!) have a huge impact on all our daily lives.
As an extra bonus, our daughter was able to participate in each step of the process. The poll workers even gave her an honorary “I voted” sticker too, which she is proudly wearing.
If you haven’t voted yet, there’s still plenty of time!
3.11.2024 19:59
This is great news. Vendor lock-in for Passkeys has long been a problem, and a major adoption blocker for many potential users. I’m glad to see progress is being made on the transportability of passkeys between ecosystems.
https://www.wired.com/story/passkey-portability-fido-alliance/
14.10.2024 21:00
For organizations that rely on smart cards issued by a 3rd party (such as the US Government’s PIV and CAC), a big change arrived in today’s Patch Tuesday. A new, more narrowly scoped method of allowing name-based mapping is now available, allowing matching based on immutable attributes (such as an employee ID number or EDIPI) from explicitly authorized CAs.
It’s important to read through the fine print on this one and understand the security implications. But for many USG organizations, this will enable continued functionality, while also significantly mitigating the risk of maliciously issued certificates and certificates with overlapping names.
11.9.2024 05:30
This is a huge deal. Yubikeys are used by some of the most security-conscious organizations to protect some of the most sensitive systems in the world. https://infosec.exchange/@dangoodin/113074992609951759
3.9.2024 18:50
Recently, eSentire published some interesting research on successfully phishing users even when they’ve configured phishing resistant MFA (like a FIDO2 Passkey or a smart card). For organizations deploying Phishing Resistant MFA (PR-MFA), like a FIDO2 Passkey, be it for internal user authentication or customer logon, there are some important takeaways.
First off, some have mischaracterized this as a weakness in passkeys; it is not. It is a weakness in how some (many?) organizations implement passkeys. How so?
The classic phrase applies: a chain is only as strong as its weakest link. If a user can authenticate using PR-MFA and non-PR-MFA, then they are vulnerable to phishing. There are plenty of examples of similarly styled attacks, from SSL Stripping to socially engineering helpdesk/customer support agents. If the default authentication method is too difficult for an attacker, they’ll try alternative/backup methods. Passkey Redaction “hides” the Passkey authentication option on logon screens, forcing users to authenticate using a non-PR-MFA method. Since this “redacted” page is a phishing site, the result is full account access for the attacker. So, what should an organization do?
Getting started on the PR-MFA journey can be daunting. Far too many services today still rely on less-secure MFA. The inevitable part of a PR-MFA journey is to (eventually) disable all legacy MFA options. But that’s a bit scary, especially for consumer-facing services. Some options:
1: Identify the most sensitive users and target them for mandatory PR-MFA access. For example, sysadmins with high-level privileges, executives with access to highly sensitive data, or customers with high-value accounts.
2: Allow users to opt-in to stronger security. Though many sensitive users can be determined programmatically, that might not catch everyone. Plus, some users have higher security awareness than others, so they may prefer living with the additional pain of higher security.
3: Ensure any account recovery option involves multiple safeguards. One real-world example: An organization sends a boring SMS as the fallback for passkeys. No mention in the SMS that passkey logon has been bypassed, nor an automated email notification. To a user, they might presume some technical glitch has blocked passkey logon. If PR-MFA is going to be enforced, expect attackers will go after the account recovery process; make sure a lot of thought is put into protecting that as well.
Last important note. Some services only allow 1-2 passkeys. That’s way too low; a limit of 5-10 is better. Why? Users should be encouraged to set up backup passkeys. For example, a combination of physical keys and device-bound and roaming passkeys. For a user worried about losing a device, that can easily require 3-5 passkey slots. Added bonus: the more passkeys a user has, the less likely they are to need account recovery.
Standard disclaimer: All opinions/views are my own.
#FIDO2 #MFA #PR-MFA #FIDO #Passkey
https://www.esentire.com/blog/securing-passkeys-thwarting-authentication-method-redaction-attacks
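The three options above, plus the passkey-slot limit, amount to an authentication policy. As an added example (not code from the post, from eSentire, or from any identity provider), here is a small Python policy engine that encodes them: users in a sensitive tier or who opted in can only sign in with a phishing-resistant method, so a "redacted" page cannot push them onto SMS/TOTP; users who are still allowed a legacy fallback get an out-of-band notice that passkey sign-in was bypassed; account recovery needs two independent proofs plus a hold; and registration is capped at 8 passkeys (inside the 5-10 range the post recommends). All names (`User`, `authenticate`, `recover_account`, the `Method` values) and the sample users are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    PASSKEY = "passkey"        # FIDO2 passkey: phishing resistant
    SMART_CARD = "smart_card"  # PIV/CAC: phishing resistant
    TOTP = "totp"              # legacy MFA: phishable
    SMS = "sms"                # legacy MFA: phishable


PHISHING_RESISTANT = {Method.PASSKEY, Method.SMART_CARD}
MAX_PASSKEYS = 8                        # assumption: a limit inside the post's 5-10 range
RECOVERY_PROOFS_REQUIRED = 2            # assumption: two independent safeguards (option 3)
RECOVERY_HOLD_HOURS = 24                # assumption: cooling-off period before recovery completes


@dataclass
class User:
    name: str
    sensitive: bool = False                 # option 1: tagged programmatically (admin, exec, high-value)
    opted_in: bool = False                  # option 2: user chose PR-MFA-only
    passkeys: list[str] = field(default_factory=list)
    legacy_methods: set[Method] = field(default_factory=set)
    contact_channels: list[str] = field(default_factory=list)   # e.g. ["email", "sms"]


@dataclass
class Decision:
    allowed: bool
    reason: str
    notifications: list[str] = field(default_factory=list)


def pr_mfa_required(user: User) -> bool:
    """A user is locked to phishing-resistant methods if tagged sensitive or opted in."""
    return user.sensitive or user.opted_in


def register_passkey(user: User, credential_id: str) -> int:
    """Add a backup passkey; refuse only past the (generous) cap. Returns the new count."""
    if len(user.passkeys) >= MAX_PASSKEYS:
        raise ValueError(f"{user.name}: passkey limit of {MAX_PASSKEYS} reached")
    user.passkeys.append(credential_id)
    return len(user.passkeys)


def authenticate(user: User, method: Method) -> Decision:
    """Decide whether a completed second factor of type `method` may sign this user in."""
    if method in PHISHING_RESISTANT:
        if method is Method.PASSKEY and not user.passkeys:
            return Decision(False, "no passkey enrolled for this user")
        return Decision(True, f"{method.value}: phishing-resistant method accepted")

    # Legacy (phishable) method from here on. This is the branch Passkey Redaction targets.
    if pr_mfa_required(user):
        alerts = [f"security-log: legacy {method.value} attempt refused for PR-MFA user {user.name}"]
        alerts += [f"{ch}: someone tried to sign in without your passkey" for ch in user.contact_channels]
        return Decision(False, "PR-MFA enforced; legacy methods are not an option", alerts)

    if method not in user.legacy_methods:
        return Decision(False, f"{method.value} is not enrolled for this user")

    # Fallback is permitted for this tier, but never silently: say out loud that passkey was bypassed.
    notices = [f"{ch}: passkey sign-in was bypassed using {method.value}" for ch in user.contact_channels]
    notices.append(f"security-log: legacy {method.value} fallback used by {user.name}")
    return Decision(True, "legacy MFA accepted for non-enforced user", notices)


def recover_account(user: User, proofs: set[str], hold_elapsed_hours: int) -> Decision:
    """Account recovery needs several independent proofs and a hold, and always notifies every channel."""
    notices = [f"{ch}: an account recovery was started for {user.name}" for ch in user.contact_channels]
    if len(proofs) < RECOVERY_PROOFS_REQUIRED:
        return Decision(False, f"need {RECOVERY_PROOFS_REQUIRED} independent proofs, got {len(proofs)}", notices)
    if hold_elapsed_hours < RECOVERY_HOLD_HOURS:
        return Decision(False, f"recovery hold of {RECOVERY_HOLD_HOURS}h not yet elapsed", notices)
    return Decision(True, "recovery approved: proofs and hold satisfied", notices)


if __name__ == "__main__":
    # Constructed sample users.
    admin = User("admin", sensitive=True, passkeys=["yubikey-5c"], legacy_methods={Method.SMS},
                 contact_channels=["email"])
    customer = User("customer", legacy_methods={Method.SMS}, contact_channels=["email", "sms"])
    for user, method in [(admin, Method.PASSKEY), (admin, Method.SMS), (customer, Method.SMS)]:
        d = authenticate(user, method)
        print(user.name, method.value, "->", "ALLOW" if d.allowed else "DENY", "|", d.reason, d.notifications)
```

The important branch is the `pr_mfa_required` check: for the enforced tier the legacy path is not merely discouraged, it does not exist, which is the only state in which a redacted login page has nothing to fall back to.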
15.7.2024 04:04
Public preview: Expanding passkey support in Microsoft Entra ID: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/public-preview-expanding-passkey-support-in-microsoft-entra-id/ba-p/4062702
3.5.2024 01:38
I was recently listening to @SGgrc’s coverage of the EU’s QWAC proposal. There’s much debate regarding the EU’s role in the global PKI ecosystem, when it dawned on me there’s a far simpler solution that should (hopefully) address everyone’s concerns. Instead of operating a root CA, the EU should operate a Certificate Transparency Log.
Let me explain. The Certificate Transparency system was envisioned to countersign existing certificates, ensuring that the certificate’s issuance was included in a public log. The result is that the body of the certificate (i.e. subject, public key, etc.) is signed by both the CA and the CT Log. Certificates can (and often do) have multiple CT Log signatures.
What I’m proposing is the EU operate their own CT Log server. But unlike standard CT Log servers which will sign any certificate sent their way, the EU would only countersign certificates that meet the QWAC requirements. For example, ensuring that the subject fields (name, address, etc) are valid and the authenticity of the requestor is confirmed.
The basic flow would be: (1) User submits a CSR to their preferred CA; just like they always do. (2) The CA performs their standard domain name and OV/EV verification. (3) User is redirected to an EU-managed portal to further complete their QWAC verification. (4) Once both the CA and EU are satisfied, then the CSR is signed by the CA and a CT Log signature is added by the EU.
The benefits: The EU no longer operates a root CA that’s globally trusted, the EU’s approval of a certificate is as cryptographically secure as if they ran their own root CA, existing applications continue uninterrupted (since this is just another CT signature), the existing CT Log ecosystem also continues on (as they can still add additional countersignatures to QWAC certificates), and client-side QWAC verification can now be accomplished either by the browser natively or via a browser plugin (effectively offering an opt-in option).
Standard caveat, the above is my personal opinion and does not represent anyone else’s opinion/position.
#QWAC #EU #eIDAS #PKI #Certificate #CAB #SecurityNow
29.11.2023 04:38
“The war in Ukraine is the first recent conflict between two large and relatively advanced armies to widely deploy electronic warfare abilities and evolve the techniques in real time.”
19.11.2023 14:45
Short description says it adds support for #SecurityKeys like the #YubiKey
23.1.2023 18:27
#Apple #iOS 16.3 is out! No release notes (yet): https://support.apple.com/en-us/HT201222
23.1.2023 18:23
12 years ago I started paying for #LastPass Premium. Today, I canceled my subscription, migrated my data to a different service, and deleted my account. I used a very strong password and higher-than-default PBKDF2 iterations, so I'm not too worried about a brute-force of my vault. My problem is two-parted:
1: LastPass did not engage in a proper post-breach analysis / cleanup. Resetting passwords/keys/credentials/etc. is easily the most basic/common breach recovery tactic. That they skipped this is inexcusable.
2: LastPass seemingly hasn't invested in securing their development environment. Introducing vulnerabilities into the codebase is their biggest risk. Attackers going after the dev environment should not have been a surprise.
As others have speculated, it seems the acquisition by LogMeIn has resulted in shifting from a focus on security, to instead a focus on features and profit. I have no proof of this, but points 1 & 2 above seem to support this speculation.
For those also jumping to other providers, I do recommend rotating all your vaulted passwords. Unless you had a very weak master password, there's no huge rush. But everyone should presume that "eventually" a well-funded adversary will be able to brute force your vault.
24.12.2022 21:54
New #Apple #iOS #MacOS #iPadOS #WatchOS and #TVOS update is out! Whole ton of CVEs fixed. Includes the new #EndToEnd encryption in #iCloud (for those in the US). https://support.apple.com/en-us/HT201222
14.12.2022 05:23
End-to-end encryption finally coming to iCloud. This is a big win for privacy minded folks. And will be enabled by every criminal in 5...4...3...2...1... https://www.wsj.com/articles/apple-plans-new-encryption-system-to-ward-off-hackers-and-protect-icloud-data-11670435635 #Apple #iCloud #endtoendencryption #DualUse
7.12.2022 18:27
Out-of-band update just dropped for Windows. If your Active Directory disables RC4 support in Kerberos, it's super-important to get the updated patch. Lots of AD hardening guides recommend disabling RC4, so this probably affects lots of folks:
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center
17.11.2022 23:54
Hello World!
12.11.2022 21:36