Security Leftovers
-
2023-03-03 Security updates for Friday
-
Passwordless authentication with FIDO2—beyond just the web
FIDO2 is a standard for authenticating users without the need for passwords. While the technology has been introduced mainly to protect accounts on web sites, it's also useful for other purposes, such as logging into Linux systems. The same technology can even be used beyond authentication, for example to sign files or Git commits. A couple of talks at FOSDEM 2023 in Brussels presented the possibilities for Linux users.
The FIDO2 standard is a joint effort between the FIDO Alliance (FIDO stands for Fast Identity Online) and the World Wide Web Consortium (W3C) to develop standards for strong authentication. Users can securely authenticate themselves with a FIDO2 security key (a hardware token), which is more convenient, faster, and more secure than traditional password-based authentication. The security key can ask the user to touch a button or enter a PIN for authentication; alternatively, it can include a fingerprint reader or other means for biometric authentication. FIDO2 can be used as an extra factor added to a traditional password as part of multi-factor authentication or as the only means of authentication. In the latter case, this is called passwordless authentication. Note that a previous FIDO standard, FIDO U2F, was primarily designed for two-factor authentication.
The FIDO2 standard consists of two parts. Web Authentication (WebAuthn) is a W3C recommendation with broad browser support that describes an API allowing web sites to add FIDO2 authentication to their login pages. FIDO's Client to Authenticator Protocol (CTAP) complements WebAuthn by enabling an external authenticator, such as a security key or a mobile phone, to work with the browser. So in short: the browser talks WebAuthn to the server and CTAP to the authenticator device.
-
Top 10 open-source security and operational risks of 2023 [Ed: Microsoft-funded sites love articles such as this. This is what Microsoft pays for.]
Many software companies rely on open-source code but lack consistency in how they measure and handle risks and vulnerabilities associated with open-source software, according to a new report.
-
UK retailer WH Smith struck by cyberattack
U.K. retailer WH Smith PLC has been struck by a cyberattack that resulted in the theft of some company data.
-
YARA: Detect The Unexpected ..., (Thu, Mar 2nd)
A friend and colleague of mine, DhaeyerWolf, asked me for a bit of help with the design of a YARA rule.
-
Cyber Plan Would Hold Software Makers Responsible in Hacks
The Biden administration is set to release an aggressive new national cybersecurity strategy on Thursday that seeks to shift the blame from companies that get hacked to software manufacturers and device makers, putting it on a potential collision course with big technology companies.
The 35-page strategy, shared in advance with a group of reporters, asserts that software makers must be “held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers.”
-
Hackers steal gun owners’ data from firearm auction website
Hackers breached a website that allows people to buy and sell guns, exposing the identities of its users, TechCrunch has learned.
The breach exposed reams of sensitive personal data for more than 550,000 users, including customers’ full names, home addresses, email addresses, plaintext passwords and telephone numbers. Also, the stolen data allegedly makes it possible to link a particular person with the sale or purchase of a specific weapon.
-
Oakland continues to work on recovery from ransomware attack; Play claims responsibility
Play does not indicate how much data they acquired, but threatens to start dumping it tomorrow (March 4). They claim to have: “Private and personal confidential data, financial, gov and etc. IDs, passports, employee full info, human rights violation information.”