TEMPEST@Home - Finding Radio Frequency Side Channels
https://duo.com/labs/research/finding-radio-sidechannels [duo.com]
2020-04-27 06:01
tags:
opsec
security
sidechannel
solder
wifi
As the test procedures in the TEMPEST standards are rudely made unavailable to us as they are considered “classified” we have to do the next best thing and make up our own. This article aims to make barely acceptable analogies about how radios work and show that you really don’t need that much in terms of know-how and equipment to find and take advantage of leaky radio signals. Towards the end, we will apply what we have learned to find a signal that can exfiltrate data out of a radio-less and air-gapped desktop workstation through a wall and 50ft away.
IoT Security Bills Use Federal Spending as Leverage
https://duo.com/decipher/iot-security-bills-use-federal-spending-as-leverage [duo.com]
2019-03-16 04:20
tags:
ioshit
policy
security
vapor
The bill includes a number of separate provisions, but the one that stands to have the biggest potential effect on IoT security is the establishment of a set of standards for security in connected devices, standards that will be developed by the National Institute of Standards and Technology. The draft legislation doesn’t set out too many specifics for what those security standards would be, but dictates they will include four separate areas: secure development, identity management, patching, and configuration management. Under the language in the bill, vendors selling IoT devices to federal agencies will have to meet the NIST standards for those areas.
Deciphering the Messages of Apple’s T2 Coprocessor
https://duo.com/labs/research/apple-t2-xpc [duo.com]
2019-02-16 03:32
tags:
bios
hardware
investigation
mac
networking
turtles
To discover and communicate with advertised services, the T2 exposes itself to macOS as a network interface, assigned as en6 on our lab machines. This macOS interface is configured for IPv6 with a fixed link-local address, fe80::aede:48ff:fe00:1122, that is the same on every machine. The T2 exposes itself at the fixed IPv6 address fe80::aede:48ff:fe33:4455.
macOS and the T2 communicate over a typical network stack, with a few notable exceptions. Ethernet frames are encapsulated within Mobile Broadband Interface Model (MBIM) packets for transmission over what we can therefore infer is a USB-based interface. For simple application-level messages, one MBIM frame will typically contain a single message, but for larger data transfers, multiple Ethernet frames will be encapsulated within each packet. This is somewhat ironic, as often a data transfer segment will be split into MTU-sized chunks at the TCP layer, only to be combined into a single packet at the MBIM layer.
Above the TCP/IP layer, macOS and the T2 use the HTTP/2 protocol to open, and often maintain, persistent connections between different applications
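Both fixed addresses above have ff:fe in the middle of their low 64 bits, which is the signature of a modified EUI-64 interface identifier, so each one encodes a fixed MAC. The snippet below (an added example, not code from the Duo Labs article) reverses the autoconfiguration steps to recover those MACs and shows that the two ends share one OUI. The addresses are the ones quoted in the excerpt; that the interface's real hardware address matches the recovered value is an inference, not something the article states.

```python
import ipaddress

# Constructed inputs: the two fixed link-local addresses the article reports,
# the macOS side of en6 and the T2 side.
HOST_SIDE = "fe80::aede:48ff:fe00:1122"
T2_SIDE = "fe80::aede:48ff:fe33:4455"


def mac_from_link_local(addr: str) -> str:
    """Recover the 48-bit MAC embedded in a modified EUI-64 link-local address.

    Stateless address autoconfiguration builds the low 64 bits from the
    interface MAC by splitting it in half, inserting ff:fe, and flipping the
    universal/local bit (0x02) of the first octet. Reversing those steps
    gives back the MAC the address encodes. Raises ValueError when the
    address is not link-local or its interface identifier is not EUI-64.
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not a link-local (fe80::/10) address")
    iid = ip.packed[8:]  # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":
        raise ValueError(f"{addr} does not carry an EUI-64 interface identifier")
    octets = bytearray(iid[:3] + iid[5:])  # drop the ff:fe filler
    octets[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in octets)


def embeds_eui64(addr: str) -> bool:
    """True when a link-local address carries a recoverable EUI-64 identifier."""
    try:
        mac_from_link_local(addr)
    except ValueError:
        return False
    return True


def same_oui(mac_a: str, mac_b: str) -> bool:
    """True when two MACs share their 24-bit OUI (first three octets)."""
    return mac_a.split(":")[:3] == mac_b.split(":")[:3]


if __name__ == "__main__":
    for label, addr in (("macOS en6", HOST_SIDE), ("T2", T2_SIDE)):
        print(f"{label}: {addr} encodes MAC {mac_from_link_local(addr)}")
```

On a T2-equipped Mac, `ifconfig en6` should list the inet6 address the article reports; running the script against whatever address appears there is a quick way to confirm the identifier is EUI-64-derived rather than a randomised (privacy) one.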
Critical Kubernetes Bug Gives Anyone Full Admin Privileges
https://duo.com/decipher/critical-kubernetes-bug-gives-anyone-full-admin-privileges [duo.com]
2018-12-05 21:12
tags:
auth
cloud
exploit
linux
networking
security
virtualization
An authenticated user can also send specially crafted network requests to the Kubernetes application programming interface (API) server and create a connection to the backend server. The API server’s job is to determine if the requests are valid, and to instruct other components to carry out the instructions for valid requests. With the flaw, the API server is tricked into connecting to the backend server as itself and not as the user, and with the highest level of permissions. Once the connection is established, the user can send arbitrary requests—authenticated with the API server’s Transport Layer Security (TLS) credentials—directly to the backend server. The user can run any API request against the kubelet API of the node where a targeted pod is running, such as listing all pods on the node, running commands inside pods, and getting the output of those commands.
The authorization is coming from inside the house!
Also, from the discoverer: https://rancher.com/blog/2018/2018-12-04-k8s-cve/
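The practical question the flaw raises for a defender is who can reach the API server at all, and which of them hold verbs that make the API server open an upgraded connection to a kubelet on their behalf. The RBAC audit below is an added example, not code from Duo, Rancher or the Kubernetes project. The subresources it looks for (pods/exec, pods/attach, pods/portforward) are this example's assumption about what to review; the excerpt does not enumerate them. The role and binding objects are constructed stand-ins for what `kubectl get clusterroles,clusterrolebindings -o json` would return.

```python
from typing import Dict, List

# Subresources whose verbs make the API server proxy an upgraded, long-lived
# connection to a node's kubelet. Assumption of this example, not a list from
# the article.
KUBELET_PROXY_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
# Subjects that stand for callers who never authenticated at all.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def rule_reaches_kubelet(rule: dict) -> bool:
    """True if one RBAC rule grants any verb on a kubelet-proxy subresource.

    Pod subresources live in the core API group (""), so the rule must name
    the core group or use a wildcard before its resources even apply.
    """
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if not verbs or not ("" in groups or "*" in groups):
        return False
    return "*" in resources or bool(resources & KUBELET_PROXY_SUBRESOURCES)


def audit_bindings(roles: List[dict], bindings: List[dict]) -> List[dict]:
    """Return one finding per (binding, subject) pair that deserves review."""
    rules_by_role: Dict[str, List[dict]] = {
        r["metadata"]["name"]: r.get("rules", []) for r in roles
    }
    findings = []
    for b in bindings:
        role_name = b["roleRef"]["name"]
        reaches = any(rule_reaches_kubelet(r) for r in rules_by_role.get(role_name, []))
        for subj in b.get("subjects", []):
            reasons = []
            if subj["name"] in ANONYMOUS_SUBJECTS:
                reasons.append("bound to an unauthenticated subject")
            if reaches:
                reasons.append(f"role {role_name} can open exec/attach/portforward to a kubelet")
            if reasons:
                findings.append({
                    "binding": b["metadata"]["name"],
                    "subject": f'{subj["kind"]}/{subj["name"]}',
                    "reasons": reasons,
                })
    return findings


# Constructed sample objects (not taken from any real cluster).
SAMPLE_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "system:discovery"},
     "rules": [{"nonResourceURLs": ["/api", "/healthz"], "verbs": ["get"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "admins"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    # Every authenticated user may exec into pods: exactly the population the
    # excerpt describes as able to reach the kubelet with the API server's identity.
    {"metadata": {"name": "debuggers"}, "roleRef": {"name": "pod-exec"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "readers"}, "roleRef": {"name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "public-discovery"}, "roleRef": {"name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f'{f["binding"]} -> {f["subject"]}: {"; ".join(f["reasons"])}')
```

The audit flags the admin binding too, which is expected noise: the point is to produce a short list to review by hand, and a cluster-admin grant to an operations group belongs on that list even when it is intentional. Namespaced Roles and RoleBindings can be fed through the same functions since their shape is identical.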
Secure Boot in the Era of the T2
https://duo.com/labs/research/secure-boot-in-the-era-of-the-t2 [duo.com]
2018-12-05 00:24
tags:
bios
hardware
mac
security
Today, we are continuing our series on Apple’s new T2 platform and examining the role it plays in Apple’s vision of Secure Boot. The T2 was first introduced with the release of the iMac Pro and has now found its way into every new 2018 Macbook Pro. This article covers the security properties and technical implementation details of what makes this platform unique.
Part 1: Usability Is Security
https://duo.com/blog/part-1-usability-is-security [duo.com]
2018-11-30 05:53
tags:
auth
development
security
ux
Windows Now Supports Password-Less Authentication With Security Keys
https://duo.com/decipher/windows-now-supports-password-less-authentication-with-security-keys [duo.com]
2018-11-23 20:41
tags:
auth
update
windows
The company on Tuesday announced the change, which is the result of years of preparation and changes to Windows, with the eventual goal of eliminating passwords altogether. And it’s not just Windows that has benefited from this strategy either. In September, Microsoft enabled support on its Azure cloud platform for password-less authentication through the Microsoft Authenticator app.
Building Windows Offline
https://duo.com/blog/building-windows-offline [duo.com]
2018-11-15 17:57
tags:
auth
windows
As in Duo auth for an offline Windows system.
When our customers came to us with a desire to support offline multi-factor authentication for Windows, we started off by focusing on the fundamental technical problem to be solved. How can we trust enrollment and continued authentication from a device that is offline?
What's Happening With RFID Blocking Gear?
https://duo.com/decipher/labs-presents-whats-happening-with-rfid-blocking-gear [duo.com]
2018-08-28 22:38
tags:
defense
hardware
life
opsec
security
wifi
There are dozens and dozens of RFID protection products, which claim they can stop evil doers from stealing your identity and essentially ruining all life as we know it. We bought some of these products at random and tested them to see how effective they really are.
How iOS 11.4.1 Stops USB Attacks and Bad Emojis
https://duo.com/decipher/how-ios-1141-stops-usb-attacks-and-bad-emojis [duo.com]
2018-07-13 18:04
tags:
hardware
iphone
opsec
release
security
Known as USB Restricted Mode, the setting prevents any USB accessory from communicating with an iOS device that hasn’t been unlocked in the past hour. The feature is included in iOS 11.4.1 and it’s designed to prevent attackers or thieves who get physical access to a locked device from being able to dump the phone’s contents to a computer over USB. Restricted Mode is enabled by default.
Also: http://www.willhackforsushi.com/presentations/iOS-USB-Restricted-Mode.pdf
Apple iMac Pro and Secure Storage
https://duo.com/blog/apple-imac-pro-and-secure-storage [duo.com]
2018-06-08 15:19
tags:
auth
crypto
defense
hardware
mac
security
storage
systems
Given all of these changes, we wanted to explore how the T2 coprocessor was being used by Apple and how it currently fits into the larger system security model, as well as how this may evolve in the future. What follows is the first part of this exploration where we describe how the T2 coprocessor is used to implement Secure Boot on the iMac Pro, as well as comparing and contrasting this Secure Boot approach to those that have been present in Apple’s iDevices for a number of years.
An Oral History of the L0pht
https://duo.com/decipher/an-oral-history-of-the-l0pht [duo.com]
2018-03-27 20:27
tags:
interview
networking
retro
security
series
Duo Finds SAML Vulnerabilities Affecting Multiple Implementations
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations [duo.com]
2018-03-08 18:38
tags:
auth
exploit
security
text
turtles
web
XML Canononononicalizizization: Easier Spelt Than Done
Bluetooth and Personal Protection Device Security Analysis
https://duo.com/blog/bluetooth-and-personal-protection-device-security-analysis [duo.com]
2018-01-25 14:28
tags:
opsec
security
tech
wifi
Looking at the ROAR, Wearsafe and Revolar personal protection devices - commonly used by women for personal safety but increasingly by other segments of the population including protesters, human rights workers, and the like - we discovered a few flaws or “gotchas” involving Bluetooth for the Wearsafe and Revolar (ROAR looked good):
While it wasn’t nearly as easy to remotely track a Revolar owner, it is still possible to track the owner of either the Revolar or Wearsafe device from a distance via Bluetooth with inexpensive antennas that extend the scanning range.
SANS Holiday Hack 2017 Writeup
https://duo.com/blog/sans-holiday-hack-2017-writeup [duo.com]
2018-01-12 10:00
tags:
exploit
investigation
networking
security
web
Stealing from Santa. For shame.
Understanding Bluetooth Security
https://duo.com/blog/understanding-bluetooth-security [duo.com]
2018-01-10 09:15
tags:
networking
security
standard
tech
wifi
It should be noted that this entire blog post started because I needed to explain LE Privacy in a forthcoming blog post and the “appendix” kept growing until I simply split it off into its own thing.
Developing a Solution to Dynamic Binning for Security Reports
https://duo.com/blog/developing-a-solution-to-dynamic-binning-for-security-reports [duo.com]
2017-12-12 20:37
tags:
visualization
The visualization started out with a finite set of relative time ranges (e.g. the last 24 hours or 7 days). Eventually, the interface evolved to allow users to specify custom time ranges. There were several interesting challenges that arose with custom time ranges, specifically around how the data should be visualized and binned.
Web Authentication: What It Is and What It Means for Passwords
https://duo.com/blog/web-authentication-what-it-is-and-what-it-means-for-passwords [duo.com]
2017-12-02 21:46
tags:
auth
browser
security
web
The new standard known as Web Authentication, or WebAuthn for short, is a credential management API that will be built directly into popular web browsers. It allows users to register and authenticate with web applications using an authenticator such as a phone, a hardware security key, or a TPM (Trusted Platform Module). This means with devices like a phone or a TPM, where a user can provide us with biometric verification, we can use WebAuthn to replace traditional passwords. Aside from user verification, we can also confirm ‘user presence.’ So if users have a U2F token like a Yubikey, we can handle that second factor of authentication through the WebAuthn API as well.
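The distinction the excerpt draws between user verification and user presence lands in the relying party as two bits of the flags byte in the authenticator data every assertion carries. The parser and check below are an added example, not Duo's code, showing how a server decides whether a response is good enough to replace a password (UV required) or only to act as a second factor (UP sufficient), alongside the two other cheap checks on the same bytes: that the rpIdHash matches the site and that the signature counter moved forward. The sample authenticator data is constructed with the helper at the bottom; a real relying party also verifies the authenticator's signature over these bytes, which this example leaves out.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticator data flags byte (WebAuthn Level 1, section 6.1).
FLAG_UP = 0x01  # user present: someone touched or tapped the authenticator
FLAG_UV = 0x04  # user verified: PIN or biometric checked by the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthData:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash=data[:32], flags=data[32], sign_count=sign_count)


def check_assertion(data: bytes, rp_id: str, require_uv: bool, stored_sign_count: int) -> dict:
    """Apply the relying-party checks that depend only on the authenticator data.

    require_uv=True is the passwordless policy from the excerpt; require_uv=False
    is the second-factor policy where a presence-only U2F touch is acceptable.
    """
    ad = parse_authenticator_data(data)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        problems.append("rpIdHash does not match this relying party's ID")
    if not ad.flags & FLAG_UP:
        problems.append("user presence (UP) flag not set")
    if require_uv and not ad.flags & FLAG_UV:
        problems.append("user verification (UV) required by policy but not set")
    # A counter that fails to increase, when either side is non-zero, is the
    # standard's signal that the credential's private key may have been cloned.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        problems.append("signature counter did not increase: possible cloned authenticator")
    return {"ok": not problems, "problems": problems, "sign_count": ad.sign_count}


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticator data for testing (no attested data or extensions)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    verified = make_auth_data("example.com", FLAG_UP | FLAG_UV, 42)
    touch_only = make_auth_data("example.com", FLAG_UP, 43)
    print("passwordless, UV present :", check_assertion(verified, "example.com", True, 41))
    print("passwordless, touch only :", check_assertion(touch_only, "example.com", True, 42))
    print("second factor, touch only:", check_assertion(touch_only, "example.com", False, 42))
```

Policy belongs on the server side as shown, not in the browser call: a `userVerification: "required"` request is only a hint to the authenticator, and the relying party must still read the UV bit before treating the assertion as a password replacement.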
Phish in a Barrel: Hunting and Analyzing Phishing Kits at Scale
https://duo.com/blog/phish-in-a-barrel-hunting-and-analyzing-phishing-kits-at-scale [duo.com]
2017-11-01 15:04
tags:
auth
investigation
malware
security
web
Phishing is a business, and business is booming. To make phishing campaigns more efficient, attackers will often reuse their phishing sites across multiple hosts by bundling the site resources into a phishing kit. These kits are uploaded to a (typically compromised) host, the files in the kit are extracted, and phishing emails are sent pointing to the new phishing site. Sometimes, however, the attackers get lazy and leave the phishing kits behind, allowing anyone—including security researchers—to download them.
Bluetooth Hacking Tools Comparison
https://duo.com/blog/bluetooth-hacking-tools-comparison [duo.com]
2017-10-24 15:38
tags:
hardware
investigation
wifi
Are you wondering what the best Bluetooth scanner is? Or what the most commonly used Bluetooth software is? We’ve wondered that too.