In episode 278 of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss various recent cybersecurity topics. The episode starts with light-hearted banter about vacations before diving into the main topics. Key discussions include a new vulnerability in YubiKey that requires sophisticated physical attacks, resulting in a low overall risk but sparking debate about hardware firmware updates for security keys. Another key topic is Verkada being fined for CAN-SPAM Act violations and lack of proper security measures, including exposing 150,000 live camera feeds. The hosts also explore reports showing diverging trends in security budgets and spending, with some organizations reducing budgets while overall industry spending increases. They highlight the need for effective use of security products and potential over-reliance on third-party services. The episode also delves into the growing threat of deepfake scams targeting businesses, emphasizing the need for robust authentication policies and awareness training to mitigate risks. Finally, the hosts reflect on the broader challenges of balancing security needs with budget constraints in an evolving threat landscape.

Links:

https://www.bleepingcomputer.com/news/security/new-eucleak-attack-lets-threat-actors-clone-yubikey-fido-keys/

https://www.bleepingcomputer.com/news/security/verkada-to-pay-295-million-for-alleged-can-spam-act-violations/

https://www.cybersecuritydive.com/news/iran-cyberattacks-us-critical-infrastructure/725877/

https://www.theregister.com/2024/09/05/security_spending_boom_slowing/ vs https://www.cybersecuritydive.com/news/infosec-spending-surge-gartner/726081/ https://www.cybersecuritydive.com/news/deepfake-scam-businesses-finance-threat/726043/

Transcript

Jerry: All right, here we go. Today is Saturday, September 7th, 2024. And this is episode 278 of the defensive security podcast. And my name is Jerry Bell. And joining me today as always is Mr. Andrew Kalat.

Andrew: Good evening. Jerry, how are you? Kind sir.

Jerry: Doing fantastic. How are you?

Andrew: I’m great. Just got back from a little vacation, which was lovely. Saw a lot of Canada, saw some whales, saw some trains. It was

Jerry: Did you see any moose?

Andrew: Oddly we did not see a single moose, which was a bummer. We crossed from Toronto to Vancouver on a train and didn’t see a single moose.

I saw a metric crap ton of ducks though. I couldn’t believe literally in the thousands. I don’t know why.

Jerry: The geese are ducks. Cause

Andrew: We saw a

Jerry: geese are pretty scary.

Andrew: We were sealed away from them, so we were protected.

Jerry: I don’t know.

Andrew: hard to

Jerry: I don’t know. I w I wouldn’t I wouldn’t bet my life on that.

Andrew: But yeah, we saw a decent chunk of gooses, but mostly ducks.

Jerry: Good deal.

Andrew: Indeed. I’m good. Now, catching back up on work.

Jerry: And you’re back.

Andrew: And you are apparently the Southern Command Center.

Jerry: I am for another another day or two.

Andrew: Nice. Never sucks to be at the beach.

Jerry: It definitely does not. No, no bad days at the beach.

Andrew: Nice.

Jerry: All right. A reminder before we get started that the thoughts and opinions we express in the show are ours and do not represent those of our employers.

Andrew: Past, present, or future.

Jerry: That’s right. So our first topic or first story from today comes from bleeping computer. And this one was a bit of a, Oh, what’s the best, a bit controversial, best way to say it, controversial on on the social media sites over the past week. And the title is new leak. I’m not even going to try to pronounce that attack.

Let’s threat actors, clone, Yubikey, Fido keys.

Andrew: Shut down the internet. Shut

Jerry: Shut it down, just throw away your Yubikeys, it’s over.

Andrew: And apparently it can happen from 12 miles away with trivial equipment, right?

Jerry: No, actually, they the bad actor here actually has to steal it and it takes some pretty sophisticated knowledge and equipment. But apparently the equipment they allege are about, costs about 11, 000. However, the the YubiKey actually has to be disassembled, like they actually have to take the protective cover, protective covering off, and they have to instrument it and, and then they’re able to leverage a vulnerability in an Infineon chip that’s contained in these YubiKeys to extract the private key. And so it’s not a, it’s not a trivial attack. You have to lose physical possession of the token for some period of time. But if you were, The victim of this, it is possible for someone, some adversary, who was willing to put in the time and effort could clone your key unbeknownst to you, and then find a way to reconstitute Packaging and slide it back into your drawer, and you would be none the wiser.

Andrew: All seriousness, I think this has a very low likelihood of impacting the average listener to our show or the average person who cares about such things. But if you’re a very high profile target and, some sort of state intelligence service wanted to kidnap you and steal your YubiKey and then gain access to things before those sorts of permissions got revoked in some way, shape or form, I guess that could be viable, but this doesn’t seem like something that would happen to the average person.

Jerry: Oh, a hundred percent. And I still think, despite some of the the initial banter about this, you’re much better off using. I’m sure there are definitely certain use cases where you would be concerned about this, but for the average person, I think, like you said, it’s it’s really not a big deal.

So this does impact the YubiKey 5 series. And I think also the HSM 2 up through that was released, I think it was in May of 2024. The challenge is that you can’t actually update firmware on Yubikeys. That was a security decision.

Andrew: yeah, that seems like a wise security decision if you ask me.

Jerry: Yeah, it’s, I have observed quite a few people who who are now trying to find alternate. Security keys because they’ve been that they feel a little dejected by the fact that you can’t update the firmware on them. But I think it’s important to understand that. That actually is a very important security function, right?

The ability to not muck with the firmware on these keys is very important.

Andrew: right, otherwise a piece of malware could be doing that too.

Jerry: Exactly.

Andrew: Which not be all that happy

Jerry: No. Sad in fact.

Andrew: get the sort of knee jerk reaction to, I want to be able to update this to patch for flaws and such, but keep in mind that everything like that can be used by a bad actor just as easily, if not more easily.

Be careful what you wish for.

Jerry: Yeah. Now what’s interesting is this All of the hoopla around this is about Yubikeys, but the chip, the Infineon chip is actually used by multiple different types of security products, including some EFI. So the secure boot which, I guess at this point, it’s got his own problems already.

And then I believe even after, since this particular article has been written, that there are some other. Actual security keys, similar to YubiKeys that have been identified as also using this Infineon chip. So almost certainly going to be vulnerable in the same way

Andrew: But I guess, nothing to really panic about. But boy, this got a lot of press. A lot of social media traction.

Jerry: it really did. So anyway, I thought it was important to discuss because again, for most people, this is really not a big deal. YubiKey themselves rated the vulnerability as a A CVSS score of 4. 9 to give you an idea. And I think that, that seems right to me.

Andrew: Did it get a mascot?

Jerry: It did not get a mascot. There was some attempts some valiant attempts made.

Andrew: What about a jingle?

Jerry: I haven’t seen a jingle yet either, but it did get a name

Andrew: All right

Jerry: and it has a website. So

Andrew: geez. Okay, so mild panic then. If it’s got a name and a website, that equals mild panic. But got a mascot and a jingle, I’m full on panic.

Jerry: that, what else are you going to, what are you going to do? If it’s got a jingle, you gotta panic.

Andrew: what the tough part is, this is probably like getting traction, perhaps at executive levels who may not have the time or the knowledge to dig into the details and that they’re probably freaking out in certain C suites, but

Jerry: Yeah.

Andrew: send them our show. Tell them these two random guys on the internet said not to freak out.

Jerry: Yeah. I can’t put anything on the internet. That’s not true. That’s right. But, I was I was thinking it’s been a while since YubiKey or UBI has re