You, me, and a key
September 06, 2024

IT Brew


Friends, it’s Friday! Are America’s malls…back?

In today’s edition:

Key, cracked

Remote control

Cyber meets security

—Brianna Monsanto, Tom McKay, Eoin Higgins, Patrick Lucas Austin

CYBERSECURITY

Hot ‘n’ cloned


A security researcher at NinjaLab has pulled the cloak off of a vulnerability found in the secure elements of older YubiKey devices that would allow an attacker to clone the hardware authentication gadget.

The side-channel vulnerability was found in the cryptographic library of Infineon Technologies, which is used in the YubiKey 5 series among other devices. The vulnerability—which was discovered by NinjaLab co-founder Thomas Roche and dubbed “EUCLEAK” in a Sept. 3 research paper—went unnoticed for 14 years and is due to a non-constant-time modular inversion that would enable an attacker to extract YubiKey’s security key.

In a Sept. 3 security advisory, Yubico acknowledged the security issue and rated the vulnerability's severity as moderate. According to the global cybersecurity company, affected devices include:

  • YubiKey 5 Series versions prior to 5.7
  • YubiKey 5 FIPS Series prior to 5.7
  • YubiKey 5 CSPN Series prior to 5.7
  • YubiKey Bio Series versions prior to 5.7.2
  • Security Key Series all versions prior to 5.7
  • YubiHSM 2 versions prior to 2.4.0
  • YubiHSM 2 FIPS versions prior to 2.4.0

Yubico added that the vulnerability primarily impacts Fast IDentity Online (FIDO) use cases because the FIDO standard “relies on the affected functionality by default.”

Read the rest here.—BM

   


CYBERSECURITY

Seizing the means of production


It’s no secret that industrial and operational technology (OT) tends to be less secure than its IT counterparts…or that remote-access tools are a major weak point in general.

At DEF CON 32 in Las Vegas, SySS researcher Moritz Abrell went for a twofer, disclosing vulnerabilities in an industrial remote-access gateway advertised as having state-of-the-art security.

HMS marketing materials state 500,000+ devices are connected to Ewon products, and the Ewon Cosy+ is the most secure unit yet—making it an ideal choice for Abrell’s research, he told the audience.

“The goal was to find vulnerabilities in the software or firmware using a pure black-box approach,” Abrell said. “Surprisingly, this was quite easy.”

Abrell discovered flaws that allowed him to bypass blacklisted parameters and upload custom VPN configuration files, as well as a cross-site scripting vulnerability in a logging page that exposed administrative passwords in plain text.

Read more here.—TM

   

IT STRATEGY

Stereo IT


If you make sure you’re connected, the writing’s on the wall—and the White House is aiming to ensure there are no stumbles or falls.

The Office of the National Cyber Director (ONCD) released its Roadmap to Enhancing Internet Routing Security on September 3. Security vulnerabilities related to Border Gateway Protocol (BGP) traffic diversion are of concern; according to the report, there is “growing evidence of sophisticated attacks that purposefully manipulate BGP to subvert other foundational protocols.”

“We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans,” White House National Cyber Director Harry Coker, Jr. said in a statement.

See through you. Put together in a partnership between the office, other federal partners, and private sector experts and stakeholders, the ONCD report recommends that network operators focus on risk planning, monitoring, and contracting requirements. The office also calls for publication of Route Origin Authorizations (ROA) in the Resource Public Key Infrastructure (RPKI).

“Operators should use their risk-based cybersecurity risk management plan to prioritize the publication of ROAs for address prefixes they assess as high-value or high-risk first,” cautions the report.

Keep reading here.—EH

   


PATCH NOTES


Today’s top IT reads.

Stat: 90%. That’s the cut RansomHub is offering affiliates. (The Record)

Quote: “I think he is realizing Brazilians are not going to take to the streets because X is suspended.”—Nina Santos, Brazilian National Institute of Science & Technology for Digital Democracy researcher, on Elon Musk’s X Brazil debacle (Wired)

Read: How “agentic” AI could be the technology’s next step. (The New York Times)
