Share this page!

Daniel Cuthbert Profile picture
Twitter logo
7 Jan, 5 tweets, 1 min read
Sometimes you come across research that just blows you off your feet. This is that type of research

ninjalab.io/a-side-journey…
Simply put, Victor and Thomas performed a side-channel attack that targeted the Google Titan Security Key’s secure element (the NXP A700X chip)
Ok sure, side-channels are all the rage but they achieved this by observing local electromagnetic radiations made during ECDSA signatures (the core cryptographic operation of the FIDO U2F protocol)
Sounds super fancy but so what?

Well, an attacker can create a clone of a legitimate Google Titan Security Key.

now this doesn’t mean U2F is broken, anything but, but the research is truly wow factor.

Kudos @victorlomne and Thomas!!
The fact remains that using physical tokens such as Titan and others will put you above most when it comes to security. Use them when you can, they really do make a difference.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Daniel Cuthbert

Daniel Cuthbert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @dcuthbert

Daniel Cuthbert Profile picture
10 Jan
@eBay scams are pretty easy to spot and often follow a tried and tested methodology.

A short thread on how you can spot them and not be caught out.
First up, if it sounds too good to be true, it generally is.

This scam is huge on @eBay and sadly happens more frequently than you'd think. Here are some telltale signs:

#1 The price is too good, very random in nature, and doesn't reflect market pricing. This is to draw you in Image
#2 The seller's account may have a lot of feedback, but what I'm seeing is account takeover being used. This is often where someone's details have been breached elsewhere and the scammers take over accounts. Just checking feedback no longer works.
Read 18 tweets
Daniel Cuthbert Profile picture
8 Jan
I've just come across this very cool app for @github actions that could make life very cool for those who want to automate compliance and security checks

github.com/SvanBoxel/orga…
One huge limitation of GitHub actions right now is that you can't specify actions for every repo in an organisation, which means multiple actions like so
But @svanboxel has developed an app that means you can create a centrally managed workflow and it's pretty damn sexy

What this means is that no matter what new repo appears, you can automate checks

enforce: true
enforce_admin: true

for example, stop secrets from being pushed
Read 4 tweets
Daniel Cuthbert Profile picture
27 Dec 20
This is a thread for @Matt_Gerlach on how one could better work with data collected from pihole. However, it could also be useful for anyone else who wants to better understand how pervasive the global tracking world is and to do something about it. #privacy #surveillance.
First up, adblockers do not work anymore. The industry has moved on a lot (they use the same ones you do, don't kid yourself that this industry isn't blackhat af and do dodgy thing)

It's better to cut the snake's head off rather than make it dance to your beat.
Tools you need:

1: pi-hole.net
2: raspberry pi (any will do, just needs some network interface
3: blocklists, you can use mine to start github.com/danielcuthbert…
Read 34 tweets
Daniel Cuthbert Profile picture
4 Oct 20
Based off @wimremes's request yesterday about what you need, equipment-wise, for a hardware lab, I thought maybe it useful to start a thread for the basics (well some bits aren't that basic and ill highlight them when they appear)

First a disclaimer, this is my personal lab
I surround myself with super-intelligent people who are far better at this than me. I'm lucky in that they've educated me and we also have a friggin' amazing commercial lab in the office where I learned a lot.
Before you start building/hacking/prototyping anything, you need to ask yourself this simple one question:

What is it you want to achieve?

This sets the basis for the rest of the thread.

Do you want to extract firmware from ICs and memory?
Do you want to prototype stuff?
Read 25 tweets
Daniel Cuthbert Profile picture
11 Sep 20
Arnaud Montagard's images of America are just to die for. They remind me of William Eggleston and do nothing to stop my desire to do a proper road trip from coast to coast avoiding the main roads. ImageImageImageImage
As expected with such a compelling body of work, his first book is sold out and I'm a bit gutted but you snooze and you lose. Image
For now, his website will suffice

arnaudmontagard.com

Brilliant eye #photography
Read 5 tweets
Daniel Cuthbert Profile picture
29 Aug 20
Slack, used by millions and millions for mission-critical design chats, DevOps, security, mergers, and acquisitions, hell the list is endless.

The flaws found by this researcher result in the execution of arbitrary commands on user's computer.

The TL;DR is wow
For all that effort, they got awarded $1750

Seventeen Hundred and FIFTY bucks.

@SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please.

Because this would be worth much more on exploit.in
Full bug details here

hackerone.com/reports/783877

Good work oskars!
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @dcuthbert has new unrolls!

Check out other threads from @dcuthbert!

Read all threads by @dcuthbert