Säkerhetspodcasten #233 - Ostrukturerat V.3

Lyssna

• mp3, längd: 01:10:16

Innehåll

• Panelen pratar om att CircleCI är ägt och tappat bort sina hemligheter - men även LastPass roar sig med sådant!
• AWS Elastic Container Registry Public (ECR Public) läckte privata containers men problemet tros hittats av vitmössor innan svarhattarna var framme.
• Auth0 jsonwebtoken rättar massa buggar och rapporteringen om det är komplett kaos i flera olika forum med flera sammanblandningar.
• RSA kan knäckas av en “liten” kvantdator som kör Schnorrs algoritm. Om du orkar vänta för evigt alltså. Schnorr är långsam tydligen…
• GE Historian presenterar lite goa ICS/SCADA/OT sårbarheter…
• Kul reportage om en ond pixel som dödar din Android mobil, länge leve flyttal och matte-buggar!

CircleCI totalägt

• Naked Security: CircleCI – code-building service suffers total credential compromise
• CircleCI security alert: Rotate any secrets stored in CircleCI (Updated Jan 13)

LastPass - tidslinje m.m.

• CyberSecurityDrive: What we know about the LastPass breach (so far)

AWS ECR sårbarhet

• Lightspin: AWS ECR Public Vulnerability

Auth0 JsonWebToken - en bunt sårbarheter och massa CVE- och allvarighets- förvirring

• Naked Security: Popular JWT cloud security library patches “remote” code execution hole
• Unit42: Security Issue in JWT Secret Poisoning (Updated)
• GitHub auth0/node-jsonwebtoken: Merge pull request from GHSA-8cf7-32gw-wr33

RSA vs Kvantdatorer

• RSA crypto cracked? Or perhaps not!
• Factoring integers with sublinear resources on a superconducting quantum processor
• Scott Aaronson: Cargo Cult Quantum Factoring
• Markku-Juhani O. Saarinen - Re: Paper claims to break RSA-2048 with only 372 physical quibits

It should be noted that the paper does not claim that the proposed method is faster than classical factoring methods. When the paper talks about “resources,” it omits “running time”; what is merely claimed is that the quantum circuit is very small.

GE Historian, din cyberfysiska datasjö är trasig (ICS/OT)

GE Historian buggarna: CVE-2022-46732, CVE-2022-46660

• SecurityWeek: Hackers Can Exploit GE Historian Vulnerabilities for ICS Espionage, Disruption
• Team82 Research: Hacking ICS Historians - The Pivot Point from IT to OT
• CISA ICS Advisory: GE Digital Proficy Historian

Relaterat: Rickards gamla going

• SecurityWeek: Vulnerability in ABB Plant Historian Disclosed 5 Years After Discovery

En-pixel attack dödar din telefon

• UniverseIce: WARNING! ! !

WARNING! ! ! Never set this picture as wallpaper

It will cause your phone to crash!

• Mrwhosetheboss: How THIS wallpaper kills your phone.
• Beebom: This Wallpaper May Brick Your Android Phone

Cellbrite och MSAB läckor

• Distributed Email of Secrets Release: Cellebrite (1.7 TB) and MSAB (103 GB)