This Month in Cybersecurity - November 2023

:wave: Welcome to this edition of “This Month in Cybersecurity - November 2023.” Together, let’s explore a topic that affects us all: cybersecurity and privacy in the digital age.

In this edition, Passbolt adopts a different approach to the news roundup, refining the focus to spotlight the most significant articles in cybersecurity and data privacy from November. From the controversy surrounding the EU’s eIDAS regulations to vulnerabilities in the cryptographic keys safeguarding SSH connections, the Okta Security breach, and Microsoft’s Windows Hello fingerprint vulnerability, we’ve curated compelling stories for your exploration. Let’s jump straight into the insights!

1. EU Rules for Digital Identities and Trust Services face backlash

The proposed update to the EU’s Electronic Identification, Authentication and Trust Services (eIDAS) regulation is facing strong opposition from organisations, including Mozilla, Cloudflare, Fastly, and the Linux Foundation. The amendment mandates web browsers to recognize new authentication processes for websites applying for Qualified Website Authentication Certificates (QWACs). Critics argue that the changes may weaken internet security by removing browsers’ power to authenticate websites, hindering adaptability to emerging technologies, introducing a more centralised system, and potentially enabling global surveillance. As of November 8, over 500 scientists, researchers, and NGOs have signed an open letter opposing the amendment.

Date: Nov 8, 2023
Source: Infosecurity Magazine
Author: Kevin Poireault
Tag: Data Privacy, Data Protection

2. In a first, cryptographic keys protecting SSH connections stolen in new attack

Researchers have uncovered a vulnerability in the cryptographic keys used to secure client-to-server SSH traffic. It arises when a computational error occurs during the signature generation performed while a client and server establish a connection; such errors can compromise a large portion of RSA cryptographic keys. The researchers demonstrated the ability to calculate the private portion of almost 200 SSH keys observed over seven years. While the percentage of affected connections is small, the finding is surprising because most SSH software has deployed countermeasures for decades. The vulnerability affects RSA keys, with about 1 billion out of 3.2 billion signatures examined potentially exposing the private key of the host.

Date: Nov 13, 2023
Source: Ars Technica
Author: Dan Goodin
Tag: Vulnerability, Tech
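To make concrete why a single computational error during RSA-CRT signing exposes the key, and what the long-standing countermeasure looks like, here is an added toy example (not from the article or the researchers' work; the primes and message are constructed, and real SSH host keys are far larger):

```python
from math import gcd

# Toy RSA-CRT key, constructed for illustration (real SSH host keys are 2048+ bits).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)     # CRT exponents
QINV = pow(Q, -1, P)
M = 123456789                         # constructed message (already hashed/padded in SSH)

def sign_crt(m, fault=False):
    """RSA-CRT signing as implementations do it for speed. With fault=True the
    mod-p half is corrupted, standing in for the computation error the article
    describes (bit flip, bad firmware, software bug)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp = (sp + 1) % P
    h = (QINV * (sp - sq)) % P
    return sq + Q * h

def verify(m, s):
    return pow(s, E, N) == m % N

def factor_from_faulty_signature(m, s):
    """Why one bad signature is fatal: s is still correct mod q but wrong mod p,
    so s^e - m is divisible by q alone and gcd(s^e - m, N) reveals q."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None

def sign_crt_safe(m, fault=False):
    """The decades-old countermeasure: verify every signature before releasing it.
    Returns None on self-check failure (a real implementation would log and abort)."""
    s = sign_crt(m, fault)
    return s if verify(m, s) else None

if __name__ == "__main__":
    bad = sign_crt(M, fault=True)
    print("faulty signature leaks a factor:", factor_from_faulty_signature(M, bad) == Q)
    print("safe signer withholds it:", sign_crt_safe(M, fault=True) is None)
```

The point for defenders is the last function: an implementation that never emits an unverified signature gives a passive observer nothing to work with, which is why this bug class was thought to be closed.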

3. Okta Security Breach Report: 134 clients impacted, including Cloudflare and 1Password

The Okta security breach, which occurred from late September to mid-October, impacted 134 out of the company’s 18,400 clients. The attackers accessed HAR files containing session tokens of these clients, leading to five instances of successful session hijacking. The source of the breach appears to be an employee’s Okta-managed laptop where the Google password was saved. While the impact is relatively minimal, Okta has taken remediation measures, including blocking employees from accessing personal Google profiles with Chrome on managed devices. The company is also dealing with another recent breach at a third-party contractor, where health-related records of employees were accessed.

Date: Nov 16, 2023
Source: CPO Magazine
Author: Scott Ikeda
Tag: Data breach, Password Security
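Because the breach hinged on HAR files that still carried live session tokens, a practical control is to redact those fields before a capture ever leaves the browser owner's machine. The following sanitiser is an added example (not Okta's tooling or code from the article); the sample HAR and its token values are constructed placeholders:

```python
import copy
import json

# Header names that carry session or bearer credentials.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def sanitize_har(har):
    """Return a redacted deep copy of a HAR (HTTP Archive) dict and the number of
    fields touched. Cookies, Authorization headers, request bodies (login forms)
    and response bodies (which may echo tokens back) are all replaced."""
    har = copy.deepcopy(har)
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
                    n += 1
            for c in msg.get("cookies", []):
                c["value"] = REDACTED
                n += 1
        body = entry.get("request", {}).get("postData", {})
        if body.get("text"):
            body["text"] = REDACTED
            n += 1
        content = entry.get("response", {}).get("content", {})
        if content.get("text"):
            content["text"] = REDACTED
            n += 1
    return har, n

# Constructed sample HAR (not a real capture); every secret-looking value is a placeholder.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"method": "POST", "url": "https://example.test/login",
        "headers": [{"name": "User-Agent", "value": "test-browser"},
                    {"name": "Cookie", "value": "sid=PLACEHOLDER-SESSION-ID"}],
        "cookies": [{"name": "sid", "value": "PLACEHOLDER-SESSION-ID"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": "user=alice&password=PLACEHOLDER"}},
    "response": {"status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=PLACEHOLDER-NEW-ID; HttpOnly"}],
        "cookies": [],
        "content": {"mimeType": "application/json", "text": "{\"token\": \"PLACEHOLDER\"}"}}}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} fields")
    print(json.dumps(clean, indent=1))
```

Redacting response bodies wholesale is a deliberately conservative default; loosen it only for content types you know cannot carry tokens.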

4. Microsoft’s Windows Hello fingerprint authentication bypassed on Dell, Lenovo and Surface laptops

Researchers have successfully bypassed Windows Hello on Dell, Lenovo, and Microsoft laptops, revealing vulnerabilities in fingerprint scanning technology. The bypass involved enrolling a fingerprint via Linux on the Dell Inspiron 15, reverse engineering a custom TLS stack on the Lenovo ThinkPad T14s, and exploiting weaknesses in the ELAN fingerprint sensor of the Microsoft Surface Type Cover. The researchers found that some laptops, including the Lenovo ThinkPad T14s and Microsoft Surface Type Cover, did not utilise Microsoft’s Secure Device Connection Protocol (SDCP), making them more susceptible to attacks. While the likelihood of these specialised attacks is low, users may enhance security by disabling Windows Hello or considering an upgrade to a more secure laptop.

Date: Nov 22, 2023
Source: XDA Developers
Author: Adam Conway
Tag: Vulnerability, Authentication

5. Kubernetes secrets of Fortune 500 companies exposed in public repositories

Cybersecurity researchers have identified publicly exposed Kubernetes configuration secrets, posing a risk of supply chain attacks: base64-encoded secrets were uploaded to public repositories, impacting top blockchain companies and Fortune 500 firms. Leveraging the GitHub API, Aqua Security found that 46% of 438 potentially valid credential records contained access to image registries, and that nearly 50% of manually set passwords were weak. The findings highlight the need for stringent organisational password policies; while some credentials were temporary, encrypted, or limited in privileges, misconfigurations remain a significant security concern for container environments.

Date: Nov 24, 2023
Source: The Hacker News
Author: Newsroom
Tag: Cloud Security, Data Protection
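Kubernetes Secret manifests only base64-encode their values, so anything committed is effectively plaintext. The scanner below is an added example (not Aqua Security's tooling or code from the article) of the pre-commit check a team can run: it finds Secret objects in manifest text, decodes their data entries and flags weak passwords with a simple heuristic. The manifest and its values are constructed placeholders, and the line-based YAML handling is deliberately minimal so it runs without extra libraries.

```python
import base64
import re

COMMON = {"password", "admin", "changeme", "secret", "123456", "password123"}

def is_weak(value):
    """Heuristic: short, dictionary word, or missing an upper-case letter or digit."""
    v = value.strip()
    return (len(v) < 12 or v.lower() in COMMON
            or not (re.search(r"[A-Z]", v) and re.search(r"[0-9]", v)))

def find_exposed_secrets(manifest_text):
    """Return (key, decoded_value, weak) for every populated data/stringData entry
    of each Secret object in multi-document YAML text (line-based: no YAML lib)."""
    findings = []
    for doc in re.split(r"^---\s*$", manifest_text, flags=re.M):
        if not re.search(r"^kind:\s*Secret\s*$", doc, re.M):
            continue                      # ConfigMaps etc. are not in scope
        block = None                      # "data" (base64) or "stringData"
        for line in doc.splitlines():
            top = re.match(r"^(data|stringData):\s*$", line)
            if top:
                block = top.group(1)
                continue
            if block and not line.startswith(" "):
                block = None              # left the indented block
            entry = re.match(r"^\s+([^\s:]+):\s*(\S+)\s*$", line) if block else None
            if not entry:
                continue
            key, value = entry.groups()
            if block == "data":
                try:
                    value = base64.b64decode(value, validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    pass                  # malformed base64: report raw text
            findings.append((key, value, is_weak(value)))
    return findings

# Constructed manifest (not from any real repository); values are placeholders.
_DOCKERCFG = b'{"auths":{"registry.example.test":{"auth":"PLACEHOLDER-TOKEN-01"}}}'
SAMPLE_MANIFEST = f"""\
apiVersion: v1
kind: Secret
metadata:
  name: registry-creds
data:
  .dockerconfigjson: {base64.b64encode(_DOCKERCFG).decode()}
  password: {base64.b64encode(b"password123").decode()}
"""
```

A registry credential that decodes to a dockerconfigjson blob is exactly the kind of finding the article reports; in a CI check, any non-empty result should fail the commit.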


As we conclude the “This Month in Cybersecurity - November 2023 Edition,” we trust you found these news articles insightful and informative. Our commitment is to ensure everyone stays well-informed about the ever-evolving landscape of cybersecurity and data privacy. :tada:

Your engagement is valuable, so feel free to share any news articles that you come across in the ‘In the News’ category of the Passbolt community forum.

Together, let’s stay connected and well-informed about the realm of digital security.
