Welcome to the first edition of the newsletter. Thank you for being here from the start. Let’s dive right in…
Hammer Time
Researchers are using the rowhammer RAM attack to generate unique device fingerprints.
Rowhammer was originally an attack to obtain sensitive data or escalate privileges. By "hammering" on certain memory locations, it triggered DRAM modules to leak information between adjacent memory cells.
It turns out that this type of attack can also be used to profile the RAM module and generate a unique fingerprint. The researchers from the University of California can produce a 99% accurate device ID in under 10 seconds.
Research paper "Centauri: Practical Rowhammer Fingerprinting": https://arxiv.org/abs/2307.00143.
Background info on rowhammer: https://en.wikipedia.org/wiki/Row_hammer.
Nice Key - Did You Make That Yourself?
Perhaps not surprising, but using your system time to generate cryptocurrency keys isn't a good idea.
Unfortunately, this is exactly what a popular blockchain wallet was doing. The oddly named "Milk Sad" vulnerability was discovered recently in the Libbitcoin Explorer (bx) tool. Attackers have been exploiting the vulnerability to drain funds from wallets.
In short, the attack works because keys that should have 128+ bits of security were only being generated with 32 bits of security. A powerful computer can generate every possible key within a day or so. Whoops.
Further info on the vulnerability: https://milksad.info/.
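The entropy collapse described above, as an added example (not code from Libbitcoin Explorer or from this newsletter): a key derived from a clock-seeded generator can be regenerated from the clock value alone, while a key from the OS CSPRNG cannot. Python's `random.Random` stands in for the tool's generator, and the sample timestamp, search window and guess rate are constructed assumptions.

```python
import random
import secrets

SEED_BITS = 32  # effective entropy when the seed is a 32-bit clock value


def weak_key(timestamp: int, nbytes: int = 32) -> bytes:
    """Vulnerable pattern: key bytes from a PRNG seeded with system time.

    random.Random is a stand-in generator (assumption); the point is that
    the output depends on nothing except the 32-bit seed.
    """
    rng = random.Random(timestamp & 0xFFFFFFFF)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_key(nbytes: int = 32) -> bytes:
    """Hardened form: bytes straight from the operating system CSPRNG."""
    return secrets.token_bytes(nbytes)


def find_time_seed(key: bytes, start: int, end: int):
    """Audit check: return the timestamp in [start, end) that regenerates
    `key`, or None if no clock value in that window reproduces it."""
    for ts in range(start, end):
        if weak_key(ts, len(key)) == key:
            return ts
    return None


def exhaustive_search_hours(keys_per_second: float) -> float:
    """Hours needed to regenerate every key a 32-bit seed can produce."""
    return 2 ** SEED_BITS / keys_per_second / 3600


if __name__ == "__main__":
    created = 1_690_000_000  # constructed sample timestamp
    window = (created - 500, created + 500)
    print("weak key seed found:", find_time_seed(weak_key(created), *window))
    print("strong key seed found:", find_time_seed(strong_key(), *window))
    # 50,000 keys/s is an assumed rate, chosen only for illustration
    print("hours for all 2^32 seeds:", round(exhaustive_search_hours(50_000), 1))
```

The 256-bit output length of `weak_key` is cosmetic: only 2^32 distinct keys can ever come out of it, which is why key size alone says nothing about key strength.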
Google Forges Ahead
Google continues to release quantum-safe solutions. This time, in FIDO2.
FIDO2 is a standard for replacing passwords with authentication tokens, typically stored in hardware that you own (e.g. a mobile phone).
In this latest work, Google combined traditional elliptic curve cryptography with one of the soon-to-be-standardised PQC algorithms: Dilithium.
In their announcement blog (linked below), Google describes Dilithium as "recently standardised". However, final standards are expected in 2024.
The Google announcement: https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html.
Learn more about FIDO2: https://fidoalliance.org/fido2/.
The Clouds Have Ears
Wow. 1 in 10 GitHub authors leaked a secret in 2022 🤯
Some eye-watering stats were revealed at a recent BSides Las Vegas talk. Apparently, more than 5 in every 1,000 commits contained a secret of some description.
Particularly prone to exposure were Google API keys, which were almost 10% of all secrets found.
Look out for the talks by Mackenzie Jackson and Dwayne McDaniel when they come out on YouTube. (I noted these stats from a media article - link below).
Media article about the talk: https://www.scmagazine.com/news/more-hardcoded-credentials-than-ever-and-sloppy-coding-is-to-blame.
Can You Type a Little Louder?
Is someone listening to your password?
Researchers used machine learning to identify which keys were being pressed based on the clacking sounds from the keyboard.
Using audio captured over a Zoom call, keystrokes were identified with an accuracy of 93%. Using a smartphone microphone, the accuracy increased to 95%.
Something to think about when you're typing sensitive information in a public space...
Research paper: https://arxiv.org/abs/2308.01074.
Audio captured PW via Zoom call is wild! What would be the practical solution to this? Use of more rubber to silence the typing noise? Or putting the mic on mute if you must type your login details in the middle of a conference call?