Welcome to the fourth edition. Over 100 subscribers are now reading this each week! Thank you all for the support and interest. Now, let’s dive right in…
What’s a Little Log Data between Friends?
Last month, hackers stole a key from Microsoft and broke into government email accounts. We now know how it happened.
In a recent report (link below), Microsoft provides a deep dive into the multiple flaws that led to this attack.
In summary:
The key was dumped into a log file after a service crashed.
Usually keys are stripped out of log files automatically. But there was an error in that code, which meant the key wasn't removed.
A Microsoft engineer's account was later compromised. That account had access to the debug logs, and thus the key.
The email system had an authentication error, which allowed attackers to forge credentials using the stolen key.
The attackers logged into 25 email accounts (including government agencies) and read emails like any other user.
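An added illustration, not code from Microsoft's report or this newsletter: it assumes the email system's authentication error was accepting a token signed with a key that belonged to a different issuer, and uses constructed HMAC keys, issuer names and claims in place of the real certificates. The weak verifier accepts the forged token because the stolen key is still a known key; the hardened one also checks which issuer that key is allowed to sign for.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key set (assumption): each signing key is bound to the one issuer
# it may sign for; HMAC secrets stand in for real signing certificates.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-signing-secret", "issuer": "consumer.example"},
    "enterprise-key-1": {"secret": b"enterprise-signing-secret", "issuer": "enterprise.example"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Compact JWS-style token (header.payload.signature) signed with key `kid`."""
    head = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return f"{head}.{payload}.{_b64(sig)}"

def _checked_signature(token: str):
    """Return (key, claims) when the signature verifies under the header's kid, else None."""
    head, payload, sig = token.split(".")
    key = KEYS.get(json.loads(_unb64(head)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return key, json.loads(_unb64(payload))

def verify_signature_only(token: str):
    """Weak verifier: a valid signature from *any* known key is enough."""
    found = _checked_signature(token)
    return found[1] if found else None

def verify_with_key_scope(token: str, expected_issuer: str):
    """Hardened verifier: key bound to the expected issuer, issuer claimed, and unexpired."""
    found = _checked_signature(token)
    if found is None:
        return None
    key, claims = found
    scoped = key["issuer"] == expected_issuer == claims.get("iss")
    return claims if scoped and claims.get("exp", 0) > time.time() else None
```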
The sophistication of this attack is mind-boggling. It should serve as a warning that even highly secure companies like Microsoft can make mistakes, and intelligent attackers will patiently take advantage.
Kudos to Microsoft for being so transparent about the attack. It helps everyone for this kind of information to be shared.
Microsoft's analysis: https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
Prime Cock-Up
Every week there's a face-palm moment in the cryptocurrency world. Here's how a startup lost $38M and filed for bankruptcy…
The startup was called Prime Trust. It helped fintech companies launch cryptocurrency-related products and services.
One of the services they offered was custody of assets. This meant you could store your cryptocurrency in accounts managed by Prime Trust.
Following best practice, these accounts were secured as offline "cold" wallets. Small hardware devices were used to securely store the cryptographic keys that grant access to the accounts.
In 2020, the company migrated these accounts to a different provider. And threw away the old wallets. (Cue ominous music).
Sometime later, the company accidentally gave an old account address to their customers. Dutifully, the customers started depositing millions of dollars of funds. As far as they were concerned, the destination address was alive and kicking.
Except it wasn't. And now more than $38M is locked up forever in an account nobody has access to. This was enough to sink the company into administration.
Stories like this are a necessary reminder that cryptocurrency is the Wild West. Nobody is going to bail you out if you get things wrong. Tread carefully!
Link to a blog that broke the news, with links to the legal filings: https://www.404media.co/crypto-startup-prime-trust-files-for-bankruptcy-after-losing-password-to-38-9-million-crypto-wallet/.
#NoFilter
Google and DeepMind are developing new techniques to watermark AI-generated images.
In theory, these watermarks can help unwitting audiences discern between fake images and the real deal.
The approach, known as SynthID, is resistant to basic forms of image manipulation. This includes adding filters, resizing images, and loss of quality through compression.
The companies have shared very little information on how this process actually works. This makes sense, since the gory details would likely help people circumvent the protections.
I'm not optimistic these tools will make a difference in the battle against fake news. Naughty folks will just use image generators that don't have watermarks embedded in them.
But the idea is pretty cool, and would have been a fun paper to read (if they ever publish one).
Link to the DeepMind announcement: https://www.deepmind.com/blog/identifying-ai-generated-images-with-synthid.
Tor and IPFS, Sitting In a Tree…
If you're building distributed, privacy-focused services, you might want to explore Veilid.
The open-source framework is like the love-child of Tor and the InterPlanetary File System (IPFS). It was launched by the Cult of the Dead Cow at DEF CON this year.
I have no association with this project, so please take a close look if you plan to use it yourself.
View project information: https://veilid.com
See-ed Phrases
Has the stolen data from LastPass been cracked? Some security experts think so.
A spate of cryptocurrency thefts has occurred with one common denominator: the victims were security professionals who should have been hard targets.
The researchers interviewed several victims, and they had all kept their backup “seed phrases” in LastPass. These phrases would allow a criminal to drain funds from an account.
As we know, correlation is not causation. So take this with the usual pinch of salt.
This excellent write-up from Krebs on Security goes into the gory details.
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/.