Skip to content

It’s a PRIVATE key – the hint is in the name! – Naked Security

In a recent Naked Security podcast episode, Doug Aamoth and Paul Ducklin covered a range of topics, including Bluetooth trackers, bothersome bootkits, and even how not to get a job in application security. The podcast also featured a titbit from Tech History, where they talked about VisiCalc, the program that automated the recalculation of spreadsheets. The first story discussed was about a hacker who poisoned a popular application supply chain to get a job in application security. The attacker created new repositories on GitHub and copied legitimate projects in, putting in a message asking for a job in application security. This hack serves as a reminder that the supply chain is only as strong as its weakest link. The hacker didn’t need to hack into GitHub accounts but went for packages that developers haven’t logged in or changed their password for in a while. Doug and Paul gave several tips, including not blindly accepting supply chain updates without reviewing them for correctness and not logging into somebody else’s account without permission and fiddling with things.

The second story was about the MSI motherboard breach, where security keys were leaked. The ransomware crew Money Message put a note on their dark web site saying they had breached MicroStar International (MSI), the well-known motherboard manufacturer. The researchers at Binarly claimed that they have copies of the data, and when they went through it, they found a whole load of private keys buried in that data. Unfortunately, if what they found is correct, it’s quite an eclectic mix of stuff. One of the keys found was an Intel OEM debugging key, which is used for a feature that Intel provides in its motherboard control hardware that decides whether or not you are allowed to break into the system while it’s booting, with a debugger. The only advice given in this case was to be careful about where you get firmware updates from.

In conclusion, the Naked Security podcast covered several interesting topics, including past tech history moments, hacks, and breaches. The stories discussed serve as reminders to be vigilant about cybersecurity and to review supply chain updates for correctness. It’s also essential to be cautious about where you get firmware updates from to avoid potential breaches. As technology continues to advance, it’s essential to live in the present and be mindful of the cybersecurity risks that come with it.

Leave a Reply

Your email address will not be published. Required fields are marked *