Yubikey Linux FDE UEFI Secure Boot tutorial

July 13, 2018 ~ hucktech ~ Leave a comment

YubiKey Full Disk Encryption

Tutorial to create full disk encryption with YubiKey, encrypted boot partition and secure boot with UEFI, using Arch Linux.

This repository contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA) via YubiKey. It contains:

+ YubiKey encrypted root (/) and home (/home) folder on separated partitions
+ Encrypted /boot partition
+ UEFI Secure boot (self signed boot loader)

https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi

https://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/

more on WebUSB and recent YubiCo vuln

June 17, 2018June 17, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/06/14/yubico-vs-security-researchers/

here’s a bit more on WebUSB and recent YubiKey vuln, latter blog post has great background on WebUSB tech.

I tried to order my thoughts and the events of the crazy last two days of WebUSB vulnerabilities, actions of @Yubico, and disclosure madness in a blogpost:https://t.co/w1iX212bPC

— Markus Vervier (@marver) June 16, 2018

http://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html

Since we are talking a lot about credit today, here is some research by @flx1101 on WebUSB. It was published last year and should have scared everyone: https://t.co/0vP8NGFRrP

— Markus Vervier (@marver) June 15, 2018

https://labs.mwrinfosecurity.com/blog/webusb/

https://developers.google.com/web/updates/2016/03/access-usb-devices-on-the-web

From intro paragraph of Google’s intro to WebUSB (emphasis theirs):

“[…]But most importantly this will make USB safer and easier to use by bringing it to the Web.”

LOL

PS: Anyone here a Wikipedia editor? This page needs an entry for WebUSB:

https://en.wikipedia.org/wiki/Category:USB

and perhaps a dedicated page for WebUSB not just:

https://en.wikipedia.org/wiki/Google_Chrome

Besides WebUSB and Wireless USB, what other scary OOB interfaces to USB exist?! I really need to spend more time learning USB properly…

YubiCo -vs- security researchers

June 14, 2018 ~ hucktech ~ 1 Comment

Sorry, these tweets are not in chronological order.

https://www.yubico.com/2018/06/webusb-and-responsible-disclosure/

Security advisory YSA-2018-02

So @Yubico releases an advisory that is:

1. based on our work
2. does not give any credit besides "the researchers"
3. apparently applies a bounty for a replication of our work on March 5 (according to the advisory)https://t.co/mKthHffymf

— Markus Vervier (@marver) June 13, 2018

Yeah, nice credit: "They used a YubiKey NEO because they were unable to access an authenticator over USB HID over WebUSB on the Linux computer they used for testing."

Hey @Yubico: maybe we also used the CCID interface because it allowed to reprogram the Yubikey NEO via WebUSB?

— Markus Vervier (@marver) June 13, 2018

_Even_ if they had reported it before what kind of dick move is it to talk to us, asking about source for the PoC, then never contacting us again and sending in bug reports behind our back. And sending us some Yubico starter set as "thank you".

— Markus Vervier (@marver) June 13, 2018

You acted unprofessionally taking credits for research and work that isn’t yours.

When @marver and me had a private chat with your CSO Jesper Johansson, he was begging us to get the source code of the exploit. We even sent demo videos because the Yubico team COULD NOT REPLICATE https://t.co/H83zie9u7K

— antisnatchor (@antisnatchor) June 14, 2018

You even got 5K USD and donated to a dubious project. And of course if people on twitter wouldn’t let us know that you published such an elite updated on your elite research on your elite devices, the post would have been published WITHOUT ANY CREDITS to us. Classic. Thanks!!!

— antisnatchor (@antisnatchor) June 14, 2018

It is remarkable how @Yubico in one simple vulnerability post has managed to ensure that even fewer people are going to follow the “responsible disclosure” route.

Burn researchers, don’t credit, wrongly analyse their work, back-pedal.#golfclap

— Arrigo Triulzi (@cynicalsecurity) June 14, 2018

It gets even better, we showed this also in our @offensivecon talk and also again in a private call with the @Yubico CISO: "For instance, Yubico was able to use it to obtain a PGP signature from a PGP enabled YubiKey over WebUSB." (from the advisory)..

— Markus Vervier (@marver) June 13, 2018

In light of recent events we are publishing the talk from OffensiveCon 2018 by @marver and @antisnatchor Oh No, Where's FIDO?
A Journey into Novel Web-Technology and U2F Exploitation.https://t.co/RMS7SPiSQ8

— offensivecon (@offensive_con) June 14, 2018

You can attack even more than just U2F with WebUSB. In the video you can see us accessing the SmartCard interface of a YubiKey with PGP via WebUSB. If we would have got a slot at @defcon or @BlackHatEvents this year there would have been a lot more. 😉 https://t.co/yUeJ1TCnVT

— Markus Vervier (@marver) June 14, 2018

I remember times when we'd consider it only as a _joke_ if someone said: "WebUSB"…

Now eagerly awaiting "WebSMM"! https://t.co/NiSHwOWgKx

— Joanna Rutkowska (@rootkovska) March 2, 2018