In this week’s security snacks, we have:
- Encrypted SSDs Are Readable Without a Password
- Now You have to Protect USB Cables Too
- Enterprise Security Software from … Netflix!?
Encrypted SSDs Are Readable Without a Password
Data on several types of solid state drives that offer hardware-based disk encryption can be accessed without a password.
The flaws affect only SSDs that perform the encryption in the drive's own controller, known as self-encrypting drives (SEDs). Researchers have found ways to read the encrypted data without the password on both internal and external SEDs.
In particular, popular drives from Samsung and Crucial are vulnerable. Those were the only two vendors whose drives were tested, and the researchers expect other manufacturers' drives to be affected as well.
The weaknesses come from multiple flaws. In one case, attackers take advantage of the fact that every drive ships with a vendor-set master password. Because that master password can be changed, or rendered useless by setting the drive's ATA security level to Maximum, this particular flaw has a workaround. The other flaws may not be so easy to work around. One more caveat for Windows users: when BitLocker sees a drive that advertises hardware encryption, it by default relies on the drive's encryption instead of its own software encryption, so BitLocker users with an affected drive were exposed too.
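As an added example (not from this newsletter, the ZDNet article or the researchers), here is a small shell helper that classifies a drive's ATA security state from the text of `hdparm -I`, so you can spot drives still in High mode, where the vendor master password can unlock them. The sample text is constructed to resemble hdparm's "Security:" section rather than captured from a real drive, and the exact line format ("not enabled", "Security level high") is an assumption to check against your own drive's output.

```shell
#!/bin/sh
# Added example: classify a drive's ATA security state from `hdparm -I` output.
# Feed it the text of `hdparm -I /dev/sdX`. The samples below are constructed
# to mirror hdparm's "Security:" section; they are not captures of real drives.
set -eu

# Prints one of: disabled | high | maximum | unknown
sed_security_level() {
    ident="$1"
    # hdparm lists one security capability per line and prefixes absent
    # ones with "not"; a drive with security enabled also prints
    # "Security level high" or "Security level maximum".
    if printf '%s\n' "$ident" | grep -Eq '^[[:space:]]*not[[:space:]]+enabled'; then
        echo disabled
        return 0
    fi
    level=$(printf '%s\n' "$ident" \
        | sed -nE 's/^[[:space:]]*Security level (high|maximum).*/\1/p' \
        | head -n1)
    echo "${level:-unknown}"
}

# Human-readable verdict. High mode is the weak one: whoever holds the
# vendor-set master password can unlock the drive without the user password.
sed_verdict() {
    case "$(sed_security_level "$1")" in
        high)     echo "WEAK: master password can unlock this drive (set level to Maximum)" ;;
        maximum)  echo "OK: master password unlock is disabled" ;;
        disabled) echo "INFO: ATA security is not enabled on this drive" ;;
        *)        echo "UNKNOWN: could not find a security level in the input" ;;
    esac
}

# Constructed sample: security enabled in High mode (assumed hdparm layout).
SAMPLE_HIGH='Security:
	Master password revision code = 65534
		supported
		enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level high
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: ATA security never enabled.
SAMPLE_OFF='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase'

sed_verdict "$SAMPLE_HIGH"
sed_verdict "$SAMPLE_OFF"
```

On a real system, run `hdparm -I /dev/sdX` as root and pass its output to `sed_verdict`. If a drive reports High, hdparm's `--security-mode m` option selects Maximum when the user password is set with `--security-set-pass` (this is destructive if misused, so read the man page and back up first). Keep in mind that this only closes the master-password hole; the other flaws the researchers found are not fixed by changing the security level.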
To learn more, read this ZDNet article, Flaws in self-encrypting SSDs let attackers bypass disk encryption.
Now You have to Protect USB Cables Too
In the "as if you didn't have enough to worry about" category, attacks can now be launched from inside USB cables.
When you plug a phone into an untrusted computer or a public charging station, your phone is potentially exposed to whatever sits on the other end of the data lines.
One way to charge safely from untrusted sources has been a "USB condom": a pass-through adapter that keeps the power wires connected but disconnects the data wires, so the phone can charge while nothing can talk to it.
Well, everything just got less safe. Security researcher MG (@_MG_) has built the attack hardware into USB cables themselves. Now not only is your phone at risk when you plug in, but your computer is too. He did it earlier this year with a USB-C cable, and more recently with a Lightning cable.
You might be thinking, “No problem, I’ll just use my own cables and for good measure I’ll use a USB condom.”
The bad news: he has applied the same hardware hack to a USB condom.
The good news is that he is doing this to raise awareness and help you stay safer.
If you want to know more, read MG’s blog on the topic, BadUSB Cables.
Enterprise Security Software from … Netflix!?
Netflix has released an open-source desktop application for Windows and Mac that checks key health and security settings.
Netflix believes that working together with the open source community produces better software. They have just released a desktop version of their security-checking app, Stethoscope, in their Netflix-Skunkworks GitHub.
They describe it as, "A desktop application that checks security-related settings and makes recommendations for improvements without requiring central device management or automated reporting."
The app is intended for use within organizations rather than by individuals. It is read-only: it cannot change settings or fix non-compliant systems, it only reports what it finds and recommends what to change.
To learn more, read the announcement in the Netflix Tech Blog, The New Netflix Stethoscope Native App.