And speaking of Facebook, along with GitHub they’ve announced a new two-factor lockout recovery process: in a nutshell, GitHub can store your recovery codes “inside” your Facebook account, allowing you to use Facebook to recover a lost GitHub second factor. The protocol is something they’re calling Delegated Account Recovery.
If you buy a Yubikey to use with Facebook, check out The Yubikey Handbook: it’s a free ebook covering all sorts of things you can do with your key. I was especially interested in the chapter on using Yubikeys with Docker Content Trust; I’ve not seen this process well-documented before.
Have you ever wondered how BGP hijacking actually takes place? Zach Julian at Bishop Fox has A BGP Hijacking Technical Post-Mortem. For some background, see also Zach’s article from 2015 giving an Overview of BGP Hijacking.
HTTPS accounts for a majority of web requests:
Unfortunately, as HTTPS adoption grows, network monitoring and A/V software increasingly tries to intercept (terminate and re-encrypt) HTTPS traffic. Many of those tools get it wrong, opening up users to risk. The Security Impact of HTTPS Interception [PDF] shows that the problem is worse than you might think: “62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities.”
How I Would Hack Your Network (If I Woke Up Evil). Real-world attacks don’t really look the way they’re presented on TV.
This is a weekly roundup of interesting infosec related links, inspired by Geek Feminism’s linkspam tradition.
If you’d like to suggest a link for a future roundup, post it to Pinboard tagged with securitylinkspam and I’ll find it there.