Hello, welcome to the Friday, January 8, 2021 edition of the Sandcent, Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Rob today started a series of diaries that he'll be publishing over the next couple days, couple weeks about parsing

and using the national vulnerability database. NIST publishes this database and it's sort of the

authoritative source of vulnerability information and offers a nice structured view of vulnerabilities.

For example, you can query the database by products,

and products are organized using standardized strings or CPEs,

the common platform enumeration.

So many tools, like for example NMAPAP will, for example, create output that includes this

common platform enumeration string, and then you can quickly feed that into the NVD API in order

to retrieve related vulnerabilities.

With Rob's diary, you get some samples in an introduction

into the information that is available via NVD and also tools that allow you to retrieve

and organize the data. And security researchers from Ninja Lab took a closer look at the Google Titan security key.

And while they did find a site channel vulnerability, I think they actually proved that exploitation of this vulnerability is not exactly practical.

If you're not familiar with Google Titan, it's a key that

implements the U2F or Fido2 protocol that can be used for authentication. There are a couple different

versions of it, either with USB, Bluetooth low energy, or with NFC interfaces.

And essentially, a browser, for example, is able to send a challenge to the key that will

then be digitally signed and returned to the browser to prove a particular individual's

identity. And of course, the big advantage of a token like this compared to, let's say, Google Authenticator or other soft tokens is that it should be very hard to impossible to actually copy these security keys.

In order to copy the security key, you need to be able to retrieve a

...