More stories

    Capitol attack's cybersecurity fallout: Stolen laptops, lost data and possible espionage

    FBI is seeking certain people of interest. See notice at the end of this article.
    When hostile actors penetrated the Capitol Building on January 6, they gained access to individual chambers and offices and remained at large within the Capitol complex for well over two hours.
    We have reports that items were stolen. One report comes from acting US Attorney for DC, Michael Sherwin, who stated “items, electronic items were stolen from senators’ offices, documents and … we have to identify what was done to mitigate that.”  My local Senator, Jeff Merkley (D-Ore.), reported that at least one laptop had been stolen. 
    Amid stolen laptops, lost data and potential espionage, the cybersecurity consequences of this attack will take months to sort out. Here’s a look at the cybersecurity issues.  

    National security issues
    While surveillance undoubtedly tracked many of the hundreds who made it inside the building, we cannot assume we know the exact second-by-second movements of everyone who gained entrance. That means there is absolutely no knowing what actions were taken against digital gear inside the building.
    Passwords, documents, access codes, and confidential or secret information may have been stolen. We also need to assume that some computers may have been compromised, with malware loaded onto them. Since malware is key to any systemic penetration, we must assume that bad actors have gained some persistent, hidden, ongoing access to Capitol Building systems.
    In all likelihood, only a small number of machines were compromised. But given the sensitive nature of information stored on digital gear inside the Capitol, and given that it may be impossible to quickly ascertain which devices were compromised, federal IT personnel must assume that ALL the digital devices at the Capitol have been compromised.

    The situation is actually worse than it may appear at first. According to a USA Today timeline, Congress reconvened at 8pm on January 6. It’s likely that staff computer use began mere minutes after Congress reconvened. Obviously, there was no way to completely lift and replace thousands of machines instantly. Therefore, from that moment until now, members and their staff have been using digital devices that may have been compromised. That means that all communications, files, and network connections from and to those devices may have also been compromised.
    Physical access raises the stakes
    If the Capitol’s computers were penetrated by a traditional malware-driven hack followed by a breach over the Internet, mitigation could have been moderately straightforward, if not inconvenient and painful. Systems could have been scanned for malware, and — in the most sensitive cases — hard drives could have been zeroed or replaced.
    But there were hundreds of unauthorized people in the building, people who were photographed having gained access to the desks and private offices of members. These people could have gone anywhere within the building.
    We also have to assume that there were some foreign actors who entered the building by blending into the crowd. Yes, I know this sounds paranoid, but hear me out. We know that Russia and other nations have been conducting cyberattacks against America for some time.
    We also know that the final congressional certification of ballots for the 2020 presidential election was Constitutionally mandated for January 6 — and because of the heated rhetoric, it was all but a certainty that there would be crowds and unrest.
    It is therefore highly likely that enemy (or frenemy) actors were likewise aware of the potential for unrest around the Capitol Building. While the specific details of exactly what would unfold in what order on January 6 was impossible to predict, there’s good reason to expect that international handlers would find it prudent to keep small squads of agents on standby. That way, if the opportunity presented itself, they could surreptitiously insert those agents into the situation.
    Therefore, we have to assume that some of the people who penetrated Capitol Hill were probably foreign actors. And from that observation, we have to expect one or more of those foreign actors who made it inside took some physical action against machines normally out of reach.
    Physical access is more than stealing computers
    Once an enemy agent gains physical access, a lot can happen. And by a lot, I mean stealth attacks that will require the Capitol’s IT teams to use a scorched-earth remediation effort. First, let’s be aware that malware often doesn’t show itself until a set period of time has passed or a trigger happens. So machines that seem perfectly fine may well be Trojan horses.
    It is possible that machines were opened and thumb drives or even extra drives were placed inside machines, which were then sealed back up. With a power screwdriver, it’s possible to open up the skins of a tower PC, shove a USB stick into an open internal port, and seal the thing back up in a minute or two. These might never be detected.

    When Stuxnet destabilized the Natanz centrifuges in Iran, the worm was delivered via USB drives smuggled into the facility. In the case of Capitol security, hundreds of people were inside the Capitol building. An effective attack would simply be to leave random, generic USB drives in various drawers and on various desks. Without a doubt, someone would see the drive, assume it was one of their own, and plug it in. Malware delivered.
    There are other physical attacks possible. We’ve talked previously about a USB charger with a wireless keylogger. We’ve written about the Power Pwn, a device that looks like a power strip but which hides wireless network hacking tools. We’ve discussed how a man-in-the-middle attack was launched against EU offices, siphoning Wi-Fi traffic to an illegal listener.
    With hundreds of people inside the Capitol Building, devices like these could have been left in place. It could take weeks or months to discover them, especially if they were left as if they were clutter, to be used by random staffers when they need a spare piece of hardware.
    What must be done
    There are some IT best practices that can reduce the risk. Network micro-segmentation can prevent malware from crossing between zones, for example. But no network-based security practice can completely mitigate a physical attack.
    The Capitol Building must be completely scrubbed. All machines must be scanned. Any desktop PC that is not hermetically sealed must be opened and the internals carefully inspected. USB drive slots must be locked, so Capitol Hill staffers can’t plug in random USB drives. The building must be repeatedly scanned on a room-by-room, floor-by-floor basis for radiant signal broadcast.
    Congressional staffers must be educated about what to look for, about best practices, and about taking extra care even if it takes extra time.
    Every single digital device within the Capitol grounds must be considered suspect. It’s essential that a strong security standing be maintained even after active machines have been tested and scanned, because we need to be on the lookout for delayed threats and attacks that are hiding, waiting for their opportunity to trigger access.
    Espionage Act violations
    Finally, everyone who participated in the attack, particularly those who penetrated the building, must be prosecuted to the fullest extent of the law and possibly even charged with Espionage Act violations. While some of the participants may have been characterized as “patriots” or angry “fine people,” the fact is that their actions may have provided cover for acts of espionage by our nation’s enemies.
    I can hear what you’re saying. “But David, isn’t it being a little paranoid to think other countries would take advantage of our own internal disputes?” Okay, fine. Nobody would say that. Instead, there’d be a lot of fist waving and yelling at me. But for our purposes, let’s go with the civil version.
    And no, it’s not a little paranoid. Russia did meddle with the 2016 election. It’s part of basic tradecraft to incite anger and disagreements among a target’s population. We know Russian meddling has contributed to the anger and rage we’re all feeling — although our own politicians certainly leveraged off of it for their own selfish interests.
    The Capitol Building attack was absolutely rage and anger based. Given that sowing unrest is a major part of Russia’s playbook, it’s entirely likely that they were very aware of the significance of the January 6 date and were quite prepared to capitalize on it to the fullest extent. And all that brings us to espionage — conducted by foreign actors, but very likely aided and abetted by duped or complicit Americans strung out on a rage high.
    Those who stormed Capitol Hill may have violated 18 U.S. Code § 792 – Harboring or concealing persons. This code is simple, stating, “Whoever harbors or conceals any person who he knows, or has reasonable grounds to believe or suspect, has committed, or is about to commit, an offense.” If a case can be made that any of the attackers might merely suspect an external agent would breach the building with them, they’re in violation of this statute.
    They may have also violated 18 U.S. Code § 793 – Gathering, transmitting or losing defense information. This is one of the big ones, opening with “Whoever, for the purpose of obtaining information respecting the national defense with intent or reason to believe that the information is to be used to the injury of the United States, or to the advantage of any foreign nation…” Stopping or overturning an election can definitely be considered “to the injury of the United States,” and again, if any of this information is disclosed to a foreign power — even via a photo on Twitter, it’s a serious violation.
    It goes on to list a vast array of government resources that, if breached, would be in violation, including “…building, office, research laboratory or station or other place connected with the national defense owned or constructed, or in progress of construction by the United States or under the control of the United States, or of any of its officers, departments, or agencies…” Clearly, the Capitol Building falls under this, especially since congressional committees do deal with highly classified information.
    People who commit crimes under these codes “shall be fined under this title or imprisoned not more than ten years, or both.”
    It’s with 18 U.S. Code § 794 – Gathering or delivering defense information to aid foreign governments that things start to get serious. The statute begins with “Whoever, with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation,” and, again, blocking the Constitutionally-mandated certification of an election is injurious to the United States.
    But here’s where it gets dicey for those who broke in on January 6. The statute continues:

    …communicates, delivers, or transmits, or attempts to communicate, deliver, or transmit, to any foreign government, or to any faction or party or military or naval force within a foreign country, whether recognized or unrecognized by the United States, or to any representative, officer, agent, employee, subject, or citizen thereof, either directly or indirectly, any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, note, instrument, appliance, or information relating to the national defense…

    This statute is very broad, essentially saying that even if delivery is made to someone not officially recognized as a foreign national, or even delivery is made indirectly (say via a friend, an eBay auction, pictures on Instagram, etc.), it’s in violation. So those pictures we saw of desks with documents, screens with email, etc? If any one item in any of those pictures was confidential or classified, and could be seen by a foreign agent, this clause is triggered.
    The punishment? Well, let’s let the statute speak for itself: “shall be punished by death or by imprisonment for any term of years or for life.” Ouch!
    Let’s be clear here. Most of the attackers were Americans. And as despicable as their actions were — and breaking into and interrupting a Constitutional practice is despicable, regardless of which side of the aisle you’re on — most of them most likely thought they were acting on behalf of the US, not with intent to injure it.
    The law often takes into account intent. But when it comes to espionage, the law has a very large hammer. The United States does not take kindly to espionage. With thousands of people in the crowd outside the building and hundreds who broke in, there was no way for those committing the crime to know who their fellow mob members might be at the time. Providing cover for enemy agents, even if it could be argued it was done through naivety or stupidity, is still providing cover for enemy agents. 
    This is going to play out for months or years, both in our courts and within the United States Intelligence Community. If any secured information resulting from this breach winds up in any foreign hands, the stakes will go up immeasurably and those good ol’ boys from middle America wearing dad jeans and baseball caps or goat horns, face paint, and fur bikinis may well find themselves subject to the full might and wrath of the United States Government — the very government they tried to overthrow.
    You can help
    InfraGard posted a recent alert that I’m now sharing with you. The Federal Bureau of Investigation’s Washington Field Office is seeking the public’s assistance in identifying individuals who made unlawful entry into the US Capitol Building on January 6, 2021, in Washington, D.C.
    In addition, the FBI is offering a reward of up to $50,000 for information leading to the location, arrest, and conviction of the person(s) responsible for the placement of suspected pipe bombs in Washington, D.C. on January 6, 2021. 
    At approximately 1:00 p.m. EST on January 6, 2021, multiple law enforcement agencies received reports of a suspected pipe bomb with wires at the headquarters of the Republican National Committee (RNC) located at 310 First Street Southeast in Washington, D.C.
    At approximately 1:15 p.m. EST, a second suspected pipe bomb with similar descriptors was reported at the headquarters of the Democratic National Committee (DNC) at 430 South Capitol Street Southeast #3 in Washington, D.C.
    Anyone with information regarding these individuals, or anyone who witnessed any unlawful violent actions at the Capitol or near the area, is asked to contact the FBI’s Toll-Free Tipline at 1-800-CALL-FBI (1-800-225-5324) to verbally report tips. You may also submit any information, photos, or videos that could be relevant online at fbi.gov/USCapitol. You may also contact your local FBI office or the nearest American Embassy or Consulate.

    Disclosure: David Gewirtz is a member of InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

    Singapore touts 'greener' digital monetary gifts this Lunar New Year

    Singapore is urging citizens to go green and tap digital payment platforms when they dish out monetary gifts to celebrate the upcoming Lunar New Year. This will help reduce carbon emissions currently estimated to be some 330 tonnes as a result of the annual customary practice. 
    The Monetary Authority of Singapore (MAS) on Monday said the use of e-hongbaos, apart from being more environmentally friendly, also would facilitate remote gifting amidst safe distancing measures in the ongoing COVID-19 pandemic. In addition, e-gifters would not need to join the queue for physical bank notes. 

    MAS’ assistant managing director for finance, risk, and currency, Bernard Wee, noted that the adoption of digital payments grew significantly this past year and proved more convenient than cash. “The coming Lunar New Year offers an opportunity for us to build on this momentum to spread the benefits of e-gifting, and to forge new traditions with our families and friends,” Wee said. 
    “E-gifting helps to reduce the queues at banks and also helps to reduce the carbon emissions generated by the production of new notes for each Lunar New Year, estimated to be about 330 tonnes currently,” he said. “This is equivalent to emissions from charging 5.7 million smartphones or one smartphone for every Singaporean resident for five days.”
    MAS added that handing out e-hongbaos would reduce the need to print, and waste, new notes since these typically were returned by the public to banks after each Lunar New Year. 
    The industry regulator called on fintech companies to develop and offer various e-gifting applications and services to support the move. It added that the Association of Banks in Singapore would actively promote e-gifting this festive season.
    In China, messaging platforms such as WeChat have facilitated and seen increasing adoption of e-hongbaos. Tencent in 2019 said 823 million of its WeChat users sent and received the digital monetary gifts in the first six days of the Lunar New Year, which was up 7% from the previous year. 

    MAS last November said eligible non-bank financial institutions in Singapore soon would have direct access to the country’s retail payment platforms, PayNow and FAST. This would enable e-wallet users to make funds transfers between bank accounts and across different e-wallets. Currently, e-wallets can be topped up only via credit or debit cards and funds cannot be transferred between e-wallets. 
    To plug this gap, MAS said a new API (application programming interface) payment gateway had been developed under guidelines from the Singapore Clearing House Association (SCHA) and Association of Banks in Singapore (ABS), both of which govern FAST and PayNow, respectively. The API would better fit the technology architecture of banks and non-bank financial institutions, MAS said, adding that direct access to the payment platforms would be effective from February 2021.

    Some ransomware gangs are going after top execs to pressure companies into paying

    A new trend is emerging among ransomware groups where they prioritize stealing data from workstations used by top executives and managers in order to obtain “juicy” information that they can later use to pressure and extort a company’s top brass into approving large ransom payouts.

    ZDNet first learned of this new tactic earlier this week during a phone call with a company that paid a multi-million dollar ransom to the Clop ransomware gang.
    Similar calls with other Clop victims and email interviews with cybersecurity firms later confirmed that this wasn’t just a one-time fluke, but instead a technique that the Clop gang had fine-tuned across the past few months.
    Making the extortion personal
    The technique is an evolution of what we’ve seen from ransomware gangs lately.
    For the past two years, ransomware gangs have evolved from targeting home consumers in random attacks to going after large corporations in very targeted intrusions.
    These groups breach corporate networks, steal sensitive files they can get their hands on, encrypt files, and then leave ransom notes on the trashed computers.
    In some cases, the ransom note informs companies that they have to pay a ransom demand to receive a decryption key. If data was stolen, some ransom notes also inform victims that if they don’t pay the ransom fee, the stolen data will be published online on so-called “leak sites.”

    Ransomware groups hope that companies will be desperate to avoid having proprietary data or financial numbers posted online and accessible to competitors and would be more willing to pay a ransom demand instead of restoring from backups.
    In other cases, some ransomware gangs have told companies that the publishing of their data would also amount to a data breach, which would in many cases also incur a fine from authorities, as well as reputational damage, something that companies also want to avoid.
    However, ransomware gangs aren’t always able to get their hands on proprietary data or sensitive information in all the intrusions they carry out. This reduces their ability to negotiate and pressure victims.
    This is why, in recent intrusions, a group that has often used the Clop ransomware strain has been specifically searching for workstations inside a breached company that are used by its top managers.
    The group sifts through a manager’s files and emails, and exfiltrates data that they think might be useful in threatening, embarrassing, or putting pressure on a company’s management — the same people who’d most likely be in charge of approving their ransom demand days later.
    “This is a new modus operandi for ransomware actors, but I can say I’m not surprised,” Stefan Tanase, a cyber intelligence expert at the CSIS Group, told ZDNet in an email this week.
    “Ransomware usually goes for the ‘crown jewels’ of the business they are targeting,” Tanase said. “It’s usually fileservers or databases when it comes to exfiltrating data with the purpose of leaking it. But it makes sense for them to go after exec machines if that’s what’s going to create the biggest impact.”
    Clop already uses this tactic, REvil too, but scarcely
    Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told ZDNet that, so far, they’ve only seen tactics like these in incidents involving the Clop ransomware.
    “This style of blackmail may be the modus operandi of a particular [Clop] affiliate, and that affiliate could also work for other [ransomware] groups,” Callow told us.
    The Emsisoft analyst described this evolution in extortion tactics as “not at all surprising” and “a logical and inevitable progression.”
    “Over the last couple of years, the tactics used by ransomware groups have become increasingly extreme, and they now use every possible method to pressure their victims,” Callow said.
    “Other tactics include harassing and threatening phone calls to both executives and customers and business partners, Facebook ads, press outreach, and threats to reveal companies’ ‘dirty laundry’.”

    But according to a similar interview with Evgueni Erchov, director of incident response and cyber threat intel at Arete IR, an affiliate of the REvil (Sodinokibi) ransomware-as-a-service operation has already adopted this technique from the Clop gang (or this might be the same Clop affiliate that Callow mentioned above).
    “Specifically, the threat actor was able to find documents related to ongoing litigations and the victims’ internal discussions related to that,” Erchov told ZDNet.
    “Then the threat actor used that information and reached out directly to executives over email and threatened to release the data of the alleged ‘misconduct by the management’ publicly,” Erchov said.
    Allan Liska, a senior security architect at Recorded Future, told ZDNet that they’ve only seen this tactic with Clop attacks, but they don’t rule out other ransomware actors adopting it as well.
    “Ransomware gangs are very quick to adopt new techniques, especially those that make ransom payment more likely,” Liska said.
    “It also makes sense in the evolution of extortion tactics, as ransomware gangs have gone after bigger targets they have had to try different ways of forcing payment.
    “Leaking stolen data is the one everyone is aware of, but other tactics, such as REvil threatening to email details of the attack to stock exchanges, have also been tried,” Liska said.
    Not always truthful
    However, Bill Siegel, the CEO and co-founder of security firm Coveware, said that in many cases the claims about the data used in these extortion schemes aimed at a company’s management aren’t truthful, and the data doesn’t live up to expectations.
    “They [the ransomware groups] make all sorts of threats about what they may or may not have,” Siegel told ZDNet.
    “We have never encountered a case where stolen data actually showed evidence of corporate or personal malfeasance. For the most part, it is just a scare tactic to increase the likelihood of payment,” Siegel said.
    “Let’s remember these are criminal extortionists. They will say or claim all sorts of fantastical things if it makes them money.”
    ZDNet would also like to thank security firm S2W Lab for their help on this article.

    CISA: SolarWinds hackers also used password guessing to breach targets

    The US Cybersecurity and Infrastructure Security Agency (CISA) said today that the threat actor behind the SolarWinds hack also used password guessing and password spraying attacks to breach targets as part of its recent hacking campaign and didn’t always rely on trojanized updates as its initial access vector.
    The new developments come as CISA said last month in its initial advisory on the SolarWinds incident that it was investigating cases where the SolarWinds hackers breached targets that didn’t run the SolarWinds Orion software.
    While no details were provided at the time, in an update to its original advisory posted this week, CISA said it finally confirmed that the SolarWinds hackers also relied on password guessing and password spraying as initial access vectors.
    “CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [T1101.001], password spraying [T1101.003], and inappropriately secured administrative credentials [T1078] accessible via external remote access services [T1133],” the agency said on Wednesday.
    Once threat actors gained access to internal networks or cloud infrastructure, CISA said the hackers, believed to be Russian in origin, escalated access to gain administrator rights and then moved to forge authentication tokens (OAuth) that allowed them to access other local or cloud-hosted resources inside a company’s network, without needing to provide valid credentials or solve multi-factor authentication challenges.
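The password spraying CISA describes is hard to catch with per-account lockout rules, because each account sees only one or two failures; the signal is one source touching many accounts, and the high-severity case is a later success from that same source. The following detector is an added example (not code from CISA, Sparrow or CST); it assumes a constructed one-event-per-line log format of `timestamp user source result`, and the log contents are made up for illustration.

```python
"""Password-spraying and brute-force detection over authentication logs.

Added example, not code from CISA, Sparrow or CST. It assumes a simple
constructed log format "timestamp user source result", one event per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Three stories are embedded:
#   198.51.100.7  tries one password against six accounts, then logs in as frank
#   203.0.113.20  hammers a single account (classic brute force, not spraying)
#   192.0.2.44    a user mistypes once and then succeeds (benign)
SAMPLE_LOG = """\
2021-01-08T09:00:01Z alice 198.51.100.7 FAIL
2021-01-08T09:00:09Z bob 198.51.100.7 FAIL
2021-01-08T09:00:17Z carol 198.51.100.7 FAIL
2021-01-08T09:00:25Z dave 198.51.100.7 FAIL
2021-01-08T09:00:33Z erin 198.51.100.7 FAIL
2021-01-08T09:00:41Z frank 198.51.100.7 FAIL
2021-01-08T09:01:00Z admin 203.0.113.20 FAIL
2021-01-08T09:01:02Z admin 203.0.113.20 FAIL
2021-01-08T09:01:04Z admin 203.0.113.20 FAIL
2021-01-08T09:01:06Z admin 203.0.113.20 FAIL
2021-01-08T09:01:08Z admin 203.0.113.20 FAIL
2021-01-08T09:01:10Z admin 203.0.113.20 FAIL
2021-01-08T09:03:30Z alice 192.0.2.44 FAIL
2021-01-08T09:03:45Z alice 192.0.2.44 SUCCESS
2021-01-08T09:12:05Z frank 198.51.100.7 SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, source, result)."""
    ts, user, src, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, src, result


def load_events(log_text):
    """Parse all non-empty lines and return them in chronological order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e[0])


def detect_spraying(log_text, window=timedelta(minutes=30),
                    min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts with few tries each.

    Spraying is low and slow per account, so per-account lockout thresholds
    never fire; the signal is the breadth of accounts seen from one source
    inside a sliding time window. Any later SUCCESS from the same source is
    attached to the finding, since that is the case CISA describes: access
    actually obtained.
    """
    failures = defaultdict(list)   # source -> [(ts, user), ...]
    successes = defaultdict(list)  # source -> [(ts, user), ...]
    for ts, user, src, result in load_events(log_text):
        (failures if result == "FAIL" else successes)[src].append((ts, user))

    findings = []
    for src, fails in failures.items():
        counts = defaultdict(int)  # failures per account inside the window
        left, best = 0, None
        for ts, user in fails:
            counts[user] += 1
            # slide the left edge forward until the window fits again
            while ts - fails[left][0] > window:
                old_user = fails[left][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                left += 1
            sprayed = sorted(u for u, n in counts.items() if n <= max_per_account)
            if len(sprayed) >= min_accounts and (
                    best is None or len(sprayed) > len(best["accounts"])):
                best = {"source": src, "start": fails[left][0], "accounts": sprayed}
        if best:
            best["followed_by_success"] = sorted(
                u for t, u in successes.get(src, []) if t >= best["start"])
            findings.append(best)
    return findings


def detect_brute_force(log_text, threshold=5):
    """Contrast case: many failures against ONE account from one source."""
    counts = defaultdict(int)
    for _, user, src, result in load_events(log_text):
        if result == "FAIL":
            counts[(src, user)] += 1
    return sorted((src, user, n) for (src, user), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for f in detect_spraying(SAMPLE_LOG):
        print(f"spray from {f['source']}: {len(f['accounts'])} accounts, "
              f"later success as {f['followed_by_success'] or 'none'}")
    for src, user, n in detect_brute_force(SAMPLE_LOG):
        print(f"brute force from {src} against {user}: {n} failures")
```

On the sample, only 198.51.100.7 is reported as spraying (with the later login as frank attached), while 203.0.113.20 shows up only under the brute-force check, which is the distinction a lockout policy alone cannot make.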
    In a report published on December 28, Microsoft said the threat actor’s primary goal was to gain access to cloud-hosted infrastructure, which in many cases was the company’s own Azure and Microsoft 365 environments.
    CISA releases Microsoft cloud-specific guidance

    To help victims deal with these “to-cloud” escalations, CISA has also published a second advisory today with guidance on how to search Microsoft-based cloud setups for traces of this group’s activity and then remediate servers.
    CISA said the guidance is “irrespective of the initial access vector” that the SolarWinds hackers leveraged to gain control of cloud resources and should apply even if the initial access vector was the trojanized Orion app or a password guessing/spraying attack.
    The guidance also references Sparrow, a tool CISA released last year during the SolarWinds breach investigation to help victims detect possibly compromised accounts and applications in Azure and Microsoft 365 environments.
    Security firm CrowdStrike also released a similar tool called CST.

    Best security key in 2021

    Being sensible when it comes to passwords is important, and a crucial step to securing your online life.
    However, some of your online accounts — for example, your Google Account or Dropbox — might be so important and contain such a wealth of information that you might want to take additional steps to protect them. There’s no better way to secure your online accounts than to use hardware-based two-factor authentication (2FA). 
    Security keys are easy to use, cheap, put an end to phishing attacks, and are less hassle and much more secure than SMS-based two-factor authentication. And the good news these days is that you can get security keys in a variety of formats: USB-A and USB-C, Lightning for iPhone users, and even keys that use Bluetooth.
    So, let’s take a look at the best security keys currently available.

    All-rounder for the modern system

    Now that USB-C is becoming the standard on laptops, desktops, and Android smartphones, it made sense for Yubico to bring USB-C and NFC together into a single key. 
    The YubiKey 5C NFC is FIDO-certified and works with Google Chrome and any FIDO-compliant application on Windows, Mac OS, or Linux. Secure your login and protect your Gmail, Facebook, Dropbox, Outlook, LastPass, Dashlane, and 1Password accounts, and more.
    The YubiKey USB authenticator includes NFC and has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.
    $50 at Amazon

    Probably the best all-round security key

    The YubiKey 5 NFC brings together the ubiquity of USB-A with the versatility of wireless NFC, which gives it broad compatibility across a wide range of devices. It is FIDO certified and works with Google Chrome and any FIDO-compliant application on Windows, MacOS, or Linux, and the NFC makes it compatible with iOS and Android devices.
    The YubiKey USB authenticator includes NFC and has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.
    $45 at Amazon

    Good choice for Mac users

    This is a 2FA security key built around a USB-C plug. If you’re using mostly Macs or modern laptops and desktops, this is a great choice. Also a good choice for those using Android devices. 
    The YubiKey 5C is FIDO certified and works with Google Chrome and any FIDO-compliant application on Windows, MacOS, or Linux. The YubiKey USB authenticator has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.
    $50 at Amazon

    Tiny security key is tiny!

    The tiniest YubiKey available! No bigger than a fingernail, and it fits discreetly into a USB-A port.
    The YubiKey 5 Nano is FIDO certified and works with Google Chrome and any FIDO-compliant application on Windows, MacOS, or Linux. The YubiKey USB authenticator has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.
    $50 at Amazon

    A security key that looks like a flash drive

    This FIDO2 key is backward-compatible with the U2F protocol and works with the newest Chrome browser on operating systems such as Windows, MacOS, or Linux. It can protect your account on any website that supports the U2F protocol.
    It is designed with a 360-degree rotating metal cover that shields the USB connector when not in use, and it is crafted from a durable aluminum alloy to protect the key from drops, bumps, and scratches.
    A very reasonably priced security key.
    $20 at Amazon

    Google offers a range of keys at a decent price

    Titan Security Keys include special firmware engineered by Google to verify the key’s integrity and are built on FIDO open standards, so you can use them with many apps and services.
    Google offers a range of keys:
    USB-C
    USB-A
    Bluetooth/USB/NFC
    They are good quality, although I have had problems with the plastic not being as durable as some keys on the market.
    $25 at Google

    The convenience of using your fingerprint to unlock devices

    This fingerprint reader combines superior biometric performance and 360-degree readability with anti-spoofing protection.
    Log in to your Windows computer using Microsoft’s built-in Windows Hello login feature with just your fingerprint, with no need to remember usernames and passwords. It can be used with up to 10 different fingerprints, so multiple users can log in to the same computer.
    Because the Kensington Verimark Fingerprint Key is FIDO U2F Certified, your fingerprint can protect your cloud-based accounts such as Google, Dropbox, GitHub, and Facebook with FIDO second-factor authentication.
    $40 at Amazon



    State Department creates bureau to reduce 'likelihood of cyber conflict'

    Image: US Department of State
    Secretary of State Mike Pompeo announced on Thursday the creation of a new bureau inside the US Department of State dedicated to addressing cybersecurity as part of the US’ foreign policy and diplomatic efforts.


    The new bureau will be named the Bureau of Cyberspace Security and Emerging Technologies (CSET).
    “The CSET bureau will lead US government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect US foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber conflict, and prevailing in strategic cyber competition,” the State Department said yesterday.
    Efforts to get the bureau on its feet began in June 2019. It replaces a previous office tasked with addressing cyber-security policies as part of US foreign diplomatic efforts, which had been shuttered as part of a reorganization in the summer of 2017, under Secretary of State Rex Tillerson.
    “The need to reorganize and resource America’s cyberspace and emerging technology security diplomacy through the creation of CSET is critical, as the challenges to US national security presented by China, Russia, Iran, North Korea, and other cyber and emerging technology competitors and adversaries have only increased since the Department notified Congress in June 2019 of its intent to create CSET,” the State Department said yesterday.
    State Department facing criticism
    However, the move has not been well met by former State Department cybersecurity coordinator Christopher Painter, who criticized the bureau’s creation on Twitter.
    “Laughable that this is done @ the 11th hr [during the Trump administration] when this was not adequately resourced or prioritized for 4 yrs,” Painter said.

    At this point the new administration should decide how best to structure this issue and where it should be placed. Both Solarium Comm & Cyber Diplomacy Act called for a broader and more integrated scope and a higher level in the Department.
    — Chris Painter (@C_Painter) January 7, 2021

    The former US official cited the recent Cyberspace Solarium Commission report and the Cyber Diplomacy Act, both of which call for any cybersecurity-related efforts to be integrated at a higher level inside the State Department’s foreign policy, coordinated with other US federal agencies, and not relegated to an office or bureau.
    The initial attempt to set up the CSET in 2019 was also stopped on the same grounds, with former Rep. Eliot Engel (D-N.Y.), the chairman of the House Foreign Affairs Committee at the time, claiming that cybersecurity should have a broader role in US foreign policy, controlled by higher-ranking officials inside the State Department, and not by a bureau.
    “This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber issues needs to elevate engagement on economic interests and internet freedoms together with security,” Rep. Engel said at the time.
    “While Congress has pursued comprehensive, bipartisan legislation, the State Department has plowed ahead in its plan to create a bureau with a much narrower mission focused only on cybersecurity.”
    The US Government Accountability Office (GAO) also confirmed this in a September 2020 report, writing that the State Department had not involved or even informed other government agencies about its plan to establish CSET.
    As Painter pointed out on Twitter, “at this point the new administration should decide how best to structure this issue and where it should be placed.”


    Singapore to introduce law governing police use of COVID-19 contact tracing data

    Days after it was revealed that Singapore’s law enforcement can access COVID-19 contact tracing data for criminal probes, the government now says it will pass legislation to specify when such access will be permitted. It is doing so to “formalise” its assurance that access to the data will be restricted to serious offences.
    The new law would outline seven categories in which personal data, collected for the purpose of contact tracing, could be used by the police for investigations, inquiries, or court proceedings, according to the Smart Nation and Digital Government Office, which is parked under the Prime Minister’s Office.
    These seven categories would comprise:
    Offences involving the use or possession of corrosive substances or dangerous weapons, such as possession of firearms
    Terrorism-related offences detailed under the country’s terrorism laws
    Crimes in which the victim is seriously hurt or killed such as murder or voluntarily causing grievous hurt
    Drug trafficking offences that involve the death penalty
    Escape from legal custody where the suspect may cause imminent harm to others
    Kidnapping
    Serious sexual offences

    COVID-19 contact tracing data would not be used for police investigations, inquiries, or court proceedings outside of these seven categories, the Smart Nation Office said in a statement Friday.
    It added that the legislation would be introduced at the next parliament session in February.
    This move comes days after the government’s revelation that data gathered by the country’s contact tracing platform, TraceTogether, can be used for police investigations. The news contradicted previous assertions that the data would only be accessed if the user tests positive for the virus, and came months after the contact tracing app was launched last March.
    To date, more than 4.2 million residents, or 78% of the local population, have adopted the TraceTogether app and wearable token, with a recent spike in adoption likely fuelled by the government’s announcement that use of the app or token would be mandatory for entry into public venues in early 2021.

    TraceTogether taps Bluetooth signals to detect other participating mobile devices — within 2 metres of each other for more than 30 minutes — to allow them to identify those who have been in close contact when needed.
    In defending its decision to allow the police access to the data, the Singapore government said this was necessary to safeguard public safety and interest. It also revealed that the data already had been tapped at least once to assist in a homicide investigation.
    In its statement Friday, the Smart Nation Office acknowledged it had made an “error” in not stating that data from TraceTogether would not be exempt from the country’s Criminal Procedure Code, which empowers the police to obtain any data for its investigations.
    It said the new legislation would “formalise” the government’s assurances that the use of contact tracing data outside of its primary purpose would be restricted to serious offences.
    Minister for Law and Home Affairs K. Shanmugam had said earlier this week that police access to TraceTogether data was restricted to “very serious offences”, given the “national importance” of the contact tracing platform in dealing with the COVID-19 pandemic. “While that requirement is not in the legislation, it will be carefully considered within the police and discretion will be exercised in seeking this information,” Shanmugam said.
    Minister-in-Charge of the Smart Nation Initiative and Minister for Foreign Affairs, Vivian Balakrishnan, also pledged that once the pandemic was over and contact tracing data deemed unnecessary, the TraceTogether programme would be stood down.


    Should you worry about hackers cloning your 2FA hardware security keys?

    Hardware security keys, such as the Google Titan, have become a cornerstone of enterprise security, adding a much-needed layer of protection on top of the password. But researchers have now shown that it is possible to clone keys — given the key, a few hours, and thousands of dollars.
    Researchers from security firm NinjaLab have managed to make a clone of a Google Titan 2FA security key. The process makes use of a side-channel vulnerability in the NXP A700X chip.
    Must read: Best security keys in 2021: Hardware-based two-factor authentication for online protection

    I’ll let you read up on this, but basically, the process requires physical access to the key, takes hours, involves trashing the casing to get at the chip, and needs thousands of dollars of equipment, custom software, and a lot of know-how.
    Oh, and the attacker also needs the target’s account password.
    The idea is that after the cloning process, the original key is put back into a new shell and given back to the rightful owner.
    This will, as you might expect, be worrying for organizations that rely on 2FA keys. That said, the amount of information, along with the free time, that an attacker needs to accomplish this is high. I mean, needing both the key and the password is itself a high hurdle.

    On top of that, getting at the key involves trashing the casing of the original. This means that the replacement needs to be convincing, and in my experience keys take on a distinctive battering after very little use.

    So, what can you do to mitigate this attack?
    Have strong passwords.
    Treat your 2FA keys the same way you’d treat your car or house keys — keep them with you at all times.
    Make your keys distinctive — I know someone who puts a spot of glittery nail polish on their key, leaves it to dry, and takes a photo of the unique glittery blob.
    If you believe that your key has been compromised, inform your IT department (or, if that’s you, remove the offending key from your accounts).
    Google can detect cloned keys using its FIDO U2F counters feature.
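    The counter check behind that detection, as an added example that is not the article’s or Google’s code: FIDO U2F and WebAuthn authenticators sign a counter that must only go up, so once a clone and the original diverge, whichever of the two is used second presents a counter no higher than the one the site has stored. Key names, the simulated authenticator and the relying-party class are constructed for illustration; real signature verification is left out so only the counter logic is shown.

```python
from dataclasses import dataclass, field


@dataclass
class Authenticator:
    """Simulated U2F key. A clone copies the key material and the counter
    as they stand at cloning time; afterwards the two counters advance on
    their own, which is what the relying party can notice."""
    key_id: str
    counter: int = 0

    def sign(self) -> int:
        self.counter += 1          # U2F keys increment before each signature
        return self.counter

    def clone(self) -> "Authenticator":
        return Authenticator(self.key_id, self.counter)


@dataclass
class RelyingParty:
    """Server side: remembers the highest counter seen per credential."""
    last_seen: dict = field(default_factory=dict)

    def verify(self, key_id: str, counter: int) -> bool:
        """Accept only if the counter strictly exceeds the stored value.
        A stored value of 0 means no prior assertion (or a key that does
        not implement counters), so the comparison is skipped then."""
        stored = self.last_seen.get(key_id, 0)
        if stored != 0 and counter <= stored:
            return False           # rollback or repeat: flag possible clone
        self.last_seen[key_id] = counter
        return True


def clone_detection_scenario() -> tuple:
    """Constructed scenario: the owner logs in, the key is cloned, the clone
    is used once, then the owner logs in again. Returns whether the clone's
    login and the owner's later login were accepted."""
    rp = RelyingParty()
    original = Authenticator("constructed-key-1")
    rp.verify(original.key_id, original.sign())            # counter 1 stored
    clone = original.clone()                               # copied at 1
    clone_ok = rp.verify(clone.key_id, clone.sign())       # 2 > 1: accepted
    owner_ok = rp.verify(original.key_id, original.sign()) # 2 <= 2: rejected
    return clone_ok, owner_ok                              # (True, False)
```

    The site cannot tell which device is the clone; it only learns that the credential has been duplicated, and only when the second device is used, so the check is an after-the-fact alarm rather than a block on the first fraudulent login.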
    I expect that this will result in better, more tamper-resistant keys in the future. I use 2FA keys, and I am surprised how little tamper-resistance Google’s Titan Bluetooth key has — the shell snaps off easily to expose the innards.

    Still, the ingenuity of this attack should be applauded. It’s a very impressive hack.