fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

GitHub Now Supports Security Keys When Using Git Over SSH

GitHub Now Supports Security Keys When Using Git Over SSH

GitHub has added support for securing SSH Git operations using FIDO2 security keys for added protection from account takeover attempts.

Researchers at North Carolina State University (NCSU) found [PDF] two years ago that more than 100,000 GitHub repositories have leaked API tokens and cryptographic (SSH and TLS) keys after scanning roughly 13% of GitHub’s public repositories over almost six months.

Even worse, they also discovered that thousands of new repositories were also leaking secrets daily.

With GitHub’s newly added feature, you can now use portable FIDO2 devices for SSH authentication to secure Git operations and prevent accidental private key exposure and malware initiating requests without your approval.

“Once generated, you add these new keys to your account just like any other SSH key,” GitHub Senior Security Engineer Kevin Jones said.

“You’ll still create a public and private key pair, but secret bits are generated and stored in the security key, with the public part stored on your machine like any other SSH public key. “

While a private key will be stored on your computer, this is only a reference to your physical security key that’s useless without having access to the actual device.

Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues

“When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.”

You can now use FIDO security keys for SSH git operations. Support for ed25519-sk and ecdsa-sk keys has been added to GitHub. https://t.co/E386ZVatoh— Kevin Jones (@vcsjones) May 10, 2021

To further increase your GitHub account’s resilience against takeover attempts, you should replace all previously registered SSH keys with SSH keys backed by security keys.

This guarantees that you are the only one able to manage your projects’ Git data over SSH while your FIDO2 security key is under your control.

Using only SSH keys backed by FIDO2 devices means that you will not have to keep track of all SSH keys you generate since they are useless without access to the security key they are paired with.

Additionally, GitHub automatically removes any inactive SSH keys (unused in over a year) from your account, thus making key management a lot easier if you’re working on multiple devices or you’ve lost one of them.

To switch to the new SSH Git operations workflow today, you need to log in to your GitHub account, generate a new SSH key for a hardware security key, and then add it to your account.

GitHub has also announced in December that it will switch to token-based authentication starting with August 2021, when account passwords will no longer be accepted for authenticating Git operations.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

GitHub was also one of the first to switch to Web Authentication (WebAuthn) for security keys for two-factor authentication and an early adopter of the FIDO Universal 2nd Factor (U2F) open authentication standard.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us