A Warning About Two Factor Authentication

I have been a strong advocate for two factor authentication and still am, but I ran across a situation yesterday that made me realize that there is something that you need to consider when you implement two factor.

The situation that I encountered was a user that was using text messages for two factor authentication and those text messages were going to his cell phone.  Without understanding the implications, the user cancelled that cell phone and lost control of the phone number.  When that happened, the user lost the ability to sign into the account protected by that phone number.

This is very similar to forgetting your password, but most vendors have made recovering your lost password easy – too easy in my opinion, but we are used to it.  I have to admit, I have used it.  Typically they send an email to the registered email address and you can reset your password.  If a hacker gets into your email they too can reset any password, which is why I say that it is too easy.

The problem/question is this: if you lose access to your phone number, does the vendor have a mechanism to recover access to the account?  Notice I said your phone number, not your phone.  If you lose your phone but still control the number, you can move that number to any new phone and still get those text messages.

Let's say you protect your bank account with two factor.  Likely, you can go into the bank in person, show a banker your government issued picture ID and they can remove the two factor requirement or change the phone number.  MAYBE.  Worst case, you can go into that same bank and close your account, take your money and open a new account.

But what if the account is Facebook?  There is no Facebook store to go into to do the same thing, and closing your Facebook account will cause you to be disconnected from everyone.  Of course, possibly, losing access to Facebook might give you a lot of time back in your day.

OK, so now I scared you out of using two factor authentication.  Let me see if I can make you OK with two factor.

First, if the web site allows it, you should create a backup authentication option.  For example, many companies will allow you to get your second factor via text message OR phone call. Or possibly via text message OR email.  If they allow that, then make sure that you set that up.  That way, if you lose access to your phone number, you can still log in after receiving the code via phone call or email.  DO NOT make the phone number the same phone number that you get your text messages from.  Remember that the issue is that you lost control of that phone number.  Use a home phone or work phone or spouse’s phone or just something different.

Next, make sure that you keep track of what those second methods are.  Sometimes a web site will display an option showing you how you can receive the second factor.  If it does, pay attention and make sure that you still have access to it.

Do not release your phone number unless you are sure that everything you are using it for has been accounted for.  If you have to change your phone number for some reason, look at all the accounts that number protects, disable two factor on them before you get rid of that number, and then turn it back on with the new number.

Talk to your phone carrier and add a password to your mobile phone account.  While hackers can sometimes social engineer their way around that, it makes it more difficult.  That will reduce the odds that you will lose access to that phone number.

Finally, ask the vendor what their policy is for resetting two factor authentication.  Even Google has a method to do this.  It is a bit of a pain and it can take a couple of days, but it is possible.

As two factor becomes more popular, vendors are going to have to deal with this new reality, but it will take some time.

Also, if you use two factor authentication apps like Facebook Authenticator, those are more portable.  As long as you don't lose access to your Facebook account, you can still access the authenticator – from any phone – as long as your access to Facebook is not protected solely by a second factor sent to that lost phone NUMBER.

I know, something else to worry about.  I think as long as you set up two different methods to receive that second factor, you are pretty safe.  Just keep it in mind.
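To make the "what do I lose with this number" question concrete, here is an added example (not from the original post) that models accounts, their second-factor delivery methods, and the chain where an authenticator app depends on a Facebook login, then answers which accounts are locked out if a given number is lost. All account names, numbers and addresses are constructed.

```python
"""Added example (not from the original post): which accounts become
unrecoverable if you lose control of a phone NUMBER.

Each account lists how its second factor can be delivered: by SMS or call to a
number, by email, or through another account (an authenticator that lives
inside a Facebook login, as the post describes). Losing a number can cascade:
if Facebook is only reachable via that number, everything behind Facebook goes
too. Account names, numbers and addresses are constructed."""
from typing import Dict, List, Set, Tuple

Method = Tuple[str, str]   # (kind, target); kind is "sms", "call", "email" or "account"

ACCOUNTS: Dict[str, List[Method]] = {
    "bank":     [("sms", "+1-555-0100"), ("call", "+1-555-0100")],  # "backup" on the same number
    "mailbox":  [("sms", "+1-555-0100"), ("call", "+1-555-0199")],  # second method on a different line
    "facebook": [("sms", "+1-555-0100")],
    "shop":     [("account", "facebook")],                          # codes come from the Facebook app
    "payroll":  [("email", "me@example.com")],                      # code emailed to the mailbox
}
# which account protects a given mailbox (constructed)
MAILBOX_OWNER: Dict[str, str] = {"me@example.com": "mailbox"}


def reachable(account: str, lost: str, accounts=ACCOUNTS, owners=MAILBOX_OWNER,
              seen: Set[str] = frozenset()) -> bool:
    """True if at least one second-factor path for `account` survives losing number `lost`."""
    if account in seen:          # cycle guard: an account cannot vouch for itself
        return False
    seen = set(seen) | {account}
    for kind, target in accounts.get(account, []):
        if kind in ("sms", "call") and target != lost:
            return True
        if kind == "email":
            owner = owners.get(target)   # a mailbox is only as safe as the account guarding it
            if owner is None or reachable(owner, lost, accounts, owners, seen):
                return True
        if kind == "account" and reachable(target, lost, accounts, owners, seen):
            return True
    return False


def locked_out(lost: str, accounts=ACCOUNTS, owners=MAILBOX_OWNER) -> List[str]:
    """Accounts with no surviving second-factor path once `lost` is gone."""
    return sorted(a for a in accounts if not reachable(a, lost, accounts, owners))


def single_number_backups(accounts=ACCOUNTS) -> List[str]:
    """Accounts whose methods are all SMS/call to one and the same number: not a real backup."""
    out = []
    for name, methods in accounts.items():
        numbers = {t for k, t in methods if k in ("sms", "call")}
        if len(methods) > 1 and len(numbers) == 1 and all(k in ("sms", "call") for k, _ in methods):
            out.append(name)
    return sorted(out)
```

Run `locked_out("+1-555-0100")` to see that the bank account, Facebook, and the shop that relies on the Facebook authenticator all fall together, while the mailbox survives because its call option is on a different line.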



Amazon Inside Delivery Security Already Compromised

Remember a few weeks ago when Amazon said they had a solution to packages being stolen off people’s porches?  It involved a remote control door lock and a security camera.  Many people – not just security people – winced at the idea.  After all, what could possibly go wrong?

Well just a couple of weeks later we now know the FIRST answer to that question.

That Internet enabled camera was connected to the door lock via the Zigbee wireless protocol and via WiFi to the Internet.  Neither of those channels is terribly secure.

Researchers have now demonstrated that from a computer within WiFi range (probably even a phone) running a simple program, the camera can either be disabled or left with the last image frozen on the screen.  The viewer (the homeowner) would either see a blank screen or perhaps the closed door from just before the rogue delivery person enters the house and robs you blind.

The hack is incredibly simple and a well known attack.  The crook sends the camera a "deauth" command, kicking it off the WiFi network (which is why, at the very least, you want that camera to be hard wired to the Internet, even though that is not as cheap, easy or pretty as doing it via WiFi).  If you keep sending that command, the camera keeps getting kicked off and never really gets back online.  The camera/server, for some stupid reason, does not generate an alarm warning the user that the house may be burgled, but rather it just shows the last frame that it captured.

At this point the delivery person/burglar opens the door again, moves outside of the field of view of the camera and stops attacking the camera.  Now the crook sends a lock command and everything looks like it should look.

After stealing all your stuff, the bad guy exits the house via a different exit (door or window).

The attacker could also trigger the deauth right as the driver is leaving and since kicking the camera off WiFi would also disable the lock since it piggybacks off the WiFi camera, the driver would think he locked the door when he did not.  Hopefully, the driver will verify that the door is actually locked before he leaves.

These attacks require a great deal of patience to implement, so they are not high risk, and Amazon plans to issue a patch, although a deauth is a valid WiFi operation.  Maybe they will generate an alert.

Amazon also says that they will call a customer if the lock remains unlocked (at least unlocked in the mind of the computer) for more than a few minutes – assuming they can reach the customer and assuming the customer is close to the house.  If the door is unlocked and the customer is in another city or state, what good does a call do?
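The alarm the post says the camera/server should have raised is a small piece of logic. Below is an added example (my own, not Amazon's code) of a server-side monitor that alarms when the camera's frames stop arriving while a delivery is in progress (which is what a deauth flood looks like from the server's side), and when a door stays reported as unlocked for too long, rather than quietly showing the last frame. The event format, timings and thresholds are constructed for illustration.

```python
"""Added example (not Amazon's code): a server-side monitor for a delivery
camera/lock pair. Rather than freezing on the last frame, it raises an alarm
when frames stop arriving while a delivery is in progress, and when the door
stays unlocked too long. Event format, timings and thresholds are constructed."""
from dataclasses import dataclass
from typing import List, Optional

STALE_SECONDS = 10   # no frame for this long during a delivery -> alarm
UNLOCK_LIMIT = 120   # door reported unlocked longer than this -> alarm


@dataclass
class Event:
    t: float    # seconds since the delivery started
    kind: str   # "frame", "unlock" or "lock"


def analyze(events: List[Event], end_time: float) -> List[str]:
    """Return alarms in time order; a delivery is in progress between unlock and lock."""
    alarms: List[str] = []
    in_delivery = False
    last_frame: Optional[float] = None
    unlocked_at: Optional[float] = None

    def check_gap(now: float) -> None:
        nonlocal last_frame
        # the feed has gone silent: alarm, rather than quietly showing the last frame
        if in_delivery and last_frame is not None and now - last_frame > STALE_SECONDS:
            alarms.append(f"t={last_frame + STALE_SECONDS:.0f}: camera feed lost during delivery")
            last_frame = None   # report each outage once; a new frame re-arms the check

    for ev in sorted(events, key=lambda e: e.t):
        check_gap(ev.t)                     # a gap that opened before this event arrived
        if ev.kind == "frame":
            last_frame = ev.t
        elif ev.kind == "unlock":
            in_delivery, unlocked_at = True, ev.t
        elif ev.kind == "lock":
            in_delivery, unlocked_at = False, None
    check_gap(end_time)                     # feed silent right up to the end of the window
    if unlocked_at is not None and end_time - unlocked_at > UNLOCK_LIMIT:
        alarms.append(f"t={unlocked_at + UNLOCK_LIMIT:.0f}: door unlocked for over {UNLOCK_LIMIT}s")
    return alarms


# Constructed timeline: driver unlocks at t=0, frames arrive every 2s, the feed
# dies after t=20 (a frozen display would keep showing that frame) and no lock
# event ever arrives.
SAMPLE = [Event(0, "unlock")] + [Event(t, "frame") for t in range(0, 21, 2)]
```

`analyze(SAMPLE, 200)` returns two alarms: the feed loss at t=30 and the unlock timeout at t=120, which is the point at which the post says Amazon would start phoning the customer.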

And, attacks often become more sophisticated over time.  This is only the very first attack.

Stay tuned, this game is not over yet.

Information for this post came from Wired.


Feds Talk About Using Software Bugs Against You

Under President Obama, the feds created a non-binding policy document called the Vulnerability Equities Process.  This came after Snowden disclosed a long assumed fact: that the spy organizations were hoarding bugs to use against whomever they wanted rather than telling the developers about them so that they could be fixed.  Of course, we are hardly alone in doing that.  Every country likely does that.

The policy was kind of loose and since it wasn’t a law, people sometimes followed the directive and sometimes didn’t – but of course, we never knew anything about it.  It was one of those “We’re from the government, we’re here to help you – trust us”.

Even the government admitted that the policy wasn’t super effective, but nothing changed.  This week they rolled out – with not much fanfare (it was released by a mid level White House bureaucrat) – Vulnerability Equities Process 2, the sequel.

One thing this new document did was explain at least some of the process, who is involved and what the guidelines are.  It also says that the government needs to report on an annual basis some statistics – how many bugs were hoarded and how many shared with the vendors.

Of course this is still just a policy document, so it really carries very little weight and no penalty at all.

This new document comes on the heels of a Freedom of Information Act LAWSUIT.  Maybe just a coincidence, but more likely, the government probably felt more dirty laundry would come out during discovery and trial and if they dribbled out a little bit of information, maybe the lawsuit will go away.  Stay tuned on that count.

The board that decides these things consists of representatives from 10 agencies including the CIA, Defense, Justice, Treasury and other agencies.

The board is supposed to consider how broadly the product affected is being used, how easy it might be for someone else like the Chinese to discover the same bug and what the consequences might be if the Chinese, for example, did discover some bug that the government is hoarding.

The new policy says that the executive branch has to generate both a classified and unclassified report to Congress.  We will see when the first report happens and what it looks like.

One hole in this policy the size of an 18 wheeler is that if a bug is disclosed to the government by a white or black hat hacker under an NDA (which is pretty common), then they don’t have to go through the process.  I guess it would be nice to have a stat on how many bugs slipped through that loophole and whether the government is suggesting to people who want to share a bug with them “hey, I think you should do this under an NSA.  Oh, oops, I meant NDA.”


Information for this post came from Dark Reading.


The Active Cyber Defense Certainty Act – What COULD Go Wrong

Most of the time we feel pretty helpless when it comes to going after hackers.  There is a good reason for that – for the most part, we are helpless.  The hackers operate under their own rules and law enforcement really isn't equipped to deal with them.  It is hard enough for the cops to catch burglars and murderers (how many of those cases go unsolved every year), but when it comes to cyber crimes, I would hazard a guess that 999 out of every 1,000 go unsolved.

Enter ACDC, the Active Cyber Defense Certainty Act.  This bill would allow businesses, within certain parameters, to hack back at the hackers to destroy stolen information and try to unmask the hackers, as long as they don't do damage.

There was a recent case where this was tried with no success and I think this is going to be the normal situation – no success.

London Bridge Plastic Surgery is a high end plastic surgery practice in England – they do plastic surgery on the rich and the famous, including the Royals.  They were hacked and the hackers shared graphic photos of their patients with the media.  So far, I don't think they have published those photos.

Apparently, the chief surgeon fancies himself a bit of an amateur hacker and sent the hackers a Word document with a link to a file on his server, in the hope of getting the hackers' IP address from this.

Not surprisingly, the hackers detected this attempt and publicly scolded the doctor who said that he didn’t do it.  The hackers now say that they are going to punish the doctor for attempting to uncover them, although they have not said what that might be.

In the end, you run the risk of upsetting folks who may have backdoors into your system and, in this case, claim to have terabytes of your sensitive data, which they could easily dump on the web.

So if ACDC passes and you choose to hack the hackers, understand that the hackers might be smarter than you and there could be serious consequences for you, your company, your data and your clients.

On the other hand, if you think you are smarter than the hackers then why were they able to hack you?

Information for this post came from The Daily Beast.


Hackers Fool iPhone FaceID for $150

It usually doesn’t take very long.  Whether it is fooling the fingerprint reader or jailbreaking an iPhone, it often comes within hours of a new device or software release.  Maybe, in this case, it says that Apple did good because it took a week to break Face ID.

On the other hand, it only took about $150 to do it.

Wired spent thousands trying to create 3D masks and was unable to fool it, but some hackers in Vietnam did it on a budget.

In Apple’s defense, they did have to spend about 5 minutes videoing the subject to get good data, but if you are going after a politician or a celebrity, getting 5 minutes of HiDef video will not be a problem.

The first thing they did is take the video and make a 3D printed frame for the attack.

Next they added a silicone nose.

Finally, they 2D printed (like on a piece of paper) the user's eyes and attached them to the mask.

In the demo, when they uncovered the mask, the iPhone X unlocked.

So much for security on your $1,000 phone.

Probably, for the average person, the level of security FaceID provides is adequate.

But remember, the iPhone X is a status symbol, not a phone.  The people who are going to buy them are business executives on expense accounts and politicians using other people's money.  Those are great targets for the bad guys and worth, for sure, spending $150 to compromise their phone.

In fairness to Apple, the researchers have not revealed enough details to enable people to recreate this.

In fairness to the researchers, they have presented previous hacks of Lenovo and Toshiba facial recognition at Black Hat.

So, depending on your level of concern regarding the security of your phone, a good old password is likely best.  Make it reasonably long and avoid the glitz.

For the billionaires who buy an iPhone X, you might want to reconsider your proclivity for convenience over security and steer clear of FaceID.

Your call.

Information for this post came from Wired.


Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden and dumping documents on seemingly a weekly basis.  There were two schools of thought regarding Snowden.  Some said he was a hero for disclosing illegal government actions.  Others said that he was a traitor for disclosing national security secrets.  The leaks seem to have stopped at this point.  For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers.  Where Snowden leaked documents, Shadow Brokers leaked tools.  Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are.  These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches.  Remember the WannaCry infection that cost Fedex $300 million and Merck $600 million – so far?  Yup.  One of those tools that was released.  And for which there were patches issued but not applied.  And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your fingertip, leaks are hard to stop.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA's most elite group of hackers.  He said that the Shadow Brokers had details that even most of his fellow NSA employees didn't have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security.  This is why the NSA hoards security vulnerabilities instead of telling the vendors to fix them.  Maybe that is an idea that needs to change.  It certainly does not seem to be working out very well for American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.
