Tag Archives: MFA

Do You Like Multi-Factor Authentication?

Do you use multi-factor authentication? Google says that less than 10 percent of its users use MFA. They were concerned that if they made people use MFA, those people would leave. Not sure where they would leave to, though. Who else offers as compelling a suite of software? For free. Or at least just for stealing all of your information.

Google announced this week that by the end of this year they are going to automatically enroll 150 million Google users and 2 million YouTube creators in two factor authentication.

Google is not telling you which method of MFA you are going to use. You can use an app on your phone. Or you can get it emailed to you. Or a hardware token. Or even via text message.

If you sign up for a new account, you will automatically be enrolled in two factor authentication.

Given that Google has, probably, a billion users, they are being selective in terms of which 150 million users are being auto-enrolled.

On the other hand, if you want to post stuff on YouTube, MFA is not optional.

So, if you have been hesitant to use MFA, you might want to try it now. Before it gets turned on for you.

What is not clear is whether you can turn it off once it has been turned on. My guess is that you can, just like you can now, but it sounds like Google is going to be persistent.

Credit: Bleeping Computer

Multi-Factor Authentication is NOT a Silver Bullet

As hackers got better, so did developers. Multi-factor authentication, a technique which requires something that you know, like a password, plus something that you have, like an SMS message on your phone, makes the lives of crooks harder. But it is far from impossible to attack, and here is why.

One way this is done is via social engineering. In this situation, the hacker who wants to take over an account contacts the user and spins a story about something – maybe “I am from your cell carrier and there is a problem with your account, but first I need to authenticate you, so I am going to send you a text message.” Unfortunately, users sometimes fall for this. What is really happening behind the scenes is that the hacker gets the user on the phone, gets them committed to the story, and at that point logs on to the user’s account with the password they already have. The system sends the user a one-time SMS password, the user reads that code to the hacker, and the hacker completes the login and does whatever they want.

One fairly effective way to thwart this is to literally hang up on the supposed phone company or law enforcement or whatever caller, look up the correct number for the organization securely – DO NOT use any number the hacker gives you – and explain the situation when you call them. Note that you do not want to try to reason with the hacker or explain what you are doing. JUST. HANG. UP! Not perfect, but it improves your odds a lot.

Another way to get around multi-factor authentication is to use what are called “legacy protocols”. These are older protocols that do not support MFA. For example, let’s say you use Office 365 and require MFA. Hackers can get around this requirement by using older protocols such as POP, SMTP or MAPI, or older applications such as iOS Mail on iOS 10 and earlier. Since these apps and protocols don’t support MFA, the password alone is enough: if the hacker has your password, he or she can get in and send or receive data.

IF POSSIBLE without crippling the business, disable these older protocols and older apps. Every platform is different in terms of whether, and how, this disabling works.

Some platforms, like Office 365, have a feature specifically designed to block these older protocols and apps. For Office 365, this is called Conditional Access, but even that is not perfect.

The best way to disable these features is, IF YOU CONTROL THE SERVER, to turn off the protocol on the server itself. You can’t do this in the case of most cloud applications.

Still, understanding the issue and potential options to protect your company is important. Work with your vendors and suppliers to understand the risks and potential responses. Read Abnormal Security’s blog post for more information.

Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of their recommendations are being added to the National Defense Authorization Act, which is a “must pass” bill to fund the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate generals. Stay tuned; that sausage is still being made. If the recommendations do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as an intermediary between your financial institutions and you, are not regulated in the same way that, say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue, and Dave will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading

IRS “Recommends” 2FA – Makes it Mandatory Next Year

The IRS is “recommending” that tax pros use multi-factor authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if they had used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend two-factor apps like Google Authenticator over SMS messages, which are easier to hack. Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that they have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude fewer cell sites. Unfortunately, this also means that the speed you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you get today with your current phone, without spending the money on the new phone and new plan. For details, read the article in USA Today.

Security News for the Week Ending March 13, 2020

9 Years of AMD Processors Vulnerable to 2 New Side-Channel Attacks

AMD processors from as early as 2011 to 2019 carry previously undisclosed vulnerabilities that open them to two new side-channel attacks, according to freshly published research.

Known as “Take A Way,” the new potential attack vectors leverage the L1 data (L1D) cache way predictor in AMD’s Bulldozer micro-architecture to leak sensitive data from the processor, compromising security by recovering the secret key used during encryption. Source: The Hacker News

And… AMD is Not Alone This Week – Intel has Unpatchable Flaw

And the “chip wars” continue.

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that is otherwise designed to shield users’ sensitive data even when a system gets compromised.

The flaw, if exploited (only theoretical this week), would allow hackers to extract the root encryption key in the Intel Management Engine, which is the same for all chips in a particular processor family. That potentially would nullify all DRM and all whole-disk encryption, among other things. Source: The Hacker News

President Signs Bill To Help Rural Telecom Carriers Replace Chinese Equipment

The President signed the Secure and Trusted Communications Networks Act this week. The bill mandates that US telecom carriers rip and replace any “suspect foreign network equipment”. It requires the FCC to set up a compensation fund to help rural telecom carriers do this; the bigger carriers are on their own – which will likely be reflected in your bill as a fee or surcharge.

Carriers have to provide a list of equipment and estimated costs to replace it by April 22. Sometime after that, we will have a better estimate of the cost.

For some reason which is not clear to me, the bill will not cover the cost of replacing equipment purchased after August 14, 2018. It appears that telcos do not need to replace new Chinese equipment.

The requests and status of replacement activities will be posted on the FCC’s website.

The law authorizes the FCC to spend $1 billion in this year’s budget to do this.

The bill also allows companies that won spectrum bids in the last auction to abandon their builds and get their money back for the spectrum if they determine that they can’t build out what they promised without using suspect gear.

It would also appear that if the telco buys or has bought Chinese gear without a government subsidy, they can continue to use it. Source: Engadget

Microsoft Says: 99.9% of Compromised Accounts did NOT use Multi-Factor Authentication

Microsoft tracks 30 billion login events every day.

They say that roughly 0.5% of all accounts get compromised every month. That translates to around 1.2 million accounts compromised in January.

Multi Factor Authentication – Not Perfect

Hackers have figured out how to attack Office 365 and Google G-Suite accounts protected by Multi Factor Authentication (MFA).

No, this is not a bug in some software and no it is not hyper-sophisticated attack.

In fact, it is very old school.

First, as best I understand, it is a limited attack so it is not a full compromise.

It is a perfect example of security vs. convenience.

OK, I will end the suspense.

Both Microsoft and Google support IMAP for email. IMAP doesn’t support multi-factor authentication.

The bad guys use password spray attacks against millions of accounts from a large number of compromised machines.

If they get in, they use that compromised email account as a landing spot to launch attacks against other users in the same organization since they are now (pretending to be) a trusted insider.

If the company has enabled geo-fencing then the attackers might be able to use a proxy or VPN to get inside the fence, but that is more time and more work.

So does that mean that MFA is useless?

Actually not at all.

First of all, if you can disable all legacy insecure protocols (protocols that do not support MFA), do so.

Next, if you can, enable geo-fencing. This will make things harder for the bad guys.

For systems that support it, enable improbable-login detection. This will flag logins that don’t make sense, such as the same user signing in from two far-apart places minutes apart, even if both are inside the geo-fence.

Enable maximum logging and alerting. Again, we are trying to make it hard for the bad guys so they will go somewhere else.

While none of this is perfect, not having MFA enabled definitely makes life easier for the hacker.  Make it harder and unless you are a specific target, the hacker will move on.

Source: Proofpoint.
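The two posts above on legacy protocols (the Office 365 / Conditional Access discussion and the IMAP password-spray one) both come down to the same three detections once you have "maximum logging" turned on: successful sign-ins over protocols that cannot enforce MFA, one source address trying many different accounts, and improbable logins for a single user. The script below is an added example written for this page; it is not code from Proofpoint, Abnormal Security, Microsoft or Google. The log format (timestamp, user, source IP, country, client app, result) and the sample lines are constructed for the demonstration, and the thresholds (five accounts within ten minutes for a spray, two countries within two hours for an improbable login) are assumptions you would tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). The field layout is an
# assumption: timestamp user source_ip country client_app result
SAMPLE_LOG = """\
2020-03-10T08:00:12Z alice@example.com 203.0.113.7 US IMAP failure
2020-03-10T08:00:15Z bob@example.com 203.0.113.7 US IMAP failure
2020-03-10T08:00:18Z carol@example.com 203.0.113.7 US IMAP failure
2020-03-10T08:00:21Z dave@example.com 203.0.113.7 US IMAP failure
2020-03-10T08:00:24Z erin@example.com 203.0.113.7 US IMAP failure
2020-03-10T08:00:27Z frank@example.com 203.0.113.7 US IMAP success
2020-03-10T08:30:00Z alice@example.com 198.51.100.4 US Browser success
2020-03-10T09:30:00Z dave@example.com 198.51.100.5 US Browser success
2020-03-10T09:45:00Z dave@example.com 192.0.2.9 BR Browser success
2020-03-10T10:00:00Z erin@example.com 198.51.100.6 US MobileApp success
"""

# Client apps the posts name as unable to enforce MFA (password alone is enough).
LEGACY_APPS = {"IMAP", "POP", "SMTP", "MAPI"}


def parse_log(text):
    """Turn the constructed text log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, app, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "app": app, "result": result,
        })
    return events


def legacy_protocol_logins(events):
    """Successful sign-ins over protocols that bypass MFA entirely."""
    return [e for e in events
            if e["app"] in LEGACY_APPS and e["result"] == "success"]


def password_spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs that touched >= min_accounts distinct accounts inside one window.

    A spray is few attempts per account across many accounts, so counting
    failures per account (classic lockout logic) misses it; counting distinct
    accounts per source address in a sliding time window catches it.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        in_window = defaultdict(int)  # user -> attempts currently in window
        for e in evs:
            in_window[e["user"]] += 1
            # Slide the window start forward past events older than `window`.
            while e["time"] - evs[start]["time"] > window:
                old = evs[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def improbable_logins(events, max_gap=timedelta(hours=2)):
    """Users with two successful sign-ins from different countries too close together."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and cur["time"] - prev["time"] <= max_gap:
                flagged.append((user, prev["country"], cur["country"]))
    return flagged


def triage(text):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "legacy": [(e["user"], e["app"]) for e in legacy_protocol_logins(events)],
        "spray": password_spray_sources(events),
        "improbable": improbable_logins(events),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the sample log this flags frank's IMAP success (the one account the spray got into, over a protocol with no MFA), the single address 203.0.113.7 that cycled through six accounts in fifteen seconds, and dave's US-then-Brazil logins fifteen minutes apart. The legacy-protocol hit is the one to act on first: until IMAP, POP and SMTP basic auth are switched off for that tenant, the MFA requirement is not protecting that mailbox at all.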