Tag Archives: Two factor Authentication

Are your Security Self-Services Secure?

27 January 2021

In the Fox-IT blog post “Abusing cloud services to fly under the radar” [1], Wouter Jansen reports on a threat actor who gained unauthorised access to the networks of high-tech and aviation companies and stayed undetected for more than 3 years. The post also gives a great introduction to the MITRE ATT&CK framework and is highly recommended.

In the section Initial access we read: “From this portal it was possible to launch the web-based VPN. The VPN was protected by two-factor authentication (2FA) by sending an SMS with a one-time password (OTP) to the user account’s primary or alternate phone number. It was possible to configure an alternate phone number for the logged in user account at the company portal” (my emphasis).

This describes a well-known issue with self-services: once a user is authenticated to the company network, the second factor can often be changed without any additional (step-up) authentication. Self-services are designed with the best user experience and responsiveness in mind; IT security often plays a subordinate role.

From my point of view, a change of the second factor should always be approved by the user’s line manager or a deputy. This may take a while, but it makes life much harder for an attacker. In addition, the likelihood of detection goes up.
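The following is an added example, not code from Fox-IT or from any portal mentioned above, showing how a self-service backend can enforce the two controls discussed here: the existing second factor must be re-verified shortly before a change is requested (step-up), and the change only takes effect after the line manager approves it. The user names, phone numbers, the 5-minute step-up window and the audit event names are assumptions constructed for the example.

```python
"""Self-service change of a second factor with step-up and line-manager approval.
Added example for this article; names, numbers and time windows are assumptions."""

from dataclasses import dataclass
from typing import Optional


class StepUpRequired(Exception):
    """The current second factor must be re-verified before it may be changed."""


class ApprovalError(Exception):
    """Approval attempted by someone not entitled to approve this request."""


@dataclass
class Session:
    user: str
    password_verified_at: float                          # primary login (password / SSO)
    second_factor_verified_at: Optional[float] = None    # OTP on the *current* number re-verified


class FactorChangeService:
    STEP_UP_MAX_AGE = 300  # seconds (assumed policy): fresh OTP on the current phone required

    def __init__(self, line_manager: dict, phone_numbers: dict):
        self.line_manager = line_manager    # user -> approving manager (assumed HR data)
        self.phone_numbers = phone_numbers  # user -> OTP delivery number on file
        self.pending = {}                   # request id -> pending change
        self.audit = []                     # append-only log; feeds detection
        self._next_id = 1

    def change_phone_unchecked(self, session: Session, new_phone: str) -> None:
        """The weak pattern from the article: logged in means allowed to rewrite the factor."""
        self.phone_numbers[session.user] = new_phone
        self.audit.append(("phone_changed_unchecked", session.user, new_phone))

    def request_phone_change(self, session: Session, new_phone: str, now: float) -> int:
        """Hardened path: step-up with the existing factor, then queue for approval."""
        verified = session.second_factor_verified_at
        if verified is None or now - verified > self.STEP_UP_MAX_AGE:
            self.audit.append(("phone_change_denied_no_stepup", session.user, new_phone))
            raise StepUpRequired(session.user)
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = {"user": session.user, "new_phone": new_phone, "requested_at": now}
        self.audit.append(("phone_change_requested", session.user, new_phone))
        return rid

    def approve(self, rid: int, approver: str, now: float) -> str:
        """Only the user's line manager may approve; the requester can never self-approve."""
        req = self.pending[rid]
        user = req["user"]
        if approver == user or self.line_manager.get(user) != approver:
            self.audit.append(("phone_change_approval_rejected", user, approver))
            raise ApprovalError(approver)
        old = self.phone_numbers.get(user)
        self.phone_numbers[user] = req["new_phone"]   # the change becomes effective only here
        del self.pending[rid]
        self.audit.append(("phone_changed_approved", user, old, req["new_phone"], approver, now))
        return req["new_phone"]


def run_scenario() -> dict:
    """Walk through the article's scenario with constructed sample data."""
    svc = FactorChangeService(line_manager={"bob": "alice"},
                              phone_numbers={"bob": "+49-170-0000001"})
    t0 = 1_700_000_000.0
    outcome = {}
    # An intruder holding bob's password-authenticated session, without an OTP re-check.
    hijacked = Session(user="bob", password_verified_at=t0)
    try:
        svc.request_phone_change(hijacked, "+49-170-9999999", now=t0 + 10)
        outcome["without_stepup"] = "accepted"
    except StepUpRequired:
        outcome["without_stepup"] = "rejected"
    # Legitimate change: bob re-verified an OTP on his current phone 60 seconds ago.
    legit = Session(user="bob", password_verified_at=t0, second_factor_verified_at=t0 + 100)
    rid = svc.request_phone_change(legit, "+49-170-1234567", now=t0 + 160)
    outcome["phone_after_request"] = svc.phone_numbers["bob"]   # unchanged until approved
    try:
        svc.approve(rid, approver="bob", now=t0 + 200)
        outcome["self_approval"] = "accepted"
    except ApprovalError:
        outcome["self_approval"] = "rejected"
    outcome["phone_after_approval"] = svc.approve(rid, approver="alice", now=t0 + 3600)
    outcome["audit_events"] = [event[0] for event in svc.audit]
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

Each denied attempt lands in the audit log, which is where the increased likelihood of detection comes from: a phone-number change request from a session that never presented the old factor is a strong signal on its own.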

Here is some food for thought: Are your security self-services designed with security in mind?

Have a great week!


References

  1. Jansen W. Abusing cloud services to fly under the radar [Internet]. Fox-IT International blog. 2021 [cited 2021 January 26]. Available from: https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

Two-factor authentication hackable?

13 May 2018

The report “Two-factor authentication hackable” (1), published by Doug Olenick on May 10, 2018 at SC Media US, is really frightening.

Two-factor authentication (TFA) is a great means to secure users of web services against phishing attacks. I’m aware that TFA with SMS or authenticator apps is not 100% secure because the login is not bound to the service, which means that TFA is prone to Man-in-the-Middle attacks. But the title of the report suggests that TFA is no longer secure at all.

A closer look at the report shows that Doug Olenick describes a Man-in-the-Middle attack initiated by a fake URL in an e-mail. The URL points to a web service which, in this case, acts as a proxy for LinkedIn. The proxy collects the user’s account details and the session cookie. Since the session cookie contains everything required to log in to LinkedIn, the attacker can hijack the user’s account without being asked for the password or the second factor.

For details about the attack see Kuba Gretzky’s post “Evilginx – Advanced Phishing with Two-factor Authentication Bypass” (2).

What can we learn from these reports?

TFA is vulnerable to phishing and Man-in-the-Middle attacks. User awareness and anti-phishing training do not become obsolete once TFA with an authenticator app or SMS is rolled out in an organization.

Although TFA is vulnerable in this way, this should not stop you from implementing it.

FIDO U2F Key (6)

If you want to get it right the first time, implement TFA with hardware keys, e.g. FIDO U2F keys. With hardware keys the login is bound to the origin of the genuine service, which means that only the real site can complete the authentication. For details see the FIDO Alliance (3) homepage or the Yubico (4) homepage. For a great user story see the report “Google Eliminates Account Takeover with the YubiKey” (5).
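To make the difference concrete, here is an added example (not code from Evilginx, the FIDO Alliance or Yubico) that models both halves of the argument: a TOTP code typed into a proxy page is accepted by the real site because nothing in the code says where it was typed, whereas a U2F-style assertion carries the page origin and the relying-party identifier in the signed data, so the real site rejects what was produced on the proxy. The site names, device secret and challenge are constructed, and the hardware key is simulated with HMAC in place of the ECDSA signature a real U2F key produces; the binding logic is the part that matters.

```python
"""OTP relay versus origin-bound assertion. Added example; the hardware key is
simulated with HMAC instead of ECDSA, and all names/keys/challenges are constructed."""

import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://bank.example"         # constructed: the genuine service
PROXY_ORIGIN = "https://bank-login.example"  # constructed: the phishing proxy
RP_ID = "bank.example"                       # relying-party identifier registered with the key


# --- Part 1: TOTP (RFC 6238, SHA-1, 30 s steps) as produced by authenticator apps ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def site_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), code)


def relayed_totp_login(secret: bytes, unix_time: int) -> bool:
    """User types the code into the proxy page; the proxy forwards it unchanged.
    The code carries no information about the page it was typed into, so it is accepted."""
    code_typed_on_proxy = totp(secret, unix_time)        # user's app, same shared secret
    return site_accepts_totp(secret, code_typed_on_proxy, unix_time)


# --- Part 2: origin-bound challenge/response (U2F-style, simplified) -------------------
def browser_client_data(page_origin: str, challenge: str) -> bytes:
    # The browser, not the page, fills in the origin it is actually displaying.
    return json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True).encode()


def browser_rp_id_for(page_origin: str) -> str:
    # Browser rule: the RP ID handed to the key must match the host of the page origin.
    return page_origin.split("://", 1)[1]


def simulated_key_sign(device_secret: bytes, rp_id: str, client_data: bytes) -> bytes:
    # Simplification: per-RP key derived from the device secret; a MAC stands in for ECDSA.
    rp_key = hmac.new(device_secret, rp_id.encode(), hashlib.sha256).digest()
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(rp_key, signed, hashlib.sha256).digest()


def site_verifies_assertion(registered_rp_key: bytes, challenge: str,
                            client_data: bytes, signature: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != REAL_ORIGIN or data.get("challenge") != challenge:
        return False                                      # produced on a different origin
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    expected = hmac.new(registered_rp_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def hardware_key_login(device_secret: bytes, page_origin: str, challenge: str) -> bool:
    """Challenge issued by the real site, shown to the user either directly or via the proxy."""
    registered = hmac.new(device_secret, RP_ID.encode(), hashlib.sha256).digest()  # from enrolment
    client_data = browser_client_data(page_origin, challenge)
    signature = simulated_key_sign(device_secret, browser_rp_id_for(page_origin), client_data)
    return site_verifies_assertion(registered, challenge, client_data, signature)


if __name__ == "__main__":
    seed, device = b"constructed-totp-seed", b"constructed-device-secret"
    print("TOTP relayed through proxy accepted:", relayed_totp_login(seed, 1_600_000_000))
    print("U2F-style login on real site:", hardware_key_login(device, REAL_ORIGIN, "c1"))
    print("U2F-style login via proxy:", hardware_key_login(device, PROXY_ORIGIN, "c1"))
```

The proxy fails twice over: the client data it obtains names its own origin, and the key derived for that origin is not the one enrolled with the real site. A relaying attacker cannot patch either value, because both are inside the signed data.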

Have a great week.


  1. Olenick D. Two-factor authentication hackable [Internet]. SC Media US. 2018 [cited 2018 May 13]. Available from: https://www.scmagazine.com/network-security/two-factor-authentication-hackable/article/765135/

  2. Gretzky K. Evilginx – Advanced Phishing with Two-factor Authentication Bypass [Internet]. BREAKDEV. 2017 [cited 2018 May 13]. Available from: http://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass

  3. FIDO Alliance. FIDO Alliance homepage [Internet]. [cited 2018 May 13]. Available from: https://fidoalliance.org/

  4. Yubico. U2F – FIDO Universal 2nd Factor Authentication [Internet]. [cited 2018 May 13]. Available from: https://www.yubico.com/solutions/fido-u2f/

  5. Yubico. Google Eliminates Account Takeover with the YubiKey [Internet]. [cited 2018 May 13]. Available from: https://www.yubico.com/about/reference-customers/google/

  6. Picture credits: Amazon.de [Internet]. [cited 2018 May 13]. Available from: https://www.amazon.de/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8


A lesson in Phishing and Two Factor Authentication

13 August 2017

The post ‘Hackers Hijack Popular Chrome Extension to Inject Code into Web Developers’ Browsers’, published on August 3, 2017 by Graham Cluley at the Tripwire blog ‘The State of Security’, gives another good reason for the use of Two Factor Authentication.

Since phishing emails are getting better and better, it is not surprising that even professionals can be tricked.

Thus I can fully accept the developer’s answer ‘I stupidly fell for a phishing attack on my Google account.’ to the question ‘Any idea how this could have happened?’.

But I cannot understand why the Google account was not secured with Two Factor Authentication (TFA), in particular because Google’s Push Notification makes life with TFA really easy.

With TFA enabled, this cyber attack could have been prevented.

Have a great week, and activate TFA for your Google account.

Cybersecurity is just too much trouble for the general public, claims study

8 October 2016

In the report ‘Cybersecurity is just too much trouble for the general public, claims study’, published on 6 October at the Tripwire State of Security blog, Graham Cluley quotes from the NIST study ‘Security Fatigue’:

“Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.”

We should not be surprised ‘that the public is suffering from “security fatigue” and a feeling of helplessness when it comes to their online security’. Most of the advice for end users in the information security domain is just puzzling. Let me make this clear with an example.

The renowned German consumer organisation Stiftung Warentest assessed 15 e-mail providers in the October 2016 edition of its magazine Test. The focus of the assessment was data privacy, ‘the protection of customers and emails against unwanted looks’, and, of course, usability. Table 1 below shows the Stiftung Warentest quality ranking.

Provider                   Quality Ranking (1)
Mailbox.org Tarif Mail     1.4
Posteo                     1.4
Mail.de Plusmail           2.2
GMX Topmail                2.3
Web.de Club                2.3
Web.de Freemail            2.5
GMX Freemail               2.6
Telekom Freemail           2.6
Freenetmail Basic          2.7
Telekom Mail / Cloud M     2.7
1&1 Mail Basic             3.1
AOL Mail                   3.1
Yahoo Mail                 3.2
Microsoft Outlook.com      3.3
Google Gmail               3.4

Table 1: Stiftung Warentest rankings

(1) Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

At first glance, the table suggests that it is sufficient to use one of these providers (all were rated from very good to average) and security is guaranteed.

Unfortunately, this assessment is very misleading. Email encryption is just one aspect of information security. It protects against cyber criminals, state-sponsored attackers or insider attacks because the information is not readable unless the attacker has access to the encryption key.

If an attacker is able to compromise a user’s account, e.g. through a password phishing attack, they might have full access to all emails, even though the emails are stored encrypted.

Securing an account against phishing with frequent password changes and individual passwords for different services is not sufficient. And the usability is poor, even if password managers are used. Two-Factor Authentication (TFA) or one-time passwords are the tools of choice to enhance security against phishing attacks.

Table 2 shows the Stiftung Warentest results updated with details about TFA availability.

Provider Quality Ranking (1) TFA available With soft token With SMS With hard token
Mailbox.org Tarif Mail 1.4 (2) Yes Yes Yes
Posteo 1.4 Yes Yes  
Mail.de Plusmail 2.2 Yes Yes Yes
GMX Topmail 2.3 No
Web.de Club 2.3 No
Web.de Freemail 2.5 No
GMX Freemail 2.6 No
Telekom Freemail 2.6 No
Freenetmail Basic 2.7 No
Telekom Mail / Cloud M 2.7 No
1&1 Mail Basic 3.1 Undef. (2)
AOL Mail 3.1 Yes Yes
Yahoo Mail 3.2 Yes   Yes  
Microsoft Outlook.com 3.3 Yes Yes Yes
Google Gmail 3.4 Yes Yes Yes Yes

Table 2: Rankings updated with details about TFA

(1) Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

(2) It was not possible to determine from the provider’s homepage whether TFA is available

Only 7 of the 15 email providers allow the use of a second factor. The limitation to one aspect of information security creates puzzling results and a false sense of security. It is therefore no wonder that consumers show the ‘characteristics of security fatigue’.

Under normal conditions, TFA with soft tokens is activated within seconds and is very easy to use. From my point of view, service providers should create the necessary attention and enforce the use of TFA. It is not sufficient to notify users of new waves of phishing attacks.

Have a good weekend.

AppGuard is an important part of a comprehensive security stack

16 July 2016

In the past weeks I have tried hard to get an idea of the capabilities of Blue Ridge Networks AppGuard. To be honest, I would not like to miss AppGuard anymore. AppGuard creates the really good feeling that, under certain conditions, many cyber-attacks are simply rendered ineffective.

AppGuard is a perfect means against all kinds of Trojans and downloaders, in particular zero-days. Characteristic of this kind of malware is that it either directly drops a malicious program or downloads one from the attacker’s server, and then executes it. This includes e.g. most known ransomware.

The User Space and MemoryGuard concept blocks this kind of malware out of the box, provided that the User Space concept is not undermined by a user who permanently works with high privileges. If the user works with privileges which allow the Trojan program to store files outside the User Space, the concept no longer works.

It is strongly recommended to work with the least possible privileges under normal conditions. If higher privileges are required, set up a separate account with the required privileges and supply that account’s credentials when UAC prompts for elevation.

More advanced malware may try to use the Windows auto-elevation feature to acquire higher privileges and compromise AppGuard. To protect against auto-elevation attacks, set UAC to ‘Always notify me’.

This works even in the case of a gaming computer, where e.g. WOW and TeamSpeak are heavily used. Why shouldn’t it work on a standard system?

In addition, it is strongly recommended to disable macro execution in all kinds of office software, e.g. Microsoft Office, OpenOffice or LibreOffice.

MemoryGuard protects against all kinds of zero-day drive-by downloads, PUPs (potentially unwanted programs) and file-less malware.

My comprehensive security stack.

AppGuard does not protect against password phishing attacks of any kind. Although popular internet browsers block many malicious URLs through URL reputation, e.g. SmartScreen filtering in Internet Explorer or the corresponding protection in Firefox, this will not help against zero-days.

To reduce the likelihood of credential theft, turn on Two-Factor Authentication (TFA) for as many of the internet services you use as possible. If TFA cannot be enabled, choose a strong password and take care, which means:

User awareness is the basic part of the entire security stack!

To put it succinctly: the proposed security stack will dramatically reduce the risk of cyber-attacks. Blue Ridge Networks AppGuard is an important component of this stack, in particular for protection against all kinds of zero-days.

Have a good weekend.

IRS Suspends Identity Protection Tool after Fraudulent Logins

12 March 2016

The IP PIN is an effective means to solve the identity theft problem that caused the IRS data breach in 2015. An IP PIN is not as good as a physical second factor, e.g. a FIDO security key or a grid card, but better than easy-to-break identity verification questions. Moreover, IP PINs are easy to roll out by mail, and the effort for implementation is moderate.

Unfortunately, IP PINs sometimes get lost and must be recovered. This means that we need a method for unambiguously identifying a person. For this the IRS uses easy-to-guess identity verification questions. On Krebs on Security we read:

‘The problem, as Wittrock’s case made clear, is that IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.’

It is enough to drive one crazy!

Dear IRS,

the White House wants YOU to #TurnOn2FA! For more details, please see the Cybersecurity National Action Plan published on 9 February 2016:

‘Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure.’

Have a good weekend.

Rules for safe handling of electronic grid cards required to avoid cyber risks

13 February 2016

Electronic grid cards are often used for implementing strong or Two Factor Authentication. Although they offer less security than e.g. physical grid cards or authenticator apps, they are very popular because the rollout is easy: just assign the grid card to the user in the authentication system, email the PDF document with the grid card, and off you go.

That sounds good, but without training in proper handling of the grid card this may end in a security nightmare. Besides processes for e.g. blocking the grid card in the case of loss or theft, rules for proper handling need to be defined and communicated to all users:

  • Print the grid card and store the printout in a safe place.
  • If required for convenient access, store the grid card on a secured mobile device.
  • Delete the email after printing and empty the mail program’s waste bin.
  • Delete the PDF document after printing, and make sure it is neither cached nor left in the computer’s waste bin.
  • Do not note down passwords on the back of the grid card.

Please note that this list should not be considered as complete.

In particular, copies on any kind of online storage may pose a risk to a company. A cyber attacker who has hijacked a computer may find the online copy and use it when a grid card challenge is requested, e.g. for secure logon to the company’s web access portal.

Take care.

How to ensure strong passwords and better authentication

30 November 2015

Peter Wood’s ‘Five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft’, published recently on ComputerWeekly.com, is really worth reading.

The checklist is a good starting point for a self-assessment, except for the tip on Two-Factor Authentication. I fully agree that privileged accounts and accounts used for remote access must be given special protection. But this will not stop attackers from stealing information once they have gained access to the company network, e.g. through a phishing attack. In this case the attacker acts as an authenticated user with all the authorizations granted to this user.

If Two-Factor Authentication is required even for access to business-critical information inside the company network, a large number of attacks are no longer possible, because the attacker simply has no access to the second factor, e.g. the user’s smartphone and the authenticator app.

A 27-character passphrase like ‘1sn’t th1s a good password?’ is definitely much safer than an 8-character, hard-to-memorize strong password. But the passphrase is as useless as the password once the attacker has managed to get access to the network. In this case a second factor could make life more difficult for the attacker. In addition, the chance of being discovered increases dramatically.

Have a good week.

It was about time: Amazon introduces Two Factor Authentication

20 November 2015

Just in time for the Christmas sale, Amazon introduced Two Factor Authentication (TFA) this week. Setup is as easy as for WordPress.com: navigate to the Advanced Security Settings page, choose Authenticator App, scan the bar code and verify the code.

Unless you are a customer of Amazon in Germany: the Advanced Security Settings page is not available on Amazon.de. The same holds for Amazon.co.uk. Amazon seems to stagger the rollout, with a focus on the US market because the Christmas sale starts earlier there.

Hopefully Amazon will roll out TFA in Germany in the next few days as well. Otherwise there will be no Christmas presents for the kids this year…

Have a good weekend.

TalkTalk warns customers about personal data breach

4 November 2015

When Warwick Ashford’s report about the TalkTalk data breach popped up in my mail box on 23 October I was busy with holiday preparations. Thus I only skimmed through the report. On Saturday morning at the airport I read the report in peace and searched for more information.

UK phone and broadband provider TalkTalk was hacked. The company announced the attack on 21 October on their website. Attackers may have accessed the data of, in the worst case, 4 million customers.

What surprised me was that this was the second attack this year.

But what really concerns me is the proposed solution:

“Encryption is the only way for organisations to get control and be in a position to mitigate and ultimately accept risk,” said panellist Frank Weisel, regional sales manager at Vormetric in Germany.

Data encryption as an isolated protection measure is simply irrelevant in this and many other cases, because once the attackers have managed to get onto the victim’s network they act as authorized users. And authorized users have access to the data and the encryption keys.

Whether the initial attack is performed via SQL or command injection, an unpatched server or a phishing attack is of no interest. Only the result counts.

Alan Solomon took the same line some days later in his post “TalkTalk was hacked. But it’s silly to ask if the data was encrypted”.

In my opinion the basic problem comes from the inherently weak user authentication technology. This became clear to me once again when I collected my rental car at Funchal airport.

Although the desk operator had my reservation details on his screen, I had to authenticate myself with my passport and a valid driver’s license to get the car key. When it comes to safety, Two Factor Authentication (TFA) is taken for granted.

From my point of view it’s time to secure access to business-critical company data with a second authentication factor: for all employees who have a stake in the data, for every session, and, of course, in addition to encryption, patching, secure application development, etc.

This will massively hinder attackers from getting access to a company’s secrets.

Have a good day.