
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Mugsley (Delaware) Registered User regular
    I have a bunch of questions about password managers, mostly due to my unique situation.

    Work computer: cannot add extensions to any browser, cannot install a local app, etc.

    For the time being, I can have my phone at my desk, but that will be changing "soon."

    If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?

    We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden)

  • Orca, also known as Espressosaurus Wrex, Registered User regular
    Mugsley wrote: »
    I have a bunch of questions about password managers, mostly due to my unique situation.

    Work computer: cannot add extensions to any browser, cannot install a local app, etc.

    For the time being, I can have my phone at my desk, but that will be changing "soon."

    If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?

    We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden)

    If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet? :p

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited April 2019
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

  • Inquisitor77, 2 x Penny Arcade Fight Club Champion, A fixed point in space and time, Registered User regular
    edited April 2019
    Are you even allowed to surf non-work stuff if your job is going to restrict installations and even your phone in that manner?

    An alternative would be to write down the passwords you need on paper, and changing them whenever you throw away or lose them. The nice thing about password managers is that changing your password is super easy should something happen.

    Also, enabling two-factor authentication and having a hardware key fob adds another layer of security for these kinds of situations.

  • Jebus314 Registered User regular
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

    To some extent that is true even without a password manager. Unless you're saying you only log into your accounts on your computer and never use your phone, since a compromised phone could just wait and record your passwords rather than stealing your password database.

    Personally I just keep my LastPass phone app logged out. If I need to log into something I'll open it, log in with the main password, then copy the password I need, then log out. It's definitely more of a pain, but then at least the default state is that my passwords are not accessible if someone gets access to my phone.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • DisruptedCapitalist, I swear!, Registered User regular
    Seems like the way things are going these days it's more secure to just put your passwords on a post-it note on your monitor assuming your building is mostly secure and you can trust your family/roommates. I mean, I'd even figure that your average smash-and-grab meth addict would have their brain too addled to be wasting their time trying to log into your computer with your passwords.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • Orca, also known as Espressosaurus Wrex, Registered User regular
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

    Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There aren't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.

    I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.

    I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...

  • Mugsley (Delaware) Registered User regular
    Orca wrote: »
    Mugsley wrote: »
    I have a bunch of questions about password managers, mostly due to my unique situation.

    Work computer: cannot add extensions to any browser, cannot install a local app, etc.

    For the time being, I can have my phone at my desk, but that will be changing "soon."

    If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?

    We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden)

    If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet? :p

    Yes, we can surf externally with a proxy in between. It lets me get to most places (hence why I'm posting here from work) but there are many others I cannot access.
    ----
    So I need an explanation then. I set things up with a password manager. I go to log into [X Site] that is using a random, 12-character password at work. I have my phone. Do I have to physically type said password in, using the list the phone gives me? I was under the impression you basically used some sort of "token" (for lack of a better word) that lets you use secure passwords that you don't have to remember.

    Or am I understanding this wrong, and you have to physically type in the shitty password?

  • twmjr Registered User regular
    Mugsley wrote: »
    Orca wrote: »
    Mugsley wrote: »
    I have a bunch of questions about password managers, mostly due to my unique situation.

    Work computer: cannot add extensions to any browser, cannot install a local app, etc.

    For the time being, I can have my phone at my desk, but that will be changing "soon."

    If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?

    We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden)

    If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet? :p

    Yes, we can surf externally with a proxy in between. It lets me get to most places (hence why I'm posting here from work) but there are many others I cannot access.
    ----
    So I need an explanation then. I set things up with a password manager. I go to log into [X Site] that is using a random, 12-character password at work. I have my phone. Do I have to physically type said password in, using the list the phone gives me? I was under the impression you basically used some sort of "token" (for lack of a better word) that lets you use secure passwords that you don't have to remember.

    Or am I understanding this wrong, and you have to physically type in the shitty password?

    In the scenario where you are accessing a site on a computer without the extension/password manager application installed then yes -- you would need to type in the password you presumably retrieved from your phone.

  • Drascin Registered User regular
    edited April 2019
    furlion wrote: »
    Drascin wrote: »
    Darkewolfe wrote: »
    Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.

    I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.

    The thing is that EVERYTHING needs a password. I can't remember fifty different passwords that I also should change every time a breach happens. Reuse is suicidal, but also your options are basically either constant reuse or resetting your password every time you go into a thing you don't use every day, cause you sure as heck ain't gonna remember the long password for that thing you set up last week.

    I need to look into how password managers work, and how the whole thing works if you need to constantly access stuff from a lot of computers that aren't your own, but also the fact that I'd need to manually change fuck knows how many passwords to get it set up is kind of a barrier.

    Password managers are in fact the solution to your problem. Most of them are quick to set up, easy to use, and robust. They are a necessity in this day. The one I use, KeePass, is free and will generate passwords for you. It also has an Android app that I keep synced using Dropbox. I am sure others here will recommend more.

    I'm... reluctant about an Android app. My phone is probably the biggest weak point in my already porous security. It's easily lost, easily stolen, necessarily constantly connected and unreliably updated, probably more vulnerable than my computer (due to said inconsistent security updating and generally phones seeming an easy attack surface), and I don't keep any kind of complex unlock mechanism because having to input any kind of long key over a hundred times a day to constantly unlock the lockscreen grated on my nerves. So for my peace of mind what I do is not keep basically anything sensitive there (throwaway Google account, no actual data beyond phone numbers, etcetera) and generally only log in to places that are not terribly sensitive (I will log into this forum on my phone, I sure as heck ain't logging into my bank). If I lose my phone tomorrow it's a pain, but it's not an absolute disaster.

    Steam ID: Right here.
  • a5ehren (Atlanta) Registered User regular
    Drascin wrote: »
    furlion wrote: »
    Drascin wrote: »
    Darkewolfe wrote: »
    Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.

    I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.

    The thing is that EVERYTHING needs a password. I can't remember fifty different passwords that I also should change every time a breach happens. Reuse is suicidal, but also your options are basically either constant reuse or resetting your password every time you go into a thing you don't use every day, cause you sure as heck ain't gonna remember the long password for that thing you set up last week.

    I need to look into how password managers work, and how the whole thing works if you need to constantly access stuff from a lot of computers that aren't your own, but also the fact that I'd need to manually change fuck knows how many passwords to get it set up is kind of a barrier.

    Password managers are in fact the solution to your problem. Most of them are quick to set up, easy to use, and robust. They are a necessity in this day. The one I use, KeePass, is free and will generate passwords for you. It also has an Android app that I keep synced using Dropbox. I am sure others here will recommend more.

    I'm... reluctant about an Android app. My phone is probably the biggest weak point in my already porous security. It's easily lost, easily stolen, necessarily constantly connected and unreliably updated, probably more vulnerable than my computer (due to said inconsistent security updating and generally phones seeming an easy attack surface), and I don't keep any kind of complex unlock mechanism because having to input any kind of long key over a hundred times a day to constantly unlock the lockscreen grated on my nerves. So for my peace of mind what I do is not keep basically anything sensitive there (throwaway Google account, no actual data beyond phone numbers, etcetera) and generally only log in to places that are not terribly sensitive (I will log into this forum on my phone, I sure as heck ain't logging into my bank). If I lose my phone tomorrow it's a pain, but it's not an absolute disaster.

    You don't have to put the manager on your phone if you don't need it there. It would just be a browser extension on your PC - then you just remember one strong password to login to that and it generates/fills passwords for everything else.

  • LD50 Registered User regular
    Orca wrote: »
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

    Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There aren't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.

    I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.

    I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...

    Your phone is more secure than a physical token. If someone steals your token, they have your token. If someone steals your phone, they have to get into it before they can use the token.

    This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.

  • Mugsley (Delaware) Registered User regular
    twmjr wrote: »
    Mugsley wrote: »
    Orca wrote: »
    Mugsley wrote: »
    I have a bunch of questions about password managers, mostly due to my unique situation.

    Work computer: cannot add extensions to any browser, cannot install a local app, etc.

    For the time being, I can have my phone at my desk, but that will be changing "soon."

    If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?

    We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden)

    If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet? :p

    Yes, we can surf externally with a proxy in between. It lets me get to most places (hence why I'm posting here from work) but there are many others I cannot access.
    ----
    So I need an explanation then. I set things up with a password manager. I go to log into [X Site] that is using a random, 12-character password at work. I have my phone. Do I have to physically type said password in, using the list the phone gives me? I was under the impression you basically used some sort of "token" (for lack of a better word) that lets you use secure passwords that you don't have to remember.

    Or am I understanding this wrong, and you have to physically type in the shitty password?

    In the scenario where you are accessing a site on a computer without the extension/password manager application installed then yes -- you would need to type in the password you presumably retrieved from your phone.

    Thank you for that clarification.

  • furlion, Riskbreaker, Lea Monde, Registered User regular
    LD50 wrote: »
    Orca wrote: »
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

    Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There aren't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.

    I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.

    I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...

    Your phone is more secure than a physical token. If someone steals your token, they have your token. If someone steals your phone, they have to get into it before they can use the token.

    This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.

    SMS is literally the only thing some companies use though. Like Sony for instance, at least for my psn account.

    Gamertag: KL Retribution
    PSN:Furlion
  • LD50 Registered User regular
    furlion wrote: »
    LD50 wrote: »
    Orca wrote: »
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

    Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There aren't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.

    I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.

    I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...

    Your phone is more secure than a physical token. If someone steals your token, they have your token. If someone steals your phone, they have to get into it before they can use the token.

    This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.

    SMS is literally the only thing some companies use though. Like Sony for instance, at least for my psn account.

    You use what you've got. SMS is better than nothing. Just don't trust it to protect anything particularly vulnerable.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Jebus314 wrote: »
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

    To some extent that is true even without a password manager. Unless you're saying you only log into your accounts on your computer and never use your phone, since a compromised phone could just wait and record your passwords rather than stealing your password database.

    Yeah, this is actually my strategy. I never log into anything on my phone that's sensitive, because I don't trust over-the-air networks with sensitive information. And furthermore I consider my phone an attack vector I'm not allowed to control appropriately. I essentially use the 2FA on my phone via Google Auth and don't log into things like my bank account unless I'm on a wired connection via a computer I trust.
    Orca wrote: »
    I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...

    I did hear something a while back about essentially a physical 2FA key - one that operates via USB or somesuch - but I've never seen anyone support anything like that. Heck, it's beyond me why some sites don't even use Google Authenticator, so I suppose wanting for something more is rather unrealistic at this point.
    furlion wrote: »
    LD50 wrote: »
    This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.

    SMS is literally the only thing some companies use though. Like Sony for instance, at least for my psn account.

    *Glares intensely at one of the largest banks in the world*.

    You'd think financial institutions would be more concerned about security, but a great many of them still lean on SMS 2FA.

  • furlion, Riskbreaker, Lea Monde, Registered User regular
    Jebus314 wrote: »
    I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?

    If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - Because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.

    Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).

    If you don't have a password manager on your phone, then at the very least your accounts should stay safe.

    But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.

    To some extent that is true even without a password manager. Unless you're saying you only log into your accounts on your computer and never use your phone, since a compromised phone could just wait and record your passwords rather than stealing your password database.

    Yeah, this is actually my strategy. I never log into anything on my phone that's sensitive, because I don't trust over-the-air networks with sensitive information. And furthermore I consider my phone an attack vector I'm not allowed to control appropriately. I essentially use the 2FA on my phone via Google Auth and don't log into things like my bank account unless I'm on a wired connection via a computer I trust.
    Orca wrote: »
    I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...

    I did hear something a while back about essentially a physical 2FA key - one that operates via USB or somesuch - but I've never seen anyone support anything like that. Heck, it's beyond me why some sites don't even use Google Authenticator, so I suppose wanting for something more is rather unrealistic at this point.
    furlion wrote: »
    LD50 wrote: »
    This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.

    SMS is literally the only thing some companies use though. Like Sony for instance, at least for my psn account.

    *Glares intensely at one of the largest banks in the world*.

    You'd think financial institutions would be more concerned about security, but a great many of them still lean on SMS 2FA.

    Realistically, most of their customers don't really need to worry. Most people don't make enough money to be targeted by an attacker sophisticated enough to bother with them. And almost every form of 2FA can be bypassed completely using phishing. You only need enough security to raise the barrier high enough that anyone interested in stealing your stuff will not bother. Because if someone wants it bad enough, there is almost literally not enough security in the world to keep them from getting it.

    Gamertag: KL Retribution
    PSN:Furlion
  • MugsleyMugsley DelawareRegistered User regular
    Orca wrote: »
    I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...

    I did hear something a while back about essentially a physical 2FA key - one that operates via USB or somesuch - but I've never seen anyone support anything like that. Heck, it's beyond me why some sites don't even use Google Authenticator, so I suppose wanting for something more is rather unrealistic at this point.

    Are you thinking of TitanKey, which I believe Google was pushing at one point?

    furlion wrote: »
    LD50 wrote: »
    This is assuming you're not using sms or voice call for 2fa. Don't use sms or voice calls for 2fa.

    SMS is literally the only thing some companies use though. Like Sony for instance, at least for my psn account.

    *Glares intensely at one of the largest banks in the world*.

    You'd think financial institutions would be more concerned about security, but a great many of them still lean on SMS 2FA.

    Financial institutions are still more concerned about minimizing operating expenses at all costs. So they do the bare minimum to meet Federal requirements.

  • a5ehrena5ehren AtlantaRegistered User regular
    edited April 2019
    WebAuthn + FIDO2 will be very nice if/when they achieve widespread support.

    I think Google's current internal solution is FIDOv1-based Yubikeys: https://www.yubico.com/products/yubikey-hardware/

  • MugsleyMugsley DelawareRegistered User regular
    I would actually be very interested in using a form of Yubikey at work instead of a card with a smart chip. There are also rumors of a card-less solution, but I'm not sure how much traction it actually has, or if it's just musings. It's basically a cell phone app that "learns your activity patterns" and confirms to a server (somewhere) that you are you and you're allowed to log into a given system. Except that there are some areas that don't permit mobile devices in workspaces.

  • Inquisitor77Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and timeRegistered User regular
    a5ehren wrote: »
    WebAuthn + FIDO2 will be very nice if/when they achieve widespread support.

    I think Google's current internal solution is FIDOv1-based Yubikeys: https://www.yubico.com/products/yubikey-hardware/

    Yeah it's pretty telling that Google doesn't use their own 2FA solution.

  • furlionfurlion Riskbreaker Lea MondeRegistered User regular
    a5ehren wrote: »
    WebAuthn + FIDO2 will be very nice if/when they achieve widespread support.

    I think Google's current internal solution is FIDOv1-based Yubikeys: https://www.yubico.com/products/yubikey-hardware/

    Yeah it's pretty telling that Google doesn't use their own 2FA solution.

    I feel like I am missing something here, what advantage does the key have over an app? Losing the key seems easier, and less noticeable. I assume the key is still vulnerable to the same sort of advanced phishing techniques, but I could be wrong.

  • a5ehrena5ehren AtlantaRegistered User regular
    Google now has a way to make your phone act like a FIDO key instead of just a 2FA number pad: https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/
    furlion wrote: »
    a5ehren wrote: »
    WebAuthn + FIDO2 will be very nice if/when they achieve widespread support.

    I think Google's current internal solution is FIDOv1-based Yubikeys: https://www.yubico.com/products/yubikey-hardware/

    Yeah it's pretty telling that Google doesn't use their own 2FA solution.

    I feel like I am missing something here, what advantage does the key have over an app? Losing the key seems easier, and less noticeable. I assume the key is still vulnerable to the same sort of advanced phishing techniques, but I could be wrong.

    The apps can be compromised by a screen-reader app if the attacker is sufficiently determined to get malware on your phone, and the protocols themselves aren't quite as complex as FIDO, IIRC.

    I'm not 100% sure on the specifics of the FIDO protocols, but there isn't really any way to break it without physically stealing the key.

  • MugsleyMugsley DelawareRegistered User regular
    "....make sure Bluetooth is turned on for both your phone and the computer you're using to sign in."

    Welp.

  • a5ehrena5ehren AtlantaRegistered User regular
    Yeah. I guess the big improvement over what they do with Smart Lock for Chromebooks is the physical button-press, but it's still kind of a half-ass solution.

  • MugsleyMugsley DelawareRegistered User regular
    Well, that and I haven't experienced a desktop motherboard with integrated Bluetooth out of the box. Maybe it's out there now, though, since the hardware I'm currently dealing with is around 7 years old. I'm not sure something like this is worth buying a BT dongle for, either.

  • DehumanizedDehumanized Registered User regular
    Mugsley wrote: »
    Well, that and I haven't experienced a desktop motherboard with integrated Bluetooth out of the box. Maybe it's out there now, though, since the hardware I'm currently dealing with is around 7 years old. I'm not sure something like this is worth buying a BT dongle for, either.

    Integrated Bluetooth is much more common on laptops for sure, but many mobos have it nowadays. My current desktop has on-board wifi and bluetooth.

  • furlionfurlion Riskbreaker Lea MondeRegistered User regular
    a5ehren wrote: »
    Google now has a way to make your phone act like a FIDO key instead of just a 2FA number pad: https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/
    furlion wrote: »
    a5ehren wrote: »
    WebAuthn + FIDO2 will be very nice if/when they achieve widespread support.

    I think Google's current internal solution is FIDOv1-based Yubikeys: https://www.yubico.com/products/yubikey-hardware/

    Yeah it's pretty telling that Google doesn't use their own 2FA solution.

    I feel like I am missing something here, what advantage does the key have over an app? Losing the key seems easier, and less noticeable. I assume the key is still vulnerable to the same sort of advanced phishing techniques, but I could be wrong.

    The apps can be compromised by a screen-reader app if the attacker is sufficiently determined to get malware on your phone, and the protocols themselves aren't quite as complex as FIDO, IIRC.

    I'm not 100% sure on the specifics of the FIDO protocols, but there isn't really any way to break it without physically stealing the key.

    Ok, that helps some. What about an attack that uses a redirect to a phishing page that looks identical and hijacks your 2FA and login as you enter them? Can the key prevent that?

  • MugsleyMugsley DelawareRegistered User regular
    I'm not sure the best place to post this. My PSU is dying so I'm looking for deals and I found a good deal on a replacement from Seasonic. It turns out that Seasonic has an offer card in their PSU boxes that when you register the PSU and link your Steam account, they send you a fairly substantial Steam GC.

    I can't help but wonder what Seasonic is doing with that data, and to whom they are selling.

  • OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    Mugsley wrote: »
    I'm not sure the best place to post this. My PSU is dying so I'm looking for deals and I found a good deal on a replacement from Seasonic. It turns out that Seasonic has an offer card in their PSU boxes that when you register the PSU and link your Steam account, they send you a fairly substantial Steam GC.

    I can't help but wonder what Seasonic is doing with that data, and to whom they are selling.

    ...huh.

  • a5ehrena5ehren AtlantaRegistered User regular
    furlion wrote: »
    a5ehren wrote: »
    Google now has a way to make your phone act like a FIDO key instead of just a 2FA number pad: https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/
    furlion wrote: »
    a5ehren wrote: »
    WebAuthn + FIDO2 will be very nice if/when they achieve widespread support.

    I think Google's current internal solution is FIDOv1-based Yubikeys: https://www.yubico.com/products/yubikey-hardware/

    Yeah it's pretty telling that Google doesn't use their own 2FA solution.

    I feel like I am missing something here, what advantage does the key have over an app? Losing the key seems easier, and less noticeable. I assume the key is still vulnerable to the same sort of advanced phishing techniques, but I could be wrong.

    The apps can be compromised by a screen-reader app if the attacker is sufficiently determined to get malware on your phone, and the protocols themselves aren't quite as complex as FIDO, IIRC.

    I'm not 100% sure on the specifics of the FIDO protocols, but there isn't really any way to break it without physically stealing the key.

    Ok, that helps some. What about an attack that uses a redirect to a phishing page that looks identical and hijacks your 2FA and login as you enter them? Can the key prevent that?

    I think with FIDO that they would have to have the website's private key to generate a challenge that your token would create the correct response to.

    https://fidoalliance.org/how-fido-works/

    I don't really have time to read the whole spec, but it looks like they would have to MITM your registration to be able to access your account (or steal your private key from the server and then MITM your login), which is more difficult than getting you to type 8 numbers into a box within 90 seconds.

  • a5ehrena5ehren AtlantaRegistered User regular
    This is the 2FA overview spec for the first version of FIDO: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html

    FIDO2 (part of webauthn) spec is here: https://www.w3.org/TR/webauthn/
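    An added toy model (not code from this thread, nor from the FIDO Alliance specs linked above) of the origin-bound challenge/response the linked U2F overview describes: the token keeps a key pair per origin and signs the browser-reported origin together with the site's challenge, so a look-alike page on another origin cannot obtain a response the real site will accept. The origins, the challenge bytes and the hash layout are constructed for illustration; the real protocol also has key handles, counters and an attestation step that this model leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a U2F token: one key pair per origin it was registered with.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// Register mints a fresh P-256 key pair for origin; the site stores the public half.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = k
	return &k.PublicKey, nil
}

// signedData binds a response to the origin the browser reports, not only to the challenge.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign answers a challenge; the origin comes from the browser, never from page content.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	k, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", origin)
	}
	return ecdsa.SignASN1(rand.Reader, k, signedData(origin, challenge))
}

// Verify is the real site's check: it hashes its own origin with the challenge it issued.
func Verify(pub *ecdsa.PublicKey, siteOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(siteOrigin, challenge), sig)
}
func main() {
	tok := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	challenge := []byte("constructed-random-challenge") // a real site sends fresh random bytes
	pub, _ := tok.Register("https://bank.example")   // constructed origin
	sig, _ := tok.Sign("https://bank.example", challenge)
	fmt.Println("genuine login verifies:", Verify(pub, "https://bank.example", challenge, sig))
	_, err := tok.Sign("https://bank-login.example", challenge) // look-alike site relays the bank's challenge
	fmt.Println("look-alike origin:", err)
}
```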

  • Descendant XDescendant X Skyrim is my god now. Outpost 31Registered User regular
    What do you folks think of the iCloud Keychain vs. 1Password? I use both because I have a Linux box, but I definitely like the Keychain better. Are there any issues with either?

    Garry: I know you gentlemen have been through a lot, but when you find the time I'd rather not spend the rest of the winter TIED TO THIS FUCKING COUCH!
  • MugsleyMugsley DelawareRegistered User regular
    Oh look, and it's a Facebook family app, too.

  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    In other exploit news, Microsoft has recently disclosed a new, wormable security vulnerability in older versions of Windows.
    Microsoft is warning users of older versions of Windows to urgently apply a Windows Update today to protect against a potential widespread attack. The software giant has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in Windows XP, Windows 7, and server versions like Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft is taking the highly unusual approach of releasing patches for Windows XP and Windows Server 2003 even though both operating systems are out of support. Windows XP users will have to manually download the update from Microsoft’s update catalog.

    “This vulnerability is pre-authentication and requires no user interaction,” explains Simon Pope, director of incident response at Microsoft’s Security Response Center. “In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

    Windows 8 and 10 aren't impacted by this flaw, but Windows 7 is. Plenty of people are still using Windows 7.

    This is particularly noteworthy, seeing as Microsoft decided it was serious enough that they've released a patch for Windows XP of all things.

  • JazzJazz Registered User regular
    XP and 7 but not Vista. That says something too!

  • Inquisitor77Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and timeRegistered User regular
    Nobody uses Vista.

  • DarkewolfeDarkewolfe Registered User regular
    In other exploit news, Microsoft has recently disclosed a new, wormable security vulnerability in older versions of Windows.
    Microsoft is warning users of older versions of Windows to urgently apply a Windows Update today to protect against a potential widespread attack. The software giant has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in Windows XP, Windows 7, and server versions like Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft is taking the highly unusual approach of releasing patches for Windows XP and Windows Server 2003 even though both operating systems are out of support. Windows XP users will have to manually download the update from Microsoft’s update catalog.

    “This vulnerability is pre-authentication and requires no user interaction,” explains Simon Pope, director of incident response at Microsoft’s Security Response Center. “In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

    Windows 8 and 10 aren't impacted by this flaw, but Windows 7 is. Plenty of people are still using Windows 7.

    This is particularly noteworthy, seeing as Microsoft decided it was serious enough that they've released a patch for Windows XP of all things.

    Server 2008 R2 is the most important OS on that list. A lot of companies are still running on that, as it's not truly end of life until later this year.

    What is this I don't even.
  • JazzJazz Registered User regular
    edited May 2019
    Nobody uses Vista.
    Exactly what I was getting at! :lol:

    I've still got it on an old and somewhat battered laptop I haven't so much as booted up in years :lol:
