This week in computer security - Page 21 - RPGWatch Forums

May 26th, 2022, 17:41
With that Twatter story, just to add to that a bit about 2FA (2 factor authentication), because that's how they got these phone numbers; by making a texted authentication necessary for "security". There's a bit of debate around 2FA, with some saying it's a scam, and others saying that's stupid FUD, because it's great for security.

The thing is, in principle it is great for security… but it can be implemented in a disingenuous way that is also about getting valuable identifying information, like your phone number.

Texting a verification to a phone number is actually a terrible way of doing 2FA. There are completely open source solutions (like Aegis) that work using a system called TOTP. The idea of that app is that the two systems - you and the system you're logging into - don't need to communicate or know anything about each other, as long as you have exchanged encryption keys. Then, both parties can agree on codes based on their key and the current time, without communicating at all.

That's where 2FA is a great idea pretty much everywhere, and these buggers know that very well.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
Ripper, #401

May 26th, 2022, 23:00
Originally Posted by Ripper:
There are completely open source solutions (like Aegis) that work using a system called TOTP. The idea of that app is that the two systems - you and the system you're logging into - don't need to communicate or know anything about each other, as long as you have exchanged encryption keys. Then, both parties can agree on codes based on their key and the current time, without communicating at all.
It's just too bad they allow biometrics instead of a password. That's mixing real authentication and (error-prone) identification.
Redglyph, #402


May 26th, 2022, 23:18
Originally Posted by Redglyph:
It's just too bad they allow biometrics instead of a password. That's mixing real authentication and (error-prone) identification.
Sure, but that's an extra level of authentication on top - to unlock the app itself. The biometrics play no part in the authentication between parties; they just add an extra hurdle for someone with physical access to your phone, compared to reading a texted confirmation code.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
Ripper, #403


May 27th, 2022, 11:19
Originally Posted by Ripper:
Sure, but that's an extra level of authentication on top - to unlock the app itself. The biometrics play no part in the authentication between parties, just add an extra hurdle for someone having physical access to your phone, over reading a confirmation texted code.
I'm not using it, so maybe I misunderstand, but from what they explain it's more than just unlocking the app (FAQ on their GitHub):

Why doesn't Aegis support biometric unlock for my device, even though it works with other apps?

The reason for this is pretty technical. In short, since you're not entering your password when using biometric unlock, Aegis needs some other way to decrypt the vault. For this purpose, we generate and use a key in the Android Keystore, telling it to only allow us to use that key if the user authenticates using their biometrics first. Some devices have buggy implementations of this feature, resulting in the error displayed to you by Aegis in an error dialog.
Of course, I suppose it's an option and it's up to the user to allow biometrics anyway. So it's just a minor quirk, I think apps should make the risks more clear. Their system is certainly better than most others.
Redglyph, #404


May 27th, 2022, 11:38
I'm using Authy, because it is available on Android and iOS. I understand that Aegis is not, so that would be a miss.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
Myrthos, #405


May 27th, 2022, 11:42
Originally Posted by Redglyph:
I'm not using it so maybe I misunderstand, but from what they explain it's more than just unlocking the app (FAQ on their Github):

Of course, I suppose it's an option and it's up to the user to allow biometrics anyway. So it's just a minor quirk, I think apps should make the risks more clear. Their system is certainly better than most others.
I think that's just an FAQ to answer why someone can't use the biometrics on their particular phone. When you set up the app, it asks if you want to encrypt the local database, and you can choose no encryption, biometrics, or a password. Then you have to enter your password or biometric scan when you use the app, as an extra layer of security on your device. The encryption of the local database (or not) has no bearing on the nature of the cryptographic exchange for logins.

It's just an extra security measure, if you want it, so that in a worst-case 2FA situation, where someone knows your login password AND has possession of your phone, they now have an extra barrier to get through. That reduces convenience, though, so you have the option of another password, biometrics, or no extra protection.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
Ripper, #406


May 27th, 2022, 11:50
Originally Posted by Myrthos:
I'm using Authy, because it is available on Android and iOS. I understand that Aegis is not, so that would be a miss.
Yeah, in one sense it makes no difference which app you choose - the important part is the TOTP system, which is implemented in various apps and solutions. Authy is closed source, and I wouldn't trust it not to be participating in the tracking I'm trying to avoid.

But there are many choices, and you can often import and export between them, because TOTP is an open standard.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
Ripper, #407


May 30th, 2022, 12:05
A Face Search Engine Anyone Can Use Is Alarmingly Accurate
For $29.99 a month, a website called PimEyes offers a potentially dangerous superpower from the world of science fiction: the ability to search for a face, finding obscure photos that would otherwise have been as safe as the proverbial needle in the vast digital haystack of the internet.

A search takes mere seconds. You upload a photo of a face, check a box agreeing to the terms of service and then get a grid of photos of faces deemed similar, with links to where they appear on the internet. The New York Times used PimEyes on the faces of a dozen Times journalists, with their consent, to test its powers.

PimEyes found photos of every person, some that the journalists had never seen before, even when they were wearing sunglasses or a mask, or their face was turned away from the camera, in the image used to conduct the search.
[. . .]
Unlike Clearview AI, a similar facial recognition tool available only to law enforcement, PimEyes does not include results from social media sites. The sometimes surprising images that PimEyes surfaced came instead from news articles, wedding photography pages, review sites, blogs and pornography sites. Most of the matches for the dozen journalists’ faces were correct. For the women, the incorrect photos often came from pornography sites, which was unsettling in the suggestion that it could be them. (To be clear, it was not them.)

A tech executive who asked not to be identified said he used PimEyes fairly regularly, primarily to identify people who harass him on Twitter and use their real photos on their accounts but not their real names. Another PimEyes user who asked to stay anonymous said he used the tool to find the real identities of actresses from pornographic films, and to search for explicit photos of his Facebook friends.
--
Eye, #408


June 21st, 2022, 09:01
Time for another PSA: it seems Cloudflare is down, impacting a wide range of websites and services. Just in case you're wondering why your website isn't starting.

All you get is the usual 500 Internal Server Error. Sounds like another Dox attack.

--
Opinions are like assholes, everybody's got one and everyone thinks everyone else's stinks.
Couchpotato, #409


June 21st, 2022, 09:15
Cloudflare going down and taking half the internet at least down with it.

Shows how much of the internet is centralized these days. In a war, just one hack hits and large swaths of communications will be gone into the shitter, just like right now.

It's dangerous to have much of the internet's backbone propped up by Cloudflare.
--
Opinions are like assholes, everybody's got one and everyone thinks everyone else's stinks.
Couchpotato, #410


June 21st, 2022, 12:43
Well, they aren't part of the internet backbone. They are more like a gateway combined with a CDN that offers protection from a lot of malicious attacks and can also offer load balancing in the case of an attack. It is just being used by a lot of websites. You can't choose the backbone you are using, but you can choose to use their service or not.
With all the investments they make in providing protection, it would be really strange if they themselves were the victim of such an attack and were not able to manage it.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
Myrthos, #411