Stuart Schechter published a good primer on the security issues surrounding two-factor authentication.
While it’s often an important security measure, it’s not a panacea. Stuart discusses the usability and security issues that you have to think about before deploying the system.
cate • August 22, 2018 6:25 AM
There are many bad 2FA.It is becoming a buzz word, e.g. Synology doesn’t give paper codes. If your phone breaks, you must format your NAS. It is not about convenience (or lack of it), but just marketing without knowing what it is security
Roger A. Grimes • August 22, 2018 7:17 AM
All other things considered equally, MFA is always better than 1FA. But that doesn’t mean MFA is unhackable. I’ve thought of at least 13 different ways to hack MFA. I covered 11 of the ways a few month ago (https://www.csoonline.com/article/3272425/authentication/11-ways-to-hack-2fa.html), but I’m up to 13 or 14 ways now in my latest presentations. I presented on the 13 ways to hack 2FA at Black Hat in LV two weeks ago, and I’ve done a ton of webinars on the subject lately. If you’ve wanting to evaluate non-password-based authentication solutions, check out this awesome whitepaper (https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/QuestToReplacePasswords.pdf).
John • August 22, 2018 8:33 AM
All other things considered equally
There’s your problem right there.
Clive Robinson • August 22, 2018 8:41 AM
@ Roger A. Grimes,
All other things considered equally, MFA is always better than 1FA.
Oh if only that were true.
I am aware of an external auditor signing off on “two passwords” entered in succession as being 2FA…
As anyone with a briefcase with two three wheel combination locks can work out, they are considerably less secure than a briefcase with a single six wheel combination lock.
So a brut force password search only takes 2N rather than N^2 searches with that 2FA arrangement.
Yes it can be argued that this is an edge case and the auditor should not have let it pass. But we live in a real world where these things can and worse do happen.
Thus we have the problem of organisations taking the least costly approach to 2FA and thus hitting those edge and corner cases almost as the first option. We then have auditors or others in a similar checking position giving the edge and corner cases a pass. Then we have knowledgable attackers treating the edge and corner cases as a prefrence as they are the low hanging fruit.
Hence we have more successfull attacks than you would otherwise think would happen against 2FA.
When you then consider that as you are finding new attacks are being developed all the time, what was 2FA or better suddenly has less than older simpler password security.
You can see this with SMS TANs on Smart Phones that the banking app is also on. Once the attacker has a RAT on the phone getting at the TAN is no harder than reading a password off of a yellow postit note underneath the PC keyboard, and your bank balance disappears to the Cayman Islands or some such shortly there after.
To be frank we now know of so many attacks against MFA systems we realy need to regard it not as a security measure, but just a technique or framework in which security measures can be placed. Importantly such that the security measures can be changed at very short notice as new atacks come to notice.
Like passwords MFA will never realy be secure because change happens quickly and often for stupid reasons (RSA tokens). But as of yet we realy don’t have anything to replace them, thus we have to try to work with what we have got and just try and stay on top of attacks, whilst not doing stupid things.
Clive Robinson • August 22, 2018 9:16 AM
There is of course a reason to avoid some types of 2FA…
Those that invade your privacy or anonymity.
Google might not know your phone number, but if you sign up to an SMS or similar recovery mechanism you’ve given them for free a very valuable piece of information they can use to profit by you. Any time somebody is profitting from you, you are effectively loosing, maybe not immediately, but that sort of data once out of your control can never be regained.
But due to others selling what is in effect “tracking data” your movments Google may not have known about because you only used it from a work computer, suddenly become available, to anyone with sufficient funds to buy it…
Whilst you might think “who cares about me” most times adults are also voters, the recent Facebook and Cambridge Anaylitica election rigging accusations should make you realise that every one “is a person of interest” to be targeted for political gain. When you consider that US Presedential election spending is now going to be well over 5USD per voter per runner, getting a tailored message campaign to you for 50cents is a real bargain…
Winter • August 22, 2018 10:02 AM
My understanding was that 2FA protected not against weak passwords, but against key loggers.
Even a random 256 character password is trivially compromised when entered on a system with a keylogger. The second factor, if produced on a DIFFERENT system, can protect your account even if the computer you use is compromized.
Now, not everything called 2FA is really 2FA. And the second factor too can be compromized.
Still, even text messages as 2FA are better than just a password. But every user should contemplate whether they are good enough.
Yargh • August 22, 2018 11:17 AM
“Let’s examine three risks that might make even rational, safety-concious users reluctant to turn on two-factor authentication.
Rational?
dbCooper • August 22, 2018 11:27 AM
@ Clive, OT from 2fA
You’re comment “most times adults are also voters” is not really accurate for those of us in the USA. Most unfortunate in my view as the US system relies on the participation of an informed electorate.
I was raised to believe voting was not just a privilege, it is an obligation. Sadly, the US rarely gets more than 60% turnout, and some amount of those seem to be less than informed.
echo • August 22, 2018 11:30 AM
I’m feeling irritated various corporations have used 2FA as an excuse and a lot of deliberate design of their interfaces and marketing to try and obtain my telephone numbers. The result is I don’t use 2FA.
I’m also very unhappy with Googles attempt to hijack tokens and turn them into another way of owning people.
You can also add similar techniques by companies trying to evade or trample over GDPR responsibilities.
There is alos the unspoken doctrine of “they” (the corporations and security state) don’t care about our security only who has exclusive ownership of it (i.e. their security).
I’m sure a lot of politicians on a purely personal level agree in principle with or are smart enough to get it but the layer of party politics, and greed, and ego and personal weakness and perhaps even fatigue is a very deep layer in the way.
Hmm • August 22, 2018 12:21 PM
@Yargh
“…Attackers might steal your security key when you are in a public place, such as when you are at a restaurant or coffee shop, and replace it with a lookalike…”
Rational?”
Absolutely rational. Yubikeys are cheap. If you can swap one out and the mark is none the wiser, you have a window of operation before the mark will even look and when they do they’ll find themselves locked out. They’ll probably think their key “died” or something rather than explore other “rational” possibilities, unimaginable though we consider them at the time.
If really slick you could perhaps dupe it somehow and return it before they realized it was gone.
I don’t know how feasible that is for Yubikeys but if there’s money in that, someone can do it.
PeaceHead • August 22, 2018 2:15 PM
@echo:
I also think that companies are trying to do phishing disguised as offering secondary security options. I see this happening A LOT.
I’m glad the article mentioned the realism to consider in terms of physical property theft, and breaking and entering, and unauthorized “borrowing” of physical property.
About a day after I posted up my tune including audio samples of news audio explaining how {former NSA employees hacked the DNC’s servers using CIA vault 7 malware, and that the malware is designed to leave false digital fingerprints to make it look like Russians or anybody else, and that RUSSIANS MOST LIKELY DID NOT HACK THE DNC NOR THE ELECTIONS IN ANY CAPACITY}. .. a day after that post was made, my residence was broken into via a window, my wallet was borrowed, a few personal items were sabotaged, and I was prevented from distributing several hard copies of the source video file (even though it’s publicly available online!!!!!).
Let me say that again: about a day after I posted up this:
https://hearthis.at/protozone/voiceprint (listen to the whole thing, it’s deep)
https://www.youtube.com/watch?v=kR-WCDa4NSc (ignore the title, that’s not the main idea)
I was a victim of physical theft, sabotage, and unauthorized entry to my personal place of residence. All this, for sharing info that was already public, and which ought to be further publicized en masse to keep us out of war.
My point is this: the physical realm is always the most important. Luckily I wasn’t poisoned this time around. (Yes, I’ve been poisoned before). Luckily I was physically assaulted. (Yes, I’ve been physically assaulted before, both serrepticiously and overtly many times). Luckily this time the property vandalised wasn’t severe unlike previous times. Luckily I wasn’t abducted. (Yes, I’ve even been abducted several times and detained against my will and denied several human rights).
Unfortunately, even after I reported the theft of and unauthorized usage of my wallet and implicitly it’s contents, nobody I spoke with seemed to initiate any kind of response nor contingency even when it affected their businesses and practices.
On a slightly different topic: Now is a great time in life to become a Luddite and get off the grid as much as possible. Most of the digital element is all lies upon lies inside of a house of cards built in the sky and sold to the highest automatic bidder.
KingA • August 22, 2018 2:17 PM
If the 1st FA is strong, there is no need for other source
of supplementary authentication.
This was my philosophy for a long time… my 1FA is good and I don’t give it away, so no need for a 2nd.
But after watching snookered customer support reps let someone in to an account with a good story and minimal amount of data, I no longer care how strong my 1FA is, I will take a 2nd whenever I can. 🙁
-king
bill • August 22, 2018 2:38 PM
Brian Krebs has a story detailing arrest of AT&T employee charged with SIM swapping to take over cell phones: https://krebsonsecurity.com/2018/08/alleged-sim-swapper-arrested-in-california/
AJWM • August 22, 2018 3:39 PM
@ KingA
And that 2nd AF prevents snookered account reps from falling for another sob story how, exactly?
tim • August 22, 2018 4:32 PM
This article is an excellent piece on the consumer interaction with 2FA.
The vast majority of commentators here could learn something if they actually read the article and stopped spouting off debunked nonsense.
(required) • August 22, 2018 7:12 PM
“(Yes, I’ve been poisoned before). Luckily I was physically assaulted. (Yes, I’ve been physically assaulted before, both serrepticiously and overtly many times). Luckily this time the property vandalised wasn’t severe unlike previous times. Luckily I wasn’t abducted. (Yes, I’ve even been abducted several times and detained against my will and denied several human rights).”
@Peacehead – Surreptitiously. I know because I spent the time on that word recently.
The rest of what you say sounds kinda nuts. Who are you insinuating stole your wallet for politics?
I’m piqued.
guesstimate • August 22, 2018 7:22 PM
@Wael
Such as?
and
True, but the effect is minor as there are other security controls in place, typically. For example password strength policy.
I would suggest that a database compromise could be one potential answer for both of these, with the 2FA providing a false sense of security?
Wael • August 22, 2018 7:39 PM
@(required),
Aha, a MISTAKE! It was a matter of time! Crucify this man!
I also have an incredible amount of spelling mistakes in my comment. Crucify me first! The funny thing is it looks fine just before I click the submit button!!!
@guesstimate,
I would suggest that a database compromise could be one potential answer for both of these, with the 2FA providing a false sense of security?
Elaborate with something like a sequence of ‘events’… I am not following!
guesstimate • August 22, 2018 8:03 PM
@Wael
Also
So the steps are: Steal the token, replace it with a look-alike, the rogue token captures the PIN or passphrase used to unlock the “hardware token”, send the captured PIN / PF to the offender, and bang! they have access to the accounts… There are controls to mitigate that, for example device wipe, deactivation, etc… But this is an attack that can happen.
Steps one and two are sufficient to attack a previously uncompromised computer if the look-alike acts as an HID if there is no OS warning or after a careless click of the OK button. Although this is true of any USB device, so may not be an additional vulnerability of 2FA
(required) • August 22, 2018 8:15 PM
“The funny thing is it looks fine just before I click the submit button!”
It is the way of things.
Wael • August 22, 2018 8:22 PM
@guesstimate,
4. Provider has backend database compromised exposing all customer data
Got it!
This is a different security problem. Customers’ authentication security level are independent of backend protection mechanisms, if you ignore administrator remote access vulnerabilities arising from misapplying authentication mechanisms, 2FA included.
Steps one and two are sufficient to attack a previously uncompromised computer
Probably true in the case of a typical USB device. Not true in case of a device that accepts the PIN independently of the computer, for example a dedicated input device isolated from the OS and attached directly or indirectly through a different channel (out of band, with respect to the attacked computer) to the USB or smart card.
guesstimate • August 22, 2018 8:39 PM
@Wael
Agreed on both counts (I obviously didn’t read the original you were responding to;)
Wael • August 22, 2018 8:55 PM
@guesstimate,
(I obviously didn’t read the original you were responding to;)
At ease, gangesta! Neither did I 🙂
Clive Robinson • August 22, 2018 9:49 PM
@ Wael,
You may remember that some years ago @Nick P and myself had a series of chats about extetnal tokens.
Part of the conversations was about how a token would be used with a PC etc. I favoured a system that “went through the user” and he was looking towards USB or some other electronic interface.
I pointed out that using an electronic interface presented risks for various reasons.
1, It kept the human out of the authentication loop.
2, The interface could put malware in the token.
3, The mechanics of conectors had a quite short life.
4, The interface may not be available on the PC being used.
In the time since, non of the above have changed, in fact they have got worse in some cases.
And to be honest the increase in “aps” for phones and PCs suggests the “server side” managment do not want the users to use hardware tokens unless there is some extra benifit to them.
Which in effect pushes things towards “single sign on” services. Which increases not just the “security risk” via the “all eggs in one basket” problem. It opens up privacy risks as the SSO service can have an interface that leaks information about other online services you use and if you are currently logged on to them or not[1].
But of the four risks listed above the last two are usually obvious to the user, thus can provoke them into taking other actions that weaken their security.
Thus for the ordinary user the use of quality tokens is being depreciated by service side suppliers in general. As the suppliers favour “faux security tokens” such as your mobile phone with an applet.
Which means in turn ordinary users get a false impression of tokens and their risks and advantages.
I would argue that even of those who work in the computer seurity industry, few could actually evaluate security risks and advantages of token use correctly or appropriately. For what is on the face of it a simple process of authenticating a user there are a whole load of other issues when it is set in a larger ecosystem that the Intetnet is. Which in some respects still gives the old fashioned password system when properly used advantages.
[1] Even if the SSO service interface does not leak information on other online services you use, those services can have interfaces that can leak such information that the service you are currently using can interrogate.
Wael • August 22, 2018 10:56 PM
@Clive Robinson,
You may remember that some years ago @Nick P and myself had a series of chats about extetnal tokens.
I do, vividly! It was before I became active on this forum, although I read it from the start. This is one of them.
Part of the conversations was about how a token would be used with a PC etc.
I am for anything that works well. I remember that you talked about “through the user”, but my searches went in vain. Can’t recollect any keywords. But you also talked about getting the human out of the chain because of human mistakes, and I agree to that too. No system is “idiot-proof”.
I pointed out that using an electronic interface presented risks for various reasons.
It’s important to segregate user authentication from device authentication. The two are needed and the two should not be mixed up.
Which in effect pushes things towards “single sign on” services. Which increases not just the “security risk” via the “all eggs in one basket” problem.
That’s a dilemma most people face these days. I, for example, have many accounts (like everyone else) and passwords. I also change the passwords frequently (I haven’t been persuaded that keeping a long-living password is more secure than frequently changing it) and used to be able to keep all in memory. Not any more. Now I tried many password managers, dashlane being the latest. But how do I trust that the developers:
I don’t have the time to reverse engineer, monitor traffic, look at extensive reviews (which I may or may not trust.) So my solution is to write my own application, which I never had the time for.
I would argue that even of those who work in the computer security industry, few could actually evaluate security risks and advantages of token use correctly or appropriately.
Roger that! The few who can’t evaluate security risks are wearing a prophylactic. I have seen wonders – more than what @Bong-Smoking Primitive Monkey-Brained Spook has seen in his wildest hallucinations 🙂
de la Boetie • August 23, 2018 3:56 AM
Whatt’s interesting – and dismal – is the glacial progression of U2F authentication. Not perfect of course, but substantially better than most alternatives. Cheap and relatively privacy respecting.
The problem of course is that the incentives for the providers are opposed to that of the user – namely that the “free” services want you by your known eyeballs, and therefore really want to authenticate you by the smartphone (they own you then), or with biometrics (ughhh) – even if those are much worse and have obvious flaws.
Larry • August 23, 2018 5:10 AM
I’m confused! While I’m not a total tech dummy(I recently got my Comptia IT Fundamentals Certification),I’m certainly not as knowledgeable as most posters here or Bruce of course. I have strong passwords & use a password manager. Is 2FA a good idea or not?
Is a code to my dumb phone better than no 2F?
I was thinking of getting a Ubikey to use with Lastpass.Is that even a good idea?
Clive Robinson • August 23, 2018 6:12 AM
@ wael,
I remember that you talked about “through the user”, but my searches went in vain. Can’t recollect any keywords. But you also talked about getting the human out of the chain because of human mistakes, and I agree to that too. No system is “idiot-proof”.
The problem with the user not being in the security chain is that an attacker can end run an application and put a shim in the device drivers. Thereby the user only sees what the attacker wants them to see. It’s the same problem we see with all those ultra crypto-secure apps, that the NSA, GCHQ etc would just shim the screen and device drivers with a tee that sends them a copy of the plain text.
Thus if you use a token with a USB interface the security chain goes from the suspect PC directly into the Token. The user can not see the traffic and thus catch a bug in the tokens software being excercised by the attacker.
If however the PC screen displays a transaction request secure checksum, and the user types it into the token, thrn reads the reply from the tokens LCD screen and types that into the PC two things have happened.
Firstly the user has not “clicked through” secondly the bandwidth of the human is very small thus any malware etc would not pass through them without notice.
The problem though is also the human limited bandwidth. To be secure generally takes a lot of bits and thus bandwidth. Thus how to reduce the need for lots of bits…
Originaly I thought along the lines of “what are humans good at that computers are bad at” and came up with the idea of using captcher as a way to do it. Unfortunately as I later found out somebody else was employing chinse student age people to sit there all day and solve captchers for cents… So a quick mea culpa on that one 🙁
The conclusion I’ve come to is humans on average are not up to the task of being secure to the level that will survive even a few milliseconds of modern hardware,processing time. Which is much the same you have with loops of 10,000 hashes etc.
Wael • August 23, 2018 7:51 AM
@Clive Robinson,
The problem with the user not being in the security chain is that an attacker can end run an application and put a shim in the device drivers. […] Thus if you use a token with a USB interface the security chain goes from the suspect PC directly into the Token.
Not if the USB token is properly designed, e.g. immutable read only code, plus other protection mechanisms (some like to call them security controls!). The problem is we are not privy to details of design specs or implementation flaws.
If however the PC screen displays a transaction request secure checksum, and the user types it into the token, thrn reads the reply from the tokens LCD screen and types that into the PC two things have happened.
What percentage of the population will read the transaction details, let alone understand them? I don’t believe that’s a viable solution for the population. It may be good for an engineer, or a developer.
Unfortunately as I later found out somebody else was employing chinse student age people to sit there all day and solve captchers for cents
At least they can find jobs 🙂 I wonder what that experience would like on a resume!
Interviewer: Tell me about Captchas!
Candidate: I know all about them, dawg! I was the best in the industry. I solve them at the rate of 10k / hr.
Interviewer Impressive. How will this help us?
Candidate: Ummm. You know Captchas are really hard for humans to ‘solve’, right?
Interviewer Yea! It takes me at least 3 tries to go through them. Very annoying. I wonder who came up with this dumb and irritating idea! They’re everywhere on the Interwebz
Candidate: I can help anybody at your respected establishment to solve them! That’ll save some time, right? Who came up with them? I guess someone who thought humans are good at something that computer are not?
Interviewer What about this previous job you have? That’s a first — never seen this before!
Candidate: Well, I was a narrator for bad mimes (Steven Wright.)
Interviewer Me likes it! I’ll give you 10% above your current salary! That’s about 4 cents an hour.
Candidate: Wooo hooo.
Originaly I thought along the lines of “what are humans good at that computers are bad at”
Very soon computers (hardware and algorithms) are going to surpass humans in everything. Well, almost. I doubt they’ll have better sense of humor 😉
Wael • August 23, 2018 12:40 PM
Attention, @tim…
Nice paper but needs more organization. Mr. Oh-so-perfect likes to find anything to criticize — boosts my dwindling ego a bit 🙂
The second factors you can use to identify yourself include authenticator apps on your phone
You don’t use it to identify yourself. You use it to present a proof of who you claim to be. Splitting hairs, but important nonetheless!
they also introduce new risks. One risk is that you could be locked out of your account when you lose your second factor, which may be when you need it the most.
Yes, true!
Another is that if you expect second factors to protect you from those attacks that they can not prevent, you may become more vulnerable to the those attacks.
Such as?
You may be unable to recovery your second factor if your security key …
Either a spelling mistake or my grammatical skills are deteriorating like everything else. I only corrected this so @Tim knows I read the whole shebang. Well, almost.
If your phone is only out of battery, left it at home, or lent to someone else, you may lose access for hours or days.
True, but that’s a price to pay. There is a responsibility on the user to minimize these “events”. Users have responsibilities too.
if you don’t have a backup, losing your second factor can cause you to lose your account forever.
Backups come with their own risks as well, right?
Confidence in two-factor authentication could make you careless
True, but the effect is minor as there are other security controls in place, typically. For example password strength policy.
For example, consider the consequence of carrying a security key, which you plug into the USB slot of your computers at work and home.
This is true, but not common today as for as I know. Typical “something you have tokens”, for example a smart card will require a PIN for authentication to release a token to the device it’s plugged in to. An attacker will also need to capture that PIN… or break it. A little more involved than just stealing a token.
If you plug an attacker’s lookalike device into your computer and allow it to install a driver, it can take control of your computer.
So the steps are: Steal the token, replace it with a look-alike, the rogue token captures the PIN or passphrase used to unlock the “hardware token”, send the captured PIN / PF to the offender, and bang! they have access to the accounts… There are controls to mitigate that, for example device wipe, deactivation, etc… But this is an attack that can happen.
Of the common options, SMS (text) messages is the weakest so adding it should be a last resort.
Yes, one of the weakest and the attack vectors are many. Some were discussed here a while back. I think we talked about that here before NIST said something about it.
An authenticator app will only prevent phishing if you refuse to type the code from your authenticator app into the replica website.
Sounds like there’s a missing control here 😉
Neither an authenticator app nor a security key can prevent an attacker who controls your computer from taking over once you login.
Interesting observation. Can it be mitigated? I think so!
Nice paper, but I would have liked to see a concise summary of conclusions under the what to do section. Bullet points rather than an essay.
So there is also multi-entity authentication! This is a deeply-nested set of links – all relevant. Basically Authenticate the carbon unit and the silicon unit. This is not only defense-in-depth! It’s also defense in depth and width; a two dimensional ‘thing’. What we need is defense in depth, width, and hight. There is a link somewhere in the bowls of this blog about that 😉
PeaceHead • August 23, 2018 1:36 PM
quote: “Who are you insinuating stole your wallet for politics?” –“(required)”
@”(required)”: Actually, if you review what I wrote you’ll see that I didn’t make any insinuations nor accusations towards anyone at all. I was responding to how the article mentioned that physical access to data can effectively override digital security measures. I responded also with a personal incident as supporting information which happens to be directly correlated to informations I learned of indirectly via this website and discussed via this website and discussion page over the past several months.
Please don’t try to put words into people’s mouths. I didn’t start pointing fingers at anyone nor at any organizations. There was zero insinuation.
But I do know that the wallet was borrowed (not stolen). I know where I regularly keep my wallet and where I don’t. I know exactly which window was tampered with and what it looked like before tampering and after tampering and what the differences were. I know the regular contents of my wallet and the unusual contents of my wallet which may have been of temporary interest to the unauthorized “borrower”(s). I’m very familiar with my own regular habits and I’m not the type of person who leaves my most important items around casually.
I’m lucky that I wasn’t killed in my sleep because I’m fairly certain that I was burglarised while I was there in the room sleeping.
The place where the wallet was found again is not anyplace where I usually put it, even when interrupted. I have a specific set of behaviors that I do intentionally when handling stuff like that. So whoever put it back into the room took it out of it’s normal containment, and put where maybe they’d assume I’d not become suspicious–but they were wrong in multiple ways.
Not all security is locks. Some of it is merely detecting tampering. This type of thing has happened to me too much, but still not often enough to be regular. Ironically, everything I’ve got of interest was obtained via the public domain, so they are wasting their time unless they are otherwise typically blocked from public sources of information.
The items of mine which are private, are of course totally mine by property laws and customs. But I’m still likely victimised in terms of how the stolen items could’ve been duplicated and/or damaged and/or used to attempt to impersonate me. This is the crux of the physical access issue.
I’m not going to list the exact contents of my wallet here on the internet.
More importantly, the physical access of my wallet and it’s contents coincide exactly with when I posted up information which goes against the flow of the ubiquitous propaganda mechanisms. And despite you hilighting the wallet, as I said before, other items of mine were affected (sabotaged), and I’ve been through worse.
The main idea for others is that physical access is probably more of the norm rather than the exception or rarity.
I’m no longer in that part of the country whatsoever, and as I mentioned, I notified some people and organizations. It was noteworthy how little they responded in terms of emotion and concern or even protocol. That part of the country I’ve already identified as being a place of multiple troubles and risks and damages, and that’s why I left permanently–I will not be returning there ever.
For those who are familiar with my posts here, I will remind you that I did mention on this site that I was living extremely closely to a so-called “critical infrastructure” on more than one occasion. I think that some of those places are magnets for trouble because they are magnets for interlopers, and that’s just the tip of the iceberg in terms of my personal experiences which I’m not obligated to depict in full here. Besides, I could write a 500 page book on the topic if so inclined, but I’m not. It wouldn’t be practical and I’ve got other priorities and different audiences.
If you want to review the content of the soundclips I posted, it’s in my form-submitted URL and within a list of links on the resulting homepage. And here it is again:
https://hearthis.at/protozone/voiceprint
Instead of trying to derail the topic, it’s better to just cope with it as is and face the facts that it’s completely plausible that ex-NSA employees hacked the Democratic National Committee’s file servers using Vault 7 type of tools which inherently as function of their hacking capabilities intentionally place false digital fingerprints in order to evade id attribution. This is quite believable and refers to well-known spoofing technology rather than mainstreamed propaganda and gossip. There are several online videos and websites over the past several years explaining the techniques and even the actual softwares themselves are still online for distribution and use totally in spite of the mainstream propaganda and gossip. When the actual security specialists are honest, they tend to admit that id attribution is extremely difficult and sometimes impossible.
What they won’t typically tell anyone is how vastly easy it is to evade detection in multiple dynamic compound layers of id spoofing. These id spoofing techniques aren’t infallible, but the techniques which undermine id camouflage the best are seldomly talked about whatsoever because they involve the types of SIGINT that undermines nearly EVERYONE’s security at pretty much all times and makes the users and holders and makers of such technologies look quite conspicuous and suspicious (which is in fact quite normal!).
Earth penetrating tomography as surveillance technology for example is a classic example. If such tools can be used to look several hectares (or maybe even deeper) through minerals and rocks and water bodies and perhaps xenolithic metals, then surely they can be used to look through the walls of buildings especially if configured to do so. Coupled with other similar techniques and technologies, SECURITY DOES NOT EXIST.
Bigger questions are implied: Why is there all this bogus security theatre? Why is there all this hostile false propaganda? What are the deeper intentions of those who attempt to distract us and the masses from scientificly accessible truths? Who benefits from these odd behaviors? What are the adverse effects and risks of these odd behaviors? And HOW CAN THE ADVERSITY, RISKS AND DAMAGES BE AVOIDED AND REDUCED?
This is all still withing the realm of Security, it’s just that there’s a subcultural tendency for many people and writers to focus simply on algorithmic digital security. But that’s really too narrow of a perspective. I am regularly trying to widen the focus as a reminder of the bigger pictures and as a reminder that there are shattering implications of what’s at stake for several billions of lives. It’s not really at all about pointing fingers at people; it’s about trying to more effectively halt exteremely undesirable results for a maximum quantity of lives for a maximum quantity of time. Some of us are just trying to get more of a foothold on this type of active resistance rather than to just be victimized as usual.
Nevermind the spelling of serrepticious/surrepticious; the meaning and context are what’s important. And of course, if no empathy is involved in the nitpicking, the nitpicker(s) makes themselves out to look like sociopaths who have been known to victimise many people s*rrepticiously and without remorse nor empathy. Meanwhile, I’m not the only person who occasionally misspells a word, so why are you focussing upon me? And as I mentioned before, sometimes I notice that my posts are altered in transit, and words that I did spell correctly are corrupted. So that’s parity for ya.
If people don’t want longer responses than necessary from me, don’t try to bait me with side issues. Everything I say here has specific and deliberate purpose and meaning and always relates to Security and the related fields of SIGINT, forensics, HUMINT, and stuff I’d rather not mention lexically. No SMS required.
Peacefulness Will Prevail Within All Realms of Existence and The Meek Shall Inherit The Earth
Anon Coward from the USA • August 23, 2018 3:41 PM
@Wael
This sense of humor is better than that of a significant portion of the population.
https://www.wolframalpha.com/input/?i=tell+me+a+joke
The humorless population is larger if the person lists Politician or Political Analyst as their profession.
Wael • August 23, 2018 3:59 PM
@Anon Coward from the USA,
This sense of humor is better…
It’s clever. Heard some of these in the past, but not the majority of them.
The humorless population is larger if the person lists Politician or Political Analyst as their profession.
I believe that’s somewhat true and can think of a few reasons, but I’d like to hear your reasoning 🙂
Clive Robinson • August 23, 2018 4:23 PM
@ Wael,
Very soon computers (hardware and algorithms) are going to surpass humans in everything. Well, almost. I doubt they’ll have better sense of humor 😉
Hmm, humor might stay ahead of the game for a very short while… But other human activities, especially manual ones are going to get automated to work at the press of a button…
Such as US20050228219A1, just needs an IoT device for the speed and direction of the cordless screwdriver,
https://patentimages.storage.googleapis.com/df/60/72/1eb6db60f54187/US20050228219A1.pdf
The abstract starts,
Wael • August 23, 2018 4:40 PM
@Clive Robinson,
Oh, man! I looked at the patent and stopped after reading a certain word. How could someone put his name on such a patent? I know: it’s gotta be the same fellow in this story!
Search for: “Finding himself alone, he had begun the regular practice of”
Ok, so he’s into Machiniality, then 🙂
echo • August 23, 2018 5:14 PM
@Clive
UK regulators areawareof arguments that the auditing industry has failed from a competition and diversity of competition point of view, not to mention quality. The reasons are basically that structural issues and false choices herd clients towards particular companies. While difficult to write up as an exact equivalent I wonder if a similar kind of thing is happening with the big service providers.
Even with layers of bureaucracy and gold plated qualifications humans still take mental shortcuts and have biases. Deviations from routine and exceptional cases are rarely managed well. Reactive fear tends to escalate and turn things into a cliff edge power battle of who pays.
A new study claims the brain has a limited bandwidth for focus and tunes out a lot. We’re not actually concious most of the time. The brain stitches it all back together so it only appears like a continuous narrative.
Perhaps a “through the user” protocol needs to be developed. The Trident missile system basically uses something like this plus its systems are mostly fixed design and airgapped in general use. Your proposal isn’t unlike this in some sense but in the real world would be practiced much more often to the point of annoyance.
I have no answer but maybe a slightly different perspective may help stimulate something leading to an “Aha!” moment.
Clive Robinson • August 23, 2018 7:02 PM
@ Peacehead,
When the actual security specialists are honest, they tend to admit that id attribution is extremely difficult and sometimes impossible.
I would not use the word “honest” on it’s,own because of the implication others are beibg “dishonest”, which has further implications.
I have pointed out on a number of occasions why it is infact impossible to do a network only “method” even if you “own” 9 tenths of the routers on the assumed path and why you should use other “methods” or try to cultivate insider “sources” for atribution.
For various reasons mine is not a popular viewpoint which means in all probability your’s is likewise not going to be popular either. The fact that both our opibions can be shown to be on sound logic, unfortunately cuts no ice with many people.
And that is a problem. As I’ve mentioned before “independent” US security companies tend to find incidents correlate with the US Govs latest “cyber-existential threat”. Which equally as oddly tends only to be one of “four horsemen of the cyber-apocalypse” nations (of China, Iran, North Korea, Russia) at any one time.
Simple logic would dictate that even if it’s only four nations, they would not be coordinating their attacks so only one threatens the US at any time. Similarly it’s quite unlikely that it is only four nations. I would expect there to be many more nations some of which such as France, Germany, and Israel would be considered “friendly” or “partner” nations due to the old,
Keep your enemies close, but your friends closer…
PeaceHead • August 24, 2018 3:35 PM
Thanks for your reply, Clive. I think I understand what you are saying.
I have some similar educated opinions.
@ anyone and everyone with the inclination to ponder…
I think that there’s a pretty simple explanation of a lot of what could otherwise be overintellectualised or underintellectualised: modern-day Joe McCarthyism
It seems to me that there’s a campaign by the few to manipulate the many according to ideologies which don’t reflect enough of actual reality and it’s a dogma weaponised in only one direction and which rejects all scientific claims to the contrary.
But yeah, I somewhat agree with what you just said. There’s all this routine weighted finger pointing at the same 1-4 groups as if each group is monolithic and unanimous and devoid of any internal diversity whatsoever. It’s statistically impossible, however. It’s pretty much another form of politically generated xenophobia used to accomplish some type of unneeded and dangerous and unauthorised neowarfare.
As you implied, there’s much more going on than just 1-4 entities allegedly doing what maybe they sometimes did in the past. But NOW IS NOT THEN. The past does not predict the present nor the future. Even in statistics, this is true; the past doesn’t dictate the future. And ignoring all of the other world players and interlopers is just not scientific nor believable.
Furthermore, the evidence to the contrary to the mainstreamed garbage propaganda is partially buried every time. But our primary sources of “news” don’t actually usually broadcast news. They broadcast trivia and fearporn in 6 second segments without in-depth reporting nor error-correction. Most of the major outlets are in fact media megacorporations whose primary motivation is profit, and not cultural enlightenment nor news reporting. Propaganda suits them just as much as it suits advertisers trying to sell toxic waste to the masses.
And NPR and BBC are not devoid of plenty of bandwagon hollywood people magazine inane meaningless propagandistic theatre.
And many of the above regularly censor, intimidate, and detract from their more articulate and insightful callers during open-call types of shows which push for high numbers of calls answered rather than allowing diversity of opinions and insights. They will stall the whole show to play 2-5 or more minutes of pointless music 4 or more times an hour, but they won’t allow a smart phonecaller to complete his or her insights unless it fits whatever flavor of the month agenda they are pushing. Add to this some of their fake planted guests and “experts” and it’s not pretty.
It’s worth remembering that the CIA and other intel organizations reported have suffered low morale in recent years as well as low employment numbers as well as having to deal with the Trump administration being slow to hire key members while also kicking out and blocking some of the most important and often reputable members. And similar B.S. was happening to the FBI in a few ways.
So when it comes down to some supposed “unanimous decision” within the US intel, that’s based upon a severely deprecated pool of people, gutted of many of those who might know better and who might actually complain.
And let’s not forget the others who spontaneously resigned when the corruption elements bulldozed into place.
So the intel reports used to rationalise the weaponization of the american people are not based upon stable and high-integrity sources during a time of intellectual and technical accomplishment.
Instead they are based upon a much smaller, more fragmented, more weary, and sometimes corrupted or bullied residue of what used to be, relying upon much fewer sources in a climate of overt hostility and sabotage run by a group with high-correlation to groups who deny a lot of scientific knowledge, in order to grab more money and power and give it to the richest people who don’t even need any of it.
Meanwhile, we are encouraged to trust “Faceblank” and “Microshaft” as if they are security experts on geopolitics. They aren’t. Facebook is a pyramid scheme regularly ripping of people’s intellectual property content and personal information and turning all otherwise normal internet activity into mega marketing weaponised against everyone everywhere. They routinely lie and misdirect and try to dominate everything and everyone. Zuckerberg’s claims aren’t reliable and they have enough resources to manufacture plenty of B.S. just in time for the show. And let’s not forget when they knowingly manipulated people’s personal feed as part of unauthorized human experimentation in ways that tended to increase depression.
Microsoft has for several decades been possibly the dominant source of severe and proliferating security vulnerabilities, unnecessary internal corporate competition and encouraged internal employee project sabotage, mismanagement of end-user purchase rights, long-term negligence of end-user real-life software needs and wants, and they keep raising their prices while lowering their quality. All this while fostering increased dependence and built-in obsolescence and encouraging bad digital hygiene as a norm (their patches and patching systems are as bad as malware at times, and often create more problems than they fix). And their routine OS design is bloatware upon bloatware and is relied upon heavily by malware creators and hackers.
Both corporations are more like problem sources than problem solvers. Their financial success reflects cultural problems not security acumen.
OK, so some of you are wanting me to substantiate my claims: how about this? If you doubt me, look it up yourself. It’s not my responsibility to lead you to every daily, weekly, monthly, yearly source of enlightenment. The info is all around if you are open to it. If you don’t know where to look, do compound keyword searches of all the terms and ideas you can’t quite grasp and then cross-reference with books and conversations with people in your life who might be outside of your inner circle.
And don’t rely upon Google, for goodness sakes. There are now several alternative search engines which are superior and it’s good to routinely do an updated search for alternative search engines to gain more. And remember, the internet maxes out backtracking to about 1993. Most historical information is from 1992 and before that. So the internet can’t answer all your quesions despite how many books are shredded and lost by Google or anybody else.
But getting back to the ID attribution thing:
most people too tired and weary and distracted to know how to filter out the propaganda
education systems which pump out more consumers and consumerism than intellectuals
plenty of invasive opportunists of all types all jockeying for a chance to be on top and push their trash onto as many victims as possible (and they aren’t all politicians).
the dissenting intellectuals and scientists and common sense afficionados are blocked, filtered, demoted, insulted, undermined, ignored, rejected, ejected, sanctioned, censored, taxed, sabotaged, arrested, and sometimes even killed. Those who keep a low profile are relegated to waiting in hiding for an opportunity for accomplishment.
These are off the top of my head some of the synergistic reasons why we are being led possibly into WWIII by a handful of toxic idiots who just might in fact be pathologically addicted to both warfare and multiple forms of lying, cheating, and stealing.
I may lack the eloquence, but I don’t lack all of the insight.
SOME OF WHAT I LEARNED CAME FROM LIVING RIGHT NEXT TO AND INSIDE OF SOME OF THE REALMS OF THE PSYOPS-CREATORS AND KLEPTOCRATS.
So to much degree, I really can’t cite my sources and can’t clearly substantiate my claims because it could put decent lives at risk, including mine. I wasn’t the only decent person living amongst some of potential engineers of armageddon. Like I said, I left and I’m not going back. It’s not really a secret; if I’d have stayed, I would’ve been killed or lobotomised. One of the only reasons why I’m still alive now is because I’m not threatening and because I can act and because at times even I temporarily believed the utter bullsh*tstorm. And last but not least, some of the worst already had their way with me and they’re too busy exploiting plenty of others for both profit and folly to need me anymore.
I’ve been flushed down the tubes more times than I can count. They didn’t think I was smart enough to notice because their arrogance is on par with their ignorance. It would be a digression of me to mention this stuff, except that it actually is also within the field of security even as a vague anecdote because I’m a living result of multiple types of abuses of the system(s) and multiple types of congames and social hacks and multiple types of security holes in North American civilization itself.
But alas, I think next week I really will try to live up to my word and stay off this site for a month.
I have to remind myself of the seriousness of what happened to me also implies that the abusers of me are part of the continuum of abusers who are trying to get to potential acquaintances or former fellow citizens of mine who might actually work serious jobs doing serious int and mil and lawenf and other important stuff. I could easily just be collateral damage.
So I probably will try to avoid coming here for a while. Even if some folks aren’t after people I might have known or met somehow or been proximal to, I did have some interesting correspondences via this amazing thing called the Internet. I’ve certainly been hacked plenty of times and had my accounts and email accounts and phone services messed with pleny of times. I’ve had my postal mail interrupted and stolen plenty of times. I’ve had every residence I’ve ever lived in noticeably entered without permission several times. I’ve experienced hate crimes. I’ve experienced renditions.
But thankfully, I’ve also experienced some moments of joy and wonder and deep gratitude and shared humour, thankfully not all via the internet, but in person. It’s the people and nature of those moments that I need to protect along with myself and hopefully anybody else who might be at risk.
I might seem off topic, but those who understand what I’m alluding to probably know well enough how my experiences and ramblings do and don’t crossreference and corroborate some of the exact precise blog materials we have the luxury to ponder here. Also, I’m in the process of re-educating myself some survival skills for modern-day and future life. Most of this security stuff isn’t taught in schools, though it affects everyone somehow everywhere. Some call it security theory and practice, to me it’s more about safety theory and practice.
Even if I can’t affect every ridiculous issue spewed out by the world’s worst, I’d like to have a clue so if I ever get a chance to join the correct group at the correct time and contribute the correct resources I won’t have to hesitate to much.
Peace be with anyone with enough patience and insight to be reading all of this.
Pete Forman • August 29, 2018 9:39 AM
Multiple factors often are not, what I refer to as 1½FA. If your smartphone is compromised then the bad guys have access to your email, SMS, authenticator apps, etc.
Sam • September 5, 2018 9:47 AM
Here’s the big issue I xurrrntly see brewing in 2FA:
IT security pros are simultaneously deriding the use of SMS text / phone numbers as a 2FA option while telling everyone to use 2FA.
So where does that leave users? Apps and physical keys only? What if the person’s phone or key is stolen, and now they have no option to retrieve their 2FA? At least with SMS you can get your number assigned to a new SIM and eventually recover. High-security services which don’t offer recovery options without 2FA are bricked in this scenario.
The best play to balance these benefits, it seems, is making the SMS method more secure by implementing new procedures to stop port forwarding and SIM swapping scams.
jeff birks • June 25, 2019 12:09 PM
There is still a place for hardware tokens as one of the factors in authentication (small device that can attach to your keyring with a battery that lasts years).
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Thoth • August 22, 2018 6:14 AM
The use of MFA is used to supplement a weak 1st level authenticator. A weak supplementary authenticator does no good for an MFA scheme.
One good example of a bad 2nd FA is SMS OTP which many enterprises still insist on it’s use despite recent Reddit incident shows that SMS 2FA is not a good idea anymore and @Clive Robinson have warned of SMS 2FA problems long before Reddit incident.
If the 1st FA is strong, there is no need for other source of supplementary authentication.
The usual sales via “Compliance” a like GDPA, PDPA and whatever privacy regulations are for sales. Structuring a proper defense in-depth must go beyond these marketing hype backed by some blind compliance.