D. Ebdrup posted: I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself.

I'm the non-targeted attack that relies on reading the SMS code from someone's locked phone.

Jul 4, 2020 15:33
Volmarias posted: I'm the non-targeted attack that relies on reading the SMS code from someone's locked phone.

Jul 4, 2020 15:37
D. Ebdrup posted: I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself.

The big threat with SMS 2FA isn't somebody reading the code off your lock screen. If you're worried about that, just set your phone to not display SMS previews on the lock screen at all, which will stop exposing both SMS 2FA codes and that message from your ex that says "hey this is awkward but you might wanna get tested." More generally, starting off with "you have to find a way to get the person's phone in your hands" is not a feature of a strong attack.

The problem with SMS 2FA is that phone numbers are not strongly tied to hardware, people, or cryptographic secrets. Phone provider CSRs are willing to help an attacker with a SIM swap, because they're judged on fast resolutions and survey scores, not security. Anyone who can break into not-particularly-secure provider customer accounts can set up call forwarding, and many services that do SMS 2FA also wire it up to a "call me" option that reads the code over a text-to-speech engine. SS7 attacks can redirect incoming SMSes directly to an attacker using the same mechanisms that let your phone number work overseas, and larger-scale organized crime treats access to SS7 as a commodity.

There are a lot of ways to compromise 2FA SMS before your phone is ever involved, and that's the reason that SMS is not a good 2FA mechanism.

Space Gopher fucked around with this message at 17:15 on Jul 4, 2020

Jul 4, 2020 15:41
D. Ebdrup posted: I mean, I get what you're saying, but the point is that doing it via phone apps which require biometric locks straddle the 'something your own' and 'something you are' part of MFA, so you end up with 3FA, not just 2FA.

I've written and re-written a response several times and each time it boils down to "What the hell are you even talking about here" so I'll just leave it at that.

Jul 4, 2020 15:42
It's me, I'm the secfuck.
Jul 4, 2020 15:59
Yeah, SMS 2FA only if you have absolutely no other option; it's still just a risk.

Jul 4, 2020 17:27
Space Gopher posted: The big threat with SMS 2FA isn't somebody reading the code off your lock screen. If you're worried about that, just set your phone to not display SMS previews on the lock screen at all, which will stop exposing both SMS 2FA codes and that message from your ex that says "hey this is awkward but you might wanna get tested." More generally, starting off with "you have to find a way to get the person's phone in your hands" is not a feature of a strong attack.

They aren't great but they are a hell of a lot better than no 2FA at all. The biggest issue though is education & attitude. How do you expect someone who doesn't even set a lock pin on their phone to use it for 2FA? Education can be kinda treated; as the infosec industry we do a really bad job of education imo. Attitude is a lot harder; some people won't bother acting until it's too late and it's almost impossible to get through to them because of the "I don't have anything worth stealing so why would I be hacked", as they think the only thing hackers do is steal poo poo.

Jul 4, 2020 17:30
Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.
Jul 4, 2020 20:50
Arsenic Lupin posted: Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.

Yeah we had to do a big education push at our office to inform users they should never reveal 2FA to anyone after we had someone share it with a phish.

Jul 4, 2020 21:48
Arsenic Lupin posted: Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.

That could be done with literally any code though, unfortunately. Social engineering is scarily easy. Imo it should be included in more pen testing, as if you have a lack of understanding from a people side of things then that's something I would want to know about.

Jul 5, 2020 06:41
Arsenic Lupin posted: Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people.

You think that's scary? I know from experience there are banks with customer support that will trigger a 2FA auth and ask you to repeat it back to them to verify your identity. No, not a scammer. The actual customer support.

Jul 5, 2020 06:47
Cup Runneth Over posted: You think that's scary? I know from experience there are banks with customer support that will trigger a 2FA auth and ask you to repeat it back to them to verify your identity. No, not a scammer. The actual customer support.

When working with phone support I'm not really sure what the better situation is. I know Simple (my bank) does do this, but the phrasing of the message is "Your Simple verification code to provide to the Simple team member is xxxxxx", not just "Your Simple verification code to log in is xxxxxx".

Jul 5, 2020 21:36
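Two ideas in this thread fit together: D. Ebdrup's suggestion that an OTP text carry a recognisable label (or metadata) so the OS can redact the code on the lock screen, and the point above that a code's message should say what it is for ("to provide to the team member" versus "to log in"). The Python below is an added illustration, not code from the thread or from any carrier, OS or bank; it assumes the trailing `@host #code` line of the WICG "origin-bound one-time codes" draft as the metadata format (that syntax is my assumption, not something the thread states) and constructs its own sample messages. It shows a lock-screen preview that keeps the purpose label but hides the digits, and an autofill check that only offers the code to a page whose host matches the one embedded in the message.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed syntax of the origin-bound OTP trailer line: "@<host> #<code>".
OTP_TRAILER = re.compile(r"^@(?P<host>[a-z0-9.-]+) #(?P<code>[0-9A-Za-z]+)$")
# Purpose label on the first line, e.g. "Authentication code (support call) for ...".
PURPOSE_LABEL = re.compile(r"^Authentication code \((?P<purpose>[^)]+)\) for ")


@dataclass(frozen=True)
class Otp:
    host: str      # site the code is bound to
    code: str      # the one-time code itself
    purpose: str   # what the code is for: "login", "support call", ...


def build_message(host: str, code: str, purpose: str) -> str:
    """Compose an SMS that is both human-readable and machine-parseable.

    The first line states the purpose up front (the 'Authentication Code:'
    idea); the last line is the machine-readable origin-bound trailer.
    """
    return (f"Authentication code ({purpose}) for {host}: {code}\n"
            f"\n"
            f"@{host} #{code}")


def parse_message(text: str) -> Optional[Otp]:
    """Return the embedded Otp, or None when the SMS is not an OTP message."""
    lines = text.rstrip("\n").split("\n")
    trailer = OTP_TRAILER.match(lines[-1])
    if trailer is None:
        return None
    label = PURPOSE_LABEL.match(lines[0])
    purpose = label.group("purpose") if label else "unspecified"
    return Otp(host=trailer.group("host"), code=trailer.group("code"), purpose=purpose)


def lock_screen_preview(text: str) -> str:
    """What a locked device should display: the label and host, never the digits."""
    otp = parse_message(text)
    if otp is None:
        return text  # ordinary SMS; subject to the user's normal preview setting
    return f"Authentication code ({otp.purpose}) for {otp.host}: ••••••"


def autofill_candidate(text: str, page_host: str) -> Optional[str]:
    """Offer the code for autofill only when the page's host matches the trailer.

    A look-alike host gets nothing, which is the point of binding the code
    to an origin instead of relying on the user to compare domains.
    """
    otp = parse_message(text)
    if otp is None or otp.host != page_host:
        return None
    return otp.code


if __name__ == "__main__":
    # Constructed sample, not a real bank message.
    msg = build_message("bank.example", "482913", "support call")
    print(msg)
    print("lock screen:", lock_screen_preview(msg))
    print("autofill on bank.example:", autofill_candidate(msg, "bank.example"))
    print("autofill on bank-login.example:", autofill_candidate(msg, "bank-login.example"))
```

The purpose label is for the human reading the message: a code sent for a support call says so, and a code sent for a login says that, which is the distinction the Simple wording draws. The trailer is for the device: the preview logic keys off it rather than off free-text matching, so a message without it is treated as an ordinary SMS.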
My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email .... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.
Jul 5, 2020 22:15
Arsenic Lupin posted: My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email .... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Wells Fargo, an ocean full of piss, sounds about right.

Jul 5, 2020 22:20
Arsenic Lupin posted: My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email .... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Wells Fargo, so it checks out. As far as banks that make gross errors, they are top on my list.

Jul 5, 2020 22:36
I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.
Jul 6, 2020 00:12
Martytoof posted: I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.

Yeah, I did that too when I moved back to Canada. “So do you want to see ID?” “Nah, that’s fine.”

Jul 6, 2020 00:14
Yeah, I moved my SIM to an e-SIM and the guy was like “ok what’s the phone number” and 30 seconds later gave me a QR code to scan. I was the same: Want some ID? Nah.

Jul 6, 2020 00:54
Did the same thing when I moved from Sprint to T-Mobile. No proof of ID required, just a couple of digital signatures and I had my number transferred in less than 30 minutes.

Patch your F5s all

CommieGIR fucked around with this message at 04:04 on Jul 6, 2020

Jul 6, 2020 03:03
Jul 6, 2020 08:51
my lovely MSP got acquired by a much bigger and evidently much shittier firm recently. my new employer, a professional services and accounting firm, appends one of those dumbass “If someone emailed you this by accident you are somehow required to delete it” signatures to every out-of-domain email. somehow, incredibly, this happens after the DKIM signature is computed, so every single external email fails DKIM. cool
Jul 6, 2020 09:09
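The DKIM failure described above comes down to ordering: the signer records a hash of the body in the `bh=` tag, so anything a downstream gateway appends after signing changes the body the receiver hashes. The Python below is an added illustration, not code from the poster's employer or from any DKIM library; it implements RFC 6376's "relaxed" body canonicalization and body hash on a constructed message body and constructed footer, then compares the two orders (footer before signing versus footer after signing) so you can see which one survives verification.

```python
import base64
import hashlib
import re

# Constructed sample body; not a real message from the thread.
ORIGINAL_BODY = (
    "Hi team,\r\n"
    "\r\n"
    "The Q3 invoices are attached.  Let me know if anything\tlooks off.\r\n"
    "\r\n"
    "-- \r\n"
    "uniball\r\n"
    "\r\n"
)

# Constructed legal footer of the kind a gateway bolts onto outbound mail.
DISCLAIMER = (
    "\r\n"
    "This message is confidential. If you received it by accident you are\r\n"
    "required to delete it and notify the sender.\r\n"
)


def relaxed_body_canon(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    - runs of SP/HTAB inside a line collapse to a single SP
    - trailing whitespace on each line is removed
    - empty lines at the end of the body are removed
    - every remaining line ends in CRLF
    """
    lines = re.split(r"\r\n|\n", body)
    canon = []
    for line in lines:
        line = re.sub(r"[ \t]+", " ", line)
        canon.append(line.rstrip(" \t"))
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return ""
    return "\r\n".join(canon) + "\r\n"


def body_hash(body: str) -> str:
    """The value a signer puts in bh= (relaxed canon, SHA-256, base64)."""
    digest = hashlib.sha256(relaxed_body_canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def receiver_accepts(bh_tag: str, wire_body: str) -> bool:
    """The receiving MTA recomputes bh over the body it actually got."""
    return body_hash(wire_body) == bh_tag


def deliver(footer_added_after_signing: bool) -> bool:
    """Simulate one outbound message and return whether the bh check passes."""
    if footer_added_after_signing:
        # The signer hashes the bare body; the gateway appends the footer later.
        bh_tag = body_hash(ORIGINAL_BODY)
        wire_body = ORIGINAL_BODY + DISCLAIMER
    else:
        # The footer is applied first, so the signer hashes what will be sent.
        wire_body = ORIGINAL_BODY + DISCLAIMER
        bh_tag = body_hash(wire_body)
    return receiver_accepts(bh_tag, wire_body)


if __name__ == "__main__":
    print("footer appended after signing, bh matches:", deliver(True))
    print("footer applied before signing, bh matches:", deliver(False))
```

Relaxed canonicalization forgives whitespace changes and trailing blank lines, which is why the original body and the same body with one more blank line hash identically, but it does not forgive added text: the footer's lines enter the hash, and every message fails. The fix is to move the disclaimer step ahead of the signing step in the mail flow, and the quick check from the receiving side is whether the DKIM failure reports a body hash mismatch rather than a signature mismatch.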
Here's how this is going to go: We didn't prioritize your patching because service isn't impacted a bloo bloo bloo
Jul 6, 2020 14:11
uniball posted: my lovely MSP got acquired by a much bigger and evidently much shittier firm recently. ... every single external email fails DKIM.

LOL imagine how much business they're losing.

Jul 6, 2020 17:25
Okay folks, a business under my parent company is wanting to use a security vendor based in the Ukraine. Would you say no based on the region alone?
Jul 6, 2020 17:42
Sickening posted: Okay folks, a business under my parent company is wanting to use a security vendor based in the Ukraine. Would you say no based on the region alone?

This depends on who your parent does business with, where they are based, etc.

Jul 6, 2020 18:31
Biowarfare posted: This depends on who your parent does business with, where they are based, etc.

All US, only the US.

Jul 6, 2020 18:31
How did this even come up in the vendor search unless they were nearly free?

Jul 6, 2020 18:36
Biowarfare posted: How did this even come up in the vendor search unless they were nearly free

rudy giuliani is on the board of directors and he "knows a guy."

Jul 6, 2020 18:45
Well, Stuxnet was first discovered by the Belarus IT security company VirusBlokAda. Shady slavs doing proper-tier cybersecurity in their mothers' basements is a real thing.
Jul 6, 2020 18:52
I don't mean from a technical standpoint, if it's a large enough US company to own other companies and exclusively deals in the US, a Ukraine-based one seems just odd to be the first thing to turn to. I'd imagine the first crap to come up is whoever wines and dines you first from mcafee or fortinet or fireeye or something, while if you were in anywhere not-US or China (this will be 360 Antivirus malware itself) you'd default to the usual there like F-Secure or Kaspersky.
Jul 6, 2020 19:00
Sickening posted: Okay folks, a business under my parent company is wanting to use a security vendor based in the Ukraine. Would you say no based on the region alone?

If you do any sort of government contracting that'd be a no-no in a lot of situations.

Jul 6, 2020 19:06
Defenestrategy posted: If you do any sort of government contracting that'd be a no-no in a lot of situations.

I worked for a company that required government background checks for support ops, but outsourced chunks of their dev to Ukraine.

Jul 6, 2020 19:53
RFC2324 posted: I worked for a company that required government background checks for support ops, but outsourced chunks of their dev to Ukraine.

There are actually a lot of really good dev outsource firms in the Ukraine, but yeah, I'd wonder about a security firm.... Not to say there isn't a lot of good security resources from and/or in Ukraine. There is. It's practically a hotbed of a lot of infosec stuff.

Jul 6, 2020 21:12
CommieGIR posted: There is actually a lot of really good dev outsource firms in the Ukraine, but yeah I'd wonder about a security firm....

it wasn't a security firm, it was a hosting firm that handled some government contracts. The Ukrainian firm was handling part of the interactions between UI and database, iirc (some piece of middleware), which was, in theory, innocuous, but I can imagine could have back doors added. I'm also paranoid in general so

Jul 7, 2020 08:22
So how is everyone's F5 patching going? Surely all SLAs for a CVSS 10 were met, right?
Jul 7, 2020 13:41
Martytoof posted: I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.

Jul 7, 2020 17:04
How the gently caress do you break a Sim card?
Jul 7, 2020 18:14
CyberPingu posted: How the gently caress do you break a Sim card?

bite it to see if its really made of gold?

Jul 7, 2020 18:21
CyberPingu posted: How the gently caress do you break a Sim card?

re-enacting a spy movie?

Jul 7, 2020 18:24
The Fool posted: re-enacting a spy movie?

They said it so nonchalantly, as if it's something everyone does on a regular basis.

Jul 7, 2020 18:42