Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

D. Ebdrup posted:

I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself.
I'm half-convinced that would solve every problem with SMS 2FA that doesn't involve the targeted attacks, for example where accounts are stolen via social engineering.

I'm the non-targeted attack that relies on reading the SMS code from someone's locked phone.


BlankSystemDaemon
Mar 13, 2009



Volmarias posted:

I'm the non-targeted attack that relies on reading the SMS code from someone's locked phone.
I mean, I get what you're saying, but the point is that doing it via phone apps which require biometric locks straddles the 'something you own' and 'something you are' parts of MFA, so you end up with 3FA, not just 2FA.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

D. Ebdrup posted:

I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself.
I'm half-convinced that would solve every problem with SMS 2FA that doesn't involve the targeted attacks, for example where accounts are stolen via social engineering.

The big threat with SMS 2FA isn't somebody reading the code off your lock screen. If you're worried about that, just set your phone to not display SMS previews on the lock screen at all, which will stop exposing both SMS 2FA codes and that message from your ex that says "hey this is awkward but you might wanna get tested." More generally, starting off with "you have to find a way to get the person's phone in your hands" is not a feature of a strong attack.

The problem with SMS 2FA is that phone numbers are not strongly tied to hardware, people, or cryptographic secrets. Phone provider CSRs are willing to help an attacker with a SIM swap, because they're judged on fast resolutions and survey scores, not security. Anyone who can break into not-particularly-secure provider customer accounts can set up call forwarding, and many services that do SMS 2FA also wire it up to a "call me" option that reads the code over a text-to-speech engine. SS7 attacks can redirect incoming SMSes directly to an attacker using the same mechanisms that let your phone number work overseas, and larger-scale organized crime treats access to SS7 as a commodity. There are a lot of ways to compromise 2FA SMS before your phone is ever involved, and that's the reason that SMS is not a good 2FA mechanism.

Space Gopher fucked around with this message at 17:15 on Jul 4, 2020

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

D. Ebdrup posted:

I mean, I get what you're saying, but the point is that doing it via phone apps which require biometric locks straddles the 'something you own' and 'something you are' parts of MFA, so you end up with 3FA, not just 2FA.

I've written and re-written a response several times and each time it boils down to "What the hell are you even talking about here" so I'll just leave it at that.

BlankSystemDaemon
Mar 13, 2009



It's me, I'm the secfuck. :mad:

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yeah, SMS 2FA only if you have absolutely no other option; it's still just a risk.

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.

Space Gopher posted:

The big threat with SMS 2FA isn't somebody reading the code off your lock screen. If you're worried about that, just set your phone to not display SMS previews on the lock screen at all, which will stop exposing both SMS 2FA codes and that message from your ex that says "hey this is awkward but you might wanna get tested." More generally, starting off with "you have to find a way to get the person's phone in your hands" is not a feature of a strong attack.

The problem with SMS 2FA is that phone numbers are not strongly tied to hardware, people, or cryptographic secrets. Phone provider CSRs are willing to help an attacker with a SIM swap, because they're judged on fast resolutions and survey scores, not security. Anyone who can break into not-particularly-secure provider customer accounts can set up call forwarding, and many services that do SMS 2FA also wire it up to a "call me" option that reads the code over a text-to-speech engine. SS7 attacks can redirect incoming SMSes directly to an attacker using the same mechanisms that let your phone number work overseas, and larger-scale organized crime treats access to SS7 as a commodity. There are a lot of ways to compromise 2FA SMS before your phone is ever involved, and that's the reason that SMS is not a good 2FA mechanism.

They aren't great, but they are a hell of a lot better than no 2FA at all.


The biggest issue though is education & attitude. How do you expect someone who doesn't even set a lock pin on their phone to use it for 2FA?

Education can be kinda treated; as the infosec industry we do a really bad job of education imo. Attitude is a lot harder: some people won't bother acting until it's too late, and it's almost impossible to get through to them because of the "I don't have anything worth stealing, so why would I be hacked?" As they think the only thing hackers do is steal poo poo.

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people. :(

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Arsenic Lupin posted:

Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people. :(

Yeah we had to do a big education push at our office to inform users they should never reveal 2FA to anyone after we had someone share it with a phish.

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.

Arsenic Lupin posted:

Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people. :(

That could be done with literally any code though unfortunately. Social engineering is scarily easy.

Imo it should be included in more Pen Testing as if you have a lack of understanding from a people side of things then that's something I would want to know about.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Arsenic Lupin posted:

Apparently scammers are successfully getting naive users to send their SMS confirmation codes to them with the usual social engineering. "Did you get the number I just sent you" pulls in a lot of people. :(

You think that's scary? I know from experience there are banks with customer support that will trigger a 2FA auth and ask you to repeat it back to them to verify your identity. No, not a scammer. The actual customer support.

Raymond T. Racing
Jun 11, 2019

Cup Runneth Over posted:

You think that's scary? I know from experience there are banks with customer support that will trigger a 2FA auth and ask you to repeat it back to them to verify your identity. No, not a scammer. The actual customer support.

When working with phone support I'm not really sure what the better situation is.

I know Simple (my bank) does do this, but the phrasing of the message is "Your Simple verification code to provide to the Simple team member is xxxxxx", not just "Your Simple verification code to log in is xxxxxx".

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email .... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Arsenic Lupin posted:

My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email .... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Wells Fargo, an ocean full of piss, sounds about right.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Arsenic Lupin posted:

My bank, after repeatedly assuring me in email footers that they would never ask for private financial information in email .... asked for private financial information in email. I called and told them this was dumb. It's Wells Fargo, so I assume this was about as useful as pissing in the ocean.

Wells Fargo, so it checks out. As far as banks that make gross errors, they are top on my list.

some kinda jackal
Feb 25, 2003

 
 
I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Martytoof posted:

I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.

Yeah, I did that too when I moved back to Canada.

“So do you want to see ID?”
“Nah, that’s fine.”
:bang:

some kinda jackal
Feb 25, 2003

 
 
Yeah I moved my SIM to an e-Sim and the guy was like “ok what’s the phone number” and 30 seconds later gave me a QR code to scan

I was same. Want some ID? Nah.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Did the same thing when I moved from Sprint to T-Mobile. No proof of ID required, just a couple of digital signatures and I had my number transferred in less than 30 minutes.

Patch your F5s all

CommieGIR fucked around with this message at 04:04 on Jul 6, 2020

BlankSystemDaemon
Mar 13, 2009



:f5:

uniball
Oct 10, 2003

my lovely MSP got acquired by a much bigger and evidently much shittier firm recently. my new employer, a professional services and accounting firm, appends one of those dumbass “If someone emailed you this by accident you are somehow required to delete it” signatures to every out-of-domain email. somehow, incredibly, this happens after the DKIM signature is computed, so every single external email fails DKIM. cool
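The failure uniball describes (a disclaimer stapled on after the DKIM signature was computed) comes down to the body hash: the verifier recomputes bh= over what was delivered, and the footer changes it. The following is an added example, not code from the thread or any mail product; it implements RFC 6376 relaxed body canonicalization and the bh= check over a constructed message, and also shows the l= body-length tag, which tolerates appended text at a cost.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample message (not from the thread): the body as the sender's
# mail server signed it, and the disclaimer a gateway appended afterwards.
ORIGINAL_BODY = "Hi,\n\nPlease find the report attached.\n\nThanks\n"
APPENDED_DISCLAIMER = (
    "\n--\nIf you received this email by accident you are required to delete it.\n"
)


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 s3.4.4 'relaxed' body canonicalization: collapse runs of
    whitespace, strip trailing whitespace, drop trailing empty lines, CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str, length: Optional[int] = None) -> str:
    """The bh= value a signer puts in DKIM-Signature; with an l= tag only the
    first `length` canonical bytes are covered."""
    data = relaxed_body_canon(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def verify_bh(signed_bh: str, received_body: str,
              length: Optional[int] = None) -> bool:
    """Verifier side: recompute bh= over what was actually delivered."""
    return hmac.compare_digest(body_hash(received_body, length), signed_bh)


def demo():
    bh = body_hash(ORIGINAL_BODY)            # stamped into the signature
    delivered = ORIGINAL_BODY + APPENDED_DISCLAIMER
    fails = not verify_bh(bh, delivered)     # footer changed the body hash
    # A signer can set l= to the canonical body length so appended text is
    # ignored, but that also lets anyone else append content (RFC 6376 s8.2);
    # the real fix is to add the disclaimer before signing.
    l = len(relaxed_body_canon(ORIGINAL_BODY))
    survives = verify_bh(body_hash(ORIGINAL_BODY, l), delivered, l)
    return fails, survives
```

`demo()` returns `(True, True)`: the plain signature fails on the delivered message, while the l=-limited one passes. The right fix is to apply disclaimers on the host that signs, not on one downstream of it.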

some kinda jackal
Feb 25, 2003

 
 
Here's how this is going to go:

We didn't prioritize your patching because service isn't impacted

a bloo bloo bloo

droll
Jan 9, 2020

by Azathoth

uniball posted:

my lovely MSP got acquired by a much bigger and evidently much shittier firm recently. ... every single external email fails DKIM.

LOL imagine how much business they're losing.

Sickening
Jul 16, 2007

Black summer was the best summer.
Okay folks, a business under my parent company is wanting to use a security vendor based in the Ukraine. Would you say no based on the region alone?

Impotence
Nov 8, 2010
Lipstick Apathy

Sickening posted:

Okay folks, a business under my parent company is wanting to use a security vendor based in the Ukraine. Would you say no based on the region alone?

This depends on who your parent does business with, where they are based, etc.

Sickening
Jul 16, 2007

Black summer was the best summer.

Biowarfare posted:

This depends on who your parent does business with, where they are based, etc.

All US, only the US.

Impotence
Nov 8, 2010
Lipstick Apathy
How did this even come up in the vendor search unless they were nearly free?

Arivia
Mar 17, 2011

Biowarfare posted:

How did this even come up in the vendor search unless they were nearly free?

rudy giuliani is on the board of directors and he "knows a guy."

EssOEss
Oct 23, 2006
128-bit approved
Well, Stuxnet was first discovered by the Belarus IT security company VirusBlokAda. Shady slavs doing proper-tier cybersecurity in their mothers' basements is a real thing.

Impotence
Nov 8, 2010
Lipstick Apathy
I don't mean from a technical standpoint, if it's a large enough US company to own other companies and exclusively deals in the US, a Ukraine-based one seems just odd to be the first thing to turn to. I'd imagine the first crap to come up is whoever wines and dines you first from mcafee or fortinet or fireeye or something, while if you were in anywhere not-US or China (this will be 360 Antivirus malware itself) you'd default to the usual there like F-Secure or Kaspersky.

Defenestrategy
Oct 24, 2010

Sickening posted:

Okay folks, a business under my parent company is wanting to use a security vendor based in the Ukraine. Would you say no based on the region alone?

If you do any sort of government contracting that'd be a no-no in a lot of situations.

RFC2324
Jun 7, 2012

http 418

Defenestrategy posted:

If you do any sort of government contracting that'd be a no-no in a lot of situations.

I worked for a company that required government background checks for support ops, but outsourced chunks of their dev to Ukraine. :psyduck:

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

RFC2324 posted:

I worked for a company that required government background checks for support ops, but outsourced chunks of their dev to Ukraine. :psyduck:

There are actually a lot of really good dev outsource firms in the Ukraine, but yeah, I'd wonder about a security firm....

Not to say there aren't a lot of good security resources from and/or in Ukraine. There are. It's practically a hotbed of a lot of infosec stuff.

RFC2324
Jun 7, 2012

http 418

CommieGIR posted:

There are actually a lot of really good dev outsource firms in the Ukraine, but yeah, I'd wonder about a security firm....

Not to say there aren't a lot of good security resources from and/or in Ukraine. There are. It's practically a hotbed of a lot of infosec stuff.

It wasn't a security firm, it was a hosting firm that handled some government contracts. The Ukrainian firm was handling part of the interactions between UI and database, iirc (some piece of middleware), which was, in theory, innocuous, but I can imagine could have had back doors added.

I'm also paranoid in general so

some kinda jackal
Feb 25, 2003

 
 
So how is everyone's F5 patching going? Surely all SLAs for a CVSS 10 were met, right? :q:

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

Martytoof posted:

I would be 100% fine with SMS MFA if I hadn’t walked into a Rogers store last year and successfully SIM-jacked ... myself.
Same. Over the two decades of owning a cell-/smartphone, all the times I needed to replace a broken SIM card, I never had to show an ID or return the old SIM. Knowing the address to the phone number seemed sufficient to the customer rep.

CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.
How the gently caress do you break a Sim card?

RFC2324
Jun 7, 2012

http 418

CyberPingu posted:

How the gently caress do you break a Sim card?

Bite it to see if it's really made of gold?

The Fool
Oct 16, 2003


CyberPingu posted:

How the gently caress do you break a Sim card?

re-enacting a spy movie?


CyberPingu
Sep 15, 2013


If you're not striving to improve, you'll end up going backwards.

The Fool posted:

re-enacting a spy movie?

They said it so nonchalantly, as if it's something everyone does on a regular basis.
