Real-Time Attacks Against Two-Factor Authentication

Attackers are targeting two-factor authentication systems:

Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets' accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password.

This isn't new. I wrote about this exact attack in 2005 and 2009.

Posted on December 14, 2018 at 10:02 AM • 40 Comments

Comments

AJWMDecember 14, 2018 11:53 AM

The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages.

This is why you don't let your email client download images or follow web links. (Or ideally, interpret HTML at all.)

PNDecember 14, 2018 2:38 PM

Real-Time Attacks Against...
How did you select 2FA?
The text reads "used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security"
So was it not just another spear-phishing attack?

WeatherDecember 14, 2018 9:40 PM

I read your lies and outline, it was good, and the fishing eg,to quoted a eg, explained a lot,but some thing tested,hopefully not

WaelDecember 15, 2018 4:47 AM

Oh, this again!

We discussed this on many ocasions, but the single working neron in my head is not firing anymore... too tired to find all the links...

From The Failure of Two-Factor Authentication, March 15, 2005

Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet.

You need multi-entity authentication! As in Silicon-unit / Carbon-unit authentication.

From More on Two-Factor Authentication April 15, 2005 (a month later... strange.)

Of course it's a broken model. We have to stop trying to authenticate the person; instead, we need to authenticate the transaction:

First of all, transactions are (mostly) authenticated. HMACs, shared secrets, PKI, the works... Transactions are authenticated at various levels (JSON (encoding), Transport (Mutual TLS, for example - "where applicable") etc.) . But that's not a fool-proof solution either, although it's most definitely needed." Transaction authentication is "Necessary but not sufficient", in logician-speak. "Vector versus Tensor", in Mathematicians-speak (a bit of a stretch.) In Security-speak: Multi-entity authentication is a necessary condition.

So: Multi-entity, Multi-channel, Multi-Factor, Transaction authentication! Can it be cracked? Yes, of course... the barrier to entry is not insurmountable, but is rather formidable (given proper architecture, design, and implementation, and possibly utilization of PUFs) There remains one factor that's hard to fix: "idiocy"1 (no, not Idempotency -- which is needed)

[1] Not only the end user, but applies to the Security Architect, The code-cutter (oh, no!), and the Penetration tester, and the full chain of command. One moron in the chain, and all bets are off... All ot takes is one moron!

Moron: Someone who speaks with an 'air of authority' and beleives that the controls in place are fool-proof. A moron in this business is someone who doesn't wear a straitjacket ;)

Clive RobinsonDecember 15, 2018 9:55 AM

@ Wael,

Oh, this again!

It's a game started by idiots, kind of like the old and very juvenile "knock on the door and run away"...

In this version they post a factless insult devoid of context, so they can claim it means anything they want at a later date. Which is the surest clue that they don't have one...

However it forces some one to respond and as you can not cover all bases --except by calling them juvenile idiots-- you are at best in a "Draw-loose" position, thus it's not a sensible game to play unless they are rather more than idiots...

Speaking of which, if you look back in history they had a quite simple test for idiots or worse.

The physician would light a candle and put it in the middle of the table, he (they were always men in those days) would sit on the opposite side to the person being tested. The rest of the room would be both dark and quiet, to avoid distracting the person being tested.

The physician would take a gold coin like a Half Sovereign from his waist coat pocket, hold it up so that it attracted the eye of the person being tested. He would then put the edge of the coin in the candle flame to heat it up, when hot he would offer the coin to the person being tested.

If the person took the coin and burned themselves they were classified as an "Idiot".

The test would be repeated, if the person got burnt a second time they were clasified as a "Moron".

The test would then be repeated if the person was burnt a third time the the classification was "Imbecile".

In the texts I've seen nobody talks about the person being tested a fourth time or what they would be called.

But I've been pushed by one person on this blog into testing them more than half a dozen times, and they got burned on every occasion. I'm open to suggestions of what word would classify them?

But it does look like others want to que up and play the game, so maybe a list of further classification words is required?

I gues we could go to "doh-d'hker-hedjit" or some such for "the full dozen" if it were,to go that far :-S

WaelDecember 15, 2018 11:09 AM

@Clive Robinson,

But it does look like others want to que up and play the game, so maybe a list of further classification words is required?

The list has 42 classes, in alphabetical order:

Ape, Asinine, Boob, Boor, Brainless, Clod, Clown, Crackpot, Cretin, Delirious, Dense, Deranged, Different specimen, Dimwit, Donkey1 (I like that one), Dope, Dork, Dunce, Dunderhead, Fool, Freak, Goon, Idiot, Insane, Kook, Lunatic, Misfit, Mindless, Nitwit, Obtuse, Scatterbrain (you called me that, once upon a time,) Schmuck, Schnook, Scumbag, Simpleton, Stolid, Stooge, Twit, Unglued, Witless

And number 42: Bong-Smoking Primitive Monkey-Brained Spook. That has got to be the lowest of the low, hands down!

[1] Not sure if I told the story of the donkey and the ruler...

Clive RobinsonDecember 15, 2018 12:13 PM

@ Wael,

Not sure if I told the story of the donkey and the ruler...

Which one, I've been told several over the years.

On was even about getting a donkey down a Minaret...

WaelDecember 15, 2018 12:29 PM

@Clive Robinson,

On was even about getting a donkey down a Minaret

No! There was once a small-time trader who used his donkey for travels to and from Syria. There was a puddle in the path every time they traveled. One dry year, the puddle dried. But the donkey (symbol of stupidity, in some cultures) avoided the dry puddle and walked around it. The trader told his donkey: 'I swear you're smarter than the ruler of Levant

News reached the ruler that someone said the donkey is smarter than him. He summoned the poor guy, and said to him: did you really say that about me? The trader said: yes! So the ruler told him: explain to me what made you say that before I have your neck chopped.

The trader told him what the donkey did was pretty intelligent. Then he asked the ruler: what happened to the ruler before you? Ruler said: he was assassinated. The one before him? Assassinated, the one before him? Assassinated. Trader said: what do you think will happen to you?

Rumor has it, the ruler told him you're right! The donkey is more intelligent than me. He released him and resigned.

Clive RobinsonDecember 15, 2018 9:08 PM

@ Wael,

But the donkey avoided the dry puddle and walked around it

Was the trader sitting on the donkey facing the tail?

If not, he had trained the donkey well to remember just where the puddle was on the way to Syria?

If he was sitting facing the tail then the small-time trader was Mullah Nasruddin earning a little on the side ;-)

@ For those reading along,

Mullah Nasruddin is so famed he is claimed by atleast three countries, one of which is Turkey, for the rest of us he provides little insights to life, especially where donkeys are concerned. After all he mourned longer for the loss of his donkey than he did for his wife Fatima, even though she was a good cook and faithful wife...

One night there was a fearfull crashing and banging from Nasruddin's house. The following day his neighbor called across at him "Hey Nasruddin what was all that noise last night?" to which Nasruddin replied "Oh my coat, it fell down the stairs". The neighbor looking at the Mullah's coat said "What that coat there's nothing to it, how could it make such a fearfull noise?" to which Nasruddin said with pained eyes "Because it still had me in it".

A few days latter feeling somewhat eased Nasruddin was walking around the market, when an earnest young man came up to him and said "Mullah what side of a coffin should I carry". Nasruddin thought for a moment and advised the young man "Take the front left or right or even the rear left or right" paused whilst the young man looked confused and said with fealing "Take any side you like, as long as it's not the inside", nodded and walked off rubbing his back.

Still rubbing his sore back and having found his accustomed position in the market, Nasruddin stood there with a totaly vacant stare. Not long after a group of young men laughing and smiling come up to him, and offer him two coins, a big shiny one and a small dull one. Nasruddin takes the small one and much laughter is had amoungst the young men where upon a second young man offers two coins. And again Nasruddin takes the smaller coin. The young men laughing even more heartily wander off clapping each other on the back. As Nasruddin returns to standing with a vacant stare his friend comes up and says "Nasruddin, Nasruddin, why do you do this to yourself, why do you let them think you are an idiot?" To which the Mullah replies "If I take the large coin they will think I cheated them and get angry, if I take the small it makes them feel good all be it in a silly way" His friend says "But they think you are stupid" to which Nasruddin nods and smiles gently and asks "My friend which is better, one large coin of little worth and angry men, or a steady income from happy idiots?".

WaelDecember 15, 2018 11:44 PM

@Clive Robinson,

If not, he had trained the donkey well to remember just where the puddle was on the way to Syria?

I've never ridden a donkey. From what I hear, donkeys learn the path and the 'rider' doesn't have to direct them - they just go to their destination and follow the same route they took the first few times. So the rider could be facing any direction or even sleeping and the donkey (or the horse) will take him to the destination. You see that in some western movies, too. Call it auto-pilot. This link has a picture of him riding the donkey backwards (Figure-4.)

He did not tell the donkey to avoid the puddle. The donkey knew that by instinct.

especially where donkeys are concerned.

Oh, a lot more than that -- mostly made-up stories meant to be funny. He's known in Arabic as "Juha", and there're a few good stories related to him... I have a favorite one or two. Could not find them on the net, so I can't "story-cut" them ;)

Clive RobinsonDecember 16, 2018 4:03 AM

@ Wael,

This link has a picture of him riding the donkey backwards

Yup that's him "earning a bit on the side".

He thought it was rude not to face those who he was teaching, and as a leader always has to, well lead from the front, his reasoning said the only way to do both was sit backwards on his donkey... It's the sort of logic I like as it is a simple way to keep people happy ;-)

WaelDecember 16, 2018 4:57 AM

@Clive Robinson,

"earning a bit on the side"

Please disambiguate...

Brain is almost non-functional now! Waiting on a freaking sdcard clone operation to finish! It takes forever. That 'dd' command without the correctly tuned 'bs' (block size) operates in geological time-scales. Forth time already and it didn't boot. Worked a few weeks ago, but now after I've made some progress, it just won't work. Worked in the past with bs=10m which is an order of magnitude faster than the default block size. Now I am trying the incredibly slow default block size again: 6 hours writing a 32GB image to the SD-Card. A disaster waiting to happen :(

Downloaded a tool for cloning SD-cards, but the tool is asking for my admin password and says "we will not store it". Yea, right... Carbon Copy for MacOS says it may not support the latest Mavrick OS, and may cause data loss. They want $40 for upgrade...

Yea, and diskutil isn't working right either for that one. I guess I'll use diskutil to clone the sdcard one partition at a time. Seems Sunday is a goner too!

Oh, well. It's always something.

Pseudo-RaconteurDecember 16, 2018 1:26 PM

A simple google search turns up the likelihood that Clive made up his entire gold coin thing.

https://www.merriam-webster.com/words-at-play/moron-idiot-imbecile-offensive-history

"Idiot, imbecile, and moron were, not so long ago, used in a psychological classification system, and each one was assigned to a fairly specific range of abilities."

Idiots.—Those so defective that the mental development never exceeds that or a normal child of about two years.

Imbeciles.—Those whose development is higher than that of an idiot, but whose intelligence does not exceed that of a normal child of about seven years.

Morons.—Those whose mental development is above that of an imbecile, but does not exceed that of a normal child of about twelve years.

— Edmund Burke Huey, Backward and Feeble-Minded Children, 1912


I wonder how you would classify someone making up stories about this classification system...

Clive RobinsonDecember 16, 2018 7:48 PM

@ Pseudo-Raconteur,

... the likelihood that Clive made up his entire gold coin thing.

If it is fabricated then I'm not the one who made it up.

Back in the 1990's it was actually given by a Prof to students in a London institution as an example of how the various fields etc had moved on in the proffession and why. I've been told it by two different "Proffessionals" in the field who as far as I know were not related to each other. One I knew well enough socialy that they used to joke about why I could not be part of various tests being run out of a South London teaching hospital. They were perfectly aware that I am left handed hence "The trouble with you lefties are you are not wired up right" joke. Over a meal one evening they confirmed my suspicions that "the proffession" was quite deliberately only testing "right handed people" as policy. Apparently because they knew that left handed people mucked up their results for various reasons. Which if you are not one of the ~4/5ths --or whatever it is where you are and age range you are in[1]-- that are right handed is a tads worrying.

Next time I'm up in the Euston Rd during office hours with time on my hands I'll pop into the collection and have a chat with one of the curators assistants about looking it up in their records. They were quite helpfull a few years ago when I had some questions about the "Shrunken Head" process.

Oh the story about the Mullah and the two coins goes back to possibly medieval times. So there maybe an "apocryphal conjunction". I don't know but as the saying has it,

    Life imitates Art far more than Art imitates Life. (OW 1889)

As for searching on either Google or Wikipedia I've found not just significant historical gaps with Google significantly so for time periods prior to 1995, but also quite a few prior to 2005. Perhaps worse is that some people apparently get some value out of editing Wikipedia to point away from primary refrences. In atleast one case it was tracked down to a school teacher in East London who wanted their pupils to do "real research"... Others however are far worse which is one of the reasons a few years ago I spent quite a bit of time in the UK National Archives looking at primary sources with regards the "British Protectorates" that came about with the collapse of the Ottoman Empire.

Then of course as I've mentioned befor, there was the head of a University business school who tried to tell me I was wrong over a hacking incident in the UK...

Which by the way I had been in the middle of and personally knew all the players (Oh and had met HRH Prince Philip as well on another occasion a couple of years prior to that, but that as they say "Is a story for another day"). His mistakes were obvious he had looked it up via Google... Instead of consulting actual court records or speaking to those involved. He later stood as an MP and the electorate did themselves a favour, such that I think he lost his deposit...

But if I was you I would just do a google search on historic mental tests and coins. It turns up next to nothing... Which is odd because we know from historic records including a supreme court case (buck v. Bell) that they are used to test people. Even today waving a bright coin or similar shiny object at a six month old or more child is used as a measure of alertness an mental processing capacity, which is assessed by the childs eyes following or hand reaching out. If you try to widen the search you are likely to end up reading about punctured lungs.

Part of the problem appears to be because of the likes of Arthur Estabrook, who in the begining of the 20th Century was recognized expert in eugenics, and committed to the view that sterilisation laws was the way forward. This was then a quite common view back then both Woodrow Willson and Theodore Roosevelt were very much believers in it the former quite happy to sign such ideas into state law. With upwards of 30,000 forced sterilisations in the US and with obvious links to the same things going on in much of Europe it's a very dark chapter in twentieth century Western history which has been effectively "edited out". In essence the revised history points eugenics, sterilisation and euthanasia as a thing peculiar and distinct to Nazi Germany under Hitler, thus codified with "extream evil". When in fact it was extreamly popular in the US with side shows at county fairs and the likes, so for that matter "National Socialist" morals and ethics...

Because of that you might find it hard to get search results out of Google thus finding out about the "feeble minded" and the "alienists" that managed the "reservations" harder than it should be.

But to save you a little time try downloading,

https://www.forgottenbooks.com/it/download/TheIntelligenceoftheFeebleMinded_10066916.pdf

And start reading at page 60, then ask yourself what the difference between a hot coin and a naked flame for testing?

You might then start to see why such information got "buried away" after WWII, after all it's hard to hold somebody up as extreamly evil when your own researchers and doctors were doing much the same thing...

[1] There once was a claim that a study of Apple's design teams showed that the population was inverted with only 1/5th being right handed. If you search hard enough you will find that Steve Jobs actually said as much in an interview with,

    And most of them are also left-handed, whatever that means. Almost all of the really great technical people in computers that I’ve known are left-handed. Isn’t that odd?

However I suspect that may not have been the case for a while as google searches predominantly bring up the likes of,

https://www.cnet.com/news/apple-criticized-by-left-handed-org-over-iphone-4/

From 2010 and a half decade later,

https://m.mic.com/articles/125883/iphone-6s-6s-plus-ios-9-causing-problems-for-left-handed-users

Clive RobinsonDecember 16, 2018 8:06 PM

@ Pseudo-Raconteur,

I wonder how you would classify someone making up stories about this classification system...

Well firstly how would you describe a US Researcher putting a flame up somebodies nose back at the begining of the twentieth century?

Which you can now see has a quite factual basis behind it, unless you think that report is made up?

So "Making up stories" hmm the method with the coin I was told appears to be a little more humane. But some US folk might think otherwise.

Oh and before I forget,

    Old wine in new bottles?

Rach ElDecember 16, 2018 8:10 PM

Clive

A book I happen to own is available to read online for free (legally, with permission) - it contains a whole chapter dediated to Mulla Nasrudin, explaining the depths and context of the stories that far surpass superfical humour or moral value, and include the capacity for Arabic code in the original versions. They are designed to awaken and stimulate conciousness but this is obviously lost on most.

Your tale of the donkey is in fact discussed in the chapter.

https://idriesshahfoundation.org/read-online/the-sufis/

By the same author, 'Exploits of the Incomparable Mulla Nasrudin' also available in the same fashion, below

https://idriesshahfoundation.org/read-online/exploits/

Clive RobinsonDecember 16, 2018 8:31 PM

@ Wael,

Please disambiguate...

Well in the stories teaching is not the way he earns his living. But sitting on the back of a donkey is something he does alot. One story explains his logic for sitting backwards on the donkey to teach, as it would be rude not to face his audiance and leaders must lead from the front.

Thus logic would also dictate that unless he were a fool, he trusted where his donkey was going. Thus again by logic, he must have spent a lot more time teaching the donkey, than his audience. So compared to teaching the donkey teaching the audience was just "earning a bit on the side".

With regards your card issue most likely the actual storage chips have ~2Kbit rows, which need setting back to all ones to erase which is a slow process at the best of times (10mS a row on some chips). However clearing the bits to store data is an order or so of magnitude faster... The problem you have is of course the "MiTM" in this case being a "microcontroler". It will have some "wear leveling algorithm" that could be set for longevity or speed but I suspect not both...

Speaking of "wear" some persons just do not give up no matter how often they get burnt... Maybe I should sit backwards on a donkey and charge the old wine one hundred silver coins for each lesson...

As you say,

    Oh, well. It's always something.

WaelDecember 16, 2018 9:26 PM

@Clive Robinson,

teaching the audience was just "earning a bit on the side".

Somehow I correlated it to money... I get it now :)

With regards your card issue most likely the actual storage chips ...

In addition to what you say, I found out that the models are different even though they are the same size. Checked the original file against the backup file (dumped both files from the two cards) and there was a few bytes difference. Ordered a new set from Amazon, hopefully they'll be from the same "lot". I'll do something else until they arrive...

Speaking of "wear" some persons just do not give up no matter how often they get burnt... Maybe I should sit backwards on a donkey and charge the old wine one hundred silver coins for each lesson...

Donkeys are seldom affluent ;)

@Pseudo-Raconteur,

I wonder how you would classify someone making up stories about this classification system...

You came to the right place. The list has, you guessed it, 42 classes *snort*, in alphabetical order:

Accomplished, Adept, Alert, Analytical, Artful, Astute, Brain, Bright, Brilliant, Cerebral, Cognitive, Crafty, Creative, Cultured, Educated, Enlightened, Exceptional, Expert, Highbrow, Informed, Intellectual, Inventive, Keen, Knowing, Learned, Methodical, Original, Polished, Profound, Rational, Resourceful, Sage, Savant, Savvy, Scientific, Sharp, Shrewd, Slick, Studious, Versed, Wise ;)

WaelDecember 16, 2018 9:52 PM

@Rach El,

Took a glance at both books. Too bad there isn't search functionality, or is there? Does the book have the story of the nail and the house, or Juha (Mullah Nasruddin1) and his neighbor's clay pots?

[1] Just in case you wondered, the name has a meaning: 'Mulla' is a word used in certain countries to mean "Scholar in religion", Clergy, sometimes equivalent to "Sheikh" in other countries - but there are countries that make a distinction between the two "titles". Mulla is usually a title, but sometimes is also a last name.

As for "Nasruddin", it's a compound name made up of two words: Nasr and Al Deen. Nasr = Victory or Support, Al Deen roughly means "Religion". A familiar name would be Salah El Deen -- known in the west as Saladin. Salah, means success or correctness. Aladdin (and the magic lamp) is also: Ala' El Deen ... Ala' being "Hight" or "Apex"...

As for the author's name:

(Prophet) 'Idris' is most likely the Arabic name of 'Enoch'
'Shah', is known: it means 'King', in Persian. (Checkmate1 in Chess comes from 'Shah matt'. 'Matt' In Arabic means 'died'.) I could go on, but I'll stop here.

[1] What did the Australian customer tell the waiter, after he finished his dinner? :)

Bong-Smoking Primitive Monkey-Brained SpookDecember 17, 2018 3:03 AM

And number 42: Bong-Smoking Primitive Monkey-Brained Spook. That has got to be the lowest of the low, hands down!

I beg to differ, Sir(1). Quite the contrary... I'm the highest of the high :)

[1] I'm using the word very loosely here and could be prosecuted for torturing it's meaning. But I have an out of jail card: I was hallucinating, right? Right!

Major MephistophelesDecember 17, 2018 3:35 AM

BSPMBS

I meant Parsi, sorry.
They speak Farsi - which you probably know?


you seem like a nice chap anyway


Bong-Smoking Primitive Monkey-Brained SpookDecember 17, 2018 3:50 AM

@Major Mephistopheles:

you may be related to this Farsi fellow

Dude / Dudess! Don't give me the first link on a Google search of "Highest of the high". Be a little subtle about it: third or fourth link may work ;)

They speak Farsi - which you probably know?

Nah, I know next to zero about Farsi. I know like a couple dozen words and two or three expressions.

you seem like a nice chap anyway

And you're not such a devil yourself! But pitch-fork wielding Mephisto thinks I am nice!?! Not sure how to take that. Thank you either way.

Denton ScratchDecember 17, 2018 9:19 AM

@Clive
"editing Wikipedia to point away from primary refrences."

Wikipedia doesn't much like primary sources. They're better than no sources, but secondary sources are preferred. The problem is that it requires expertise to evaluate a primary source - Does the author know what he is talking about? Do his results stand up to scrutiny? Does his work support the claim made in then article?

Wikipedia is edited by amateurs, not by experts. That means that edits are also reviewed by amateurs. Edits that rely on primary sources are therefore hard to review.

Secondary sources, such as textbooks and review articles, are preferred because it means a Wikipedia reviewer only has to check the reliability of the secondary source, not the research technique and honesty of the original primary source, nor does he need the expertise to interpret it. That normally just means checking that the publisher of the secondary work is reputable.

I think that is a pretty sensible preference for an encyclopaedia that anyone can edit. It's why Wikipedia has a reputation for being mean to experts; it's true, experts do get a hard ride, especially if they rely on their expertise, and not on good sources.

Incidentally, I find Wikipedia to be a pretty good resource, as long as you stay away from subjects that are largely a matter of opinion, such as politics, international conflicts, and especially Israel/Palestine - all articles on Israel/Palestine are closely patrolled by terrifying demons.

Denton ScratchDecember 17, 2018 9:34 AM

I first came across Mullah Nasr-Uddin (or Nasrudin if you prefer) in a book by the Georgian mystic Gurdjieff, called Beelzebub's Tales To His Grandson. It's a very strange book. I only opened it because of that title.

Ah, I see that Wikipedia reckons he was Armenian-Greek, not Georgian. OK, I'll go with Armenian-Greek. Whatever - he lived among Georgians (and Tatars and Circassians, and generally a very diverse Caucasian population).

Clive RobinsonDecember 17, 2018 11:12 AM

@ Rach El,

A book I happen to own

Ahh, so you have a little "book of smiles" style entertainment that could also last you a life time of nuggets of wisdom.

Clive RobinsonDecember 17, 2018 11:31 AM

@ Denton Scratch,

Wikipedia doesn't much like primary sources. They're better than no sources, but secondary sources are preferred.

I realy don't like secondary sources as we see things like we did a day or so ago when a Newspaper title substituted "won't" for "can't" and changed the whole sense of an argument about Signals developers position.

As for the old protectorates, yeah, you have no choice but to go back to the old Gov Records, they are about as close to contemporaneous records as you can get, which is all you can count on due to "much meddling". Every few years a few more records get released at the UK National Records office, and a few more "wrong suppositions" get chalked off with a flurry of more nonsense...

QuestionDecember 17, 2018 4:03 PM

This is an interesting case. A practical example showing the shortcomings of 2FA.

However would something like a yubikey (those devices from yubico.com) have protected against this?

Or is there a possible scenario where yubikey would not protect the user but which would also not depend on taking over a persons computer (e.g. using a trojan) or intercepting the network connectivity (i.e. man-in-the-middle attack)?

Rach ElDecember 17, 2018 6:12 PM

Wael

Appreciate the linguistic insights. I knew about half of that. Amir also is a version of King, in Farsi

The two foundational, seminal Idries Shah books to read first are
The Sufis and The Way of the Sufi.

https://idriesshahfoundation.org/books/the-sufis/

You'll find the chapter dedicated to discussing Nasrudin, on page 69
This is the same book discussing Arabic as a code, I referred to.
And:

https://idriesshahfoundation.org/books/the-way-of-the-sufi/

Which of course are most desireable in hard copy and not expensive at all

In exchange for the gift of freely consuming these many texts by the author

https://idriesshahfoundation.org/books-tag/ebook/

looks like we are stuck with java script, admittedly it's not too cumbersome but
no visible search function without hinky thinking.

Here is another Nasrudin book in same context.

https://idriesshahfoundation.org/books/the-pleasantries-of-the-incredible-mulla-nasrudin/


[1] What did the Australian customer tell the waiter, after he finished his dinner?

That was the best vegemite sandwich I ever had?

I don't know but can't wait to find out. I am hoping it included the words Ass Access.
(Sorry. That was the one redeeming feature of this excellent video on the new Australian Snoopers legistlation. They just kept saying it)

https://youtu.be/AzdiPg4DfKU

WaelDecember 17, 2018 6:23 PM

@Rach El,

That was the best vegemite sandwich I ever had?

What's the word that took you to the footnote? :)

WaelDecember 17, 2018 8:41 PM

@Rach El,

'Shah', is known: it means 'King', in Persian. (Checkmate1 [...]

Check, mate!

He's done with dinner and ready to pay the bill :)

Rach ElDecember 17, 2018 10:23 PM

Wael

you inventing a new Radix dawg! Your post had two 1's !
great joke though.

In Australia it would be Chequemate. (you'd only hear the Q if you listened closely to the sound the tongue makes against the palate, though. Hard in a noisy restaurant)

Clive RobinsonDecember 18, 2018 5:13 AM

@ Wael, Rach El,

[1] What did the Australian customer tell the waiter, after he finished his dinner?

That is a typical "pune" for you...

Any way as you live in the US of Hay, where things "are done different"... In the UK and the last time I was there many many years ago in Aus you would ask for the "Bill" and pay with a "Cheque" (why you have this backwards in the US is one of life's little mysteries ;-)

And yes there are "Bill mate" jokes a certain Aus who moved to the US who then got falsely detained by the Aus Gov Tax Office after his mothers funeral, made a few in his early days as a comedian.

https://www.theguardian.com/film/2011/jan/06/paul-hogan-sue-australia-tax-inquiry

NorioDecember 18, 2018 3:16 PM

This isn't new. I wrote about this exact attack in 2005 and 2009.
Thank you, thank you for not writing "exact same attack"!

GuidoDecember 22, 2018 5:08 PM

"""Once a target enters a password on what she believes is the authentic Gmail or Yahoo Mail site, she will either open the 2fa app as instructed"""

The moment that the target believes the site is authentic it's game over.

I came up with a protocol that frees the user of doing site-authentication.

I call it Eccentric Authentication. Feel free to read my blogs at https://eccentric-authentication.nl/


Dee L.January 2, 2019 1:13 PM

Can someone explain, other than clicking a link, how 2fa may be breached? I am interested in more specific details. I understand from reading some links that a security key offers the most bonafide 2fa protection, but how are these other apps (gmail) particularly failing in their methods as a stand alone procedure? I don't want to go through all these hoops if they're useless or provide a false sense of security.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.