This week in computer security

With that Twatter story, just to add to that a bit about 2FA (2 factor authentication), because that's how they got these phone numbers; by making a texted authentication necessary for "security". There's a bit of debate around 2FA, with some saying it's a scam, and others saying that's stupid FUD, because it's great for security.

The thing is, in principle it is great for security… but it can be implemented in a disingenuous way that is also about getting valuable identifying information, like your phone number.

Texting a verification to a phone number is actually a terrible way of doing 2FA. There are completely open source solutions (like Aegis) that work using a system called TOTP. The idea of that app is that the two systems - you and the system you're logging into - don't need to communicate or know anything about each other, as long as you have exchanged encryption keys. Then, both parties can agree on codes based on their key and the current time, without communicating at all.

That's where 2FA is a great idea pretty much everywhere, and these buggers know that very well.
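The scheme the post describes, as an added example (this is not code from the post, from Aegis, or from any authenticator app): an RFC 6238 TOTP implementation in Python, checked against the RFC's own published test vectors. Both sides hold the shared secret; each computes HMAC(secret, floor(unix_time / 30)) and truncates it to six digits, so nothing travels between them at login time. The `verify_totp` function and its `window` and `last_counter` parameters are my naming, not part of the standard; they show the two things a server side must add on top of the bare formula: tolerance for clock drift, and refusal to accept the same code twice within its validity window.

```python
"""RFC 6238 TOTP: both sides derive the same 6-digit code from a shared secret
and the current time step, with no message exchanged at login time."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Secrets in otpauth:// URIs (the form authenticator apps import and export)
    are unpadded base32; restore the padding before decoding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6, last_counter: int = -1):
    """Server-side check (hypothetical helper, not part of the RFC).
    Tolerates +/-window steps of clock drift, compares in constant time, and
    refuses any counter <= last_counter so a code seen once cannot be replayed
    within its validity window. Returns the accepted counter, or None."""
    for delta in range(-window, window + 1):
        counter = (now + delta * step) // step
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    key = b"12345678901234567890"
    for t in (59, 1111111109, 1234567890):
        print(t, totp(key, t, digits=8))
```

Run stand-alone it prints the RFC's 8-digit vectors for the SHA-1 test key (59 gives 94287082). The `last_counter` value returned by `verify_totp` is what the server stores per user after each successful login; without it, a code read over someone's shoulder stays usable for the rest of its 30-second step, which is the same weakness the texted-code variant has for its whole delivery window.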
 
There are completely open source solutions (like Aegis) that work using a system called TOTP. The idea of that app is that the two systems - you and the system you're logging into - don't need to communicate or know anything about each other, as long as you have exchanged encryption keys. Then, both parties can agree on codes based on their key and the current time, without communicating at all.

It's just too bad they allow biometrics instead of a password. That's mixing real authentication and (error-prone) identification.
 
It's just too bad they allow biometrics instead of a password. That's mixing real authentication and (error-prone) identification.

Sure, but that's an extra level of authentication on top - to unlock the app itself. The biometrics play no part in the authentication between parties; they just add an extra hurdle for someone having physical access to your phone, over reading a confirmation texted code.
 
Sure, but that's an extra level of authentication on top - to unlock the app itself. The biometrics play no part in the authentication between parties; they just add an extra hurdle for someone having physical access to your phone, over reading a confirmation texted code.

I'm not using it so maybe I misunderstand, but from what they explain it's more than just unlocking the app (FAQ on their Github):

Why doesn't Aegis support biometric unlock for my device, even though it works with other apps?

The reason for this is pretty technical. In short, since you're not entering your password when using biometric unlock, Aegis needs some other way to decrypt the vault. For this purpose, we generate and use a key in the Android Keystore, telling it to only allow us to use that key if the user authenticates using their biometrics first. Some devices have buggy implementations of this feature, resulting in the error displayed to you by Aegis in an error dialog.

Of course, I suppose it's an option and it's up to the user to allow biometrics anyway. So it's just a minor quirk; I think apps should make the risks clearer. Their system is certainly better than most others.
 
I'm using Authy, because it is available on Android and iOS. I understand that Aegis is not, so that would be a miss.
 
I'm not using it so maybe I misunderstand, but from what they explain it's more than just unlocking the app (FAQ on their Github):

Of course, I suppose it's an option and it's up to the user to allow biometrics anyway. So it's just a minor quirk; I think apps should make the risks clearer. Their system is certainly better than most others.

I think that's just an FAQ to answer why someone can't use the biometrics on their particular phone. When you set up the app, it asks if you want to encrypt the local database, and you can choose no encryption, biometrics, or a password. Then you have to enter your password or biometric scan when you use the app, as an extra layer of security on your device. The encryption of the local database (or not) has no bearing on the nature of the cryptographic exchange for logins.

It's just an extra security measure, if you want it, so that in a worst-case 2FA situation, where someone knows your login password AND has possession of your phone, they now have an extra barrier to get through. That reduces convenience, though, so you have the option of another password, biometrics, or no extra protection.
 
I'm using Authy, because it is available on Android and iOS. I understand that Aegis is not, so that would be a miss.

Yeah, in one sense it makes no difference which app you choose - the important part is the TOTP system, which is implemented in various apps and solutions. Authy is closed source, and I wouldn't trust it not to be participating in the tracking I'm trying to avoid.

But there's many choices, and you can often import and export between them, because TOTP is an open standard.
 
A Face Search Engine Anyone Can Use Is Alarmingly Accurate
For $29.99 a month, a website called PimEyes offers a potentially dangerous superpower from the world of science fiction: the ability to search for a face, finding obscure photos that would otherwise have been as safe as the proverbial needle in the vast digital haystack of the internet.

A search takes mere seconds. You upload a photo of a face, check a box agreeing to the terms of service and then get a grid of photos of faces deemed similar, with links to where they appear on the internet. The New York Times used PimEyes on the faces of a dozen Times journalists, with their consent, to test its powers.

PimEyes found photos of every person, some that the journalists had never seen before, even when they were wearing sunglasses or a mask, or their face was turned away from the camera, in the image used to conduct the search.
[. . .]
Unlike Clearview AI, a similar facial recognition tool available only to law enforcement, PimEyes does not include results from social media sites. The sometimes surprising images that PimEyes surfaced came instead from news articles, wedding photography pages, review sites, blogs and pornography sites. Most of the matches for the dozen journalists’ faces were correct. For the women, the incorrect photos often came from pornography sites, which was unsettling in the suggestion that it could be them. (To be clear, it was not them.)

A tech executive who asked not to be identified said he used PimEyes fairly regularly, primarily to identify people who harass him on Twitter and use their real photos on their accounts but not their real names. Another PimEyes user who asked to stay anonymous said he used the tool to find the real identities of actresses from pornographic films, and to search for explicit photos of his Facebook friends.
 
Time for another PSA: it seems Cloudflare is down, impacting a wide range of websites and services. Just in case you're wondering why your website isn't starting.

All you get is the usual 500 Internal Server Error. Sounds like another Dox attack.

 
Cloudflare going down and taking half the internet at least down with it.:lol:

Shows how much of the internet is centralized these days. In a war just one hack hits and large swaths of communications will be gone into the shitter just like right now.

It's dangerous to have much of the internet's backbone propped up by Cloudflare.
 
Well, they aren't part of the internet backbone. They are more like a gateway combined with a CDN that offers protection from a lot of malicious attacks and can also offer load balancing in the case of an attack. It is just being used by a lot of websites. You can't choose the backbone you are using, but you can choose to use their service or not.
With all the investments they do in providing protection, it would be really strange if they themselves are the victim of such an attack and would not be able to manage that.
 
That's worrying.


At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.

Only GitHub.com’s RSA SSH key was replaced. No change is required for ECDSA or Ed25519 users. Our keys are documented here.

What happened and what actions have we taken?

This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository. We immediately acted to contain the exposure and began investigating to understand the root cause and impact. We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change.

Please note that this issue was not the result of a compromise of any GitHub systems or customer information. Instead, the exposure was the result of what we believe to be an inadvertent publishing of private information. We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution.

I'm reassured now. :p
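The practical follow-up to a notice like this is on the client side: the old github.com RSA entry has to go out of `~/.ssh/known_hosts`, while the ECDSA and Ed25519 entries the notice says are unaffected can stay, and the new key's fingerprint is then compared against the ones GitHub documents before it is accepted. `ssh-keygen -R github.com` does the removal, but drops every key type for the host. The Python below is an added example, not GitHub's tooling, showing a selective version of that cleanup that also handles the `|1|salt|hash` lines OpenSSH writes when `HashKnownHosts` is on (HMAC-SHA1 keyed with the salt over the hostname). The known_hosts content and the key blobs in it are constructed placeholders, not real GitHub keys; `drop_host_keys` and `hash_known_host` are my names.

```python
"""Drop the stale ssh-rsa entries for one host from an OpenSSH known_hosts file,
leaving that host's ECDSA/Ed25519 entries and every other host untouched.
Handles both plain host fields and HashKnownHosts (|1|salt|hmac) lines."""
import base64
import hashlib
import hmac
import os


def hash_known_host(host: str, salt=None) -> str:
    """Produce the |1|salt|hash form OpenSSH writes when HashKnownHosts is on:
    HMAC-SHA1 keyed with a 20-byte salt over the hostname, both base64."""
    salt = salt if salt is not None else os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma list, or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(hash_b64))
    return host in field.split(",")


def drop_host_keys(known_hosts: str, host: str, key_types=("ssh-rsa",)):
    """Return (kept_lines, removed_lines): entries for `host` whose key type is
    in `key_types` are removed; comments, other hosts and other types are kept."""
    kept, removed = [], []
    for line in known_hosts.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked markers
            fields = fields[1:]
        is_comment = line.lstrip().startswith("#")
        if (len(fields) >= 3 and not is_comment
                and host_field_matches(fields[0], host) and fields[1] in key_types):
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


# Constructed sample file. Key blobs are placeholders, not real GitHub keys, and
# 192.0.2.10 is a documentation (TEST-NET) address.
FIXED_SALT = bytes(range(20))  # fixed only so the sample is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "github.com ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_OLD_RSA",
    hash_known_host("github.com", FIXED_SALT) + " ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_OLD_RSA",
    "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER",
    "github.com,192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNh_PLACEHOLDER",
    "example.org ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_OTHER_HOST",
])


if __name__ == "__main__":
    kept, removed = drop_host_keys(SAMPLE_KNOWN_HOSTS, "github.com")
    print("removed %d stale entries" % len(removed))
    print("\n".join(kept))
```

Run against the constructed sample it removes the two RSA entries for github.com (the plain one and the hashed one) and keeps the four other lines. On a real machine the kept lines would be written back to `known_hosts`, and the next `ssh` to github.com would present the replacement RSA key for verification against the fingerprints GitHub publishes, rather than silently trusting whatever the server now offers.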
 
Microsoft might have had a small problem with their cloud ...
 
Steam tells me that they are going to have a new version with an "embedded version of Chrome which doesn't function on Windows 7, 8, 8.1 anymore".

So, seeing how much Chrome is used everywhere, I often think: "One Chrome to bind them all ..." ... which means to me: those who find a serious security leak in Chrome will have a jackpot.
 