Necessary Security Discussion to start 2019 right

[ChinaLamb]

Beware of the Feitian keys, with Chinese firmware. It's notoriously difficult to use, and there's tons of complaints that it doesn't work. Amazon reviews are terrrible. There's a reason Google re-wrote the firmware... Both from security standpoint, as well as usability standpoint.

Good thing that Google released Titan. Yubico is finally offering a well priced FIDO key.

[hitoriangasu]

Quote:

Originally Posted by ChinaLamb

TLR Ditch everything else, and start the new year out with FIDO

Authenticator codes are now broken and offer little real security:

From: https://mashable.com/article/hackers.../#K6LfewCAGOql

Unfortunately, 2 factor "authenticator" codes from Google Authenticator and similar tools are phishable, through man in the middle attacks.

The scam works like this. A malicious site sets up a Fastmail (or Google) login, or worse, redirects you from fastmail's (or Google's) login to their login, and uses SSL, with an approved SSL Certificate. As you type in your username and password, the automated site immediately enters this data into fast mail or Google. The automated site checks if an Authenticator code is requested from the site you are trying to reach, and either asks fast mail or Google to send you an SMS code, or for you to enter in your Authenticator code from the app on your phone. You give the middle web page the code and it passes it to fast mail or Google, giving **them** access to your account.

This effectively lets the man in the middle, to gain access. The malicious site, then automatically sets up a "App Password" (outlook, applemail, etc. non-2-factor password) and collects the password, and then gives themselves PERMANENT access to your account.

Additionally, IF someone gains access to your phone, all they have to do is look at your authenticator app, none of which I know to have additional passwords to be able to access, and see what accounts (email, bank, etc.) that you have. I personally don't like having a list of all my secure accounts, so easily accessed on my phone.

In short, future Phishing schemes will likely all include automated attempts to both get your password, and to get your security code, and in an automated method, gain access to your account.

Unfortunately SMS Codes are likewise woefully inadequate:

From: https://www.entrepreneur.com/article/317830
Also, multiple other documents: https://www.makeuseof.com/tag/two-fa...tion-sms-apps/

First off, SMS codes fall prey to the exact same problem as the man-in-the-middle attack above. There is NOTHING stopping someone from getting you to try and enter in a SMS code, legitimately generated by fast mail or Google, but triggered by an automated attack such as the one detailed above which then uses the password and code, before the code expires.

Reddit, and multiple other users have detailed how their SMS second factor codes were intercepted, or cell phone numbers were redirected, or cell accounts were transferred to malicious agents, etc. etc. etc. This should also be a significant concern to anyone living in a country that practices excessive surveillance on anyone within their borders.

Bottom line, SMS is not secure either, and potentially much less secure than an authenticator code depending where you live...

The only significant answer right now, seems to be FIDO U2F

From: https://www.yubico.com/2017/10/creat...-security-key/

The answer is something called "Origin Bound Keys" that is, creating a key, that is BOUND to the receiver. That means, only the "Real" site is able to authenticate the key. U2F mints a cryptographic pair foe each service. Enhanced by token binding, where the key is bound to the secure TLS connection, that only works with the intended website. If someone tries to spoof Fastmail, they cannot do it. They won't get the code, nor can they get a code from you... The two ends of the key won't work together if someone tries to stand in the middle, and pretends to be Fastmail. The key ONLY fits into the slot created by Fastmail, and it only unlocks the lock which Fastmail sets up.

What results, is a theoretically unphishable security key.

FIDO Devices

IF you use a mobile device, you'll need SOMETHING more than a simple USB device. Your phone needs to be authenticated to use Fastmail. That leaves you with either a Bluetooth or a NFC Based FIDO U2F compliant device. You should NOT authenticate your phone with Authenticator codes or SMS codes due to the issues above.

Google's new Titan key pair is FIDO compliant. It is based upon FeiTian, a Chinese company, but Google rewrote the firmware themselves, to ensure that the devices do not leak any information to the Chinese government. Google claims they've had no successful phishing attempts since enabling these devices across Google. Source: https://krebsonsecurity.com/2018/07/...oyee-phishing/

Unfortunately, TITAN is $50, but you get two keys. One Bluetooth and one NFC/USB

Yubikey also provides multiple FIDO compliant keys, unfortunately, as stated, you need a NFC device, and Yubikey's cheapest NFC capable device is $45 (Series 5 keys, EXCEPT the Nano).

Also note, that the orignial Yubikey devices were NOT FIDO compliant. That is, a Non-Fido Yubikey will not protect you from the above issues. If you currently rely on Yubikey, you should check if your current key IS or IS NOT Fido compliant.

There is, of course, the Feitian keys on Amazon. These can be purchased separately, starting at about $17. The problem is, the Feitian keys seem to have more issues than the Google version, and you are stuck with Chinese firmware, which may have vulnerabilities, and have poorly written documentation etc.

Unfortunately, I do not know of any other NFC or Bluetooth Capable FIDO devices currently on the market. his means your minimum cost to get rolling with FIDO is about $45.

And, I strongly suggest having a backup. One of my Yubikeys failed on me, and if I didn't have a spare, I'd be out of luck. Google sends two keys, Bluetooth/USB and NFC/USB for $50. With Yubikey that'll set you back at least $90...

/cl

Nothing is “broken”. The codes still work fine. Your statement implies their architecture had been breached. It hasn’t.

[ChinaLamb]

Quote:

Originally Posted by hitoriangasu

Nothing is “broken”. The codes still work fine. Your statement implies their architecture had been breached. It hasn’t.

The issue isn't that it is breached. Never said that. The issue is, it's phishable and people are already being targeted. Reporters are being hacked through interception of authenticator codes. Already happened multiple times last year.

[ioneja]

This thread has me completely re-evaluating my security game plan... thanks again. I just discovered I have older Yubico keys that should be updated.

Plus, more importantly, and on a related note, I'm getting a little nervous about LastPass... it just dawned on me that I've given LastPass so much power in my life and for 15 minutes today, I couldn't remember my LastPass password. That freaked me out a little. I use Yubikey with LastPass too, and because of this thread I realized they still haven't updated to U2F or FIDO2.

During that brief period of panic when I couldn't remember my password, I caught up on LastPass security issues and password recovery and that did NOT make me feel more secure. In fact, I just didn't realize how consumer-friendly LastPass had become... it should be VERY hard for me to get back into my LastPass account. Eventually I remembered my password, and I was able to get back in... but even if I didn't remember it, there was still relatively too easy of a recovery method IMO. That really bugs me now about using such a consumer-friendly cloud password service. Not to mention I've never felt completely comfortable with my passwords relying on the cloud so much. So I think after this little experience, I'm going to migrate back to a self-managed approach for password management with open source software like KeePass.

Anyway, thanks again for a great thread. I think I have some more homework to do, but I will be more secure when I'm done.

[ChinaLamb]

Quote:

Originally Posted by ioneja

Anyway, thanks again for a great thread. I think I have some more homework to do, but I will be more secure when I'm done.

BitWarden has been making great strides. They also have a self-hosting option. It's a bear if you host on Windows, other platforms are less buggy... but... you could self host with them if you want. BitWarden is OpenSource, and just completed a security audit with a German firm...

[ioneja]

Quote:

Originally Posted by ChinaLamb

BitWarden has been making great strides.

Thanks, I'll check it out!