Tag Archives: 2FA

Google Two Factor Authentication

Background

Anytime we get real data on Internet user passwords, we once again discover people are bad with passwords. Additionally as the tools to compromise and crack passwords get better, even high quality passwords are becoming less secure. Two factor authentication is something that should be used – when available and if you have an authenticated website / webapp, there is a cheap and easy method to implement.

In an earlier post, I showed that some online services were more critical than others from a security perspective – specifically the email account used for account recovery for other services. In many cases, this is Google Gmail and in this post I will be using it as an example.

One Time Passwords and Google Authenticator

Google Authenticator is a relatively simple app written by Google that generates time windowed One Time Passwords (OTP) every 30 seconds. This app is available for Blackberry, iOS and Android devices, and can be used for Google account access as a Two Factor Authenticator (2FA). More importantly, it can be used by any non-Google website or application developer. Let me back up a minute, and explain why this is a good thing.

An Authenticator is something you use to authenticate – or prove who you are to a system. A password is an authenticator, but not a very good one by itself (anymore). Authenticators can be based on:

  •  Something you know : Password, PIN code
  • Something you possess : Smart Card/Fob, SecurID, device with Google Authenticator
  • Something you are (biometrics) : Fingerprints, Retina scan, etc.

The idea behind Two Factor Authentication is that even if one the factors is weak, the combination of two factors is much stronger than either one of the authenticators individually. Most importantly – it is very easy to share passwords, but very hard to share both parts of a Two Factor Authentication.  In the very recent past, 2FA was not very accessible since passwords are cheap to use / implement, and none of the other authenticator options were.

Here is where Google Authenticator comes in. Google Authenticator provides a well known (RFC6238) method to generate six digit authenticator tokens based on the current time and a shared secret key. The app can also support multiple concurrent authentication generators. The app does not depend on Google services – and up until a certain point, it was open sourced. Open source equivalents to Authenticator are available. Details on the alternatives and how Authenticator functions is in the associated Wikipedia article.

Enabling on Google Account – How it Works

To setup 2FA on your Google account, do the following:

  1. Install Google Authenticator on your Smart Device (phone / tablet / etc)
  2. Login to your Google Account
  3. Go to Account Settings / Security / 2-Step Verification and select ‘edit’
  4. Enter the information including the phone number and printing out the 10 emergency codes. Safety nets are what prevent Self Inflicted Denial of Service Attacks (SIDoSA).
  5. Follow the instructions to load the shared secret into the app AND verify it.
  6. That’s it – you are setup.

After that, you will be asked to enter username / password followed by a request for the six digit authenticator from your smart device. Since I don’t store cookies, I need to do this each time I login – but after a few days it becomes an easy habit. I also have the knowledge that my account is fairly secure – even if my password looks like “Fluffy-Bunnies” instead of something like ‘H@Af5%Zwqhkh*6iJ8’.

Potential Risks with using Google Authenticator

There are no risk free solutions to real problems, and Google Authenticator also has its risks. We can look at a couple of scenarios to see what some of those may be:

  • When used on Google Account:
    • Q: If my Google Authenticator device is lost or stolen and it happens to be the phone listed as my recovery, could somebody use that to access my Google account?
    • A: Only if: your phone is not locked (it should be), and they also have your password – since they need both factors to get in. Low Risk (and yes you should put a lock on your phone).
    • Steps: If this actually did happen the first actions you should take is to use one of your 10 recovery codes to login to your google account, disable 2FA, disable that device password (if you use device passwords) and change your primary password – taking your lost / stolen authenticator out of the loop and disabling access of any form from that device.
  • When used on some Non-Google website /application:
    • Q: Since the secret key for this non-Google website / application is entered into Google Authenticator, does Google now have access to my account on this non-Google website / application.
    • A: Not very likely. It is possible that they are backdooring all of these secret keys, but since:
      • There is no direct association between a secret key and a given website / application, there is no direct way for Google to know where this key should be used; and
      • It is only one half of a two factor authentication, since they are missing the password authenticator (and the username).

Bottom Line

Passwords alone are about a decade past being effective and rapidly approaching useless. Google Authenticator provides an effective authenticator generator for Google accounts that can also be used on just about anything (there is a PAM plugin available). and when paired with a password provides a much better degree of security.

Recommendations

Use it for Google accounts and any other website that offers it as an option. Use it for your enterprise login.

For the Maker community – Use it for your PIN pad on your house/garage door. Use it for access to your home automation webserver.  A rolling Google Authenticator can be duplicated on multiple devices easily to allow family wide access, but cannot be shared with others (something to be said for that). 

Use it everywhere you can imagine – and if you can use it with a password, you have 2FA and all of the goodness that comes with that.

Internet Security As a System

Background

Most of us do not see our activities on the Internet as a system, and if it is a system we are not sure what that has to do with securing ourselves on the Internet. First lets look at a typical Joe Internet User in terms of the definition of system – “a set of connected things or parts forming a complex whole”. The parts are the individual services we use – GMail, Facebook, Amazon, iTunes, PayPal, Verizon and/or AT&T, etc. For each one of these we have a username and password – which may or may not be very unique. The connectivity part is the user, Joe Internet user – who is the real target of a attacker.

How you defend this type of a system is not entirely obvious, however if we flip the perspective around it may give us some insight. Specifically, how would an attacker plan to go after your accounts to their benefit?

If we assume the threat model is a high volume, Internet cyber extortionist looking for a quick return, we can characterize an attack pattern.

Phases of an Attack

A simple attack has three phases:

Compromise – This phase is where an attacker has already identified you as a target, and is probing for a weakness / vulnerability to “get inside” – compromising the system.

Mapping / Discovery – This phase is where the attacker has compromised some part of your system of services and is mapping out your other accounts / services. Since this process is essentially information gathering / compromise – it is fairly hard to detect. This information is used to plan and execute the next phase as quickly as possible.

Exploitation – This phase is where the attacker implements a plan to use the information collected to their benefit – and usually to your detriment.

An Example of a Common Attack

In this example, Joe Internet User is a typical first world Internet power user with all of the accounts listed above –  GMail, FaceBook, Amazon, iTunes, PayPal, Verizon and/or AT&T, etc..

In our first example, the attacker has been perusing Facebook and found a public profile for promising target. The status updates indicate either an iPhone/iPad/Android Tablet / Smartphone etc – indicating either a iTunes or Google Play account, or both. Other references may indicate online shopping habits – enabling the attacker to identify target accounts. Most importantly, the attacker discovers the target’s primary email address – either GMail, HotMail or Yahoo (for example). Connections to other social networks (eg Twitter, Google+, Instagram, etc) provide additional sources of personal information. At this point the attacker knows where you live, your age, family / marital status, friends, pets / kids names / ages, where you work, what you do for a living, where you went to school, and what you do for fun. All from public sources.

The next part of discovery is compromising an account. The most promising is usually the primary email account. This is due to this magical feature of every Internet service – the password recovery email address. People forget passwords and people forget usernames, but every service has an email address for password recovery. This is usually setup when the account is initially created, and forgotten shortly afterwards.

To get back to our process, the attacker makes a number of educated guesses for the password for the users primary email account – and sadly most people are still using simple passwords. Is your email password based on a birthday, names (parents, spouse, kids, pets), sports team / player, personal interests? With a one or two number appended? In any case, lets just guess that an attacker will compromise a quarter of all accounts in less than 25 guesses – and our Joe Internet User GMail account has been compromised. Where does that lead us?

The attacker is patient, and access to a primary email account is a much better way to collect more useful / personal information. One of the first things an attacker is going to do is download the user contacts and email – in case the user suspects compromise and changes the password. Most webmail services provide this feature, and it ensures that the attacker has a backup of your information. At this point we have to ask a few questions about Joe Users webmail account. Does he have a folder with his online account email? Bills, credit cards, online shopping accounts? Do the contacts have birthdays, anniversaries, even Social Security numbers? We know they have addresses, email and phone numbers. Each of these helps build data for credit card fraud. At this point this is still a discovery process, and the attacker is very careful to not touch, change or leave any clues of activity.

Exploitation is the next step and the attacker will develop a plan of attack and usually the first step is based on the accounts and stored credit cards / store credit cards. For example – is there an Amazon, Tiffanys, Macys, Sears, etc online account with an credit card saved in the online store? Is the email account tied in with a Google Play Store and a credit card? The attacker can buy phones, tablets and computers using that account. Is it tied to a Verizon, AT&T, or T-Mobile with a credit card stored in the account? Once again, the attacker can buy phones and tablets from these accounts. The first think to consider for online shopping is embedded credit card numbers. Some of these are credit cards that can be removed – but most store credit cards are automatically available on the account and cannot be removed without cancelling the credit card.

The next step of exploitation is to look for signs of illegal or incriminating information that can be used to extort something from the user. Most people know this as blackmail, and although it does not occur often – it does occur. Think about the depth and breadth of highly personal information that is in your email accounts.

Going one step beyond blackmail, attackers will sometimes “hijack” all of the accounts by changing the passwords and redirecting the recovery email address to some email account held by the attacker. Then a message is sent to the user, asking for ransom to get their accounts back. Once again – this is rare, but it does occur.

Generally the last part of exploitation is where all of this personal information gathered on Joe User, his friends, family, acquaintances etc, is used to build a persona database used to apply for credit and loans – credit fraud and what is commonly known as identity theft.

A Few Simple Steps

This example shows how attackers see the collective accounts and services of Joe Internet User as a system – with Joe User as the key connective element, and how attacking a few weaknesses provides significant opportunity to the attacker.

  1. Learn how to create Good Passwords (and use them when possible) – I get frustrated when an account service requires an 8-12 character password, with upper case, lower case, numbers and symbol. This does create a high entropy password – but is also very difficult to remember. Take a look at this xkcd panel and think about it when you create passwords.
  2. Primary Email Account – Since your primary email account is your account recovery account, this account is more critical than any other account. Choose / use a quality password and if possible use two factor authentication.
  3. Two Factor Authentication (2FA) – If the service offers two factor authentication, referred to as “2-step verification” by Google – use it. Two factor authentication does not make an account impossible to compromise, but it makes it sufficiently hard that this type of attacker will move on as soon as they discover you are using it. Google (GMail, Google Play) and WordPress both offer free 2FA for user accounts. In both cases it is based on a mobile device app – Google Authenticator
  4. Stored Credit Card Numbers / Bank Account Numbers – Carefully tradeoff the convenience of storing a credit card online in an account versus the cost if it is compromised. I recommend removing any general credit card numbers.
  5. Store Credit Accounts – Store credit accounts are usually tied right to that stores online store and cannot be removed without closing that line of credit. Attackers know this and use this to their advantage. Consider closing those lines of credit.
  6. Sanitize Contacts / Email – Audit your contacts and all of your email to see what could be deleted and clean it up. How necessary is a 5 year archive of all sent mail? If you are worried about holding onto everything – back it up before cleaning. The less information available in a compromise, the lower the risk.
  7. Sanitize Social networks / Make your profile Private – Most of the social networks now enable you to make your profile private – so only your circles / friends can see what is on your pages. In addition, content should be cleaned up to reduce your online presence. Once again, is it really necessary to have a 5 year archive of Facebook posts?
  8. Unique Passwords – DO NOT use the same password for all your accounts. DO not use a couple of passwords for all your accounts. Use unique passwords for each account. If one of you accounts is compromised, make them work for each account – don’t just give it too them.

These steps will not make your accounts bulletproof, but most attackers are opportunists and these steps will harden your accounts enough for them to move on to somebody else.