Category Archives: Security

Yubikeys and 2FA / MFA

Google employees have stopped using traditional 2FA and now use physical keys Yubikeys as 2FA can now be hacked via SIM Swaps and the recent cases as in below.

Two-factor authentication, the added security step that requires people enter a code sent to their phone or email, has traditionally worked to keep usernames and passwords safe from phishing attacks.

However, security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials.

The attack was first demonstrated at the Hack in the Box Security Conference in Amsterdam last month. A video of the presentation was posted on YouTube on June 2, bringing renewed attention to how hackers are getting better at penetrating extra layers of security, despite people using stronger tools, like 2FA.

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

A demonstration of the attack was also released on GitHub, an open source coding site, to provide developers an opportunity to see how it works.

Amit Sethi, senior principal consultant at Synopsys, who was not affiliated with the presentation, says that while attacks against 2FA have been demonstrated in the past, these tools “make one of these attacks easier to execute for lower-skilled attackers.”

Despite this hack, 2FA is still considered a best security practice—far better than the alternative of simply relying on a username and strong password, according to security experts.

“Of course this does not mean that people should not worry,” says Sethi. “We now need to be even more diligent about detecting phishing attempts.”

The researchers, and Sethi, both say that universal second factor is a strong solution, when available. A U2F key is a secondary, physical device that can be plugged into a computer port as an additional way of verifying a person’s identity after they enter their username or password.

If that’s not an option, Sethi also says being vigilant can help thwart potential 2FA phishing attacks. That includes not clicking on links in suspicious emails, checking the a web address in the browser before entering credentials, and avoiding entering sensitive information when using public Wi-Fi.

“If you suspect that your credentials for a website have been compromised, act quickly to change your password, and report the event to the website,” says Sethi.‹

Decreased Awareness – Wake-up London!!

In today’s heightened security we are becoming less aware of what’s going on around us, people wearing headphones and walking along looking at their phones. Everyone on the train is completely oblivious of what’s going on around them, people don’t notice when an elderly or pregnant person boards and may need a seat, how are we going to notice a suspicious bag or unattended baggage?
Could Parsons Green have been avoided if someone had noticed the bag and asked the question ‘whose bag is this?’ and got everyone to move away? We’re far too British to dare ask and too engrossed in tech to even notice.

Things need to change, we need to be more aware, look up from your phone and look around the carriage someone might need your seat, someone may be acting suspiciously or a bag that’s been left, there could be a commotion nearby that if you’re aware of could save your life.

Wake-up Londoners your life may depend on it. See a bag alone? Shout out whose bag is this, if no-one answers get well away and encourage others to aswell. See it, say it, sorted.

More reading 

H-O-T Protocol

See it, say it, sorted

How Secure is Your Password

Check how quickly a computer can crack your password, you’ll be amazed.

Check here https://howsecureismypassword.net

Don’t worry your password doesn’t get transmitted.