[liberationtech] Time validation for 2-step verification codes
Hi,

Recently, a bunch of Iranian journalists/activists have been targeted by Iranian hackers. Some of them said their 2-step verification was active during the attack, but the hacker could reuse the code sent by Google via SMS and pass 2-step verification!

I was wondering whether some folks here know the validation time for the 2-step verification code that users receive through SMS, not the app.

Cheers,
Amin

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Time validation for 2-step verification codes
Botnet in the mobile (BITM), like Zeus in the mobile (ZITM), usually gets around 2-step verification by tricking people into installing malware on their Android that intercepts SMS. It can also be done by tricking the system into sending the SMS to another device (done lately to attack German banks).

On 08/27/2014 11:29 AM, Amin Sabeti wrote:
> Hi,
>
> Recently, a bunch of Iranian journalists/activists have been targeted by Iranian hackers. Some of them said their 2-step verification was active during the attack, but the hacker could reuse the code sent by Google via SMS and pass 2-step verification!
>
> I was wondering whether some folks here know the validation time for the 2-step verification code that users receive through SMS, not the app.
>
> Cheers,
> Amin
Re: [liberationtech] Time validation for 2-step verification codes
On Aug 27, 2014, at 8:29 AM, Amin Sabeti <aminsab...@gmail.com> wrote:
> Recently, a bunch of Iranian journalists/activists have been targeted by Iranian hackers. Some of them said their 2-step verification was active during the attack, but the hacker could reuse the code sent by Google via SMS and pass 2-step verification!
>
> I was wondering whether some folks here know the validation time for the 2-step verification code that users receive through SMS, not the app.

I just checked with Google security, and this was the response:

    I think the code lasts as long as the one displayed on a phone... I suspect that even in the case where the code is 'short lived' getting it over SMS is considered 'insecure' and really, really not the best plan :( android/i-device/blackberry all have OTP apps that work with google's 2-step, suggest that they use that instead of sms?

…for the same reasons Richard Brooks outlined in his reply.

-Bill
Re: [liberationtech] Time validation for 2-step verification codes
On 08/27/2014 10:08 AM, Nadim Kobeissi wrote:
> 2. Your journalist friends would be very well-advised to use an app [2] instead of SMS codes. By using an authenticator app, they will be able to obtain codes without using SMS and even with their phone completely not connected to a network.

Authenticator software can also be run on isolated machines and still be useful. I've been playing around with this a little in my spare time while developing OPSEC strategy: https://github.com/gbraad/html5-google-authenticator

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

THAT. WON'T. WORK. EITHER.
Re: [liberationtech] Time validation for 2-step verification codes
I don't know where you're getting your information from, but I audited Google's 2FA when I worked at Twitter. The attack scenario that is described here is simply not possible without the endpoint being owned. Code replay is not possible. Once a code is accepted, it cannot be used again to log in.

The SMS attack is substantially more likely, but you can disable SMS codes in preferences. You should not use SMS at all if you can avoid it.

Additionally, in order to get past 2FA, the attacker would have to have the user's password. All of this points to some sort of remote access tool or keylogger being active on the activist's machine.

-j

On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi <nadim@nadim.computer> wrote:
> The two-step verification used by Google is based on the TOTP protocol [1], which is the open standard for this sort of thing.
>
> To answer your questions, Amin:
>
> 1. Tokens last 60 seconds according to the TOTP standard.
>
> 2. Your journalist friends would be very well-advised to use an app [2] instead of SMS codes. By using an authenticator app, they will be able to obtain codes without using SMS and even with their phone completely not connected to a network.
>
> [1] http://tools.ietf.org/html/rfc6238
> [2] https://support.google.com/accounts/answer/1066447?hl=en
>
> On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <aminsab...@gmail.com> wrote:
>> Hi,
>>
>> Recently, a bunch of Iranian journalists/activists have been targeted by Iranian hackers. Some of them said their 2-step verification was active during the attack, but the hacker could reuse the code sent by Google via SMS and pass 2-step verification!
>>
>> I was wondering whether some folks here know the validation time for the 2-step verification code that users receive through SMS, not the app.
>>
>> Cheers,
>> Amin
Re: [liberationtech] Time validation for 2-step verification codes
In this case, it appears that the victims were deceived by a well-attended phishing campaign into giving up both their password and their SMS-provided 2FA code. Amin is simply asking what the lifetime of that code is, since it is not nearly as short as the Authenticator-provided number.

On Wed, Aug 27, 2014 at 6:46 PM, John Adams <j...@retina.net> wrote:
> I don't know where you're getting your information from, but I audited Google's 2FA when I worked at Twitter. The attack scenario that is described here is simply not possible without the endpoint being owned. Code replay is not possible. Once a code is accepted, it cannot be used again to log in.
>
> The SMS attack is substantially more likely, but you can disable SMS codes in preferences. You should not use SMS at all if you can avoid it.
>
> Additionally, in order to get past 2FA, the attacker would have to have the user's password. All of this points to some sort of remote access tool or keylogger being active on the activist's machine.
>
> -j
>
> On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi <nadim@nadim.computer> wrote:
>> The two-step verification used by Google is based on the TOTP protocol [1], which is the open standard for this sort of thing.
>>
>> To answer your questions, Amin:
>>
>> 1. Tokens last 60 seconds according to the TOTP standard.
>>
>> 2. Your journalist friends would be very well-advised to use an app [2] instead of SMS codes. By using an authenticator app, they will be able to obtain codes without using SMS and even with their phone completely not connected to a network.
>>
>> [1] http://tools.ietf.org/html/rfc6238
>> [2] https://support.google.com/accounts/answer/1066447?hl=en
>>
>> On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <aminsab...@gmail.com> wrote:
>>> Hi,
>>>
>>> Recently, a bunch of Iranian journalists/activists have been targeted by Iranian hackers. Some of them said their 2-step verification was active during the attack, but the hacker could reuse the code sent by Google via SMS and pass 2-step verification!
>>>
>>> I was wondering whether some folks here know the validation time for the 2-step verification code that users receive through SMS, not the app.
>>>
>>> Cheers,
>>> Amin

--
Collin David Anderson
averysmallbird.com | @cda | Washington, D.C.
Re: [liberationtech] Lantern Ask me anything over on Reddit now
Does your software have a friendly UI that shows the user sharing their internet connection _exactly_ what requests they are making on another's behalf? Does it store a log and require the user to read and analyze that log?

-Jonathan

On Wednesday, August 27, 2014 4:30 PM, Adam Fisk <af...@getlantern.org> wrote:
> Forgot the link =): http://www.reddit.com/r/IAmA/comments/2er083/we_build_lantern_an_app_that_you_can_run_at_home/
>
> On Wed, Aug 27, 2014 at 1:29 PM, Adam Fisk <af...@getlantern.org> wrote:
>> Hi Folks-
>>
>> I just wanted to let you know we're doing an Ask Me Anything about Lantern over on Reddit right now. Please feel free to ask whatever you like, and PLEASE UPVOTE IT ON REDDIT! Thanks so much.
>>
>> -Adam
>>
>> --
>> pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
>
> --
> Adam
> pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89