[liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread Amin Sabeti
Hi,

Recently, a bunch of Iranian journalists/activists have been targeted by
Iranian hackers.

Some of them said their 2-step verification was active during the attack,
but the hacker could reuse the code that was sent by Google via SMS and passed
2-step verification!

I was wondering whether some folks here know the validation time for the
2-step verification code that users receive through SMS, not the app.

Cheers,

Amin
-- 
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
change to digest, or change password by emailing moderator at
compa...@stanford.edu.

Re: [liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread Richard Brooks
Botnets in the mobile (BITM), like Zeus in the mobile (ZITM),
usually get around 2-step verification by tricking people
into installing malware on their Android that intercepts SMS.

It can also be done by tricking the system into sending the SMS to another device
(done lately to attack German banks).

On 08/27/2014 11:29 AM, Amin Sabeti wrote:
 Hi,
 
 Recently, a bunch of Iranian journalists/activists have been targeted
 by Iranian hackers.
 
 Some of them said their 2-step verification was active during the attack,
 but the hacker could reuse the code that was sent by Google via SMS and passed
 2-step verification!
 
 I was wondering whether some folks here know the validation time for the
 2-step verification code that users receive through SMS, not the app.
 
 Cheers,
 
 Amin
 
 





Re: [liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread Bill Woodcock

On Aug 27, 2014, at 8:29 AM, Amin Sabeti aminsab...@gmail.com wrote:
 Recently, a bunch of Iranian journalists/activists have been targeted by 
 Iranian hackers.
 Some of them said their 2-step verification was active during the attack, but 
 the hacker could reuse the code that was sent by Google via SMS and passed 2-step 
 verification!
 I was wondering whether some folks here know the validation time for the 
 2-step verification code that users receive through SMS, not the app.

I just checked with Google security, and this was the response:

 I think the code lasts as long as the one displayed on a phone... I
 suspect that even in the case where the code is 'short lived' getting
 it over SMS is considered 'insecure' and really, really not the best
 plan :(
 
 android/i-device/blackberry all have OTP apps that work with google's
 2-step, suggest that they use that instead of sms?

…for the same reasons Richard Brooks outlined in his reply.

-Bill







Re: [liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread The Doctor
On 08/27/2014 10:08 AM, Nadim Kobeissi wrote:

 2. Your journalist friends would be very well-advised to use an app
 [2] instead of SMS codes. By using an authenticator app, they will
 be able to obtain codes without using SMS and even with their phone
 completely not connected to a network.

Authenticator software can also be run on isolated machines and still
be useful.  I've been playing around with this a little in my spare
time while developing OPSEC strategy:

https://github.com/gbraad/html5-google-authenticator

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

THAT. WON'T. WORK. EITHER.




Re: [liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread John Adams
I don't know where you're getting your information from, but I audited
Google's 2FA when I worked at Twitter.  The attack scenario that is
described here is simply not possible without the endpoint being
owned.

Code replay is not possible. Once a code is accepted, it cannot be
used again to log in.

The SMS attack is substantially more likely, but you can disable SMS
codes in preferences. You should not use SMS at all if you can avoid
it.

Additionally, in order to get past 2FA, the attacker would have to
have the user's password. All of this points to some sort of remote
access tool or keylogger being active on the activist's machine.

-j


On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi nadim@nadim.computer wrote:
 The two-step verification used by Google is based on the TOTP protocol [1]
 which is the open standard for this sort of thing.

 To answer your questions Amin:

 1. Tokens last 60 seconds according to the TOTP standard.
 2. Your journalist friends would be very well-advised to use an app [2]
 instead of SMS codes. By using an authenticator app, they will be able to
 obtain codes without using SMS and even with their phone completely not
 connected to a network.

 [1] http://tools.ietf.org/html/rfc6238
 [2] https://support.google.com/accounts/answer/1066447?hl=en




Re: [liberationtech] Time validation for 2-step verification codes

2014-08-27 Thread Collin Anderson
In this case, it appears that the victims were deceived by a well-attended
phishing campaign into giving up both their password and their SMS-provided
2FA code. Amin is simply asking what the lifetime of that code is, since it
is not nearly as short as the Authenticator-provided number.


On Wed, Aug 27, 2014 at 6:46 PM, John Adams j...@retina.net wrote:

 I don't know where you're getting your information from, but I audited
 Google's 2FA when I worked at Twitter.  The attack scenario that is
 described here is simply not possible without the endpoint being
 owned.

 Code replay is not possible. Once a code is accepted, it cannot be
 used again to log in.

 The SMS attack is substantially more likely, but you can disable SMS
 codes in preferences. You should not use SMS at all if you can avoid
 it.

 Additionally, in order to get past 2FA, the attacker would have to
 have the user's password. All of this points to some sort of remote
 access tool or keylogger being active on the activist's machine.

 -j

-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.

Re: [liberationtech] Lantern Ask me anything over on Reddit now

2014-08-27 Thread Jonathan Wilkes
Does your software have a friendly UI that shows the user sharing their 
internet connection _exactly_ what requests they are making on another's 
behalf?  Does it store a log and require the user to read and analyze that log?

-Jonathan

On Wednesday, August 27, 2014 4:30 PM, Adam Fisk af...@getlantern.org wrote:

Forgot the link =):

http://www.reddit.com/r/IAmA/comments/2er083/we_build_lantern_an_app_that_you_can_run_at_home/

On Wed, Aug 27, 2014 at 1:29 PM, Adam Fisk af...@getlantern.org wrote:
 Hi Folks-

 I just wanted to let you know we're doing an Ask me anything about
 Lantern over on Reddit right now.

 Please feel free to ask whatever you like, and PLEASE UPVOTE IT ON REDDIT!

 Thanks so much.

 -Adam

 --
 --
 pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89



-- 
--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89