Re: [liberationtech] Time validation for 2-step verification codes
Hi,

As Collin mentioned, my question is simple, and the only person who answered it is Nadim. I know all of the stuff that you said, but I want to know the lifetime of the code that Google sends via SMS. I know the code lifetime for the Google Authenticator app is around 32 seconds, but I don't have any idea about the SMS code.

Thanks,
Amin

On 28 August 2014 01:05, Collin Anderson wrote:
> In this case, it appears that the victims were deceived by a well-attended
> phishing campaign into giving up both their password and their SMS-provided
> 2FA code. Amin is simply asking what the lifetime of that code is, since it
> is not nearly as short as the Authenticator-provided number.

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Time validation for 2-step verification codes
In this case, it appears that the victims were deceived by a well-attended phishing campaign into giving up both their password and their SMS-provided 2FA code. Amin is simply asking what the lifetime of that code is, since it is not nearly as short as the Authenticator-provided number.

On Wed, Aug 27, 2014 at 6:46 PM, John Adams wrote:
> I don't know where you're getting your information from, but I audited
> Google's 2FA when I worked at Twitter. The attack scenario that is
> described here is simply not possible without the endpoint being
> owned.
>
> Code replay is not possible. Once a code is accepted, it cannot be
> used again to log in.
>
> The SMS attack is substantially more likely, but you can disable SMS
> codes in preferences. You should not use SMS at all if you can avoid
> it.
>
> Additionally, in order to get past 2FA, the attacker would have to
> have the user's password. All of this points to some sort of remote
> access tool or keylogger being active on the activist's machine.
>
> -j

--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
Re: [liberationtech] Time validation for 2-step verification codes
I don't know where you're getting your information from, but I audited Google's 2FA when I worked at Twitter. The attack scenario that is described here is simply not possible without the endpoint being owned.

Code replay is not possible. Once a code is accepted, it cannot be used again to log in.

The SMS attack is substantially more likely, but you can disable SMS codes in preferences. You should not use SMS at all if you can avoid it.

Additionally, in order to get past 2FA, the attacker would have to have the user's password. All of this points to some sort of remote access tool or keylogger being active on the activist's machine.

-j

On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi wrote:
> The two-step verification used by Google is based on the TOTP protocol [1]
> which is the open standard for this sort of thing.
>
> To answer your questions Amin:
>
> 1. Tokens last 60 seconds according to the TOTP standard.
> 2. Your journalist friends would be very well-advised to use an app [2]
> instead of SMS codes. By using an authenticator app, they will be able to
> obtain codes without using SMS and even with their phone completely not
> connected to a network.
>
> [1] http://tools.ietf.org/html/rfc6238
> [2] https://support.google.com/accounts/answer/1066447?hl=en
>
> On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti wrote:
>> Hi,
>>
>> Recently, a bunch of Iranian journalists/activists have been targeted by
>> Iranian hackers.
>>
>> Some of them said their 2-step verification was active during the attack
>> but the hacker could reuse the code that was sent by Google via SMS and passed
>> 2-step verification!
>>
>> I was wondering if some folks here know the validation time for the
>> 2-step verification code that users receive through SMS, not the app.
>>
>> Cheers,
>>
>> Amin
Re: [liberationtech] Time validation for 2-step verification codes
On 08/27/2014 10:08 AM, Nadim Kobeissi wrote:
> 2. Your journalist friends would be very well-advised to use an app
> [2] instead of SMS codes. By using an authenticator app, they will
> be able to obtain codes without using SMS and even with their phone
> completely not connected to a network.

Authenticator software can also be run on isolated machines and still be useful. I've been playing around with this a little in my spare time while developing OPSEC strategy:

https://github.com/gbraad/html5-google-authenticator

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
"THAT. WON'T. WORK. EITHER."
Re: [liberationtech] Time validation for 2-step verification codes
Richard Brooks wrote:
> Botnet in the mobile (BITM) like Zeus in the mobile (ZITM)
> usually gets around 2-step verification by tricking people
> to install malware on their Android that intercepts SMS.

Or you could buy the main telecom company in the country and intercept every single SMS... oh right, seems like the IRGC took care of that back in '09.

> Can also be done by tricking the system to SMS another device
> (done lately to attack German banks).
>
> On 08/27/2014 11:29 AM, Amin Sabeti wrote:
>> Hi,
>>
>> Recently, a bunch of Iranian journalists/activists have been targeted
>> by Iranian hackers.

What do you mean by Iranian hackers? Could you share the source or more details with me off the list?

>> Some of them said their 2-step verification was active during the attack
>> but the hacker could reuse the code that was sent by Google via SMS and passed
>> 2-step verification!

SMS?! Really? They should be using the Google app, not the SMS! #facepalm [1]

[1] https://upload.wikimedia.org/wikipedia/commons/3/3b/Paris_Tuileries_Garden_Facepalm_statue.jpg

>> I was wondering if some folks here know the validation time for the
>> 2-step verification code that users receive through SMS, not the app.
>>
>> Cheers,
>>
>> Amin

Stay safe!
--
Nima
0XC009DB191C92A77B | @nimaaa | mrphs
"I disapprove of what you say, but I will defend to the death your right to say it" --Evelyn Beatrice Hall
Re: [liberationtech] Time validation for 2-step verification codes
The two-step verification used by Google is based on the TOTP protocol [1], which is the open standard for this sort of thing.

To answer your questions, Amin:

1. Tokens last 60 seconds according to the TOTP standard.
2. Your journalist friends would be very well-advised to use an app [2] instead of SMS codes. By using an authenticator app, they will be able to obtain codes without using SMS and even with their phone completely not connected to a network.

[1] http://tools.ietf.org/html/rfc6238
[2] https://support.google.com/accounts/answer/1066447?hl=en

On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti wrote:
> Hi,
>
> Recently, a bunch of Iranian journalists/activists have been targeted by
> Iranian hackers.
>
> Some of them said their 2-step verification was active during the attack
> but the hacker could reuse the code that was sent by Google via SMS and passed
> 2-step verification!
>
> I was wondering if some folks here know the validation time for the
> 2-step verification code that users receive through SMS, not the app.
>
> Cheers,
>
> Amin
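Nadim's reply above points at RFC 6238, and John Adams' reply earlier in the thread states that an accepted code cannot be replayed. The following is an added example, written for this thread and not code from Google, from the RFC, or from anyone on the list. It implements the RFC 4226 HOTP / RFC 6238 TOTP algorithm with the RFC's own test-vector secret as a constructed sample, plus a hypothetical server-side verifier (the `TotpVerifier` class and its `window` parameter are this example's own design) that shows two things the thread argues about: a code is only valid for its time step plus a small tolerance window (the RFC's recommended default step is 30 seconds; the actual lifetime of Google's SMS code is not established anywhere on this page), and a code that has been accepted once is refused on a second presentation even while its time step is still current. Nothing in the generator touches the network, which is the reason an authenticator app keeps working on a phone in airplane mode, as Nadim says.

```python
"""RFC 6238 TOTP generation and a replay-resistant verifier.

Added example for the liberationtech thread; not Google's implementation.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. No network access is needed, only a
    shared secret and a reasonably accurate clock."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Hypothetical server-side check (this example's own design).

    A code is accepted only if it matches the current time step or a step
    within `window` of it, and every step counter is consumed at most once:
    after a code is accepted, the same code is refused for the rest of its
    validity period, and any older step is refused as well."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1  # highest step counter consumed so far

    def verify(self, code: str, unix_time: float) -> bool:
        current = int(unix_time) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_counter:
                continue  # already consumed (or older than one already consumed)
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so the check does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


# Constructed sample: the shared secret used by the RFC 4226/6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk one code through first use, an immediate replay, and expiry."""
    verifier = TotpVerifier(SAMPLE_SECRET)
    issued_at = 59  # Unix time 59 lies in time step 1 (30-second steps)
    code = totp(SAMPLE_SECRET, issued_at)
    return {
        "code": code,
        "first_use": verifier.verify(code, issued_at),          # accepted
        "replay": verifier.verify(code, issued_at + 10),        # same step, refused
        "expired": verifier.verify(code, issued_at + 5 * 30),   # five steps later, refused
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("live code for the sample secret:", totp(SAMPLE_SECRET, time.time()))
```

Run it directly to see the three outcomes; `demo()` returns them as a dict so they can be checked programmatically. The RFC test vectors (secret `12345678901234567890`, Unix time 59 with 8 digits gives `94287082`) are a convenient way to confirm that a generator is interoperable before trusting it with a real secret.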
Re: [liberationtech] Time validation for 2-step verification codes
On Aug 27, 2014, at 8:29 AM, Amin Sabeti wrote:
> Recently, a bunch of Iranian journalists/activists have been targeted by
> Iranian hackers.
> Some of them said their 2-step verification was active during the attack but
> the hacker could reuse the code that was sent by Google via SMS and passed 2-step
> verification!
> I was wondering if some folks here know the validation time for the
> 2-step verification code that users receive through SMS, not the app.

I just checked with Google security, and this was the response:

> I think the code lasts as long as the one displayed on a phone... I
> suspect that even in the case where the code is 'short lived' getting
> it over SMS is considered 'insecure' and really, really not the best
> plan :(
>
> android/i-device/blackberry all have OTP apps that work with google's
> 2-step, suggest that they use that instead of sms?

…for the same reasons Richard Brooks outlined in his reply.

-Bill
Re: [liberationtech] Time validation for 2-step verification codes
Botnet in the mobile (BITM) like Zeus in the mobile (ZITM) usually gets around 2-step verification by tricking people to install malware on their Android that intercepts SMS.

Can also be done by tricking the system to SMS another device (done lately to attack German banks).

On 08/27/2014 11:29 AM, Amin Sabeti wrote:
> Hi,
>
> Recently, a bunch of Iranian journalists/activists have been targeted
> by Iranian hackers.
>
> Some of them said their 2-step verification was active during the attack
> but the hacker could reuse the code that was sent by Google via SMS and passed
> 2-step verification!
>
> I was wondering if some folks here know the validation time for the
> 2-step verification code that users receive through SMS, not the app.
>
> Cheers,
>
> Amin