All the way back from March.  Can’t believe I missed this for so long.

Interesting.  I’m going to try and see an implementation of this and see how it works with my new Android-based phone.

Man in the middle attacks circumventing authenticators

This makes perfect sense as:

1. OTP tokens such as the Authenticator are obviously susceptible to a live man-in-the-middle (MITM) attack as has been demonstrated as something well beyond “theoritical” a decade ago.  The issue isn’t with the token vendor or type, it is with the entire scheme of a short-lived, shared secret in an increasingly real-time, share-it-and-lose-it networked world.
2. Blizzard is likely the largest OTP deployment on the planet.  They haven’t released any numbers, but if even 10% of users use it, that’s roughly 1.2 million users.  i.e. Big ROI.
3. There’s money in “them thar accounts”.

What can you do?

• All the normal things, run anti-virus, anti-spyware, etc.
• Log into WoW from as few PCs as possible and only those you absolutely control.
• Try to log into any web page that requires authenticator authentication as little as possible, as a man-in-the-middle attack in a browser doesn’t require a local keylogger file as is being used in this current attack

What can Blizzard do?

• The obvious:
  • I believe their thick client already scans for a large number of known attack libraries, files, etc. at the time of launch.  This will be added to the list.
  • I also suspect they are looking for suspicious behavior to the extent that they can with the client.  This type of behavior should be added to the list for that.  Also, they may want to consider increasing the terms and conditions of what we allow them to do in the client with regard to looking for vulnerabilities and suspicious behavior.
• Less Obvious:  Blizzard should seriously consider having a separate authentication mechanism for getting into the game client than for logging into the various portions of Battle.Net / WorldofWarcraft.com / etc.  Why?
  • The more times you use the Authenticator, the more opportunities you have to be compromised.
  • Blizzard has more controls and capabilities to protect the login through their seriously “thick” client to provide additional protections to the authenticator login.
  • Blizzard has much less control over the login environment and ability to monitor what is happening in a web-based authentication with an authenticator.  This current attack is heavy-weight in regards to payload necessary to pull it off.  A successful MITM attack in a web login requires much less work and no payload (client software installed) to execute.
  • What does the attacker want access to, my WoW account details or the stuff on my various characters, in my banks or my guild’s banks?  Go look at what is on file in your “My Account” section. Ask yourself:
    • What is there that an attacker couldn’t get more readily and simply somewhere else given Blizzard is following good practices with regard to what details are shown, masked, etc.?
    • What can the attacker do to you there?  Change your password?  Why bother when I can steal both your static password and dynamic password in a simple web-based MITM attack?  As you now realize, an attacker only need to compromise you one time.  They don’t need to have a reusable password.
    • How about turn off your authenticator?  Hopefully you would stop and think seriously about providing the serial number of your Authenticator if asked outside of your specifically intending to turn it off.
• My suggestion to Blizzard is to consequently move authenticator management and use completely into the WoW client and only ever ask for the Authenticator code from within the client for game session login.  Enable the ability and strongly suggest to users that they use a separate password for Battle.Net web page logins (sans Authenticator) and another separate password to use in the game client with your Authenticator).
• Lastly, and I know from first-hand experience in discussing this with Blizzard devs that this probably won’t fly, but seriously consider offering additional forms of authentication that aren’t susceptible to MITM attacks.  I know the alternatives aren’t as globally friendly for all our WoW brethren that login from shared network cafe PCs, but that’s not the whole market and those of us not constrained in that fashion would like something better if you offered it.  More work for you, yes.  Better security for us and retention of us as customers, yes.

via FBI Investigating Web Spycam — InformationWeek.

This is a case and investigation to keep an eye on.

Can’t be too careful out there.

via The Associated Press: Security chip that does encryption in PCs hacked.

Now for the really cool “how’d he do it?” part:

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips’ cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer’s memory. Those instructions hold the secrets to the computer’s encryption, and he didn’t find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to crack the “huge problem” of figuring out how to avoid traps programmed into the chip’s software as an extra layer of defense.

“This chip is mean, man — it’s like a ticking time bomb if you don’t do something right,” Tarnovsky said.

So either the bank’s supposed “two-factor” solution flat out failed (seriously arguable that an IP address is a legitimate “what you have” factor, IMHO) or they processed it anyway?  It will be interesting to see how this plays out.

Looks like another case of sacrificing security at a real world cost for ease-of-use roughly tied into my most recent previous post.

Passwords remain weakest link in Web security | Service-Oriented Architecture | ZDNet.com.

Frustrating that with all the focus on SSO without security (I’m talking to you OpenID folks) and all the security technologies available to grant both security and SSO (or Reduced Sign-On for you “SSO is impossible” folks) this hasn’t been addressed.  I chalk it up to a lack of vision on certain IP holders and cowardice of those in a position to implement something real  vs. never-ending “play projects”.  Time for these folks to create some momentum (banks, huge portals, OS providers, large retailers, etc.).  Time to get serious about providing real security starting at the point of authentication at which point a huge amount of powerful innovation in services could begin (emergence of the mythical semantic web).

Of course, till the current governmental economic dithering ends (reduce taxes and quit spending us into slavery), who wants to make an admittedly large entrepreneurial bet right now?

AdBlock – Google Chrome extension gallery.

Bummer.  AdBlock only works with plain Chrome and not with the Chromium version I NEED for true RoboForm support.  The plain Chrome RoboForm extension requires me to use RoboForm Online and I don’t trust those folks to properly secure my authentication credentials.  Will stick with Chromium without AdBlock for now.

Come on RoboForm guys, we need a true RoboForm extension that works similarly to how it does for IE and FF!

Google Voice Storms Apple’s iPhone — InformationWeek.