All the way back from March.  Can’t believe I missed this for so long.

Interesting.  I’m going to try and see an implementation of this and see how it works with my new Android-based phone.

Man in the middle attacks circumventing authenticators

This makes perfect sense as:

1. OTP tokens such as the Authenticator are obviously susceptible to a live man-in-the-middle (MITM) attack as has been demonstrated as something well beyond “theoritical” a decade ago.  The issue isn’t with the token vendor or type, it is with the entire scheme of a short-lived, shared secret in an increasingly real-time, share-it-and-lose-it networked world.
2. Blizzard is likely the largest OTP deployment on the planet.  They haven’t released any numbers, but if even 10% of users use it, that’s roughly 1.2 million users.  i.e. Big ROI.
3. There’s money in “them thar accounts”.

What can you do?

• All the normal things, run anti-virus, anti-spyware, etc.
• Log into WoW from as few PCs as possible and only those you absolutely control.
• Try to log into any web page that requires authenticator authentication as little as possible, as a man-in-the-middle attack in a browser doesn’t require a local keylogger file as is being used in this current attack

What can Blizzard do?

• The obvious:
  • I believe their thick client already scans for a large number of known attack libraries, files, etc. at the time of launch.  This will be added to the list.
  • I also suspect they are looking for suspicious behavior to the extent that they can with the client.  This type of behavior should be added to the list for that.  Also, they may want to consider increasing the terms and conditions of what we allow them to do in the client with regard to looking for vulnerabilities and suspicious behavior.
• Less Obvious:  Blizzard should seriously consider having a separate authentication mechanism for getting into the game client than for logging into the various portions of Battle.Net / WorldofWarcraft.com / etc.  Why?
  • The more times you use the Authenticator, the more opportunities you have to be compromised.
  • Blizzard has more controls and capabilities to protect the login through their seriously “thick” client to provide additional protections to the authenticator login.
  • Blizzard has much less control over the login environment and ability to monitor what is happening in a web-based authentication with an authenticator.  This current attack is heavy-weight in regards to payload necessary to pull it off.  A successful MITM attack in a web login requires much less work and no payload (client software installed) to execute.
  • What does the attacker want access to, my WoW account details or the stuff on my various characters, in my banks or my guild’s banks?  Go look at what is on file in your “My Account” section. Ask yourself:
    • What is there that an attacker couldn’t get more readily and simply somewhere else given Blizzard is following good practices with regard to what details are shown, masked, etc.?
    • What can the attacker do to you there?  Change your password?  Why bother when I can steal both your static password and dynamic password in a simple web-based MITM attack?  As you now realize, an attacker only need to compromise you one time.  They don’t need to have a reusable password.
    • How about turn off your authenticator?  Hopefully you would stop and think seriously about providing the serial number of your Authenticator if asked outside of your specifically intending to turn it off.
• My suggestion to Blizzard is to consequently move authenticator management and use completely into the WoW client and only ever ask for the Authenticator code from within the client for game session login.  Enable the ability and strongly suggest to users that they use a separate password for Battle.Net web page logins (sans Authenticator) and another separate password to use in the game client with your Authenticator).
• Lastly, and I know from first-hand experience in discussing this with Blizzard devs that this probably won’t fly, but seriously consider offering additional forms of authentication that aren’t susceptible to MITM attacks.  I know the alternatives aren’t as globally friendly for all our WoW brethren that login from shared network cafe PCs, but that’s not the whole market and those of us not constrained in that fashion would like something better if you offered it.  More work for you, yes.  Better security for us and retention of us as customers, yes.

via FBI Investigating Web Spycam — InformationWeek.

This is a case and investigation to keep an eye on.

Can’t be too careful out there.

via The Associated Press: Security chip that does encryption in PCs hacked.

Now for the really cool “how’d he do it?” part:

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips’ cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer’s memory. Those instructions hold the secrets to the computer’s encryption, and he didn’t find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to crack the “huge problem” of figuring out how to avoid traps programmed into the chip’s software as an extra layer of defense.

“This chip is mean, man — it’s like a ticking time bomb if you don’t do something right,” Tarnovsky said.

So either the bank’s supposed “two-factor” solution flat out failed (seriously arguable that an IP address is a legitimate “what you have” factor, IMHO) or they processed it anyway?  It will be interesting to see how this plays out.

Looks like another case of sacrificing security at a real world cost for ease-of-use roughly tied into my most recent previous post.

Passwords remain weakest link in Web security | Service-Oriented Architecture | ZDNet.com.

Frustrating that with all the focus on SSO without security (I’m talking to you OpenID folks) and all the security technologies available to grant both security and SSO (or Reduced Sign-On for you “SSO is impossible” folks) this hasn’t been addressed.  I chalk it up to a lack of vision on certain IP holders and cowardice of those in a position to implement something real  vs. never-ending “play projects”.  Time for these folks to create some momentum (banks, huge portals, OS providers, large retailers, etc.).  Time to get serious about providing real security starting at the point of authentication at which point a huge amount of powerful innovation in services could begin (emergence of the mythical semantic web).

Of course, till the current governmental economic dithering ends (reduce taxes and quit spending us into slavery), who wants to make an admittedly large entrepreneurial bet right now?

December 14, 2009 05:05 PM

Much as I’d like to say that consumers aren’t so much against “working for” strong authentication as they are at recognizing that KBA isn’t actually providing any security, at least the results are the same.  KBA is being rejected.  KBA doesn’t protect against even phishing and is just another set of hard to remember and manage passwords.

I still contend that users will definitely work for and even pay for strong authentication if they believe it is effective and if they believe what they are protecting has value to them.  Why should I worry about my credit card being compromised when I know my liability is limited to $50 or some such manageable number.  Heck, my credit card has been stolen a couple times via physical POS situations and it has never cost me any out of pocket money and at worst a couple minutes on the phone with my credit card company.  Of course, it does cost me something as the losses to merchants and banks end up reflected back to me in increased fees, rates, etc., but all that disappears into the great “cost of doing business” economic effect.

Which then brings up the question as to why financial institutions, merchants, etc. aren’t looking to reduce their costs and increase their margins by offering strong authentication to:

• Give themselves a competitive edge over their competitors on margin
• Give themselves a competitive edge in customer loyalty by taking better care of their customers
• Offer price breaks and other incentives for customers that use offered strong authentication mechanisms

One of the online communities I spend time in has actually begun to self-regulate itself along the lines of those that use strong authentication and those that don’t.  Want to participate with a group in that community?  You have to use strong authentication offered in the context of that community.  You don’t have to, but if you don’t you are precluded from interactions with the “better elements” of that community.

Just something to consider.