Man in the middle attacks circumventing authenticators

This makes perfect sense as:

1. OTP tokens such as the Authenticator are obviously susceptible to a live man-in-the-middle (MITM) attack as has been demonstrated as something well beyond “theoritical” a decade ago.  The issue isn’t with the token vendor or type, it is with the entire scheme of a short-lived, shared secret in an increasingly real-time, share-it-and-lose-it networked world.
2. Blizzard is likely the largest OTP deployment on the planet.  They haven’t released any numbers, but if even 10% of users use it, that’s roughly 1.2 million users.  i.e. Big ROI.
3. There’s money in “them thar accounts”.

What can you do?

• All the normal things, run anti-virus, anti-spyware, etc.
• Log into WoW from as few PCs as possible and only those you absolutely control.
• Try to log into any web page that requires authenticator authentication as little as possible, as a man-in-the-middle attack in a browser doesn’t require a local keylogger file as is being used in this current attack

What can Blizzard do?

• The obvious:
  • I believe their thick client already scans for a large number of known attack libraries, files, etc. at the time of launch.  This will be added to the list.
  • I also suspect they are looking for suspicious behavior to the extent that they can with the client.  This type of behavior should be added to the list for that.  Also, they may want to consider increasing the terms and conditions of what we allow them to do in the client with regard to looking for vulnerabilities and suspicious behavior.
• Less Obvious:  Blizzard should seriously consider having a separate authentication mechanism for getting into the game client than for logging into the various portions of Battle.Net / WorldofWarcraft.com / etc.  Why?
  • The more times you use the Authenticator, the more opportunities you have to be compromised.
  • Blizzard has more controls and capabilities to protect the login through their seriously “thick” client to provide additional protections to the authenticator login.
  • Blizzard has much less control over the login environment and ability to monitor what is happening in a web-based authentication with an authenticator.  This current attack is heavy-weight in regards to payload necessary to pull it off.  A successful MITM attack in a web login requires much less work and no payload (client software installed) to execute.
  • What does the attacker want access to, my WoW account details or the stuff on my various characters, in my banks or my guild’s banks?  Go look at what is on file in your “My Account” section. Ask yourself:
    • What is there that an attacker couldn’t get more readily and simply somewhere else given Blizzard is following good practices with regard to what details are shown, masked, etc.?
    • What can the attacker do to you there?  Change your password?  Why bother when I can steal both your static password and dynamic password in a simple web-based MITM attack?  As you now realize, an attacker only need to compromise you one time.  They don’t need to have a reusable password.
    • How about turn off your authenticator?  Hopefully you would stop and think seriously about providing the serial number of your Authenticator if asked outside of your specifically intending to turn it off.
• My suggestion to Blizzard is to consequently move authenticator management and use completely into the WoW client and only ever ask for the Authenticator code from within the client for game session login.  Enable the ability and strongly suggest to users that they use a separate password for Battle.Net web page logins (sans Authenticator) and another separate password to use in the game client with your Authenticator).
• Lastly, and I know from first-hand experience in discussing this with Blizzard devs that this probably won’t fly, but seriously consider offering additional forms of authentication that aren’t susceptible to MITM attacks.  I know the alternatives aren’t as globally friendly for all our WoW brethren that login from shared network cafe PCs, but that’s not the whole market and those of us not constrained in that fashion would like something better if you offered it.  More work for you, yes.  Better security for us and retention of us as customers, yes.

via CNN Poll: Majority says government a threat to citizens’ rights.

Maybe there is hope given that this apparently “astonishing poll” reflects the firmly held belief of the crafters of the U.S. Constitution.  Government is an evil.  A necessary evil, but evil all the same and is to be kept small and easy to stomp on when it starts to do what it must by its nature… restrict freedom of the individual.

Want to fix the economy?  Want to fix healthcare?

• Reduce the number of regulations everywhere.
• Reduce taxes across the board.
• Reduce all levels of government employment.
• Break the unions in all government hiring so the weak and the lazy can actually be fired.  (Throw in the completely evil NEA while you’re at it).
• Introduce “loser pays” tort reform.

That would do for a start as there would be such a boom as hasn’t been seen since at least the post-WW2 or 1980s boom and would likely be even bigger than that.  Then the problem just becomes keeping those that feel guilty for living in the greatest country ever on earth to keep from gaining power and undoing what makes it great.  Once we leave this obamanation behind, let’s vow to never return.  Let our rally cry be, “Remember Carter and the obamanation!”.

via FBI Investigating Web Spycam — InformationWeek.

This is a case and investigation to keep an eye on.

Victor Davis Hanson as always well worth the time to read.

Can’t be too careful out there.

via The Associated Press: Security chip that does encryption in PCs hacked.

Now for the really cool “how’d he do it?” part:

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips’ cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer’s memory. Those instructions hold the secrets to the computer’s encryption, and he didn’t find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to crack the “huge problem” of figuring out how to avoid traps programmed into the chip’s software as an extra layer of defense.

“This chip is mean, man — it’s like a ticking time bomb if you don’t do something right,” Tarnovsky said.

But the latest yuppie terrorist — Omar Hammami, the Alabaman who went to Somalia to kill non-believers and rant about the evil America that nourished him — is more candid than most. In a recent New York Times Magazine piece, Hammami is quoted as rejecting the claim that socioeconomic factors drove his own murderous extremism: “They cant blame it on poverty or any of that stuff. They will have to realize that its an ideology and its a way of life that make people change. They will also have to realize that their political agendas need to be fixed.”

via VDHs Private Papers::Its Not about Poverty.

So either the bank’s supposed “two-factor” solution flat out failed (seriously arguable that an IP address is a legitimate “what you have” factor, IMHO) or they processed it anyway?  It will be interesting to see how this plays out.

Looks like another case of sacrificing security at a real world cost for ease-of-use roughly tied into my most recent previous post.

Passwords remain weakest link in Web security | Service-Oriented Architecture | ZDNet.com.

Frustrating that with all the focus on SSO without security (I’m talking to you OpenID folks) and all the security technologies available to grant both security and SSO (or Reduced Sign-On for you “SSO is impossible” folks) this hasn’t been addressed.  I chalk it up to a lack of vision on certain IP holders and cowardice of those in a position to implement something real  vs. never-ending “play projects”.  Time for these folks to create some momentum (banks, huge portals, OS providers, large retailers, etc.).  Time to get serious about providing real security starting at the point of authentication at which point a huge amount of powerful innovation in services could begin (emergence of the mythical semantic web).

Of course, till the current governmental economic dithering ends (reduce taxes and quit spending us into slavery), who wants to make an admittedly large entrepreneurial bet right now?

Yeah… what he said.

Now, will we get another Reagan to follow-up this generation’s Carter-to-the-factor-of-10?  I sure hope so, cuz there’s a lot more to dig out from under than with Carter.