fido2support
-
I think they fixed it a month after the insident see this from ivanti connect
-
@3246 said in fido2support:
Anything that can be phished will be phished. Seriously, though, I just want Cloudron to support better security, and FIDO2 beats OTP. I found getting keys physically or software into users' routines easier than getting OTP codes through apps or (shudder) SMS or Email.
I always try to design for as much stupidity as possible. Users display an amazing capacity for finding ways around security tactics. It's worth making that part of the research during the design phase I think ;-0
What's your experience been?
If you use good passwords, a password manager, and OTP, you are already 90% there. You wouldn’t believe how many companies don’t even have those three.
That being said, I think the Microsoft authenticator implementation of OTP‘s is the smartest: You don’t pull OTP, but the Authenticator app pushes a notification to you if someone tries to login and then requires you to put in a number showing on the log-in screen.
That way, you’re automatically being informed about every look in attempt.
Very clever. -
@necrevistonnezr said in fido2support:
@3246 said in fido2support:
Anything that can be phished will be phished. Seriously, though, I just want Cloudron to support better security, and FIDO2 beats OTP. I found getting keys physically or software into users' routines easier than getting OTP codes through apps or (shudder) SMS or Email.
I always try to design for as much stupidity as possible. Users display an amazing capacity for finding ways around security tactics. It's worth making that part of the research during the design phase I think ;-0
What's your experience been?
If you use good passwords, a password manager, and OTP, you are already 90% there. You wouldn’t believe how many companies don’t even have those three.
That being said, I think the Microsoft authenticator implementation of OTP‘s is the smartest: You don’t pull OTP, but the Authenticator app pushes a notification to you if someone tries to login and then requires you to put in a number showing on the log-in screen.
That way, you’re automatically being informed about every look in attempt.
Very clever.even if, again, someone could try to fish that OTP in different ways of fishing, or even better, have the device or, better, get the guy or gal on a call, claim to be IT, and make them go through the steps. a clever social engineerer (yes i know that's probably not a word) would be able to social engineer.
personally, i like aegis because it's open source (and use t), and the bitwarden authenticator.
I have some experience in this field, as I myself, again, am a hacker.
it's better to be 99.9999999% unfishible than 90%.
the only way i know to get the passkeys or the fido cred is to get the key, but if they got that or your fido device you're fucked as it is. that being said, there's no way to fish it. -
I would like to imfisize that I don't think TOTP is bad, I think it's good, but as @3246 said, they are fishible, and I can confirm that. in fact, TOTP is better than nothing and can be secure if you train your employees (something most IT staffers don't know how to do) but eitherway, that's aside the point.
OTP in general is pretty much insecure when you are using SMS, that's even worse than TOTP for a bunch of reasons.
plus it's really easy to fish.
you don't even have to metasploit the phone, nore do you have to even simswaup them, because technically if the person is using a landline and the method is call (especially older people who can barely use a Samsung) all you have to do is tap the line and you['re good to go.
VOIP is better as yes, it's kinda hackible and it's kinda fun key, but it's better than nothing. in fact, some people will take googles advanced protection program, and use Google voice to make a dedicated 2FA number not related to their mobile and or primary number.
some people may even setup dedicated numbers for each service, which is clever, but even still fido is the way to go.
if you do have to use OTP, it's best in my opinion to use ybikey OTP because it is a lot more secure, and i've set it up on my password manager.
that said, again, OTP is not bad, it's better than nothing (unless it's SMS than you're fucked) but I still prefer fido2 -
o and as for the question about my experience, what I basically did was I had a family member who I wanted to access the account for. so basically what I managed to do (even though this was SMS2FA) was I had reset their password thanks to googles dair I say, stupid security practices at the time, o and a known password she used for her computer (a long with taking other related password combinations) i managed to get into her account.
but of course, fuckin 2FA blocks me, but that's easy.
all I did was, I think I said something under the lines of "hey, I wasl locked out of my device and it sent you a code so I could get back in". and I was given the code, which lead me to a lot. payment/banking emails, tv provider emails, a hole lot of shit. and you know how way back then security wasn't all that 2 seriously, so we sent emails galore. even Amazon decided to send you emails when you baught that sweet braw. and even though that was SMS 2FA, a similar thing could've been done with authenticator 2FA -
back then you could've considered me a black hat hacker, or a hacker with malicious intensions, because I was way younger than I am right now. I think I was like 9 or 10 when this occurred
-
cant exactly remember how old I was, it was a long time ago
-
@adisonverlice2 Thanks for clarifying that the CISA hack was a zero-day exploit. I wasn't aware of that. Guess even the "big boys" can get unlucky too. Some very interesting comments making me want to move this computer into a Farraday cage and call it a day:)
-
@crazybrad no problem dood, and thanks for allowing me to geek out.
if you want a secure computer, you should get this computer
it's a secure computer with heavy modifications for security, such as disabling Intel management engine (Intel ME) (IME), and has special boting software for open source booting.
I would definitely get this computer if I had the money. -
o btw, CISA I think is easy to hack.
if you want some proof, go to this censys search page and search CISA.gov. you'll find plenty of servers that are opened waiting to be intruded upon. -
also i'm not fuckin sure why CISA would need a firm like ivanti in the first place, because guess what?
the national security agency (NSA) themselves have a VPN product, based on IpSec and used in commercial solutions for classified (CSFC) deployments
it is not hard to setup, from what I understand.
and even though it's old, all the CISA would have to do is fork the project, update some code and do whatever they wonna do with it, and boom!
it works!
or even better, use wireguard!
it' not hard to setup a wireguard server yourself, and it's indefinitely easy if you're a cybersecurity or a government agency.
don't just rely on another firm to host your VPNs if you're a government agency.
if you're a small business, or an org that needs managed services, fine, I can understand.
this is a government agency we're talking about, who probably has duzens of IT guys sitting around waiting for orders!
and Pentagon also got hacked because of an IT firm that got hacked (see this source for more information)o and not to mention, the military also uses windows XP.
sounds like a military i'd definitely be working for...
I think only small businesses, and organizations that for whatever reason cannot have an IT guy on site are the orgs who need managed services, not government agencies who have multiple IT guys sitting around ready to work.
my organization (blindsofts) had at least 2 IT guys ready to work.
yes, we had cloudflares for our filtering and internet solution, but we never allowed another company to manage our IT services, including servers. we always deployed servers ourselves, including cloud servers.
now I myself am a hacker, so I have had some experience in the field of IT, so i'd be the1 who not only deals with executive operations (sense i'm the CEO of the business) but also making the security policies.
and yes, this included FIDO2 policies.
now at times we would use cloudron TOTP.
but i'm gonna do an experiment with cloudron when I can get a server up and running (fuckin AWS you all are idiots for charging us a thousand dollars by the way) what I'm gonna do is i'm gonna use cloudrons AD or ldap solution. and the, i'm gonna setup duo security to use it, then i'm gonna require all users to use passkey or, i I can help it, password less, signing to their accounts.
I prefer openID connect, but in this case, I gotta use active directory to import.
it'd also would have been nice if they allowed SAML auth, but right now all we got is AD and openID connect, so we're gonna do that.
this could work while cloudron does not have FIDO2. and when I do that, I will document it in another thread. -
also, if any of you have tested this, let me know.
I wonna know how you tested and how it was.
i've also PM'd @3246 to see if he could test it while I'm still trying to find a server.
and I think I might have to open port636 but maybe not, because duo connects to your actual server, not tryed to authenticate there, it wants a connection to your actual real life server. i'm curious to see how this will actually work, or if cloudron has a docker container i'd put it in. -