fido2support
-
Anything that can be phished will be phished. Seriously, though, I just want Cloudron to support better security, and FIDO2 beats OTP. I found getting keys physically or software into users' routines easier than getting OTP codes through apps or (shudder) SMS or Email.
I always try to design for as much stupidity as possible. Users display an amazing capacity for finding ways around security tactics. It's worth making that part of the research during the design phase I think ;-0
What's your experience been?
-
@necrevistonnezr said in fido2support:
And I know many companies who have moved away from hardware keys or cards because of the excessive downtime when users forget those hardware keys somewhere.
Ah, yes. That could be a hindrance or mild annoyance. I find that having a password manager that supports passkeys is helpful as a fallback or a primary way to log in. That, or having users have two physical keys ideally. How do you create backups for FIDO2 keys?
-
There is a meme going around as follows...
"There are two types of companies: those who have already been hacked, and those that don't know it yet". @3246 I laughed when I saw the source of the article you posted. Perhaps you have also seen that CISA itself has been hacked: CISA Hacked - CNN, March 2024. No one is immune. No one is too safe. No one is invincible.
All of your points are valid. I have also seen insurance companies that sell cyber liability policies offer to store a cookie in your browser and bypass 2FA. I have also seen banks do the same. That said, we should do everything we can to strengthen our authentication systems (including Cloudron) and I agree with @necrevistonnezr that balance is the key. A hard-to-use security mechanism will cause users to scream for a bypass (like the aforementioned cookie fiascos). And lost or forgotten hardware keys will likely require another alternative - reducing the intended level of security.
I have no doubt that Team Cloudron will consider adding more secure authentication mechanisms in the future and I support that effort wholeheartedly. But in the interim, I would encourage others to consider the risk/reward tradeoff offered by Cloudron. Personally, I have not seen a better platform and not found a better community of colleagues to dialogue about issues such as this.
-
@3246 you cannot.
the key cannot be backed up because it is at the OS level.
however, some password managers, such as bitwarden (my favorite) can store your passkeys in the cloud, but that's it.
other than that, the closest thing you can do is create 2 separate keys on 2 different devices.
backing up the key, though, is not possible.
and even if you did get in, you still wouldn't be able to get in from the outside. the best thing a hacker would be able to do is a sophisticated enough man-in-the-middle attack, and force the user to change to SMS or a less secure version.
and good luck with that, because my Google account has the Google advanced protection program, which I describe as the secret service for Google accounts.
which is good, because Google seemed to have gotten hacked very recently. now I wish I could claim 5000 dollars from it, but at least I'm secure. I wanted to claim 5k but I can't because I wasn't involved in this breach.
now I'm gonna turn off advanced protection and I will create a shorter password that way I can claim 5k next time.
I'm kidding, I'm kidding.
but anyways, hope that answers your question -
@3246 said in fido2support:
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
My recommendation to clients is usually to go with FIDO hardware keys and/or passkeys - especially for mission-critical stuff, thus I cannot recommend Cloudron because it does not support it
Ref. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf, https://www.sectigo.com/resource-library/how-phishers-take-your-one-time-passwords, etc
what you could also do is see if you can get Bitwarden's business plan, and have it self hosted. then, you could set up a policy that forces all users to login with their passkey. then they could put their TOTP tokens in there.
this does take a little longer, but it's better than nothing. -
also I can agree with you
I tried giving them resources, like this one, and the users could sign up for the service, and all they would have to do is put in their API key then boom. it would work -
@3246 yeah, I'm a hacker myself, so I know how that shit works.
not to mention the fact it's a 6 digit code. I mean sure, it changes, but some hackers could get lucky.
it becomes even worse when you consider the fact that some apps cloud sync. and if you can get say, authy, and get the phone number and they have it synced in the cloud, or even worse, you end up getting a bitwarden csv file that is unencrypted, they could get not just your TOTP but potentially your passwords and your Elon Musk crypto YouTube channel. -
@necrevistonnezr said in fido2support:
@3246 said in fido2support:
To add my 2p to this topic: I currently cannot recommend Cloudron to businesses as OTP is phishable.
That is exaggerated b/s. OTP is still an industry standard and a good balance between security and convenience (important if you want your 3,000 employees to comply with it!). The article argues that since a bad actor may convince you to reveal your OTP in some other channel, it's insecure - well, you can hardly get security against stupidity.
And I know many companies who have moved away from hardware keys or cards because of the excessive downtime when users forgot those hardware keys somewhere.
I mean, he's not wrong though. I've had some experience in this field.
and sure, TOTP is good, but what use is it if you can phish it, from a tool like the social engineering toolkit or even better, get some TOTP secrets somewhere, whether it be from a server breach, or from a hacked device.
oh, especially if there's malware on the machine but at that point, you're fucked already.
what I actually did was I set up a policy that only allowed I think 2 rules, allow passkey and allow yubikey OTP, and deny everything else.
users were allowed to use duo on our password manager self hosted, but even then you were only allowed to use u2f keys.
of course, you could also use nitrokey, which imo is better than yubikey in some ways, though you don't get that yubikey OTP thingy I talked about earlier. though you can do stuff like encrypted and/or hidden storage, and even some hardware level boot security using pureboot, an alternative to UEFI.
here's the software, if anyone's interested -
@crazybrad said in fido2support:
CISA Hacked - CNN, March 2024
so the CISA hack was not a phishing attack at all, far from it.
so what the hackers did in this case was they found what's known as a zero-day flaw.
this is a flaw that exploits a system, but it's a very brand new exploit. almost like a new candy bar. no one knows about it. similar to the zero-day, no one knows about the exploit.
in this case, it was a zeroday in a VPN product known as ivanti, which is a, well, VPN, but not like the ones you all might be used to, like Surfshark and ExpressVPN.
they use protocols like openVPN which you all may know, and you put it in your network or a dedicated device to act as the kinda gateway.
I think this product would actually go against the NSA commercial solutions for classified (CSFC) components list which ironically, I don't think the CISA follows.
it is in the NIAP-CCEVS compliant product list, but I don't know if it's certified. I don't think it is.
ok nevermind, it is certified by acumen security.
but yes, they did have to take offline their chemical testing tools I think.
nevertheless I think it should be taken off that list considering how bad it hurt certain government agencies.
and even then, there should've been some testing with that update, whichever update had the critical bug.
oh, and furthermore, fuck proprietary VPN tools.
I don't care if you're in a government agency, you should use open source security tools, like wireguard or zero-trust tools like Cloudflare gateway, which has user-based authentication.
in fact, check this out.
I know, I got off topic there, but I really needed to stress that.
back to the topic of phishing though, zero-days are commonly worse than phishing and often have nothing to do with phishing, unless the CVE in question requires the user to be authenticated.
and at that point, you better have your users trained. -
I think they fixed it a month after the incident see this from ivanti connect
-
@3246 said in fido2support:
Anything that can be phished will be phished. Seriously, though, I just want Cloudron to support better security, and FIDO2 beats OTP. I found getting keys physically or software into users' routines easier than getting OTP codes through apps or (shudder) SMS or Email.
I always try to design for as much stupidity as possible. Users display an amazing capacity for finding ways around security tactics. It's worth making that part of the research during the design phase I think ;-0
What's your experience been?
If you use good passwords, a password manager, and OTP, you are already 90% there. You wouldn’t believe how many companies don’t even have those three.
That being said, I think the Microsoft authenticator implementation of OTPs is the smartest: You don't pull OTP, but the Authenticator app pushes a notification to you if someone tries to login and then requires you to put in a number showing on the log-in screen.
That way, you're automatically being informed about every log-in attempt.
Very clever. -
@necrevistonnezr said in fido2support:
@3246 said in fido2support:
Anything that can be phished will be phished. Seriously, though, I just want Cloudron to support better security, and FIDO2 beats OTP. I found getting keys physically or software into users' routines easier than getting OTP codes through apps or (shudder) SMS or Email.
I always try to design for as much stupidity as possible. Users display an amazing capacity for finding ways around security tactics. It's worth making that part of the research during the design phase I think ;-0
What's your experience been?
If you use good passwords, a password manager, and OTP, you are already 90% there. You wouldn’t believe how many companies don’t even have those three.
That being said, I think the Microsoft authenticator implementation of OTPs is the smartest: You don't pull OTP, but the Authenticator app pushes a notification to you if someone tries to login and then requires you to put in a number showing on the log-in screen.
That way, you're automatically being informed about every log-in attempt.
Very clever.
even if, again, someone could try to phish that OTP in different ways of phishing, or even better, have the device or, better, get the guy or gal on a call, claim to be IT, and make them go through the steps. a clever social engineerer (yes I know that's probably not a word) would be able to social engineer.
personally, I like aegis because it's open source (and use it), and the bitwarden authenticator.
I have some experience in this field, as I myself, again, am a hacker.
it's better to be 99.9999999% unphishable than 90%.
the only way I know to get the passkeys or the fido cred is to get the key, but if they got that or your fido device you're fucked as it is. that being said, there's no way to phish it. -
I would like to emphasize that I don't think TOTP is bad, I think it's good, but as @3246 said, they are phishable, and I can confirm that. in fact, TOTP is better than nothing and can be secure if you train your employees (something most IT staffers don't know how to do) but either way, that's beside the point.
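As an added illustration of the point made above (example code, not from this forum or from Cloudron), here is the relying-party check that makes a FIDO2/WebAuthn assertion fail when the browser was on a lookalike page, next to a TOTP check that has no such field to inspect. The relying-party id, origins, secrets and challenge are constructed values, and an HMAC with a shared key stands in for the credential's ECDSA key pair so the example runs on the standard library only.

```python
import hashlib, hmac, json, struct

RP_ID = "cloudron.example"                   # constructed relying-party id
EXPECTED_ORIGIN = "https://cloudron.example"  # the only origin the RP accepts

# TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). The verifier receives
# only the code; nothing in it says on which site the user typed it.
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_verify(secret: bytes, code: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), code)

# WebAuthn assertion: the browser, not the user, fills in rpId and origin from
# the page it is really on, and the authenticator signs
# authenticatorData || SHA-256(clientDataJSON). HMAC stand-in for ECDSA below.
def authenticator_sign(cred_key: bytes, rp_id_seen: str, origin_seen: str, challenge: str):
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_seen}).encode()
    flags = bytes([0x01])                     # UP (user present) bit set
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + flags + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(cred_key: bytes, client_data: bytes, auth_data: bytes, sig: bytes, challenge: str) -> str:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad type/challenge"
    if cd.get("origin") != EXPECTED_ORIGIN:   # signed data names another site
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expect = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                      hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expect, sig) else "bad signature"

def demo():
    secret, now = b"constructed-totp-seed", 1_700_000_000
    code = totp(secret, now)                          # what the user's app shows
    relayed_totp_ok = totp_verify(secret, code, now)  # True no matter where typed
    key, chal = b"constructed-credential-key", "constructed-challenge"
    legit = rp_verify(key, *authenticator_sign(key, RP_ID, EXPECTED_ORIGIN, chal), chal)
    # same user, same credential, but the browser was on a lookalike page
    phished = rp_verify(key, *authenticator_sign(
        key, "cloudron-login.example", "https://cloudron-login.example", chal), chal)
    return relayed_totp_ok, legit, phished
```

`demo()` returns `(True, "ok", "origin mismatch")`: the relayed TOTP still verifies, while the assertion produced on the other origin is rejected before the signature is even checked.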
OTP in general is pretty much insecure when you are using SMS, that's even worse than TOTP for a bunch of reasons.
plus it's really easy to phish.
you don't even have to metasploit the phone, nor do you have to even SIM swap them, because technically if the person is using a landline and the method is call (especially older people who can barely use a Samsung) all you have to do is tap the line and you're good to go.
VOIP is better as yes, it's kinda hackable and it's kinda funky, but it's better than nothing. in fact, some people will take Google's advanced protection program, and use Google voice to make a dedicated 2FA number not related to their mobile and/or primary number.
some people may even setup dedicated numbers for each service, which is clever, but even still fido is the way to go.
if you do have to use OTP, it's best in my opinion to use YubiKey OTP because it is a lot more secure, and I've set it up on my password manager.
that said, again, OTP is not bad, it's better than nothing (unless it's SMS, then you're fucked) but I still prefer fido2 -
oh, and as for the question about my experience, what I basically did was I had a family member who I wanted to access the account for. so basically what I managed to do (even though this was SMS 2FA) was I had reset their password thanks to Google's, dare I say, stupid security practices at the time, oh, and a known password she used for her computer (along with taking other related password combinations) I managed to get into her account.
but of course, fuckin 2FA blocks me, but that's easy.
all I did was, I think I said something along the lines of "hey, I was locked out of my device and it sent you a code so I could get back in". and I was given the code, which led me to a lot. payment/banking emails, tv provider emails, a whole lot of shit. and you know how way back then security wasn't taken all that seriously, so we sent emails galore. even Amazon decided to send you emails when you bought that sweet bra. and even though that was SMS 2FA, a similar thing could've been done with authenticator 2FA -
back then you could've considered me a black hat hacker, or a hacker with malicious intentions, because I was way younger than I am right now. I think I was like 9 or 10 when this occurred
-
can't exactly remember how old I was, it was a long time ago
-
@adisonverlice2 Thanks for clarifying that the CISA hack was a zero-day exploit. I wasn't aware of that. Guess even the "big boys" can get unlucky too. Some very interesting comments making me want to move this computer into a Faraday cage and call it a day:)
-
@crazybrad no problem dood, and thanks for allowing me to geek out.
if you want a secure computer, you should get this computer
it's a secure computer with heavy modifications for security, such as disabling Intel management engine (Intel ME) (IME), and has special booting software for open source booting.
I would definitely get this computer if I had the money. -
oh, btw, CISA I think is easy to hack.
if you want some proof, go to this censys search page and search CISA.gov. you'll find plenty of servers that are opened waiting to be intruded upon. -
also I'm not fuckin sure why CISA would need a firm like ivanti in the first place, because guess what?
the national security agency (NSA) themselves have a VPN product, based on IPsec and used in commercial solutions for classified (CSFC) deployments
it is not hard to set up, from what I understand.
and even though it's old, all the CISA would have to do is fork the project, update some code and do whatever they wanna do with it, and boom!
it works!
or even better, use wireguard!
it's not hard to set up a wireguard server yourself, and it's indefinitely easy if you're a cybersecurity or a government agency.
don't just rely on another firm to host your VPNs if you're a government agency.
if you're a small business, or an org that needs managed services, fine, I can understand.
this is a government agency we're talking about, who probably has dozens of IT guys sitting around waiting for orders!
and Pentagon also got hacked because of an IT firm that got hacked (see this source for more information)
oh, and not to mention, the military also uses windows XP.
sounds like a military I'd definitely be working for...
I think only small businesses, and organizations that for whatever reason cannot have an IT guy on site are the orgs who need managed services, not government agencies who have multiple IT guys sitting around ready to work.
my organization (blindsofts) had at least 2 IT guys ready to work.
yes, we had Cloudflare's for our filtering and internet solution, but we never allowed another company to manage our IT services, including servers. we always deployed servers ourselves, including cloud servers.
now I myself am a hacker, so I have had some experience in the field of IT, so I'd be the one who not only deals with executive operations (since I'm the CEO of the business) but also making the security policies.
and yes, this included FIDO2 policies.
now at times we would use cloudron TOTP.
but I'm gonna do an experiment with cloudron when I can get a server up and running (fuckin AWS you all are idiots for charging us a thousand dollars by the way) what I'm gonna do is I'm gonna use Cloudron's AD or ldap solution. and then, I'm gonna set up duo security to use it, then I'm gonna require all users to use passkey or, if I can help it, passwordless sign-in to their accounts.
I prefer openID connect, but in this case, I gotta use active directory to import.
it'd also have been nice if they allowed SAML auth, but right now all we got is AD and openID connect, so we're gonna do that.
this could work while cloudron does not have FIDO2. and when I do that, I will document it in another thread.