[Linux-aus] Security conferences (was: LUGs)

Info info at petermoulding.com
Sat Jul 8 17:55:27 AEST 2023


The new systems look good for checking that the current user is the same as the previous user of 
that user id. CACert still appears to be the only system verifying the identity of the user, as in 
the user logging in as fred smith is fred smith. Perhaps the Google passkey could have a blue 
tick if the user is first verified by CACert.

When using Facebook, something that was inflicted on me for months on a project where I was 
outvoted, even though we had a budget for a professional note sharing system, the people joining our 
group could be anyone. Verification was based on them typing "yes I am fred smith. Really. Really!" :-)

If we use movies as the predictors of the future, Gattaca had a DNA scanner on every keyboard which 
would work if we ignore the movie Twins where one was evil. :-))

On 8/7/23 12:25, Adam Nielsen via linux-aus wrote:
>> MFA works locally and people run into problems when they travel using
>> cheaper local cards. Anyone with serious access should use two
>> telephones and reserve one for the calls back to the office.
>>
>> If you use your telephone number, lose your telephone, then try to
>> get a new telephone with the same number, you can end up in an
>> authentication loop. One friend hit that road block recently.
> 
> Using a phone number for MFA (e.g. with SMS) is considered a very
> poor practice and is not secure at all.  There have been a number of
> cases of employees at phone companies around the world being tricked or
> bribed into porting a number across to a scammer's SIM, allowing the
> scammer to receive SMS texts sent to a target's phone number.  I
> believe it's also possible to clone a SIM which although more of a
> technical challenge, can also allow an attacker to take over someone's
> phone number and negate the benefits of MFA.  This has been happening
> for a long time now, such as this incident from 2018:
> https://www.abc.net.au/everyday/protecting-yourself-from-phone-porting-and-sim-card-scams/100421586
> 
> This is another thing that has been raised for many years at security
> conferences but too many companies and even banks still insist on using
> SMS for MFA, giving only the illusion of security, although some are now
> understanding the risks and moving to custom phone apps instead.
> 
> This is why the best MFA methods do not require third party services,
> as it's one less avenue that can be compromised.  A common and popular
> implementation is Time-based One-Time Passwords (TOTP) which use a
> shared secret and the current time to generate unique passwords (see
> https://en.wikipedia.org/wiki/Time-based_one-time_password).
> 
> As these work entirely offline, they are not susceptible to any of the
> attacks that SMS texts are, they are safe to use in countries where
> Internet access is monitored and restricted or phone service is
> unreliable, and you can copy the secret to multiple devices so for
> example if you lose your phone, you can still generate the passwords on
> a laptop to make it easy to update all the underlying secrets (so by
> the time anyone extracts them from your lost phone they are no longer
> useful).
> 
> Google Authenticator is one Android app that supports TOTP but there are
> many others, and the secrets are generally compatible between them all
> thanks to the RFC standards.  Personally I use the open source oathtool
> to generate the passwords on my Linux machines, and I use them for many
> online services - GitHub, Google, Amazon AWS, etc.
> 
>> CACert was a great idea. I hoped that would lead to key
>> authentication for Facebook and everything instead of just the Musk
>> Blue Tick.
> 
> The problem with certificate authentication is that nobody figured out
> a good way to make it work for end users.  It was too complicated for
> the average person to understand.  Even just getting your certificate
> off a laptop onto a phone without compromising it (e.g. by e-mailing it
> to yourself) is still a challenge today.
> 
> Perhaps WebAuthn and passkeys will be the answer:
> https://arstechnica.com/information-technology/2023/05/passwordless-google-accounts-are-easier-and-more-secure-than-passwords-heres-why/
> 
> Cheers,
> Adam.
> _______________________________________________
> linux-aus mailing list
> linux-aus at lists.linux.org.au
> http://lists.linux.org.au/mailman/listinfo/linux-aus
