#2fa

danie10@squeet.me

Oasis Security Research Team Discovers Microsoft Azure MFA Bypass: We Expect More From An Enterprise Provider Though

The image shows a dark, cracked earth in the foreground, suggesting a sense of vulnerability or fragility. In the background, there's a dark blue gradient that fills the space, punctuated by a grid of small plus symbols at the top and bottom, adding a technological or digital feel. A central element is a rectangular box with the word "AuthQuake" in a salmon-pink color, indicating a possible security breach. The box is connected by a dotted line to an arrow, implying movement or an ongoing process. The gradient background subtly transitions from dark to slightly lighter, creating depth.
Oasis Security’s research team uncovered a critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching.

The bypass was simple: it took around an hour to execute, required no user interaction, and did not generate any notification or provide the account holder with any indication of trouble.

The news surfaced in the last week, and Microsoft has already addressed the issue. For me, though, the real news is that a global enterprise-level IT company should not have had such basic guardrails missing. It really appears that Microsoft had knowingly relaxed some measures around its 2FA to allow for convenience. But surely a lack of attack rate limiting is just unforgivable. One of the basics I always employ on my servers and blog is attack rate limiting with lengthy blocks in place. If anyone has to guess a password or 2FA more than 3 times, there is something wrong.

Microsoft has had so many security fumbles over time that it is quite amazing that their monopoly in the workplace goes unchallenged. It seems Microsoft has very little care about their customers, as long as the money is rolling in, and if that eases, they just change the licensing parameters a bit. The recent Microsoft Recall feature was just another example of completely not appreciating their customers’ privacy, and that was also only addressed after a major outcry.

Microsoft probably has too much inertia, but actually there are some pretty good alternatives around if one takes a little trouble to rise out of the deep rut. The combination of pretty admin tools, AI, and cloud services has unfortunately made many admins way too lazy today. I think the quality of our admins on the edge is a lot weaker than it used to be two decades back. All this usually means an even greater reliance on Microsoft where it is used in a corporate environment.

Security is about keeping it simple, and having a reasonable depth of knowledge about what is being managed.

See oasis.security/resources/blog/…
#Blog, #2fa, #security, #technology
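The attempt limiting the post above calls for, as an added example: this is not part of the post and not Oasis Security's or Microsoft's code. It counts wrong second-factor guesses per account (not per session or source address), blocks the account for a lengthy period once the limit is hit, notifies the account holder, and works out what the policy costs a brute-force attacker. The 3-attempt / 15-minute policy, the notification text and the account-wide counting are assumptions chosen for the example.

```python
"""Per-account attempt limiting for a second-factor check (added example).

The 3-attempt / 15-minute policy, account-wide counting and the message
format are assumptions for this example, not Microsoft's or Oasis
Security's implementation.
"""
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3           # assumed policy: more than three wrong guesses is an attack
LOCKOUT_SECONDS = 15 * 60  # assumed policy: lengthy block once the limit is hit
OTP_DIGITS = 6


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    notifications: list = field(default_factory=list)


class OtpVerifier:
    """Checks a submitted OTP against the expected one and enforces lockout.

    Failures are counted per account rather than per login session or
    source address, so an attacker gains nothing by opening fresh sessions
    or spreading guesses over many IPs.
    """

    def __init__(self) -> None:
        self._accounts: dict = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def notifications(self, account: str) -> list:
        return list(self._state(account).notifications)

    def verify(self, account: str, submitted: str, expected: str, now: float) -> str:
        """Returns 'ok', 'wrong' or 'locked'. `now` is injected so the
        policy can be exercised without sleeping."""
        state = self._state(account)
        if now < state.locked_until:
            # Even the correct code is refused while locked: the attacker
            # must not learn which guess would have been right.
            return "locked"
        # Constant-time comparison so timing does not leak how many
        # leading digits of a guess were correct.
        if hmac.compare_digest(submitted, expected):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            state.notifications.append(
                f"{account}: second-factor lockout after {MAX_FAILURES} wrong codes, "
                f"blocked until t={state.locked_until:.0f}"
            )
            return "locked"
        return "wrong"


def brute_force_hours(digits: int = OTP_DIGITS, attempts: int = MAX_FAILURES,
                      lockout: int = LOCKOUT_SECONDS) -> float:
    """Expected wall-clock hours to hit a `digits`-digit code by exhaustion
    when only `attempts` guesses are allowed per `lockout` window. A static
    code needs half the keyspace on average; a rotating TOTP code is no
    easier, since each guess succeeds with probability 10**-digits. With no
    limit at all the same keyspace is a few hundred thousand requests."""
    windows = (10 ** digits / 2) / attempts
    return windows * lockout / 3600


if __name__ == "__main__":
    v = OtpVerifier()
    for guess in ("000000", "000001", "000002", "123456"):
        print(guess, v.verify("alice", guess, "123456", now=0.0))
    print(v.notifications("alice"))
    print(f"expected brute-force time under this policy: {brute_force_hours():.0f} hours")
```

Run stand-alone, the fourth attempt with the correct code is still refused because the account is locked, and the policy stretches a six-digit search to tens of thousands of hours instead of minutes.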

anonymiss@despora.de

Second Factor #SMS: Worse Than Its Reputation

Source: https://www.ccc.de/en/updates/2024/2fa-sms

IdentifyMobile, a provider of 2FA-SMS, shared the sent one-time passwords in real-time on the internet. The #CCC happened to be in the right place at the right time and accessed the data. It was sufficient to guess the subdomain "idmdatastore". Besides SMS content, recipients' phone numbers, sender names, and sometimes other account information were visible.

#news #security #internet #2fa #mobile #cybersecurity #problem #password

anonymiss@despora.de

A leaky #database spilled #2FA codes for the world’s tech giants

source: https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/

A #technology company that routes millions of #SMS text messages across the world has secured an exposed database that was spilling one-time #security codes that may have granted users’ #access to their #Facebook, #Google and #TikTok accounts.

#news #fail #cybersecurity #problem #economy #internet #account #login #authentication #mobile #software

danie10@squeet.me

The Best Hardware Security Keys of 2023

A black journal with the title "How-To-Geek" written on it. On the journal rests a black and gold USB Yubikey with the title Yubico showing on it.
A hardware security key makes your online accounts even more secure. When you sign in, you’ll have to plug in your key and press a button—or touch it to your phone. They work on websites like Google, Facebook, and many more.

If you’ve been on the internet, then you’ve probably heard of two-factor authentication, usually abbreviated as 2FA. Typically, 2FA involves receiving a code you have to insert after you enter your password correctly. You can receive this code either through an SMS message, an email, or an authenticator app.

These solutions can have problems though, especially since SMS messages can be intercepted through SIM-swapping attacks, emails can be broken into with social engineering, and authenticator apps lose their value if your phone is stolen or you forget it somewhere.

This is where security keys come in. Using Multi-Factor Authentication, or MFA for short, means using more than just one authentication vector, so 2FA is part of MFA.

Where physical security keys shine is that they don’t have the issues stated above regarding interception or breaking in. Of course, they can be stolen, but some keys have biometrics in them or require another PIN, making it a true MFA key so that even if it’s stolen, people can’t hack into your accounts.

The linked article goes into a bit more detail about what to look for in a hardware key, and it provides some comparisons of what the most popular keys offer. I did not even know about the open source option.

Because security is a bit more serious with the hardware key option, you can (hopefully) expect the service not to just issue a new password reset via e-mail if you lose your key. For this reason, it is vitally important you note down any backup codes for that key – preferably also written on a piece of paper and stored in a safe. I do this not only for me to regain access to any accounts, but also in case anything happens to me, that my family can access it in a usable form.

See https://www.howtogeek.com/785677/best-hardware-security-keys/
#Blog, #2fa, #security, #technology

danie10@squeet.me

Bitwarden finally brings 2FA logins to free users

Bitwarden's illustration showing how the 2FA process works, starting with a user on the left, using a primary device to log in to an application, which sends a request back for a token, and the token being entered on the primary device to complete the login.
Previously, you had to pay for Bitwarden’s premium plan to add 2FA for your stored logins. Bitwarden is claiming they are the only password manager to now include 2FA logins for free.

As a paying customer, I’ve long been using Bitwarden’s 2FA for logins, and it is pretty seamless. Bitwarden places the 2FA number in the device’s clipboard, ready to paste in straight after completing the login screen.

Today, 2FA is absolutely essential for any login security, until passkeys are the norm. It sounds like Bitwarden’s own passkey management for logins will go live during October, and their own passkey access to Bitwarden a while after that. It is not clear to me yet whether free tier users now also have 2FA login into Bitwarden itself. I’m using a Yubikey device for my 2FA when logging into Bitwarden, and that may still be for the paid service only.

I also noted when last renewing my Bitwarden subscription that they forced us to up our vault encryption iterations to 600,000. This was also a lesson learnt after the LastPass hack, where it was found the encryption iterations were way too low.

I’m eager to see how Bitwarden implements passkeys in October, as I’m dead set against using passkeys that tie me to any particular device or operating system. I have too many passwords to just lose or have to change.

See https://www.androidpolice.com/bitwarden-2fa-free-passkey/
#Blog, #2fa, #bitwarden, #security, #technology
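What the "encryption iterations" in the post above mean, as an added example that is not part of the post and not Bitwarden's or LastPass's code: the master password is stretched with PBKDF2-HMAC-SHA256, the same password and salt give a different vault key at every iteration count (so the count is stored with the vault and raising it means re-keying at login), and every extra iteration multiplies the cost of one offline guess for whoever holds a stolen encrypted vault. Using the account e-mail as salt, the hash-of-key verifier, and the low "legacy" count of 5,000 are assumptions for this example.

```python
"""Master-password stretching with PBKDF2-HMAC-SHA256 (added example).

The salt choice, the verifier construction and the LEGACY_ITERATIONS value
are assumptions for this example, not Bitwarden's or LastPass's design.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

KEY_LEN = 32
LEGACY_ITERATIONS = 5_000      # assumed low value, for comparison only
CURRENT_ITERATIONS = 600_000   # the count the post says Bitwarden now requires


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, `iterations` rounds, 256-bit output."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def make_vault(master_password: str, iterations: int,
               salt: Optional[bytes] = None) -> dict:
    """The vault record keeps salt, iteration count and a hash of the key
    (never the key itself) so the client can check a password locally."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hashlib.sha256(key).digest()}


def unlock_vault(vault: dict, master_password: str) -> bool:
    """Re-derives the key with the stored parameters and compares in
    constant time. A vault created at a lower count does not open at a
    higher one: raising the count means deriving a new key and
    re-encrypting, which is why the upgrade happens at login while the
    password is in hand."""
    key = derive_vault_key(master_password, vault["salt"], vault["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), vault["verifier"])


def guess_cost_ratio(low: int = LEGACY_ITERATIONS, high: int = CURRENT_ITERATIONS,
                     password: str = "hunter2", salt: bytes = b"user@example.com") -> float:
    """How many times slower one offline guess is at `high` than at `low`
    iterations on this machine. PBKDF2 cost is linear in the count, so the
    ratio comes out near high/low; it is measured, so it varies per machine."""
    t0 = time.perf_counter()
    derive_vault_key(password, salt, low)
    t1 = time.perf_counter()
    derive_vault_key(password, salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / (t1 - t0)


if __name__ == "__main__":
    vault = make_vault("correct horse battery staple", CURRENT_ITERATIONS, b"user@example.com")
    print("right password opens vault:", unlock_vault(vault, "correct horse battery staple"))
    print("wrong password opens vault:", unlock_vault(vault, "correct horse battery stapl"))
    print(f"one guess at {CURRENT_ITERATIONS} vs {LEGACY_ITERATIONS} iterations: "
          f"{guess_cost_ratio():.0f}x slower")
```

The practical reading: an attacker with the encrypted vault file runs `derive_vault_key` once per candidate password, so the iteration count directly divides their guesses per second; a weak master password at 600,000 iterations is still weak, but the same password at a few thousand iterations is cracked a hundred times faster.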

danie10@squeet.me

2FAS is a private, free and open-source two-factor authenticator for Android and iOS, and Desktop Browsers

Mobile phone with dark display, showing rows of 6-digit token numbers with labels such as Epic Games, Amazon, Binance, Gmail, and 2FAS.
2FAS is an interesting app as it focuses more on privacy than Google and Microsoft’s 2FA authenticators do (we all know Google and Microsoft love to know where you log in, from where, and when). To this end, the app operates on its own and, if you choose to, it syncs between devices using your own iCloud or Google Drive. It requires NO account registration to be used.

It has a dark mode, as well as the ability to group your 2FA tokens, and can also show the upcoming 2FA token (useful if there is say 15 seconds to go, and you don’t want to wait). It is compatible with any service that supports the TOTP and HOTP standard, including Google, Microsoft, and Dropbox.

There are two potential downsides right now: Firstly, this works with one or more mobile devices, so the desktop browser extension does not run its own tokens (it calls the mobile device for an OK). Secondly, this could be a problem if you use an Android as well as an iOS device, as there is no syncing between the iCloud and Google Drive storages. However, migrating from one OS to the other should not be a problem as the app can export and import the tokens.

If you want to work offline without the cloud sync, just remember to make a copy of the backup codes or save (with a password) the tokens to a file, and move that file off your mobile device.

Their code is open-source, including the server side, which can be installed using a Docker image.

See https://2fas.com/
#Blog, #2fa, #opensource, #privacy, #security, #technology
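The arithmetic behind "compatible with any service that supports the TOTP and HOTP standard" and behind showing the upcoming token, as an added example that is not part of the post and not 2FAS's code. A token is HMAC-SHA1(secret, counter) truncated to six digits (RFC 4226); for TOTP the counter is the current 30-second time step (RFC 6238), so the next token is computable before its step starts. The shared secret used here is the RFC test key in the base32 form an enrolment QR code carries; the server-side verification window and the enrolment URI details are assumptions for this example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an authenticator app computes them.

Added example, not 2FAS's code. The verification window and the
otpauth:// URI layout are assumptions for this example.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

STEP = 30    # seconds per TOTP time step
DIGITS = 6

# RFC 4226/6238 test secret "12345678901234567890" in base32, the form an
# otpauth:// enrolment URI or an app export carries (constructed input).
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Base32 without padding is common in QR codes; restore the padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def current_and_next(secret: bytes, at: float, step: int = STEP) -> tuple:
    """What the app displays: the current token, the upcoming one, and the
    seconds left before the display flips to it."""
    counter = int(at // step)
    return hotp(secret, counter), hotp(secret, counter + 1), step - int(at % step)


def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1,
                step: int = STEP) -> bool:
    """Server side: accept the current step plus or minus `window` steps to
    absorb clock drift, comparing in constant time. A real verifier must
    also refuse a code already accepted in the same step (replay) and
    rate-limit attempts; both are out of scope here."""
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI as carried by enrolment QR codes and app exports."""
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{quote(issuer + ':' + account)}?{query}"


if __name__ == "__main__":
    secret = decode_secret(TEST_SECRET_B32)
    cur, nxt, left = current_and_next(secret, time.time())
    print(f"current {cur}, next {nxt} in {left}s")
    print(provisioning_uri("Example", "alice@example.com", TEST_SECRET_B32))
```

Because the whole scheme is a shared secret plus a clock, an exported secret (the file the post says to move off the phone) is equivalent to the token generator itself, which is why the export must be encrypted and stored with the same care as the backup codes.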

aktionfsa@diasp.eu

10.05.2023 Defeating Two-Factor Authentication

Weak Point: The Human

For years we were assured that with two-factor authentication (2FA) we would be safe(r). Banks above all have had to introduce such procedures. With the EU banking directive PSD2 they became standard. Even back then we criticised that the sensible procedure was being amputated again by abolishing the "second channel". So at first SMS or similar were common for the second authentication; by now both channels often run over one device again - usually the smartphone.

Now it has turned out that in the fight of cyber security against the hackers, the latter are catching up. In two articles Heise.de describes the hackers' approach. Actually everything has stayed the same - phishing - only the effort the hackers have to put in has become greater.

Social engineering instead of new technology

The hackers' tactic continues to be to confuse the victim until it makes mistakes. The tricks are

  • your phone needs an update,
  • your phone is defective,
  • a system error has occurred, press here or there,
  • and much more ...

MFA fatigue attack

That is why an MFA fatigue attack usually comes in the evening or at the weekend, when one is tired and technical help or colleagues cannot be reached. Then one is confused with "illogical behaviour" of the technology until one enters one's passwords in the wrong place. Actually one should not do that, writes PCspezialist.de, because:

An authentication request is only sent if you have previously entered the correct password into a system. That is precisely the point of multi-factor authentication - the additional protection through an additional security check.

So a one-time password (OTP) can never be demanded by the system if one did not previously want to log in there. If it happens anyway, it is certainly a cyber attack. The attackers, however, try to confuse their victims through repeated requests and/or rejections "by the system". Such a request can also be a call from "a technical department" that supposedly has to reset a "system error". The weak point of two-factor authentication (2FA) remains the human.

More on this at https://www.heise.de/ratgeber/Ausprobiert-Phishing-trotz-Zwei-Faktor-Authentifizierung-8981919.html
and https://www.heise.de/ratgeber/IT-Security-Wie-Angreifer-die-Zwei-Faktor-Authentifizierung-aushebeln-8973846.html
and https://www.pcspezialist.de/blog/2022/11/28/mfa-fatigue-angriff/

Category[21]: Our topics in the press. Short link to this page: a-fsa.de/d/3u1
Link to this page: https://www.aktion-freiheitstattangst.org/de/articles/8395-20230510-die-zwei-faktor-authentifizierung-aushebeln.htm
Link in the Tor network: http://a6pdp5vmmw4zm5tifrc3qo2pyz7mvnk4zzimpesnckvzinubzmioddad.onion/de/articles/8395-20230510-die-zwei-faktor-authentifizierung-aushebeln.html
Tags: #Schwachstelle #Mensch #Zwei-Faktor-Authentifizierung #2FA #PSD2 #SocialEngineering #MFA-Fatigue-Angriff #Verbraucherdatenschutz #Datenschutz #Datensicherheit #Smartphone #Handy #IMSI-Catcher #Cyberwar #Hacking
Created: 2023-05-10 08:08:28
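The rule the post above quotes, that a push prompt only ever follows a correct password, read from the defender's side as an added example (not part of the post and not from heise, PCspezialist or Aktion Freiheit statt Angst): if the identity provider sends many prompts for one account within minutes, the password is already in an attacker's hands and the prompts themselves are the MFA fatigue attack. The detection below runs over constructed JSON log lines; the field names, the threshold, the time window, the off-hours definition and the sample events are all assumptions for this example.

```python
"""Detecting MFA-fatigue push bombing from authentication logs (added example).

Log format, field names, thresholds and sample events are constructed
assumptions, not any vendor's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

PUSH_THRESHOLD = 5     # assumed: more than 5 prompts per window is bombing
WINDOW_SECONDS = 600   # assumed: 10-minute sliding window

# Constructed sample: alice is bombed on a Saturday evening and finally
# approves; bob gets one ordinary prompt on Monday morning.
SAMPLE_LOG = """\
{"ts":"2023-05-06T21:02:11Z","user":"alice","event":"password_ok","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:02:12Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:02:40Z","user":"alice","event":"mfa_push_denied","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:03:05Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:03:30Z","user":"alice","event":"mfa_push_denied","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:04:10Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:04:12Z","user":"alice","event":"mfa_push_denied","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:05:00Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:05:20Z","user":"alice","event":"mfa_push_denied","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:06:15Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:06:50Z","user":"alice","event":"mfa_push_denied","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:07:30Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.9"}
{"ts":"2023-05-06T21:08:05Z","user":"alice","event":"mfa_push_approved","ip":"203.0.113.9"}
{"ts":"2023-05-08T09:15:00Z","user":"bob","event":"password_ok","ip":"198.51.100.7"}
{"ts":"2023-05-08T09:15:01Z","user":"bob","event":"mfa_push_sent","ip":"198.51.100.7"}
{"ts":"2023-05-08T09:15:20Z","user":"bob","event":"mfa_push_approved","ip":"198.51.100.7"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; adds a unix timestamp and sorts by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).timestamp()
        events.append(e)
    events.sort(key=lambda e: e["t"])
    return events


def is_off_hours(t: float) -> bool:
    """The post's observation: attacks land evenings and weekends (assumed
    cut-offs: weekend, or before 07:00 / from 18:00 UTC)."""
    d = datetime.fromtimestamp(t, tz=timezone.utc)
    return d.weekday() >= 5 or d.hour >= 18 or d.hour < 7


def detect_push_bombing(events: list, threshold: int = PUSH_THRESHOLD,
                        window: int = WINDOW_SECONDS) -> list:
    """One alert per user whose prompts inside any `window`-second span exceed
    `threshold`. If the user approved a prompt during or just after the flood,
    the alert is marked approved: a live compromised session to revoke, not
    merely an attempt."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["event"] == "mfa_push_sent"]
        start = 0
        for end in range(len(pushes)):
            while pushes[end]["t"] - pushes[start]["t"] > window:
                start += 1
            if end - start + 1 > threshold:
                flood_start, flood_end = pushes[start]["t"], pushes[end]["t"]
                approved = any(e["event"] == "mfa_push_approved"
                               and flood_start <= e["t"] <= flood_end + window
                               for e in evs)
                alerts.append({"user": user, "prompts": end - start + 1,
                               "ips": sorted({e["ip"] for e in pushes[start:end + 1]}),
                               "approved": approved, "off_hours": is_off_hours(flood_start)})
                break
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_push_bombing(parse_events(SAMPLE_LOG)), indent=1))
```

The approved flag is the one to act on: once the victim has tapped "approve", the attacker holds a valid session, so the response is to revoke sessions and rotate the password, not only to warn the user.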

gehrke_test@libranet.de

Hey, #DiBa - nicely done. Your new security measures now apparently provide two possible authentication methods for #2FA when approving transactions:

1. I can load a probably thoroughly bugged app onto an Android smartphone to have TANs generated dynamically. Of the three Androids that would qualify, none is younger than 3 years and none has ever received a security update. Not one of them, not a single update!
And of course the app is only available from #DrecksGoogle in the app store.

2. Buying photoTAN hardware for a mere 32€ - which of course is not compatible with other banks. And which in a few years will be pointless electronic waste again when new rules are implemented.

Ignorance that cannot be topped.

#WTF #ING #Banking #Android

Screenshot ING

gehrke_test@libranet.de

This week's personal #Infrastrukturapokalypse (infrastructure apocalypse): you are lying in the #Badewanne (bathtub) and want to get onto the Fediverse. And bang: please enter the second factor!

Both bugs (phones) with #OTP are one floor down, the computer with the password safe holding the backup codes two floors down, and for the VPN the certificate expired during Corona for lack of use.

I somehow survived it, but I probably need to reflect on the whole thing again.

#2FA

mkwadee@diasp.eu

My work #MailServer requires #2FA for fetching and sending #Email and so I can still use #Thunderbird on my #laptop to read and send mail. Until recently, though, there was no alternative but to use #Outlook on my #MobilePhone, which I used as little as possible. However, since #Thunderbird bought #K-9Mail, it has brought out a new version of the #MobileApp which does support two-factor authentication and so I can purge Outlook. #Progress

#Android

solarkater@despora.de

#Neuland
#2FA ... wonderful: the Raiffeisenbank discovers two-factor authentication...
App: there is only one (!) ! #SecureGo ... available via the #google-playstore
now I remember again how I downloaded the #Naturblick app back then without #google getting access to my phone: #apkdownloader - now #apkcombo (at least I hope that is still the case)

but it is telling when banks make apps from the data octopus google a prerequisite for doing banking... I also don't pay via the #app #paypal of that psychopath

let's see whether it works... otherwise I can switch banks ..... alternative to #Ethikbank ??