Comment: Reason not to use mobiles for authentication. (Score 1) 97

by Mattpw (#37586308) Attached to: Security Vulnerabilities On HTC Android Devices
The security community needs to stop pushing mobile-based token authentication. There is no reason why mobile OSes should get some kind of protected status vs their notebook counterparts. In my neck of the woods bad guys just forward all a victim's calls for a few hrs anyway regardless of OS, but clearly the trojan writers can make the USB jump to the user's phone (EU charging mandate now) and carry on the same old tricks.

Comment: Re:No information about cracking the encryption (Score 1) 83

by Mattpw (#37581028) Attached to: The Inside Story of the Kelihos Takedown
Thanks so much for the reply, I am relatively clueless about the nuts and bolts. So from what you are saying they are using a sync crypto scheme where the password can be intercepted? I read in a bot master Q&A they use AES, however why couldn't they just switch to async RSA or some kind of PKI based system?

Comment: No information about cracking the encryption (Score 1) 83

by Mattpw (#37563856) Attached to: The Inside Story of the Kelihos Takedown
I see they made some tools to analyze the traffic but no information about actually cracking any encryption. Seems to me this was mostly about hijacking and sinkholing contact peer domain lists. Perhaps they left out pertinent bits for their own safety, but from reading this the controllers could bypass the sinkhole if their backup list was implemented correctly.

Comment: Marketing departments with too much money (Score 1) 131

by Mattpw (#37437658) Attached to: The Saga of the Virtual Wallet
I've been to several conferences where companies are rolling out this phone as a payment platform. It's a scam designed to get gullible journalists interested and either boost company exposure, dupe investors into buying shares or prove that X manager is being "innovative". Some are literally RFID credit card sim cards sticky taped onto the back of a mobile, I kid you not. The reality is that everyone has a physical wallet/purse and that isn't going away any time soon. Also there are many things in that wallet which cannot be replaced by a mobile phone. Also, are these the same journalists who write the "New Android Malware" articles which come out every week?

Comment: Flee to Singapore (Score 1) 235

by Mattpw (#37427464) Attached to: Startup Flees To Seattle Amid Amazon's Tax Fight
If they were really serious they would have fled to Singapore http://en.wikipedia.org/wiki/Income_tax_in_Singapore 0%-max 20%, GST 7%, corp taxes almost non existent. I laugh when I see the online "raise US taxes" brigade. And a committed, well educated workforce. What's more, Singapore is booming like most of East Asia so the real market is just next door. The only thing is they don't have an open immigration door policy like America so getting in the front door could be hard, but life is good and if you are in there is zero chance you will become a victim of crime.

Comment: Re:Time for 2FA authentication to be rolled out ov (Score 1) 642

by Mattpw (#36494344) Attached to: Bitcoin Price Crashes
I'm not sure you have looked into https://www.shieldpass.com/ which is using the passwindow mutual authentication method, not just OTPs as used by SecurID. I agree the RSA one time passwords are "over", being completely vulnerable to various MITM attacks including phishing etc. as the codes contain no information to the user about what exactly is being authenticated. This is the same problem with many tokens etc. where an attacker can inject themselves at various points on the network, mobile or the terminal itself with a trojan. *It should be noted however in RSA's defense that in this particular case you refer to it wasn't any of these usual methods they used to defeat the tokens but the fact they didn't airgap the machine holding the secret keys.

If you watch the demo video you can see that the transaction specific information (i.e. could be something bitcoin specific) is encoded into the challenge alongside the OTP so the user is informed as to what they are authenticating and the MITM fails. They can't switch challenges and they can't remove the transaction information from the challenge. Being a non humanly communicable key (the visual segmented pattern) they can't easily interrogate the user for key information either.

It's not perfect, for that we would need the server to be able to scan your soul, however it's cheap, convenient and more secure than the alternatives unless you have a better suggestion.

Comment: Time for 2FA authentication to be rolled out over (Score 1) 642

by Mattpw (#36493796) Attached to: Bitcoin Price Crashes
Time for 2FA authentication to be rolled out over bitcoin operators. The anonymity element makes it a huge juicy target for hackers, they need to start connecting it to something physically offline. I am working on a bitcoin wallet for shieldpass.com access tokens and then mutually authenticating each transaction.

Comment: Re:One-time pads bypassed by Zeus and Spyeye (Score 1) 284

by Mattpw (#36384616) Attached to: Court Rules Passwords+Secret Questions=Secure eBanking
The topic is online banking authentication so your points are mostly off topic. -It could easily be configured for use with email, ssh, imap, ldap, radius, etc. -The amount of digits required from the user is configurable to any amount, it is a rolling password so while the demo requires 4 it could be 20; same goes for the amount of transaction information encoded into challenges. Even though it's off topic I'll bite -I don't buy the argument that your phone screen is more personal than any other screen. If ninjas are in your house / office taking secret snapshots then the same kind of photographic attack or other cloning / switching of devices etc. could be done against almost any device / terminal display / set of keys and you have bigger problems; that proximity attack argument could go on forever ending in a rubber hose. For what it's worth the visual key patterns can be obfuscated with transflective laminates etc. very cheaply or for a few bucks extra could be electrochromatic like any device, but the cost justification just isn't there when a piece of plastic only costs a few cents and it is designed for online authentication. Personal attacks are beyond the scope and frankly with the developments in remote electronic scanning I feel more secure about these non electronic cards than my RFID cards. For online authentication it solves the MITM attack problem and does it extremely cheaply.

Comment: One-time pads bypassed by Zeus and Spyeye (Score 2) 284

by Mattpw (#36384106) Attached to: Court Rules Passwords+Secret Questions=Secure eBanking
Banks resist the idea because all the major trojans wreaking havoc have MITM / MITB capabilities to bypass the tokens and mobile SMS in one way or another, as well as cost issues. The 2 European banks in the following article were using transaction signing tokens http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians and mobile SMS trojans have been around for a while now http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html You might want to investigate https://www.shieldpass.com/ online authentication cards which are cheap and can do mutual authentication passively. For example specific transaction information can be included in the challenges to stop MITM, and the process is passive or visual so the trojans or phishers can't walk a target through a transaction as they did with the first link.

Comment: Many of the 2FA ideas proposed on here are broken (Score 1) 284

by Mattpw (#36384038) Attached to: Court Rules Passwords+Secret Questions=Secure eBanking
Many of the 2FA ideas put forward on here are broken. Most major trojans have MITM or MITB capabilities to bypass many of the pure OTP type methods put forward here, including the manual transaction signing tokens. http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians Mobile authentication should be considered broken since there are many more ways past it and many newer trojans come with mobile plugins now too. http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html I use https://www.shieldpass.com/ authentication cards which have the ability to do mutual authentication passively and not be vulnerable to MITM. The plastic cards themselves cost less than a few cents to make so there's no argument why America shouldn't be using them.

Comment: Re:Here we go (Score 1) 223

by Mattpw (#36346540) Attached to: Ask Slashdot: Is SHA-512 the Way To Go?
While I agree two factor is the way to go, especially for the poster whose primary goal (which seems to have been missed) is securing a website, I couldn't see anything great/innovative on the Arcot website. Primarily everything they have put forward seems to be vulnerable to localized infection (i.e. a trojan on the local device performing MITM) and I am particularly concerned with their pushing mobile based authentication, which I can tell you most Asian countries are bailing out of as there are so many different attack methods. The key to the authentication problem is mutual authentication, otherwise you are only protecting against keylogging which is a very 80s attack; unfortunately there are very few 2FAs which can do it securely.

Comment: Worry more about user authentication (Score 1) 223

by Mattpw (#36345904) Attached to: Ask Slashdot: Is SHA-512 the Way To Go?
I realise people like to talk about crypto but user authentication is a much more pressing security problem and the weak link in all the recent attacks. I'm not reading about X breaking X crypto; instead I hear of static passwords being gotten one way or another and all the crypto being bypassed. A friendly suggestion for your secure site would be to use 2FA dynamic passwords in as many places as you can, preferably with mutual authentication capabilities to prevent MITM; further suggestions would be using Yubikeys or ShieldPass cards, and I believe Verisign has a service but the former are much easier to implement and relatively cheap.

Comment: Re:Passwords (Score 1) 409

by Mattpw (#35154926) Attached to: Are You Sure SHA-1+Salt Is Enough For Passwords?
You are correct about the security uselessness of the OTP devices, however I would suggest you check out my passwindow 2FA method which isn't vulnerable to phishing / MITM / MITB etc. because it can do passive mutual authentication and include transaction information in the window. There are details on the security page. It's also just a cheap piece of plastic which fits in your wallet and is easy to distribute by letter.
