What is two-factor authentication and why should I care?

806152_48409889The password is a really old way to protect computer systems, yet many systems we use rely solely on them when authenticating users. A simple password might have been a good idea when we used only a handful of systems, but times are changing. Today we need accounts for all the social media we are on, the mail accounts, accounts for on-line shops, the bank, the workplace, you name it… Frankly speaking, I have no idea how many on-line accounts I have. And I can make one confession. I use the same password on some of them, even if the important ones naturally have strong unique passwords.

And here we are at the core problem with passwords. They should be complex enough to withstand brute force and dictionary attacks (that is when hackers systematically try a large number of passwords in hope of finding the right one) and they should be different on all systems you use (to limit the damage if one account is compromised). Many complex passwords and limited brain capacity, that doesn’t work. There are systems to create and remember many complex passwords, but many people aren’t motivated enough to use them. That’s one reason why two-factor authentication is spreading fast.

Another reason to raise the security is that hackers may target a particular system. They may break into it to steal passwords or use phishing techniques to trick you into revealing your password to them. Or plant a keylogger in your system. They may get the password, but still fail to get access to your account if you use two-factor authentication.

But what is two-factor authentication? Let’s start with some theory. An authentication mechanism can use several factors like what you know (a password you remember), what you have (a smartcard or a mechanical key) or what you are (biometrics, retina or fingerprint scans for example). A two-factor or multi-factor authentication system uses at least two of these factors. The best known example is an ATM-card that you have combined with a PIN-code that you know.

The most common way to utilize this for an on-line service is to rely on your mobile phone. You start by entering your user ID and password normally. After that the system sends a unique one-time code to your phone. You type the code and get access to the system. Your phone is the “what you have” -item as the message is directed to that particular device and can’t be read by others. This requires two things; that you have registered your phone number with the service and that you have turned on two-factor authentication. Some services do promote this option actively and ask if you want to use it.

So should I turn it on? Yes, if the service is important to you. You gain a lot of security for a quite small extra effort. You may have noticed several news reports lately about hacked Twitter-accounts. One of the incidents did even impact the stock market. Twitter happens to be one of the major on-line services that doesn’t support two-factor authentication yet. Many of these incidents could have been avoided if they had support for it. Needless to say, if you tweet for a global news agency you really need more security than just a password. But most ordinary people have services that also are important enough to justify this extra security.

Nothing is perfect so what are the downsides with two-factor authentication? The extra effort to type the code after login is of course obvious. But many systems mitigate this by remembering your device and only requiring the code when using a new device. You also must have your phone with you when you log in, which you probably have anyway. Except if you have lost it, which could prevent you from accessing your accounts. Some configuration settings in your browser may also prevent two-factor authentication from working or force you to authenticate every time you log in, even on the same device. Apps that access your account may require some extra attention. They need an extra application specific password that you can create under security settings in the account’s web interface. And last but not least. The service provider must know your phone number, which normally is linked directly to your true identity. This is usually OK, but becomes a problem if you want to be truly anonymous on the site, or have other reasons to not trust them with your number.

And remember that two-factor authentication improves security a lot, but there is no such thing as perfect security. The skimming attacks against ATMs is a classic example. The malware Perkele targets Android devices and works together with desktop malware to defeat on-line banks. Perkele proves that on-line services’ two-factor authentication can be attacked, but this is not a major threat yet.

So the verdict is that two-factor authentication is good. Turn it on if you can. Here’s some examples of where to look for these settings:

Facebook: Security settings / Login approvals.
Google: Accounts / Security / 2-step verification.
MS Hotmail/Live: Micosoft Account / Security info / Two-step verification.
WordPress: Settings / Security / Two Step Authentication.
Twitter: Not supported yet. :(

Safe surfing,

UPDATE: Twitter got their act together just hours after posting this article. Now they also provide two-factor authentication. Great! :)

UPDATE2: Seems like Twitter was in a rush to get two-factor authentication out. The implementation is still far from perfect. But it’s a step in the right direction. I’m sure they will get things right, let’s hope it doesn’t take too long.

More posts from this topic


Android’s Stagefright bug – phone vendors taken with their pants down

You have all heard the classic mantra of computer security: use common sense, patch your system and install antivirus. That is still excellent advice, but the world is changing. We used to repeat that mantra over and over to the end users. Now we are entering a new era where we have to stress the importance of updates to manufacturers. We did recently write about how Chrysler reacted fairly quickly to stop Jeeps from being controlled remotely. They made a new firmware version for the vehicles, but didn’t have a good channel to distribute the update. Stagefright on Android demonstrates a similar problem, but potentially far more widespread. Let’s first take a look at Stagefright. What is it really? Stagefright is the name of a module deep inside the Android system. This module is responsible for interpreting video files and playing them on the device. The Stagefright bug is a vulnerability that allows and attacker to take over the system with specially crafted video content. Stagefright is used to automatically create previews of content received through many channels. This is what makes the Stagefright bug really bad. Anyone who can send you a message containing video can potentially break into your Android device without any actions from you. You can use common sense and not open fishy mail attachments, but that doesn’t work here. Stagefright takes a look at inbound content automatically in many cases so common sense won't help. Even worse. There’s not much we can do about it, except wait for a patch from the operator or phone vendor. And many users will be waiting in vain. This is because of how the Android system is developed and licensed. Google is maintaining the core Linux-based system and releasing it under an open license. Phone vendors are using Android, but often not as it comes straight from Google. They try to differentiate and modifies Android to their liking. Google reacted quickly and made a fix for the Stagefright bug. This fix will be distributed to their own Nexus-smartphones soon. But it may not be that simple for the other vendors. They need to verify that the patch is compatible with their customizations, and releasing it to their customers may be a lengthy process. If they even want to patch handsets. Some vendors seems to see products in the cheap smartphone segment as disposable goods. They are not supposed to be long-lived and post-sale maintenance is just a cost. Providing updates and patches would just postpone replacement of the phone, and that’s not in the vendor’s interest. This attitude explains why several Android vendors have very poor processes and systems for sending out updates. Many phones will never be patched. Let’s put this into perspective. Android is the most widespread operating system on this planet. 48 % of the devices shipped in 2014 were Androids (Gartner). And that includes both phones, tablets, laptops and desktop computers. There’s over 1 billion active Android devices (Google’s device activation data). Most of them are vulnerable to Stagefright and many of them will never receive a patch. This is big! Let’s however keep in mind that there is no widespread malware utilizing this vulnerability at the time of writing. But all the ingredients needed to make a massive and harmful worm outbreak are there. Also remember that the bug has existed in Android for over five years, but not been publically known until now. It is perfectly possible that intelligence agencies are utilizing it silently for their own purposes. But can we do anything to protect us? That’s the hard question. This is not intended to be a comprehensive guide, but it is however possible to give some simple advice. You can stop worrying if you have a really old device with an Android version lower than 2.2. It’s not vulnerable. Google Nexus devices will be patched soon. A patch has also been released for devices with the CyanogenMod system. The privacy-optimized BlackPhone is naturally a fast-mover in cases like this. Other devices? It’s probably best to just google for “Stagefright” and the model or vendor name of your device. Look for two things. Information about if and when your device will receive an update and for instructions about how to tweak settings to mitigate the threat. Here’s an example.   Safe surfing, Micke Image by Rob Bulmahn under CC BY 2.0

July 30, 2015

Is it OK to cheat on the AshleyMadison cheaters? (Poll)

The user register of AshleyMadison has been hacked. You don’t know what that is? Well, that’s perfectly fine. It’s a dating site for people who want to cheat on their spouses. Many dislike this site for moral reasons, but there is apparently a demand for it. The Canadian site has some 37 million users globally! Some user data has already been leaked out and the hackers, calling themselves Impact Team, have announced that they will leak the rest unless the site shuts down. So this hack could contribute to many, many divorces and a lot of personal problems! "We will release all customer records, profiles with all the customers' sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses." The Impact Team This is one hack in a long row, not the first and certainly not the last site hack where user data is leaked. But it is still remarkable because of the site’s sensitive nature. Think about it. What kind of information do you store in web portals and what bad could happen if that data leaks out? If you are cheating on your spouse, then that is probably one the most precious secrets you have. Disclosure of it could have devastating effects on your marriage, and maybe on your whole life. Millions of users have put their faith in AshleyMadison’s hands and trusted them with this precious secret. AshleyMadison didn’t misuse the data deliberately, but they failed to protect it properly. So it’s not that far-fetched to say that they cheated on the cheaters. What makes the AshleyMadison hack even worse is the site’s commercial nature. Users typically pay with a credit card issued in their own name. They can appear anonymously to their peers, but their true identities are known to the site owner, and stored in the database. So any leaked information can be linked reliably to real people. The sad thing is that the possibility of a leak probably never even crossed the mind of these 37 million users. And this is really the moral of the story. Always think twice before storing sensitive information in a data system. You must trust the operator of the system to not misuse your data, but also to have the skills, motivation and resources to protect it properly. And you have very poor abilities to really verify how trustworthy a site is. This is not easy! Refraining from using a site is naturally the ultimate protection. But we can’t stop using the net altogether. We must take some risks, but let’s at least think about it and reflect over what a compromised site could mean. This hack is really interesting in another way too. AshleyMadison is a highly controversial site as cheating is in conflict with our society’s traditional moral norms. The hack is no doubt a criminal act, but some people still applaud it. They think the cheaters just got what they deserved. What do you think? Is it right when someone takes the law in his own hands to fight immorality? Or should the law be strictly obeyed even in cases like this? Can this illegal hacking be justified with moral and ethical arguments? [polldaddy poll=8989656]       Micke   Image: Screenshot from www.ashleymadison.com  

July 21, 2015
hacking team, hack like a champion, why hacking team matters

3 reasons the Hacking Team story matters from Mikko Hypponen

Hacking is in the news. The U.S. recently disclosed that it was the victim of what may the biggest, most consequential hack ever. We hacked some politicians. And a group called "Hacking Team" was hacked itself. Brian Krebs reports: Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. The disclosure of a zero-day vulnerability for the Adobe Flash Player the team has used has already led to a clear increase of Flash exploits. But this story has a larger significance, involving serious questions about who governs who can buy spyware surveillance software companies and more. Our Chief Research Office Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here's a look at what he's been telling them 1) What is your opinion about the Hacking Team story? This is a big story. Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There's lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement. Was what Hacking Team was doing legal? Beats me. I'm not a lawyer. Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights. List of Hacking Team customers: Australia - Australian Federal Police Azerbaijan - Ministry of National Defence Bahrain - Bahrain Chile - Policia de Investigation Colombia - Policia Nacional Intelligencia Cyprus - Cyprus Intelligence Service Czech Republic - UZC Cezch Police Ecuador - Seg. National de intelligencia Egypt - Min. Of Defence Ethiopia - Information Network Security Agency Honduras - Hera Project - NICE Hungary - Special Service National Security Kazakstan - National Security Office Luxembourg - Luxembourg Tax Authority Malaysia - Malaysia Intelligene Mexico - Police Mongolia - Ind. Authoirty Anti Corruption Morocco - Intelligence Agency Nigeria - Bayelsa Government Oman - Excellence Tech group Oman Panama - President Security Office Poland - Central Anticorruption Bureau Russia - Intelligence Kvant Research Saudi Arabia - General Intelligence Presidency Singapore - Infocomm Development Agency South Korea - The Army South Korea Spain - Centro Nacional de Intelligencia Sudan - National Intelligence Security Service Thailand - Thai Police - Dep. Of Correction Tunisia - Tunisia Turkey - Turkish Police USA - FBI Uzbekistan - National Security Service 2) What happens when a company of this kind is a victim of an hacking attack and all of its technology assets are published online?  This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team. When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers. In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team. For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there's been a breach and that their customership was now public knowledge. The Hacking Team leak also made at least two zero-exploits public and forced Adobe to put out emergency patches out for Flash. This is not a bad thing by itself: it's good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn't happy. Neither was New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from New York Times to hack iPhones. 3) Is it possible to be protected from malware provided by companies like Hacking Team? Yes. We've added detection for dozens of Hacking Team trojans over the years. Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs. However, they would have much harder time in avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection: Cheers, Sandra [Image by William Grootonk | Flickr]

July 13, 2015