twitter and two factor take two

In 2014, I tried to enable two factor on Twitter and had to turn it off. Given the recent news that Twitter encourages everyone to change passwords, I decided to take another stab at it. I also learned that Twitter has more options for two factor now, like Google Authenticator.

Step 1: Changing the password

First, I changed the password. I clicked on the drop down with my picture and chose “settings and privacy”. Then I chose password and changed it. I got an email letting me know the password changed. Good.

Step 2: Surprise step – review apps

Twitter then reminded me that I have 18 applications that can access my account and asked if I wanted to review them. 18 sounds high so I said yes. There were a few general categories:

  • Apps with read only access – given that pretty much everything on twitter is public, I don’t mind that I gave a few sites access to read my profile. I did find one that was just for a one time test and doesn’t need it anymore.
  • Piping my tweets to Facebook – yes. I definitely want this.
  • Various twitter clients – some I don’t use anymore so cleaned this up a bit as well.
  • “social reputation monitoring” – it says I gave this site read/write/direct message access in 2015.  I don’t remember this and I certainly don’t want them to have it anymore. Revoke!
  • LinkedIn – While I don’t mind them having read access, I don’t want them having write access. Revoke. Same with Disqus. I wasn’t nearly paranoid enough in 2013.

Now I have 13 apps with read (or read/write) access. Still a lot, but at least I know what they are. It’ll be interesting to see which of the read only ones break. “I don’t mind” is different from “I really want it to work”.

Step 3: Login verification (two factor)

As I was looking for two factor, I saw “login verification” under account options. That turns out to be what Twitter is calling two factor. I guess it sounds less scary.

However “setup login verification” was disabled. It says I need to confirm my email to turn this on. Ok. So how do I do that? It appears the only way to get a confirmation email is to change your email address. It was a bunch of steps, but I did:

  1. Change to myRealEmail+twitter@gmail.com (because gmail lets you add a plus and more text and still sends to you)
  2. Enter twitter password to confirm it is me
  3. In email, click confirmation
  4. Repeat these three steps to switch back to and confirm my “short form” email. (so I remember what I gave them)

Ok, time to turn on two factor with SMS

  1. In account settings, click “setup login verification”
  2. Click start
  3. Enter twitter password to confirm it is me
  4. Send SMS code
  5. Enter SMS code from phone
  6. Generate a backup code in case I ever have issues

Now I have the option to setup alternate two factor methods

  1. In account settings, click “review your login verification methods”
  2. Click “setup” next to mobile security app
  3. Use Google Authenticator to scan the barcode
  4. Enter the generated code from Google Authenticator into Twitter

Finally, I clicked “edit” next to text message verification so I am just using Google Authenticator and not text message.

Step 4: My twitter clients

Ok. Now for the test. Can I use Twitter in the devices I care about most? Things seem to work. Will post an update if that no longer stays the case!

Updates:

  • I can still use twitter on all my devices. So I don’t get prompted to login after the password change or two factor. It only takes effect for new logins. (This is good; I have a lot of places that I am logged into twitter.)
  • I got an email from an identity monitoring service that they no longer have access to my twitter. This service only told me about my own tweets so I’m leaving them without access. I was hoping they would tell me about other people’s tweets. I know what I tweet. And as fun as it is to be told I used the word “password” in my twitter…

JavaOne – The Hacker’s Guide to Session Hijacking

“The Hacker’s Guide to Session Hijacking”

Speaker: Patrycja Wegrzynowicz

For more blog posts from JavaOne, see the table of contents


Dropbox and Yahoo passwords sold on black market last year

HTTP

  • stateless
  • JSessionId – cookie, header, parameter, hidden field
  • OWASP top 10 – A2 – Broken Authentication and Session Management

Session Hijacking

  • Easy targets
  • Session theft – steal session id from URL, sniffing, logs, XSS.
  • Session fixation – trick user into using the (fixed) session id of the hacker’s choosing
  • Session prediction – server uses weak algorithm so hacker can guess session id. Least common in Java world. About 5 years ago, Jetty had this issue

How protect

  • Need to disable URL rewriting in an app server.
  • Alternatively can set up tracking mode in the web.xml: <tracking-mode>COOKIE</tracking-mode> starting Java EE 6/Servlet 3
  • Use HTTPS to avoid session exposure during transport
  • Set <secure>true</secure> under cookie-config in web.xml so only sent over https. Also added in Java EE 6/Servlet 3
  • Set <http-only>true</http-only> under cookie-config in web.xml so only sent over https.
  • Java EE 7/Servlet 4 has request.changeSessionId() so can have different id
  • Shorter timeouts – 2-5 minutes for critical apps; 15-30 minutes for typical apps. By default they aren’t supposed to timeout
  • Write logic to see if IP/user agent changes during session and invalidate session if does
  • CSRF token, double submit cookie (if no server side session), SameSite cookie flag in Chrome (not yet supported by Java EE)

Session created when call request.getSession(true) explicitly or implicitly (ex: when visit JSP page)
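The defenses in that list pulled together in one language-neutral sketch, as an added example (my own Python, not the Servlet API and not code from the talk): an unguessable id from a CSPRNG, id rotation at login (what request.changeSessionId() gives you), IP/User-Agent binding, an idle timeout, and a Set-Cookie line with Secure, HttpOnly and SameSite, where HttpOnly is the flag that keeps the cookie out of reach of document.cookie. The store, the client addresses and the user name are constructed for the demo.

```python
"""Session-hardening sketch: CSPRNG ids, rotate at login, bind to IP/UA, idle timeout,
hardened cookie attributes.  Added example; not servlet container code."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # 15-30 minutes typical; 2-5 minutes for critical apps


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so the timeout can be exercised offline
        self._sessions = {}          # sid -> {"user", "ip", "ua", "last_seen"}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(16)   # 128 random bits: nothing for session prediction to guess

    def create(self, ip, ua):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "ip": ip, "ua": ua, "last_seen": self._clock()}
        return sid

    def lookup(self, sid, ip, ua):
        """Return the session, or None if unknown, idle too long, or presented from another client."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.invalidate(sid)
            return None
        if s["ip"] != ip or s["ua"] != ua:
            self.invalidate(sid)      # fingerprint changed mid-session: treat as theft, drop it
            return None
        s["last_seen"] = now
        return s

    def login(self, sid, user, ip, ua):
        """Authenticate and rotate the id so a pre-login id (fixed or leaked) is worthless afterwards."""
        s = self.lookup(sid, ip, ua) or {"ip": ip, "ua": ua, "last_seen": self._clock()}
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        s["user"] = user
        self._sessions[new_sid] = s
        return new_sid

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid, same_site="Strict"):
    """Secure: HTTPS only.  HttpOnly: invisible to document.cookie.  SameSite: CSRF reduction."""
    return f"Set-Cookie: JSESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def fixation_demo():
    """Walk the store through a leaked pre-login id, a moved id and an idle session; all constructed."""
    clock = {"now": 1_000.0}
    store = SessionStore(clock=lambda: clock["now"])
    ip, ua = "203.0.113.7", "Browser/1.0"
    pre_login = store.create(ip, ua)                 # assume this anonymous id leaked (URL, log)
    post_login = store.login(pre_login, "alice", ip, ua)
    replay = store.lookup(pre_login, ip, ua)         # replaying the old id, even from the same client
    owner = store.lookup(post_login, ip, ua)         # the real browser now carries the rotated id
    moved = store.lookup(post_login, "198.51.100.9", ua)   # same id from another address
    after_move = store.lookup(post_login, ip, ua)    # binding failure also killed it for the owner
    idle = store.create(ip, ua)
    clock["now"] += 16 * 60                          # untouched for longer than the idle timeout
    expired = store.lookup(idle, ip, ua)
    return {
        "rotated": pre_login != post_login,
        "replay_rejected": replay is None,
        "owner_ok": owner is not None and owner["user"] == "alice",
        "moved_rejected": moved is None,
        "after_move_rejected": after_move is None,
        "idle_expired": expired is None,
    }


if __name__ == "__main__":
    print(fixation_demo())
    print(set_cookie_header("example-id"))
```

The IP/User-Agent binding is the one item here with a usability cost: mobile clients change addresses, so many sites bind only on the User-Agent or log the change rather than invalidating outright.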

How attack

  • Get session id from log
  • Use JavaScript to get cookie
  • Get user to click link with URL
  • Go to site anonymously and close tab so user gets that session id [requires physical access]
  • XSS
  • CSRF

My take:
She did interactive demos of the issues. She posted a URL with session id on twitter and a bunch of people clicked real time; fun to see. Then she did the opposite where she got into our session. Then she stole the cookie with JavaScript using an image to bypass the same-origin policy. [That I’m not doing. Intentionally sharing all my cookies; no thanks! She only displayed the cookie with the jsession id for her site which is good]. Finally she did an interactive CSRF demo

lessons learned from fighting nation states in cyberspace – live blogging from qcon

Lessons Learned from Fighting Nation States in Cyberspace
Speaker: Dmitri Alperovitch

See the list of all blog posts from the conference

Dmitri and his team uncovered 2016 DNC hack – not focus of talk because not that technically interesting
Focus on collecting a lot of data and applying AI to big data
Store data in ThreatGraph (their product) and Apollo/Hadoop

Today’s threatscape

  • Whatever business you think you’re in, you’re in the security business – hacktivists, money, etc. If have nothing of value, why in business?
  • In past, only government entities had to worry about nation state attack. Now commercial entities have to protect IP and info.
  • Examples of China stealing weapons designs from the United States.
  • North Korea using ransomware attacks – largely in South Korea – to fund weapons
  • Once you use a cyberweapon, others can use it. Ex: WannaCry is good example of reuse.
  • Inserting fake data in real data makes it hard to determine what is true.
  • Track over 40 different threat entities in China, over 10 criminal entities worldwide, 6 activist groups worldwide, 8 in Russia and a few others around the world. Code names have animal last name – Chinese panda, criminal spiders, etc. The analyst who discovers it picks the first name.
  • Criminal actors are opportunistic. Will move on if costs too much to attack you. Nation states are more like a dog with a bone. They aren’t giving up because only one source has the information.

War stories

  • Hurricane Panda (China) – Focus on telecom for economic espionage to benefit China.
    • webshells – web scripts to get control of webservers. They get it on the web server and then can use a browser to run any command via get requests. Typically password protect script so doesn’t return anything unless supply right password – prevents scans from finding. Attack went undetected for a year. Stole credentials and tried to remove evidence. Persisted after attack remediated.
    • Sticky keys – modify Windows registry key and then can get in without admin password. Ex: on screen keyboard runs before login. If tell Windows to run debugger first, get command prompt with full admin privilege
    • Only need a PowerShell command to steal credentials.
    • Once fixed, got thrown out in minutes. Started making typos as rushed. Continued trying to get in for four months.
    • Then they found a zero day to get admin access to machine
    • Then they finally went away and found a new victim. Dmitri’s company repeated the pattern.
    • Crowdstrike won. (article) – hackers moved on if saw CrowdStrike software on server
  • Large defense company noticed problem but couldn’t figure out how got in. CrowdStrike asked to find malware, but wasn’t one. The problem was the RSA SecurID two factor keys were compromised. Chinese threat actors stole the seeds for the token. RSA said would send seeds to company rather than storing them. However, the Chinese stole the seeds from the company directly and could VPN in using two factor.
  • Cloud VM data theft. Again no malware. Adversary had stolen API keys.
  • Other attack method to get into environment: phishing, embed PowerShell in a .lnk (Windows shortcut files) and make .lnk file look like word doc or pdf
  • Bypassing Windows Access Control is a bunch of steps. But there is an open source tool to do all of it
  • Anti-forensic methods – delete log files, wipe data to obfuscate their activity.
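A check for the sticky keys trick from the Hurricane Panda story, as an added example (my own Python, not CrowdStrike’s tooling): it parses a registry export in the regedit text format and flags any of the accessibility binaries Windows can launch from the logon screen (sethc.exe for sticky keys, osk.exe for the on-screen keyboard, utilman.exe and friends) that has a Debugger value set under Image File Execution Options, which is the “run a debugger first” redirection the talk describes. The export in the block is constructed, not taken from a real host.

```python
"""Flag Image File Execution Options 'Debugger' entries on logon-screen accessibility binaries.
Added example; SAMPLE_REG_EXPORT is constructed in the regedit text format, not from a real machine."""
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Binaries reachable from the Windows logon screen before any password is entered
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"DisableExceptionChainValidation"=dword:00000000
'''


def parse_reg_export(text):
    """Minimal parser for 'reg export' / regedit text: {key_path: {value_name: data}}.
    Handles string and dword values, which is all IFEO entries use."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\')   # .reg doubles backslashes inside strings
            keys[current][name] = data
    return keys


def find_ifeo_debugger_hijacks(text):
    """Return (image, debugger) for accessibility binaries with an IFEO Debugger value."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key[len(IFEO_PREFIX):].lstrip("\\").lower()
        if image not in ACCESSIBILITY_BINARIES:
            continue
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is not None:
            findings.append((image, debugger))
    return findings


def scan_reg_file(path):
    """reg export writes UTF-16 with a BOM, so read with that encoding."""
    with open(path, encoding="utf-16") as fh:
        return find_ifeo_debugger_hijacks(fh.read())


if __name__ == "__main__":
    for image, debugger in find_ifeo_debugger_hijacks(SAMPLE_REG_EXPORT):
        print(f"IFEO Debugger set on {image}: {debugger}")
```

A legitimate Debugger value on any of these binaries is rare enough that every hit deserves a look; on a live host the same key is also worth watching for writes through audit logging or Sysmon registry events, since attackers remove the value once they have what they came for.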

Lessons learned

  • Windows is scary 🙂 [seriously though; the talk focused on Windows – presumably their expertise]. Someone asked about this and Dmitri said 95% of intrusions occur on Windows.
  • Embrace visibility/logging and AI – you will always be behind if trying to find last attack. Aggressive logging for all systems helps. Anomaly based algorithms help find the unknown
  • Leverage peers – work with other entities and share information
  • Hunt for the adversary – think what you would do if you were the adversary