dumb computer security question

Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

dumb computer security question

Post by bb »

Being a neophyte regarding computer security, I was wondering why someone can't hack
your web browser software such that userid/password/2-factor authentication is no more secure
than userid/password alone.

If a hacker could install bogus browser software, it seems like they could sit between you
and the outside world, present fake websites, grab your 2FA key when you enter it, and
use it to log in to your account, etc.

Granted I know little to nothing about computer security.
funyun
Posts: 86
Joined: Tue Oct 31, 2023 11:07 am

Re: dumb computer security question

Post by funyun »

2FA is generally a code that should change each time, so it's unique each time you log in. Or in the case of a YubiKey, you need to physically touch the key to log in, which totally prevents the problem.
id0ntkn0wjack
Posts: 196
Joined: Wed Nov 30, 2022 3:12 pm

Re: dumb computer security question

Post by id0ntkn0wjack »

bb wrote: Sun Feb 11, 2024 12:18 pm If a hacker could install bogus browser software, it seems like they could sit between you
and the outside world, present fake websites, grab your 2FA key when you enter it, and
use it to log in to your account, etc.
Anything is possible, but how does your scenario make sense? The likelihood of a hacker hijacking my UID + PW AND stealing my 2FA that renews every 30 seconds using an authenticator app seems like a ton of work for next to no payoff. Perhaps it would make sense if I hosted top secret documents or was a major financial institution, but I'm more worried about the rocks in space that are hurtling towards Earth every day than this theoretical (to be clear, I'm not super worried about comets, either).

I guess let's flip the script: What's your concern?
I moved 10% of my equities into BLV (Vanguard Long Term Bond ETF) in January 2021. Follow my advice at your own peril.
Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

Re: dumb computer security question

Post by bb »

What is to prevent a user thinking they are logging into a website with userid/password, but
the hacker is really the one logging into the real site; then the hacker requests the 2FA code,
the user gets the code (since they are expecting it), and then the hacker intercepts the code
and completes login to the account.
funyun
Posts: 86
Joined: Tue Oct 31, 2023 11:07 am

Re: dumb computer security question

Post by funyun »

Modern password programs help to deter users from logging into fake websites. Generally speaking, you should always be careful what sites you go to. Never go to a site by clicking a link in an email, for example. And use the safe links that are already in your password manager instead of typing them in yourself (just in case you mistype something).
scintillator
Posts: 174
Joined: Mon Apr 08, 2019 9:30 pm

Re: dumb computer security question

Post by scintillator »

This is why it's important to have a secure connection and to make sure you don't follow links blindly, since they may direct you to a dummy page (a clone of the actual website). It's also why most brokerages will inform you and ask for more info (answers to security questions) if you log on from a new device.

For an example of what you're describing, you may get an email telling you to log into Schwab for some reason, and you click the link in the email, but it doesn't take you to Schwab; it takes you to Shcwab (note the spelling), which looks identical to Schwab. You type in your username and password, and the scammer who sent the email types what you typed into the actual Schwab site. Then you're sent a text, which you type in to the scammer's site, and he types that in at the actual Schwab site. But as I said, he's likely to get a message saying he's logging in from a new IP and on a new device. Your phone may also get that alert, and you'd be wise to think something is afoot at this point.

It would be kind of hard for a dummy page to then replicate the security questions to you, but it's doable. If you also typed those in for him, then you'd expect to see your account, but you wouldn't, because that would be impossible for the scammer to recreate in real time. The scammer would probably have a page set up that says that Schwab is down for routine maintenance and to log in again later. That's the next point where alarm bells should be ringing for you.

But if you still didn't figure it out, and allowed days to pass, it's conceivable the scammer could transfer your funds out somehow to himself. But Schwab is going to be very resistant to your sending funds to some other account, or trading some super illiquid stock, or whatever means the scammer is using to try to get your funds out. Schwab would be emailing you and calling you by this point, I'm pretty sure.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

bb wrote: Sun Feb 11, 2024 12:18 pm Being a neophyte regarding computer security, I was wondering why someone can't hack
your web browser software such that userid/password/2-factor authentication is no more secure
than userid/password alone.

If a hacker could install bogus browser software, it seems like they could sit between you
and the outside world, present fake websites, grab your 2FA key when you enter it, and
use it to log in to your account, etc.

Granted I know little to nothing about computer security.
The fake browser software is called a trojan horse. The attack could be as simple as capturing keystrokes or data to be transmitted from the browser, or could be more sophisticated, such as a man-in-the-middle (MITM) attack.

The activity you are doing is called threat modeling. Many if not most information security techniques are designed either by threat modeling or by analyzing actual attacks that have been employed.

Security solutions are generally designed with layers of protection so that if one fails, another may protect you. Controls can be a preventive (prevent the attack), detective (detect it when it happens), or compensating (mitigating feature to neutralize the effectiveness).

Preventive controls would include firewalls, login accounts, and other things designed to keep attackers out of your machines and the services you use. If you log in with a YubiKey using the FIDO2 protocol, the protocol would use previously exchanged public-private key pairs to generate a session key to encrypt the session, so that even if you get hit with a MITM attack, the attacker only sees encrypted data. This is a compensating control.

Despite such attempts, there may still be attacks that get around those controls. If your browser is compromised, FIDO2 can be compromised, including the session encryption, and the preventive controls have already failed by allowing the browser to be compromised. Detective controls are important because the sooner an intrusion or attack is detected, the sooner you can take action to limit the damage. Antivirus software scans are a detective control. (Real-time protection by AV software is a preventive control.) Turning on alerting for withdrawals or transactions at financial services would be a detective control.

Effective security has layers of protection so that multiple controls have to fail for an attack to be successful. Ideally, one will have preventive and detective controls in place, and when possible, compensating controls as well.
Last edited by Northern Flicker on Sun Feb 11, 2024 1:04 pm, edited 1 time in total.
Lee_WSP
Posts: 10268
Joined: Fri Apr 19, 2019 5:15 pm
Location: Arizona

Re: dumb computer security question

Post by Lee_WSP »

bb wrote: Sun Feb 11, 2024 12:36 pm What is to prevent a user thinking they are logging into a website with userid/password, but
the hacker is really the one logging into the real site; then the hacker requests the 2FA code,
the user gets the code (since they are expecting it), and then the hacker intercepts the code
and completes login to the account.
A password manager has safeguards which prevent such phishing attempts.
id0ntkn0wjack
Posts: 196
Joined: Wed Nov 30, 2022 3:12 pm

Re: dumb computer security question

Post by id0ntkn0wjack »

bb wrote: Sun Feb 11, 2024 12:36 pm What is to prevent a user thinking they are logging into a website with userid/password, but
the hacker is really the one logging into the real site; then the hacker requests the 2FA code,
the user gets the code (since they are expecting it), and then the hacker intercepts the code
and completes login to the account.
If you were using a PIN# or similar, I suppose entering the data on a spoofed website could allow your credentials to then be used on a legitimate site. That's why it's likely better to use a hardware token (Yubikey), SMS (text message) or software (Authy, Google Authenticator) which randomizes the 2FA response and would make whatever data was collected on the spoofed site obsolete in a relatively short period of time.

https://authy.com/what-is-2fa/
I moved 10% of my equities into BLV (Vanguard Long Term Bond ETF) in January 2021. Follow my advice at your own peril.
Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

Re: dumb computer security question

Post by bb »

id0ntkn0wjack wrote: Sun Feb 11, 2024 1:10 pm That's why it's likely better to use a hardware token (Yubikey), SMS (text message) or software (Authy, Google Authenticator) which randomizes the 2FA response and would make whatever data was collected on the spoofed site obsolete in a relatively short period of time.
If fake browser software is between you and the outside world, how does 2FA change anything?
Seems like most people are not even taking the time to understand the question.
eigenperson
Posts: 241
Joined: Mon Nov 09, 2015 6:16 pm

Re: dumb computer security question

Post by eigenperson »

bb wrote: Sun Feb 11, 2024 12:18 pm Being a neophyte regarding computer security, I was wondering why someone can't hack
your web browser software such that userid/password/2-factor authentication is no more secure
than userid/password alone.

If a hacker could install bogus browser software, it seems like they could sit between you
and the outside world, present fake websites, grab your 2FA key when you enter it, and
use it to log in to your account, etc.

Granted I know little to nothing about computer security.
Yes, you are right, they could.

All of these authentication techniques are designed to prevent someone from impersonating you casually, without actually gaining control of your machine. They don't work if someone actually compromises your computer. In general, if that happens, you lose, even if you have two-factor enabled.

The main way to prevent that from happening is to avoid installing malware in the first place.

Companies are often able to detect compromised machines by monitoring their network traffic or system logs, but I don't know of any consumer-level tools to do this. And, as Northern Flicker pointed out, you can also detect this kind of attack through things like transaction notifications, although an attacker could try to disable or redirect them.
bb wrote: Sun Feb 11, 2024 12:36 pm What is to prevent a user thinking they are logging into a website with userid/password, but
the hacker is really the one logging into the real site; then the hacker requests the 2FA code,
the user gets the code (since they are expecting it), and then the hacker intercepts the code
and completes login to the account.
Nothing prevents it. This is why one-time codes are an inferior method of 2-factor authentication, compared to hardware security keys (which are immune to this).

It's still better than just a password.
Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

Re: dumb computer security question

Post by bb »

eigenperson wrote: Sun Feb 11, 2024 2:30 pm Nothing prevents it. This is why one-time codes are an inferior method of 2-factor authentication, compared to hardware security keys (which are immune to this).
How are hardware security keys immune to this type of attack? If the user has to type something, and hacked
browser software sits between you and the outside world, I don't see how any security method that only relies
on you entering info into a browser is immune.

Seems like for really good 2-factor I would need more than one data input method; for example, if you entered
your userid/password into a browser and then the 2-factor was a phone call where you enter a hardware key
over the phone. Then the hacker would never have the information to log in.
funyun
Posts: 86
Joined: Tue Oct 31, 2023 11:07 am

Re: dumb computer security question

Post by funyun »

bb wrote: Sun Feb 11, 2024 2:16 pm If fake browser software is between you and the outside world, how does 2FA change anything?
Seems like most people are not even taking the time to understand the question.
Or are you not taking the time to understand our answers? If you have good 2FA, the attacker shouldn't be able to get access to your 2FA code. You'd be getting it either through physically touching your YubiKey, which an attacker cannot do, or through an authenticator app that most likely is not even on your computer. If you have good 2FA, it absolutely can halt an attack.
Doctor Rhythm
Posts: 2999
Joined: Mon Jan 22, 2018 2:55 am

Re: dumb computer security question

Post by Doctor Rhythm »

My standard reply to these questions is to distinguish between what can happen and what does happen. The former includes a wide range of hypothetical risks that would drive you crazy or paralyze you with fear if you took them all seriously. What does happen is that hundreds of millions of users log in to their accounts each day with a vanishingly small number of them being compromised, either with or without 2FA.

The other point is, “So what are you going to do that’s safer?” Write checks? Bank or invest by phone? Walk around with a wad of cash? Never check your account balance and activity, except by going to a branch office?
Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

Re: dumb computer security question

Post by bb »

If you have to enter the 2FA code into the browser, same as the userid/password, why couldn't the
hacked browser software be used to capture your 2FA code after you type it, same as the fake
browser captures the userid/password?

I am just trying to understand how 2FA is better than userid/password for the case of hacked
browser software.

Yes I am taking the time to read the responses and trying to educate myself.
eigenperson
Posts: 241
Joined: Mon Nov 09, 2015 6:16 pm

Re: dumb computer security question

Post by eigenperson »

bb wrote: Sun Feb 11, 2024 2:39 pm
eigenperson wrote: Sun Feb 11, 2024 2:30 pm Nothing prevents it. This is why one-time codes are an inferior method of 2-factor authentication, compared to hardware security keys (which are immune to this).
How are hardware security keys immune to this type of attack? If the user has to type something, and hacked
browser software sits between you and the outside world, I don't see how any security method that only relies
on you entering info into a browser is immune.

Seems like for really good 2-factor I would need more than one data input method; for example, if you entered
your userid/password into a browser and then the 2-factor was a phone call where you enter a hardware key
over the phone. Then the hacker would never have the information to log in.
They are not immune to someone controlling your computer. But in the question I'm responding to, it sounded like you changed the scenario to "What is to prevent user thinking they are logging into a website with userid/password but the hacker is really the one logging into the real site." If the user is merely tricked into entering their credentials into the wrong site, the security key will stop that. However, if the user's computer or software is compromised, then you are right, no security key can protect them.

An extra data input method for login will not help you either. If an attacker controls your computer, they can do anything you could do with the computer. They might not be able to independently log into the site, because that requires your phone. However, as soon as you log into the site, your phone is no longer needed. At this point, the attacker can take control and secretly do whatever they want, without you seeing any trace of it.

The takeaway message is that 2FA is not designed to solve this problem. It solves a different problem. You need to use other techniques to mitigate the kind of attack where there is malicious software on your machine, because 2FA will not help you very much against that kind of attack.
Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

Re: dumb computer security question

Post by bb »

eigenperson wrote: Sun Feb 11, 2024 3:11 pm However, if the user's computer or software is compromised, then you are right, no security key can protect them.
Thank you. It seems this point is often glossed over. So far the only computer setup that I have
trusted has been live boot Linux. It does not seem possible to get to the same level of confidence
that software on a Windows PC has not been compromised in some way.
Last edited by bb on Sun Feb 11, 2024 3:19 pm, edited 1 time in total.
rich126
Posts: 4407
Joined: Thu Mar 01, 2018 3:56 pm

Re: dumb computer security question

Post by rich126 »

I believe that is one reason why you have to be careful using browser plugins. I think they are often given a lot of permissions and could capture data and pass it onto someone.
----------------------------- | If you think something is important and it doesn't involve the health of someone, think again. Life goes too fast, enjoy it and be nice.
Nummerkins
Posts: 672
Joined: Tue Jun 01, 2010 4:41 pm

Re: dumb computer security question

Post by Nummerkins »

bb wrote: Sun Feb 11, 2024 12:36 pm What is to prevent a user thinking they are logging into a website with userid/password, but
the hacker is really the one logging into the real site; then the hacker requests the 2FA code,
the user gets the code (since they are expecting it), and then the hacker intercepts the code
and completes login to the account.
Kudos to you for noticing this. Yes, it is very possible and just requires a little more work from an attacker to build a fake but legit-looking page. If you are not vigilant then yes, you can input your credentials into a fake page along with a 6-digit code which the attacker can trivially use to log into a real site within 30 s. So, as usual, humans are the weakest link in computer security.

The only foolproof way so far (as is currently known — anything can be exploited eventually) has been security keys which have something in them that is used to validate a connection to a real site. An attacker could replicate everything above but as a man in the middle, they will not have access to the keys as they have been paired to the real site. See this article from 2017 when Google released such a key. https://www.cnet.com/news/privacy/physi ... -security/

Why doesn’t everyone use this? Because it’s expensive for companies to support and difficult for people to understand. Most would also see this as an annoyance. Maybe someday.
Today's high is tomorrow's low.
eigenperson
Posts: 241
Joined: Mon Nov 09, 2015 6:16 pm

Re: dumb computer security question

Post by eigenperson »

bb wrote: Sun Feb 11, 2024 3:17 pm
eigenperson wrote: Sun Feb 11, 2024 3:11 pm However, if the user's computer or software is compromised, then you are right, no security key can protect them.
Thank you. It seems this point is often glossed over. So far the only computer setup that I have
trusted has been live boot Linux. It does not seem possible to get to the same level of confidence
that software on a Windows PC has not been compromised in some way.
As a rule of thumb, fully updated Android, Chrome OS, and iOS are reasonably secure. Of course there is malware for these systems, but catastrophic vulnerabilities are hard to come by, and it's hard to trick a user into completely compromising their system on these platforms.

I would rate Linux (assuming it's just a generic Ubuntu and not a specifically security-focused distro) as OK. It's a lot easier to compromise a Linux system than Android or iOS, because of the much looser security model, but Linux's market share as a consumer or endpoint OS is so low that I'm pretty sure no one is even trying to target it, and that is the main advantage. Attacks against Linux are mainly focused on servers and production systems, and tend to be more targeted or focus on specific server software.

Also, you had better keep that boot image up to date!
Nummerkins
Posts: 672
Joined: Tue Jun 01, 2010 4:41 pm

Re: dumb computer security question

Post by Nummerkins »

bb wrote: Sun Feb 11, 2024 3:17 pm
eigenperson wrote: Sun Feb 11, 2024 3:11 pm However, if the user's computer or software is compromised, then you are right, no security key can protect them.
Thank you. It seems this point is often glossed over. So far the only computer setup that I have
trusted has been live boot Linux. It does not seem possible to get to the same level of confidence
that software on a Windows PC has not been compromised in some way.
Keep in mind — liveboot Linux is a snapshot in time as to when it was produced. Unless you first update it after starting it is immediately running out of date and missing security patches as the previous responder alluded to.

The best defense is a layered approach. Keep up to date as much as humanly possible and be vigilant.
Today's high is tomorrow's low.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

bb wrote: Sun Feb 11, 2024 2:16 pm
id0ntkn0wjack wrote: Sun Feb 11, 2024 1:10 pm That's why it's likely better to use a hardware token (Yubikey), SMS (text message) or software (Authy, Google Authenticator) which randomizes the 2FA response and would make whatever data was collected on the spoofed site obsolete in a relatively short period of time.
If fake browser software is between you and the outside world, how does 2FA change anything?
Seems like most people are not even taking the time to understand the question.
The principle is having authentication not be susceptible to replay attacks wherein information captured in one authentication session is replayed in another. Password or biometric authentication over a network are susceptible to replay attacks. Challenge-response authentication and 2FA authentication are not. The sessions will be different due to non-reuse over time periods of sufficient length of the challenge or 2FA code.

This means that if your browser is compromised, the attacker has to do their bad deed while you are connected with your browser session. That still can happen, but it is more difficult, and you are more likely to notice that something is wrong.

Having your browser compromised is already a significant security breach. At that point, other controls can help contain the damage, but there is no magic that will enable you to operate fully safely with a compromised browser. The goal should be to try as best as is practical to prevent a browser compromise, and to try as best as is practical to detect it as soon as possible after the fact if it happens.
Last edited by Northern Flicker on Sun Feb 11, 2024 4:32 pm, edited 1 time in total.
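A worked illustration of the replay point made in this post, and of funyun's "code that changes each time" and Nummerkins's "within 30s" remarks above. It is an added example in Go, not code posted by anyone in the thread. It implements RFC 4226 HOTP and RFC 6238 TOTP using the test secret published in those RFCs, then measures how long a code captured by a real-time phishing relay keeps verifying against a server that accepts the usual one-step clock-skew window either side of the current step. The server's window policy, the 30-second step and the capture time are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Step is the TOTP time step in seconds (the RFC 6238 default most apps use).
const Step = 30

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // low nibble of the last byte selects a 4-byte window
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter derived from Unix time.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/Step), digits)
}

// Verify is the server side. Most deployments (assumed here) accept the current
// step plus one step either way to tolerate clock skew, which stretches the
// window in which a relayed code is still good.
func Verify(secret []byte, unixTime int64, code string) bool {
	now := uint64(unixTime / Step)
	for _, c := range []uint64{now - 1, now, now + 1} {
		if hmac.Equal([]byte(HOTP(secret, c, 6)), []byte(code)) {
			return true
		}
	}
	return false
}

// RelayWindow returns how many seconds a code captured at captureTime keeps
// verifying, i.e. how long a real-time phishing proxy has to reuse it.
func RelayWindow(secret []byte, captureTime int64) int64 {
	stolen := TOTP(secret, captureTime, 6)
	for t := captureTime; t < captureTime+3*Step; t++ {
		if !Verify(secret, t, stolen) {
			return t - captureTime
		}
	}
	return 3 * Step
}

func main() {
	// RFC 4226/6238 test secret, so the published vectors can be checked by hand.
	secret := []byte("12345678901234567890")
	capture := int64(1111111109) // one of the RFC 6238 test times (assumed capture moment)
	stolen := TOTP(secret, capture, 6)
	fmt.Println("code the victim typed into the fake page:", stolen)
	fmt.Println("relayed to the real site 2 s later:     ", Verify(secret, capture+2, stolen))
	fmt.Println("relayed 60 s later:                     ", Verify(secret, capture+60, stolen))
	fmt.Println("seconds the stolen code stays usable:   ", RelayWindow(secret, capture))
}
```

The point the numbers make is the one Northern Flicker draws: a one-time code is not reusable tomorrow, so the attacker has to act inside the step (plus whatever skew window the server allows), which is exactly what a live phishing relay does.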
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

eigenperson wrote: Sun Feb 11, 2024 3:33 pm
bb wrote: Sun Feb 11, 2024 3:17 pm
eigenperson wrote: Sun Feb 11, 2024 3:11 pm However, if the user's computer or software is compromised, then you are right, no security key can protect them.
Thank you. It seems this point is often glossed over. So far the only computer setup that I have
trusted has been live boot Linux. It does not seem possible to get to the same level of confidence
that software on a Windows PC has not been compromised in some way.
As a rule of thumb, fully updated Android, Chrome OS, and iOS are reasonably secure. Of course there is malware for these systems, but catastrophic vulnerabilities are hard to come by, and it's hard to trick a user into completely compromising their system on these platforms.

I would rate Linux (assuming it's just a generic Ubuntu and not a specifically security-focused distro) as OK. It's a lot easier to compromise a Linux system than Android or iOS, because of the much looser security model, but Linux's market share as a consumer or endpoint OS is so low that I'm pretty sure no one is even trying to target it, and that is the main advantage. Attacks against Linux are mainly focused on servers and production systems, and tend to be more targeted or focus on specific server software.

Also, you had better keep that boot image up to date!
Linux may not install in a particularly secure configuration. If someone lacks the technical skills to secure and maintain a Linux system well, they generally will have a more secure system running Windows. MacOS probably is still more secure than Windows, but it no longer is obvious that is the case.

Whether or not a hardware key can still offer protection after a compromise of your machine depends on the nature of the compromise. If the browser is compromised, or malware is running as root or as the user running the browser or as a user with write permission to browser executable or library files, then you are hosed, and the best you can hope for is a detective control.

Look at the machines people are carrying at a security conference. I think you will see a lot more Chromebooks than Windows, Mac, or Linux laptops (distinguishing Chrome OS from Linux here).
Scorpion Stare
Posts: 183
Joined: Wed Dec 22, 2021 9:15 am

Re: dumb computer security question

Post by Scorpion Stare »

bb wrote: Sun Feb 11, 2024 2:39 pm
eigenperson wrote: Sun Feb 11, 2024 2:30 pm Nothing prevents it. This is why one-time codes are an inferior method of 2-factor authentication, compared to hardware security keys (which are immune to this).
How are hardware security keys immune to this type of attack? If the user has to type something…
With a FIDO-based hardware token like a Yubikey, the user does not type the 2FA code. The key does a cryptographic handshake directly with the authenticating site. It creates a different cryptographic key for each site, and won't use your vanguard.com key (for example) if you are on a site other than vanguard.com.

This makes it extremely good at preventing phishing attacks, which are one of the most common ways for hackers to compromise accounts. (However, as noted above, if the attacker has already taken over your computer then it’s too late; a hardware key may not stop them from accessing your other accounts.)
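The origin binding this post describes, together with the compromised-browser caveat eigenperson and Northern Flicker raised above, as an added Go example that is not code from anyone in the thread. It is a toy model of the FIDO2/WebAuthn assertion flow: the key holds one ECDSA key pair per relying-party ID and signs sha256(rpIdHash || clientDataHash); the browser supplies the origin in the client data; the site checks the challenge it issued, the origin and the signature. The hostnames vanguard.com and vangourd.com, the challenge strings, and deriving the rpId by stripping https:// are assumptions of the example; a real assertion signs authenticatorData (which begins with the rpIdHash) concatenated with the clientDataHash, and real client data carries more fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ClientData is a cut-down version of the WebAuthn client data the browser builds.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a FIDO2 key: a separate key pair for every relying party ID.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential scoped to rpID and hands the public key to the site.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = k
	return &k.PublicKey
}

// Assert signs sha256(rpIDHash || clientDataHash) with the credential registered for
// exactly this rpID. The key never sees the origin; it relies on the browser for that.
func (a Authenticator) Assert(rpID string, clientDataHash [32]byte) ([]byte, error) {
	k, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential for rpId " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, k, signedBytes(rpID, clientDataHash))
}

func signedBytes(rpID string, cdh [32]byte) []byte {
	rpIDHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpIDHash[:], cdh[:]...))
	return d[:]
}

// BrowserAssert is the browser's half. An honest browser fills in the origin the page
// really came from and derives the rpID from it, so a vanguard.com credential is never
// selected on vangourd.com. Malware inside the browser process can pass any origin.
func BrowserAssert(a Authenticator, origin, challenge string) ([]byte, []byte, error) {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	sig, err := a.Assert(strings.TrimPrefix(origin, "https://"), sha256.Sum256(cd))
	return cd, sig, err
}

// RelyingParty is the site: it checks the challenge it issued to this session, the
// origin the browser reported, and the signature binding both to its credential.
type RelyingParty struct {
	Origin string
	PubKey *ecdsa.PublicKey
}

func (rp RelyingParty) Verify(issued string, clientData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	if cd.Challenge != issued {
		return errors.New("challenge mismatch: replay or another session")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	rpID := strings.TrimPrefix(rp.Origin, "https://")
	if !ecdsa.VerifyASN1(rp.PubKey, signedBytes(rpID, sha256.Sum256(clientData)), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := Authenticator{}
	rp := RelyingParty{Origin: "https://vanguard.com", PubKey: auth.Register("vanguard.com")}

	cd, sig, _ := BrowserAssert(auth, "https://vanguard.com", "chal-1")
	fmt.Println("genuine login:      ", rp.Verify("chal-1", cd, sig))

	// Phishing relay: honest browser on the lookalike page, real challenge forwarded.
	_, _, err := BrowserAssert(auth, "https://vangourd.com", "chal-2")
	fmt.Println("phishing relay:     ", err)

	// Compromised browser: chal-3 was issued to the attacker's own session; malware
	// names the real origin and the key signs. Nothing below the browser can tell.
	cd, sig, _ = BrowserAssert(auth, "https://vanguard.com", "chal-3")
	fmt.Println("compromised browser:", rp.Verify("chal-3", cd, sig))
}
```

The third scenario verifies exactly like the first, which is the point of the caveat: neither the key nor the site can distinguish an assertion the user meant to make from one that malware in the browser requested for the attacker's session. The only signal left to the user is a touch prompt they did not expect.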
Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

Re: dumb computer security question

Post by bb »

The thing that has always bothered me is I have no way of knowing with a lot of confidence
that the software on my Windows PC has not been compromised. That's why I mentioned
the live Linux boot. Yes, it might not have the latest security fixes. But what are the odds
that during a live boot someone at that exact time targets my machine while my Linux
live boot session is up? That seems to be a more remote scenario than some sort
of malicious software being installed on my Windows PC. Also stressing a live
Linux boot, not a Linux installation.
warner25
Posts: 876
Joined: Wed Oct 29, 2014 4:38 pm

Re: dumb computer security question

Post by warner25 »

Northern Flicker wrote: Sun Feb 11, 2024 4:11 pm Look at the machines people are carrying at a security conference. I think you will see alot more Chromebooks than Windows, Mac, or Linux laptops
Interesting observation. I've only been to IEEE S&P last year, and I wasn't really taking notice of this, but I'm not sure I've ever seen someone in the CS, software, security, etc. field using a Chromebook. Among the CS grad students and faculty that I work with, I'd guess maybe 70% are running macOS, 20% are running Windows, and 10% are running a traditional desktop Linux distro. I don't think that's due to perceptions about security though; it's probably more of a reflection of relative affluence, the convenience of being in the same ecosystem as the iPhone, and the need to work with a lot of Unix/Linux-first tools.
torso2500
Posts: 117
Joined: Wed Sep 14, 2022 11:35 am

Re: dumb computer security question

Post by torso2500 »

The fake browser software scenario: are you referring to a man-in-the-middle attack? I feel like there is a very important step between "your machine is targeted" => "you are hacked", where you have to be manipulated into taking actions that let an attacker access your browser/device/network, that is glossed over a bit. But I think that's crucial: prepare yourself to recognize when you're being prompted to install or change something so you don't go through with it. Yes, there are (rare) zero-click exploits; keeping your OS up to date is the main defense.

Device compromise might make 2FA useless in a specific instance, but it's not a reason to discredit smaller-stakes practices more generally. You just have to use all your tools, all the time: security practices like MFA, plus commonsense measures to not infect your computer (vet software, think twice before installing, etc.). Don't open or install things that came to you randomly/unsolicited!
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

bb wrote: Sun Feb 11, 2024 5:51 pm The thing that has always bothered me is I have no way of knowing with a lot of confidence
that the software on my Windows PC has not been compromised. That's why I mentioned
the live Linux boot. Yes, it might not have the latest security fixes. But what are the odds
that during a live boot someone at that exact time targets my machine while my Linux
live boot session is up? That seems to be a more remote scenario than some sort
of malicious software being installed on my Windows PC. Also stressing a live
Linux boot, not a Linux installation.
Your router could be compromised and direct you to a man-in-the-middle attack site without your browser or machine being compromised. You would never know it. A YubiKey running FIDO2 would protect you from that. Booting Linux from a USB drive will not.

Unfortunately, many YubiKey implementations, Vanguard included, first ask for a password, then run the FIDO2 protocol. By the time the challenge-response protocol is run, the password already is compromised. On the other hand, if the FIDO2 protocol in the YubiKey cannot be circumvented, I'm not sure the password matters.
heywhoathere
Posts: 184
Joined: Mon Mar 14, 2022 7:18 pm

Re: dumb computer security question

Post by heywhoathere »

bb wrote: Sun Feb 11, 2024 12:36 pm What is to prevent a user thinking they are logging into a website with userid/password, but
the hacker is really the one logging into the real site; then the hacker requests the 2FA code,
the user gets the code (since they are expecting it), and then the hacker intercepts the code
and completes login to the account.
Depends what you mean by "thinking they are logging into a website". If you mean a phishing attempt, like you think you're logging into vanguard[.]com but are really logging into vangourd[.]com, then as mentioned hardware security keys would prevent that attack.

If you mean that a hacker is somehow redirecting you to a fake vanguard[.]com website (with the real/correct website name), then you would get a TLS/certificate error and any modern browser would show you a huge warning page with a bunch of scary text telling you not to continue on to the website. The caveat to this is if the hacker somehow managed to compromise your device's certificate trust store then you wouldn't see the error and would have no idea you're navigating to a fake vanguard[.]com.

But if a hacker can do this then that means they already have admin/root access to your device and you've already lost.
mrb09
Posts: 885
Joined: Wed Aug 03, 2016 9:02 am

Re: dumb computer security question

Post by mrb09 »

Northern Flicker wrote: Sun Feb 11, 2024 7:24 pm
bb wrote: Sun Feb 11, 2024 5:51 pm The thing that has always bothered me is I have no way of knowing with a lot of confidence
that the software on my windows pc has not been compromised. That's why I mentioned
the live linux boot. Yes it might not have the latest security fixes. But what are the odds
that during a live boot someone at that exact time targets my machine while my linux
live boot session is up. That seems to be a more remote scenario than some sort
of malicious software could be installed on my windows pc. Also stressing a live
linux boot - not a linux installation.
Your router could be compromised and direct you to a man-in-the-middle attack site without your browser or machine being compromised. You would never know it. A Yubikey running Fido2 would protect you from that. Booting Linux from a USB drive will not.

Unfortunately, many Yubikey implementations, Vanguard included, first ask for a password, then run the Fido2 protocol. By the time the challenge-response protocol is run, the password already is compromised. On the other hand, if the Fido2 protocol in the Yubikey cannot be circumvented, I'm not sure the password matters.
It is pretty hard for a man in the middle between a browser and web site to steal anything from a secure HTTPS (TLS) connection just by listening. If the man in the middle tries to impersonate a web site to get decrypted traffic, it would need to somehow get a certificate with the impersonated hostname from a certificate authority trusted by the browser, which is pretty hard to do.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

That would require tricking the browser into using a fraudulent certificate. There have been a few examples of compromised certificate authorities. It is worth reviewing the list of trusted certificate authorities in your browser, perhaps deleting ones in some countries in which you don't plan to do e-commerce with sites in the country. This will break the ability to connect with some sites, so this should be done judiciously. Pre-shared asymmetric keys with the site to which you are connecting, using a challenge-response protocol such as in Fido2, are a more comprehensive way to prevent such an attack.
Topic Author
bb
Posts: 389
Joined: Wed Apr 25, 2007 10:04 pm

Re: dumb computer security question

Post by bb »

The scenario that I described is your browser software becomes infected with malware. As such I assume this is not a man in the middle attack.
RetiredAL
Posts: 3436
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: dumb computer security question

Post by RetiredAL »

An intruder having a gun to my head (or DW's) would likely get full cooperation from me.
Does that happen, yes, but very rarely.

So could your computer be hacked to the point that someone could masquerade as you?
YES, but as some have said, how many hundreds of millions of logons are made each day vs computer takeovers happening. The Financial Institutions appear to consider that small risk acceptable.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

bb wrote: Sun Feb 11, 2024 8:51 pm The scenario that I described is your browser software becomes infected with malware. As such I assume this is not a man in the middle attack.
The compromised browser can try to effect a trojan horse or mitm attack. A compromised browser by itself is not an issue. It is the attack conducted by the malware in the browser that is the problem.

How would you know if your linux browser were compromised? Several of the browser attack vectors apply equally to Windows and Linux.
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: dumb computer security question

Post by gavinsiu »

One of the attack vectors is to install some sort of malware that bypasses your security. This may take the form of an extension or something that sits on your machine. Usually the method for doing this is to trick you, the human, into installing it.

Note that I mentioned tricking you into installing it. This is because Windows, Mac, Linux, Android, and iOS have fairly good security. It is possible to exploit security holes in the OS or browser, but those exploits are often quickly closed up. You should follow the general recommendation of keeping your OS up to date, make sure you have strong and unique passwords for every site, and enable 2FA. Make sure you do not become a victim of phishing.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

RetiredAL wrote: Sun Feb 11, 2024 9:01 pm An intruder having a gun to my head (or DW's) would likely get full cooperation from me.
Does that happen, yes, but very rarely.
But you still probably lock up your house when you sleep.
MathWizard
Posts: 6500
Joined: Tue Jul 26, 2011 1:35 pm

Re: dumb computer security question

Post by MathWizard »

bb wrote: Sun Feb 11, 2024 2:16 pm
id0ntkn0wjack wrote: Sun Feb 11, 2024 1:10 pm That's why it's likely better to use a hardware token (Yubikey), SMS (text message) or software (Authy, Google Authenticator) which randomizes the 2FA response and would make whatever data was collected on the spoofed site obsolete in a relatively short period of time.
If fake browser software is between you and outside world how does 2FA change anything?
Seems like most people are not even taking the time to understand the question.
This is called a man in the middle attack.
It is not typically done by changing your browser software, but by getting you to go to a fake site instead of where you want to go.
This can be done by having you click on a link which has the correct name, but a bogus numeric IP address.
The same can be done by a "poisoned DNS server": A DNS server translates a text address like www.bogleheads.org into a set of 4 numbers, each in the range 0 to 255. Similar to what was done with phonebooks: translate a human name in a town into a phone number.
A poisoned DNS server gives out false numeric IPs.

Internet service providers do a good job in keeping their DNS servers valid, so poisoned DNS servers are really not an issue anymore.
The biggest vulnerability is always the browser user. I was astonished when otherwise intelligent people could not be trusted to not give out their 2FA code to someone calling on the phone.
A legitimate customer service person will never ask for password or 2FA.
barcharcraz
Posts: 90
Joined: Sat Dec 02, 2023 1:51 am

Re: dumb computer security question

Post by barcharcraz »

Yes if someone manages to install malware on your machine that operates "as you" they have complete control over your accounts. They can log into your accounts and take your passwords and session cookies, email lewd photos to your boss, etc. The thing about 2 factor authentication is that it's time limited, and for hardware keys there's some additional security that prevents phishing, but a program running on your computer can still do things like opening an off screen browser window when you log in and taking actions there. This is a pretty noisy attack, though. Any money transfers, esp to new accounts, likely result in a call or email to you, any investment activity will probably be noticed quickly because it has to occur pretty close in time to when you're logged in and using the account. Once you notice you'll kick em off your computer, call your broker, and reverse things (they'll probably go to law enforcement to track down the money as well). That makes this a high risk and low reward criminal enterprise. This kind of malware, esp when it's installed using a security hole and not by tricking you to install it, is nearly impossible to defend against, but it's also expensive to find these security holes and they have a limited shelf-life, so usually the target is information, not money.

At a certain point you are protected more by law enforcement and the financial system's kyc/aml requirements than any kind of IT security.
barcharcraz
Posts: 90
Joined: Sat Dec 02, 2023 1:51 am

Re: dumb computer security question

Post by barcharcraz »

MathWizard wrote: Mon Feb 12, 2024 1:36 am
bb wrote: Sun Feb 11, 2024 2:16 pm
id0ntkn0wjack wrote: Sun Feb 11, 2024 1:10 pm That's why it's likely better to use a hardware token (Yubikey), SMS (text message) or software (Authy, Google Authenticator) which randomizes the 2FA response and would make whatever data was collected on the spoofed site obsolete in a relatively short period of time.
If fake browser software is between you and outside world how does 2FA change anything?
Seems like most people are not even taking the time to understand the question.
This is called a man in the middle attack.
It is not typically done by changing your browser software, but by getting you to go to a fake site instead of where you want to go.
This can be done by having you click on a link which has the correct name, but a bogus numeric IP address.
The same can be done by a "poisoned DNS server": A DNS server translates a text address like www.bogleheads.org into a set of 4 numbers, each in the range 0 to 255. Similar to what was done with phonebooks: translate a human name in a town into a phone number.
A poisoned DNS server gives out false numeric IPs.

Internet service providers do a good job in keeping their DNS servers valid, so poisoned DNS servers are really not an issue anymore.
The biggest vulnerability is always the browser user. I was astonished when otherwise intelligent people could not be trusted to not give out their 2FA code to someone calling on the phone.
A legitimate customer service person will never ask for password or 2FA.
Both these attacks will present you with a big fat warning page if your computer is not compromised. With HSTS it is not at all trivial to bypass this warning. Also stuff like yubikeys won't work with the fake site.
dboeger1
Posts: 1408
Joined: Fri Jan 13, 2017 6:32 pm

Re: dumb computer security question

Post by dboeger1 »

OP, have you considered running something like Fedora Silverblue? It's not typically pitched as primarily a security solution because it doesn't address many of the concerns other replies have brought up in this thread, and its main purpose is more to ensure a stable and recoverable system. But somewhat similar to many live-boot distros, the idea is that you boot into a static snapshot of system software. When you install new applications, they are applied as atomic updates, a new boot entry is created, and you explicitly choose your boot environment on subsequent reboots.

Admittedly, I am very inexperienced with these sorts of immutable distros, only having briefly used one at work for server container workloads, so I don't really know all the details or implications of using them as a daily driver on a PC. I could very well be glossing over relevant security issues. But my understanding is that such an OS would mitigate the risk of accidentally/unknowingly installing/running compromised software. As long as you boot into the same environment, the applications should all be the same.

Of course, you could achieve similar results by checksumming all of your applications, which could be made into an automated check any time you run them such that you don't have to do it manually. Then again, your script could get compromised. So could the code managing your Silverblue environments. A lightning strike could theoretically flip just the right bits needed for your otherwise working application to leak all your personal data. You have to trust some things at some basic level, or just go mad thinking about how nothing is truly guaranteed (kind of like investment returns, to put a Boglehead spin on it). Realistically, most malware is installed by unaware users being tricked into installing it themselves, as opposed to hackers proactively probing for exploits on random users' machines (they do that for high-value targets, but not Joe Schmo for the most part). Being careful about what you install is usually pretty effective regardless of how many other security measures you have in place.
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: dumb computer security question

Post by gavinsiu »

Note that many of the attacks are probably not to your computer but to the router. For example, if someone hacks your router, they can alter the DNS so that URL goes to their site and even your password manager will not be able to tell the difference. Make sure you get a router that has regular security updates.
eigenperson
Posts: 241
Joined: Mon Nov 09, 2015 6:16 pm

Re: dumb computer security question

Post by eigenperson »

gavinsiu wrote: Mon Feb 12, 2024 8:21 am Note that many of the attacks are probably not to your computer but to the router. For example, if someone hacks your router, they can alter the DNS so that URL goes to their site and even your password manager will not be able to tell the difference.
This statement is incorrect for sites that use HSTS, and that's all the relevant ones these days.

I know you mean well, and your advice to keep router software up to date is good for many other reasons, but the exact attack you described basically does not work.
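As an added illustration of the HSTS mechanism eigenperson and barcharcraz are relying on (this is a toy model written for this page, not code from the thread or from any browser): how a browser records a Strict-Transport-Security header and what that does to a later navigation when DNS has been redirected to a server that cannot present a valid certificate. Host names are constructed, and the includeSubDomains directive and preload list are left out.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
	"time"
)

// known is a toy "known HSTS hosts" cache mapping host to policy expiry, as a
// browser keeps it (RFC 6797); now is a variable so a test can move the clock.
var (
	known = map[string]time.Time{}
	now   = time.Now
)

// ParseMaxAge extracts max-age (seconds; 0 means "forget this host") from a
// Strict-Transport-Security header; malformed headers are ignored by browsers.
func ParseMaxAge(value string) (int64, error) {
	for _, d := range strings.Split(value, ";") {
		kv := strings.SplitN(strings.TrimSpace(d), "=", 2)
		if strings.EqualFold(strings.TrimSpace(kv[0]), "max-age") && len(kv) == 2 {
			n, err := strconv.ParseInt(strings.Trim(kv[1], `" `), 10, 64)
			if err != nil || n < 0 {
				return 0, errors.New("invalid max-age")
			}
			return n, nil
		}
	}
	return 0, errors.New("max-age missing")
}

// Observe records the header for host. A browser honours it only when it
// arrived over HTTPS with a valid certificate (RFC 6797 section 8.1), so an
// attacker on the network path can neither plant nor clear a policy.
func Observe(host, header string, overValidTLS bool) {
	maxAge, err := ParseMaxAge(header)
	if !overValidTLS || err != nil {
		return
	}
	if maxAge == 0 {
		delete(known, host)
	} else {
		known[host] = now().Add(time.Duration(maxAge) * time.Second)
	}
}

// IsKnown reports whether host has an unexpired policy.
func IsKnown(host string) bool {
	exp, ok := known[host]
	return ok && now().Before(exp)
}

// Navigate models the two behaviours that defeat a DNS or router redirect to a
// look-alike server: an http:// URL for a known host is upgraded to https://
// before any request leaves the machine, and a certificate error on a known
// host is fatal ("" = blocked, "warning:<host>" = click-through interstitial).
func Navigate(scheme, host string, certValid bool) string {
	isKnown := IsKnown(host)
	if isKnown {
		scheme = "https"
	}
	if scheme == "https" && !certValid {
		if isKnown {
			return ""
		}
		return "warning:" + host
	}
	return scheme + "://" + host + "/"
}
```

A first-ever visit has no cached policy, which is the gap the browser preload list covers; for any site the browser has already seen over a valid HTTPS connection, the redirected server gets a hard failure rather than a warning the user can click past.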
patrick
Posts: 2560
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: dumb computer security question

Post by patrick »

This is called a man in the browser attack and can defeat 2 factor authentication because the attacker gets control of a session that the user authenticated. Sometimes this is mitigated by verifying specific transactions -- you might get a second text message asking if you want to send money to a new destination. If the attacker only controls the browser you would still see the confirmation.

I'm not sure how common such attacks are against consumers. I've certainly read much more about other ways of defeating 2FA, such as social engineering (tricking you into revealing the 2FA code by contacting you and pretending to be the bank) or SIM swaps (tricking phone companies into switching your phone number to another phone, so the attacker receives SMS verification codes meant for you).
SteveInNJ
Posts: 73
Joined: Tue Dec 11, 2018 10:44 am

Re: dumb computer security question

Post by SteveInNJ »

This is one of the things Passkeys are supposed to solve for.

https://fidoalliance.org/passkeys/

They're not phishable and your browser will only present a passkey to a website it's registered to, so you can't accidentally log into fidelllity.com with a passkey for fidelity.com.

That said, if your device is compromised all bets are off.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

barcharcraz wrote: Yes if someone manages to install malware on your machine that operates "as you" they have complete control over your accounts.
Not necessarily. You do not have to use a single account for all activities and certainly should not be operating with admin/root privileges normally. If malware is running with admin or root privileges you certainly are hosed. If it is running with a non-privileged account, you may have time to detect it before it successfully uses a root kit to elevate privileges. And if you use 2FA, you would actually have to login to a service with the compromised machine to give access to the malware.

The point of layered controls is that a breach of the perimeter does not immediately imply full failure and complete control. But yes, once you have taken on malware, all bets are off, and you are in containment and damage control mode.
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: dumb computer security question

Post by gavinsiu »

As for game over if malware gets on your system, keep in mind that malware is written for a specific type of attack. It may be a program that sends your keystrokes or scans through your gmail, etc. The problem is that you have no idea what the malware does, so you have to assume the worst. If you can identify the malware, you can isolate your machine and try to remove the malware. Sometimes, it's easier to just erase your drive and restore from backup assuming the malware is not in the backup, too.
barcharcraz
Posts: 90
Joined: Sat Dec 02, 2023 1:51 am

Re: dumb computer security question

Post by barcharcraz »

Northern Flicker wrote: Mon Feb 12, 2024 12:57 pm
barcharcraz wrote: Yes if someone manages to install malware on your machine that operates "as you" they have complete control over your accounts.
Not necessarily. You do not have to use a single account for all activities and certainly should not be operating with admin/root privileges normally. If malware is running with admin or root privileges you certainly are hosed. If it is running with a non-privileged account, you may have time to detect it before it successfully uses a root kit to elevate privileges. And if you use 2FA, you would actually have to login to a service with the compromised machine to give access to the malware.

The point of layered controls is that a breach of the perimeter does not immediately imply full failure and complete control. But yes, once you have taken on malware, all bets are off, and you are in containment and damage control mode.
Malware doesn't need root privileges to steal your passwords and session cookies. You might need root to mess with the browser in certain ways, but once you're running as the main user it's typically easy to get root (particularly with Windows' default UAC setting, which offers little real security). Among other things you can just wait for someone to download some installer program and hook it.

Most "root kits" don't rely on security vulnerabilities but rather just on the security model itself, and once installed they can be hard to remove.

Basically at some point you have to consider the "mossad vs not mossad" security model (https://www.usenix.org/system/files/140 ... ickens.pdf). At some point a determined attacker who really wants to hurt you can do so and you must rely on trust, human nature, and societal systems to deal with that. It's the same as physical security: at some point you just have to not piss off people who'll kill you in your sleep.
Last edited by barcharcraz on Mon Feb 12, 2024 7:45 pm, edited 1 time in total.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

I didn't say it did. I was using account privileges as an example of how capabilities of malware can have limits. Different types of attacks are possible with different privileges. My point was that just because malware infiltrates your machine does not mean that everything in your digital life is compromised. The point of layered security is to limit the damage when one control fails.
barcharcraz
Posts: 90
Joined: Sat Dec 02, 2023 1:51 am

Re: dumb computer security question

Post by barcharcraz »

Northern Flicker wrote: Mon Feb 12, 2024 7:45 pm I didn't say it did. I was using account privileges as an example of how capabilities of malware can have limits. Different types of attacks are possible with different privileges. My point was that just because malware infiltrates your machine does not mean that everything in your digital life is compromised. The point of layered security is to limit the damage when one control fails.
Yeah, certainly. The point of 2fa is that they only get in once, so you can log in from a clean device, change your passwords, and go about getting your money back.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: dumb computer security question

Post by Northern Flicker »

eigenperson wrote: Mon Feb 12, 2024 8:36 am
gavinsiu wrote: Mon Feb 12, 2024 8:21 am Note that many of the attacks are probably not to your computer but to the router. For example, if someone hacks your router, they can alter the DNS so that URL goes to their site and even your password manager will not be able to tell the difference.
This statement is incorrect for sites that use HSTS, and that's all the relevant ones these days.

I know you mean well, and your advice to keep router software up to date is good for many other reasons, but the exact attack you described basically does not work.
HSTS and TLS will protect against MITM as long as you have a valid certificate (public key) for the legitimate site to which you wish to connect.

With challenge-response authentication, as published in 1978, and ultimately implemented in a Yubikey, there is an a priori asymmetric key exchange between user and service, so that the user is not dependent on the integrity of a certificate to defeat a MITM attack.

You can decide if that matters to you. A MITM attack using a compromised certificate authority is not the sort of attack most likely to target an individual currently, but nobody will ring a bell before that status changes.

https://arstechnica.com/information-tec ... authority/

https://www.securityweek.com/nist-issue ... -prepared/

https://www.techrepublic.com/article/co ... -yourself/

You won't see a warning page either if you are using a fraudulent certificate issued by the attacker.
Last edited by Northern Flicker on Tue Feb 13, 2024 10:35 pm, edited 3 times in total.
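Pulling together SteveInNJ's point that a passkey is only presented to the site it was registered with and Northern Flicker's description of FIDO2 as challenge-response over keys exchanged ahead of time, here is an added toy model in Go (written for this page, not code from the thread, from Yubico or from the FIDO Alliance): a simulated authenticator, the client data the browser builds, and the relying party's verification, which needs no certificate at all. Host names and challenges are constructed, and the authenticator data is reduced to the rpId hash, a flags byte and a counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator is a toy FIDO2 key: one P-256 private key per relying party
// ID (rpId), created at registration; the service keeps only the public key.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential for rpId and returns its public key.
func (a Authenticator) Register(rpId string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a[rpId] = k
	return &k.PublicKey
}

// ClientData is built by the browser, not the page; origin is the real origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assert answers a challenge. The browser derives rpId from the page's origin,
// so a look-alike domain asks for a credential that does not exist, and the
// signature covers authData (embedding SHA-256(rpId)) plus the client data.
func (a Authenticator) Assert(rpId string, cd ClientData) (authData, clientJSON, sig []byte, err error) {
	k, ok := a[rpId]
	if !ok {
		return nil, nil, nil, errors.New("no credential registered for " + rpId)
	}
	rpHash := sha256.Sum256([]byte(rpId))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	clientJSON, _ = json.Marshal(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, k, signedHash(authData, clientJSON))
	return authData, clientJSON, sig, err
}

// signedHash is SHA-256(authData || SHA-256(clientDataJSON)), the signing input.
func signedHash(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Verify is the relying party's check. It needs no certificate, only the
// public key stored at registration and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, rpId, origin, challenge string, authData, clientJSON, sig []byte) error {
	var cd ClientData
	rpHash := sha256.Sum256([]byte(rpId))
	switch {
	case json.Unmarshal(clientJSON, &cd) != nil || cd.Type != "webauthn.get":
		return errors.New("bad client data")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch (stale or replayed)")
	case cd.Origin != origin:
		return errors.New("origin mismatch: signed for " + cd.Origin)
	case len(authData) < 37 || string(authData[:32]) != string(rpHash[:]):
		return errors.New("rpId hash mismatch")
	case !ecdsa.VerifyASN1(pub, signedHash(authData, clientJSON), sig):
		return errors.New("bad signature")
	}
	return nil
}
```

A relayed assertion fails twice over: the look-alike origin ends up inside the signed client data, and rewriting that field afterwards invalidates the signature, which is why the thread's "your browser will only present a passkey to the site it's registered to" holds even against a fresh challenge obtained from the real site.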