Monday, 27 August 2012

Two-Factor Authentication Example: Dropbox

Update: LifeHacker has a list of places where two-factor authentication is currently available as an option.

I'd Go for the App

Generally less accurately referred to as Two-Step Authentication, the principle of Two Factor Authentication demands the production of two or more out of a set of three authentication factor categories:
  1. A knowledge factor - something you know;
  2. A possession factor - something you have; and
  3. An inherence factor - something you are.
Inherence being problematic - as can be appreciated from consideration of the archetypal examples of fingerprints, voice prints, and iris scans, and in particular their potential vulnerability to replay attacks - it has become common for two-factor systems to employ the ubiquitous mobile phone as the thing the user has, in combination with various little bits of secret information that the user knows.

One of the first two-factor systems to gain popularity was Google's Authenticator app (an open source project) on these platforms:
  • Android 2.1 or later;
  • iPhone iOS 3.1.3 or later; and
  • BlackBerry OS 4.5 - 6.0.
Primarily covering GMail, this system now extends to all other Google Apps, and can be enabled in any third party app using the PAM Module. The first factor comprises your traditional combination of user name and password. Then, the mobile Authenticator application prompts you for an auto-generated verification code.

Now On Dropbox

Anyway, not to bury the lede, Dropbox - perhaps in response to last month's spammage, enabled by a Dropbox employee who had re-used his or her password at another, previously hacked site, resulting in the exposure of many users' email addresses - now offers such a system. Look under the Security tab, in the section labelled Account sign in, for the so-called Two-step verification setting.

Two options are provided for acquiring the new verification code. The first is a simple text message to your mobile phone. This is the easier of the two, but it also introduces a new potential vulnerability. Attackers can use social engineering against your phone provider to have your messages forwarded to another account. This exploit has in fact been documented several times against Google's two-factor system, e.g. at CloudFlare in May of this year.

So yeah, I'd definitely go for option 2, which is to use one of the following mobile apps to generate a unique time-sensitive security code with the help of the standard Time-based One-Time Password (TOTP) algorithm:
You may select either to scan a displayed bar code / QR Code, where supported, or to enter your secret key manually. Note that most apps will still generate the required security codes even when the cellular network or other data service is unavailable, such as when travelling or where coverage is unreliable.

Hat tip: Brian Krebs, as is so often the case!

Wednesday, 22 August 2012

Security (Link) Clearance - August 2012

Another small selection of interesting stories from recent security blogs.

Why passwords have never been weaker - and crackers have never been stronger.

Over at Ars Technica, Dan Goodin explains why, thanks to real-world data, the keys to your digital kingdom are under assault:

The iPhone Has Passed a Key Security Threshold

So thinks Technology Review contributing editor Simson L. Garfinkel:

Does society really want extremely private mobile devices if they make life easier for criminals? Apple's newly toughened standards sharpen the focus on that question.

Is iPhone Security Really this Good?

Meanwhile, Bruce Schneier has his own perspective on that assertion:

Yes, I believe that full-disk encryption -- whether Apple's FileVault or Microsoft's BitLocker (I don't know what the iOS system is called) -- is good; but its security is only as good as the user is at choosing a good password.

Triple DDoS vs. KrebsOnSecurity

With the best security blog of them all, it's unsurprising that Brian Krebs continues to attract the ire and DDoS arrows of the spambot kings:

According to Prolexic, the one used against was Attack Type 4, a.k.a “Max Flood”; this method carries a fairly unique signature of issuing POST requests against a server that are over a million bytes in length.

There ya go.

Thursday, 9 August 2012

Eliot Reads Prufrock

I Come In Value Packs Of Ten

The Love Song of J Alfred Prufrock, by Thomas Stearns Eliot, is my favourite poem. Not that I've read them all, I mean all the poems in the world, before arriving at this objective decision; that is not what I meant at all. There are far too many poems in existence to have done that, seriously, there's literally dozens out there. But of the five or six that I have read, Prufrock is quite definitely the best.

So I quite enjoy listening to the poet's own recitation, and ever since playing the old vinyl record at a friend's house in about 1980, have always been within a lodger's lunge of such a recording. Today, deciding to legalise our relationship, this poem and me, I grabbed a few spoken word MP3s from Amazon: The Waste Land, a scratchy old clipping suite encoded at an average of 62¼ kbps (and extravagant at that if you ask me); Prufrock itself; and one other, The Triumphal March From Coriolan.

Immediately, the 20 minute duration of the Prufrock file caught my attention. You see, Prufrock is my party piece. Well, it's either that or a Pogues-informed The Band Played Waltzing Matilda, Eric Bogle's despairing Gallipoli dirge, which nevertheless does have the advantage of being an actual song. No, I don't get invited to a lot of parties... you knew? You are not blind! How keen you are! On second thoughts it might be more accurate to describe Prufrock as: the piece I would recite on the night bus home from George Square, in order to ensure my evening ended with a good, sound beating up. Playing relentless Status Quo on your ghetto blaster works almost as well.

But I divest. I knew that, even after ten pints of Stella Artois, there's no way to stammer, slur, stretch and deform a recitation of Prufrock over more than about 10 of those 20 minutes. So what was going on? Firing up foobar2000, I discovered that both of the higher bit rate files contained multiple works.

I Call That A Bargain

01 - The Love Song of J Alfred Prufrock.mp3 actually includes the first three poems (which belong together anyway) from Prufrock and Other Observations, and finishes with Mr. Eliot's Sunday Morning Service. Here's the cue sheet:

00:00 - The Love Song of J Alfred Prufrock
08:20 - Portrait of a Lady
15:35 - Preludes
18:20 - Mr. Eliot's Sunday Morning Service
20:00 - [end]

02 - The Triumphal March From Coriolan.mp3 contains the following:

00:00 - Ash Wednesday
13:45 - A Song for Simeon
16:15 - Marina
18:33 - Triumphal March From Coriolan
21:45 - O Light Invisible (from The Rock)
24:20 - Chorus from Murder in the Cathedral
26:30 - Chorus from The Family Reunion
28:20 - [end]

I guess someone read the original LP's bipartite title, T S Eliot reads The Love Song of J Alfred Prufrock & Triumphal March From Coriolan (link goes to a March 1959 Gramophone review), and decided just to rip and label sides A and B accordingly and respectively. So there you have it: get 'em while they're hot, eight and three-halves poems for the price of two. As for The Waste Land, well those files didn't contain any Easter Eggs. Incidentally if you'd like to hear that latter masterpiece in full, the Harper Audio is rebroadcast in various formats (though not MP3) by the Internet Multicasting Service here, and of course less legally throughout YouTube.