Interesting People mailing list archives

Re MUST READ: NYTimes: Cyberwar for Sale


From: "Dave Farber" <dave () farber net>
Date: Thu, 05 Jan 2017 00:36:01 +0000

---------- Forwarded message ---------
From: Kurt Buff <kurt.buff () gmail com>
Date: Wed, Jan 4, 2017 at 6:22 PM
Subject: Re: [IP] Re MUST READ: NYTimes: Cyberwar for Sale
To: Dave Farber <dave () farber net>


Using a cell phone as a second factor is problematic. That's because in
many use cases it's not really a second factor. If the user/owner of the
phone is performing a function on the phone that requires the second
factor, the phone is no longer, by definition, the second factor - this
includes reading email, gaining access to a VPN, etc.
NIST had something to say on the subject as well:
https://pages.nist.gov/800-63-3/sp800-63b.html

     "Note: Out-of-band authentication using the PSTN (SMS or voice)
     is deprecated, and is being considered for removal in future
     editions of this guideline."

Kurt

On Wed, Jan 4, 2017 at 2:43 PM, Dave Farber <dave () farber net> wrote:
---------- Forwarded message ---------
From: Patrick W. Gilmore <patrick () ianai net>
Date: Wed, Jan 4, 2017 at 5:19 PM
Subject: Re: [IP] Re MUST READ: NYTimes: Cyberwar for Sale
To: Dave Farber <dave () farber net>, Roger Bohn <Rbohn () ucsd edu>
Cc: Patrick W. Gilmore <patrick () ianai net>
There is no silver bullet, no one magic way to fix all problems. Defense in
depth is required to stop determined attackers - in “cyberwarfare” or any
other area.

Multi-factor authentication (“MFA”) is a good part of a defense in depth
strategy.

If Podesta had MFA, but entered his one-time MFA key (plus user/pass,
obviously) into the phish link _and_ the phish server was sending that to
Google _at the same time_, then the miscreants had one-time access to his
email. They could have absolutely downloaded everything at that time.
However, if they tried to store the user/pass/MFA key and use it later, it
would not have worked. Or even if they tried to come back and get new
emails after the first attempt, it would not have worked. Etc. Plus he
might have gotten notified that someone was attempting to access his
account.

Obviously we need more than just MFA. But MFA stops a lot of attack
vectors, and as you say, mobile phones make it far less annoying than
carrying a fob. So why not use it?
-- 
TTFN,
patrick
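The relay-versus-replay distinction Patrick draws above, worked through in code. This is an added example and not part of the original thread: a minimal RFC 6238 TOTP generator, a relying-party verifier that tolerates one step of clock skew but never redeems the same time step twice, and a constructed run of the phishing scenario (the shared secret is the RFC 6238 Appendix B test key, the timestamp is made up and chosen to be step-aligned; `TotpVerifier` and `simulate_phish` are names invented here).

```python
# Added example (not from the original thread): RFC 6238 TOTP plus a
# server-side verifier that enforces a small clock-skew window and refuses
# to accept an already-consumed time step, then a constructed replay of the
# phishing scenario discussed above.
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step, seconds
DIGITS = 6     # typical authenticator-app code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Relying-party side of the exchange (hypothetical class name).

    A code is accepted only if it matches one of the time steps within
    +/- `window` steps of the server clock (clock-skew tolerance), and a
    time step that already produced an accepted login is never accepted
    again (the forward-only resynchronisation rule of RFC 6238 section 5.2).
    """

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_counter_used = -1   # highest time step already redeemed

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter_used:
                continue               # this step was consumed: a replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter_used = c
                return True
        return False


def simulate_phish(secret: bytes, t0: int) -> tuple:
    """Constructed scenario: the victim types user/pass and the current code
    into a phishing page at time t0. Returns whether each attacker move
    succeeds: (forward it live within seconds, use the same code again
    immediately, store it and use it an hour later)."""
    server = TotpVerifier(secret)
    victim_code = totp(secret, t0)
    relay_ok = server.verify(victim_code, t0 + 2)          # forwarded live
    replay_now = server.verify(victim_code, t0 + 5)        # same code again
    replay_later = server.verify(victim_code, t0 + 3600)   # stored, used later
    return relay_ok, replay_now, replay_later


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890") and a
    # constructed, step-aligned timestamp (2017-01-05T00:00:00Z).
    key = b"12345678901234567890"
    print("RFC 6238 vector T=59:", totp(key, 59, digits=8))       # 94287082
    print("relay / replay now / replay later:", simulate_phish(key, 1483574400))
    # -> (True, False, False)
```

The run returns `(True, False, False)`: the live relay is accepted exactly once, which is the one-time access to the mailbox Patrick describes, while the same code presented again in the same step, or an hour later, is rejected. Note that the verifier must record the redeemed step (`last_counter_used`) for the "same code again" case to fail; a verifier that only checks the skew window would accept the second use for the rest of that 30-second step.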
On Jan 4, 2017, at 5:02 PM, Dave Farber <farber () gmail com> wrote:
Begin forwarded message:

*From:* "Roger Bohn" <Rbohn () ucsd edu>
*Date:* January 4, 2017 at 4:28:30 PM EST
*To:* dave () farber net, ip <ip () listbox com>
*Cc:* lauren () vortex com
*Subject:* *Re: [IP] MUST READ: NYTimes: Cyberwar for Sale*

I don’t think there is any doubt about the need for 2-factor
authentication. Some organizations have been using it for a decade, and
with ubiquitous cell-phones it's more convenient than before, as mentioned.

But, I ask from ignorance, how does this help with the main problem
discussed in this article, namely installing malware *inside* a system?
That malware can still be sent by any of the 3 methods. Where 2-factor does
help is “daisy chaining” attacks that use logins from one phishing victim
to get into multiple sites. But that’s not what happened to Podesta, for
example.

Roger Bohn
Professor of Technology Management
School of Global Policy and Strategy
UC San Diego
+1 858 381-2015 cell/text   Blog: Art2science.org <http://art2science.org/>

On 4 Jan 2017, at 9:28, Dave Farber wrote:
Begin forwarded message:

*From:* Lauren Weinstein <lauren () vortex com>
*Date:* January 4, 2017 at 11:57:55 AM EST
*To:* nnsquad () nnsquad org
*Subject:* *[ NNSquad ] MUST READ: NYTimes: Cyberwar for Sale*


MUST READ: NYTimes: Cyberwar for Sale

http://www.nytimes.com/2017/01/04/magazine/cyberwar-for-sale.html

     There are three methods, Scarafile explained, for getting the
     Remote Control System onto a target's device.  Customers can
     gain physical access to the device and then infect it with a
     USB stick or memory card. They can beam the R.C.S. in over a
     Wi-Fi network. Or they can send the customer an email and get
     him to click on an infected attachment -- usually a file from
     a brand-name program like Microsoft Word or PowerPoint ...

- - -

I am increasingly considering the possibility that 2-factor
authentication systems will need to be made mandatory for all users,
not just optional as is usually the case today at least in
non-corporate environments. Of course 2-factor isn't foolproof, and
there is some user hassle factor involved in using 2-factor (though a
well designed 2-factor system, such as Google's, reduces the hassle
notably). But it's just too easy to phish accounts that are only
protected by a simple password. It's probably time to bite the bullet
on this one.

--Lauren--
REPORT Fake News Here! - https://factsquad.com
CRUSHING the Internet Liars - https://vortex.com/crush-net-liars

-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170104193619:F784FA58-D2DE-11E6-84F0-FEDE3110B0DD
Powered by Listbox: http://www.listbox.com