Friday, 15 May 2015

Here’s How an Attacker Can Bypass Your Two-Factor Authentication


The two-step authentication systems on many websites work by sending a message to your phone via SMS when someone tries to log in. Even if you use a dedicated app on your phone to generate codes, there’s a good chance your service of choice offers to let people log in by sending an SMS code to your phone. Or, the service may allow you to remove the two-factor authentication protection from your account after confirming you have access to a phone number you configured as a recovery phone number.

This all sounds fine. You have your cell phone, and it has a phone number. It has a physical SIM card inside it that ties it to that phone number with your cell phone provider. It all seems very physical. But, sadly, your phone number isn’t as secure as you think.

If you’ve ever needed to move an existing phone number to a new SIM card after losing your phone or just getting a new one, you’ll know that you can often do it entirely over the phone — or perhaps even online. All an attacker has to do is call your cell phone company’s customer service department and pretend to be you. They’ll need to know what your phone number is and know some personal details about you. These are the kinds of details — for example, credit card number, last four digits of an SSN, and others — that regularly leak in big databases and are used for identity theft. The attacker can try to get your phone number moved to their phone.

There are even easier ways. For example, they can get call forwarding set up on the phone company’s end so that incoming voice calls are forwarded to their phone and don’t reach yours.

Heck, an attacker might not need access to your full phone number. They could gain access to your voice mail, try to log in to websites at 3 a.m., and then grab the verification codes from your voice mailbox. How secure is your phone company’s voice mail system, exactly? How secure is your voice mail PIN — have you even set one? Not everyone has! And, if you have, how much effort would it take for an attacker to get your voice mail PIN reset by calling your phone company?


Your phone number becomes the weak link, allowing your attacker to remove two-step verification from your account — or receive two-step verification codes — via SMS or voice calls. By the time you realize something is wrong, they can have access to those accounts.

This is a problem for practically every service. Online services don’t want people to lose access to their accounts, so they generally allow you to bypass and remove that two-factor authentication with your phone number. This helps if you’ve had to reset your phone or get a new one and you’ve lost your two-factor authentication codes — but you still have your phone number.

Theoretically, there’s supposed to be a lot of protection here. In reality, you’re dealing with the customer service people at cellular service providers. These systems are often set up for efficiency, and a customer service employee may overlook some of the safeguards when faced with a customer who seems angry, impatient, and has what seems like enough information. Your phone company and its customer service department are a weak link in your security.

Protecting your phone number is hard. Realistically, cellular phone companies should provide more safeguards to make this less risky. In reality, you probably want to do something on your own instead of waiting for big corporations to fix their customer service procedures. Some services may allow you to disable recovery or reset via phone numbers and warn against it profusely — but, if it’s a mission-critical system, you may want to choose more secure reset procedures like reset codes you can lock in a bank vault in case you ever need them.
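
An added example (not from the article) of what “reset codes you can lock in a bank vault” look like on the server side: a set of single-use recovery codes generated with a CSPRNG, stored only as salted hashes so that a database leak does not hand out working codes, and consumed exactly once. The code count, code length and PBKDF2 iteration count are assumed values, and the class name is hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (illustrative, not from the article):
# 8 codes, each 5 random bytes = 10 hex characters (40 bits of entropy per code).
CODE_COUNT = 8
CODE_BYTES = 5
HASH_ITERATIONS = 100_000


def generate_recovery_codes(count=CODE_COUNT):
    """Return fresh single-use recovery codes for the user to print and store offline."""
    return [secrets.token_hex(CODE_BYTES) for _ in range(count)]


def hash_code(code, salt):
    """Hash a recovery code so a leaked database does not reveal usable codes.

    Separators and case are normalised first so a code typed as 'AB12-...' still matches.
    """
    normalized = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, HASH_ITERATIONS).hex()


class RecoveryCodeStore:
    """Server-side store (hypothetical name): keeps only salted hashes and marks
    each code used exactly once."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        # Hashes of codes that have not been redeemed yet.
        self._unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, code):
        """Consume the code and return True if it is valid and unused, else False."""
        digest = hash_code(code, self.salt)
        for stored in list(self._unused):
            # Constant-time comparison avoids leaking how many characters matched.
            if hmac.compare_digest(stored, digest):
                self._unused.remove(stored)
                return True
        return False

    def remaining(self):
        """Number of codes the user can still use (worth showing in the account UI)."""
        return len(self._unused)
```

The user keeps the plaintext codes offline; the service keeps only the salted hashes, so support staff cannot read them back over the phone, which is the property the SMS-based reset path lacks.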

It’s not just about your phone number, either. Many services allow you to remove that two-factor authentication in other ways if you claim you’ve lost the code and need to log in. As long as you know enough personal details about the account, you may be able to get in.

Try it yourself — go to the service you’ve secured with two-factor authentication and pretend you’ve lost the code. See what it takes to get in. You may have to provide personal details or answer insecure “security questions” in the worst case scenario. It depends on how the service is configured. You may be able to reset it by emailing a link to another email account, in which case that email account may become a weak link. In an ideal situation, you may just need access to a phone number or recovery codes — and, as we’ve seen, the phone number part is a weak link.

Here’s something else scary: It’s not just about bypassing two-step verification. An attacker could try similar tricks to bypass your password entirely. This can work because online services want to ensure people can regain access to their accounts, even if they lose their passwords.

For example, take a look at the Google Account Recovery system. This is a last-ditch option for recovering your account. If you claim to not know any passwords, you’ll eventually be asked for information about your account like when you created it and who you frequently email. An attacker who knows enough about you could theoretically use password-reset procedures like these to get access to your accounts.

We’ve never heard of Google’s Account Recovery process being abused, but Google isn’t the only company with tools like this. They can’t all be entirely foolproof, especially if an attacker knows enough about you.

Whatever the problems, an account with two-step verification set up will always be more secure than the same account without two-step verification. But two-factor authentication is no silver bullet, as we’ve seen with attacks that abuse the biggest weak link: your phone company.

Brute-Force Attacks Explained: How All Encryption is Vulnerable

Brute-Force Basics

Brute-force attacks are simple to understand. An attacker has an encrypted file — say, your LastPass or KeePass password database. They know that this file contains data they want to see, and they know that there’s an encryption key that unlocks it. To decrypt it, they can begin to try every single possible password and see if that results in a decrypted file.
They do this automatically with a computer program, so the speed at which someone can brute-force encryption increases as available computer hardware becomes faster and faster, capable of doing more calculations per second. The brute-force attack would likely start at one-digit passwords before moving to two-digit passwords and so on, trying all possible combinations until one works.
A “dictionary attack” is similar and tries words in a dictionary — or a list of common passwords — instead of all possible passwords. This can be very effective, as many people use such weak and common passwords.

Why Attackers Can’t Brute-Force Web Services

There’s a difference between online and offline brute-force attacks. For example, if an attacker wants to brute-force their way into your Gmail account, they can begin to try every single possible password — but Google will quickly cut them off. Services that provide access to such accounts will throttle access attempts and ban IP addresses that attempt to log in too many times. Thus, an attack against an online service wouldn’t work too well because very few attempts can be made before the attack would be halted.
For example, after a few failed login attempts, Gmail will show you a CAPTCHA image to verify you aren’t a computer automatically trying passwords. They’ll likely stop your login attempts completely if you managed to continue for long enough.
On the other hand, let’s say an attacker snagged an encrypted file from your computer or managed to compromise an online service and download such encrypted files. The attacker now has the encrypted data on their own hardware and can try as many passwords as they want at their leisure. If they have access to the encrypted data, there’s no way to prevent them from trying a large number of passwords in a short period of time. Even if you’re using strong encryption, it’s to your benefit to keep your data safe and ensure others can’t access it.
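
An added example, not from the article, of the throttling described above: a sliding-window login throttle that counts failures per source IP and per target account, and locks either key once the failure budget is exhausted. The limits (5 failures within 5 minutes, 15-minute lockout) are assumed values, the class and function names are hypothetical, and a real deployment would keep the counters in a shared store rather than process memory.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (illustrative, not from the article).
MAX_FAILURES = 5          # failed attempts allowed inside the window
WINDOW_SECONDS = 300      # sliding window length
LOCKOUT_SECONDS = 900     # how long a key stays locked after exceeding the limit


class LoginThrottle:
    """Tracks failed logins per key (an IP address or an account name).

    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, key):
        """True if the key is currently locked out; expired locks are cleared."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return True
            del self._locked_until[key]
            self._failures[key].clear()
        return False

    def record_failure(self, key):
        """Register a failed attempt; lock the key once it reaches the limit."""
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        self._failures[key].clear()


def attempt_login(throttle, ip, username, password, check_password):
    """Gate a login attempt on both the source IP and the target account.

    Returns "blocked", "denied" or "ok". Checking both keys means one IP cannot
    spray many accounts, and many IPs cannot spray one account.
    """
    if throttle.is_blocked(ip) or throttle.is_blocked(username):
        return "blocked"
    if check_password(username, password):
        throttle.record_success(ip)
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(ip)
    throttle.record_failure(username)
    return "denied"
```

The per-account key is what matters against a distributed guessing campaign; the per-IP key is what stops one host from hammering many accounts. Note that the response is the same “blocked” for a correct and an incorrect password once locked, so the lock itself does not confirm a guess.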

Hashing

Strong hashing algorithms can slow down brute-force attacks. Essentially, hashing algorithms perform additional mathematical work on a password before storing a value derived from the password on disk. If a slower hashing algorithm is used, it will require thousands of times as much mathematical work to try each password and dramatically slow down brute-force attacks. However, the more work required, the more work a server or other computer has to do each time a user logs in with their password. Software must balance resilience against brute-force attacks with resource usage.

Brute-Force Speed

Speed all depends on hardware. Intelligence agencies may build specialized hardware just for brute-force attacks, just as Bitcoin miners build their own specialized hardware optimized for Bitcoin mining. When it comes to consumer hardware, the most effective type of hardware for brute-force attacks is a graphics card (GPU). As it’s easy to try many different encryption keys at once, many graphics cards running in parallel are ideal.
At the end of 2012, Ars Technica reported that a 25-GPU cluster could crack every Windows password under 8 characters in less than six hours. The NTLM algorithm Microsoft used just wasn’t resilient enough. However, when NTLM was created, it would have taken much longer to try all these passwords. This wasn’t considered enough of a threat for Microsoft to make the encryption stronger.
Speed is increasing, and in a few decades we may discover that even the strongest cryptographic algorithms and encryption keys we use today can be quickly cracked by quantum computers or whatever other hardware we’re using in the future.

Protecting Your Data From Brute-Force Attacks

There’s no way to protect yourself completely. It’s impossible to say just how fast computer hardware will get and whether any of the encryption algorithms we use today have weaknesses that will be discovered and exploited in the future. However, here are the basics:
  • Keep your encrypted data safe where attackers can’t get access to it. Once they have your data copied to their hardware, they can try brute-force attacks against it at their leisure.
  • If you run any service that accepts logins over the Internet, ensure that it limits login attempts and blocks people who attempt to log in with many different passwords in a short period of time. Server software is generally set to do this out of the box, as it’s a good security practice.
  • Use strong encryption algorithms, such as SHA-512. Ensure you’re not using old encryption algorithms with known weaknesses that are easy to crack.
  • Use long, secure passwords. All the encryption technology in the world isn’t going to help if you’re using “password” or the ever-popular “hunter2”.
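
The list above names SHA-512; strictly it is a hash function rather than an encryption algorithm, and for stored passwords the point of the Hashing section is that the hash should be deliberately slow. An added example, not from the article: PBKDF2-HMAC-SHA512 password storage with a per-user salt and a tunable iteration count, plus two helpers that estimate how the iteration count divides an attacker’s guess rate. The iteration count, salt length, storage format and the “one billion raw hashes per second” figure used below are assumed values.

```python
import hashlib
import hmac
import os

# Assumed parameters (illustrative, not from the article).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha512$iterations$salt$hash' using a fresh random salt.

    Plain SHA-512 is a fast general-purpose hash; PBKDF2 repeats it many times so
    that each guess costs the attacker roughly what one legitimate login costs the server.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha512":
        raise ValueError("unsupported scheme")
    dk = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(raw_hashes_per_second, iterations):
    """Rough attacker throughput: hardware doing N raw SHA-512 computations per
    second can try only about N / iterations candidates per second against PBKDF2."""
    return raw_hashes_per_second / iterations


def seconds_to_exhaust(alphabet_size, length, raw_hashes_per_second, iterations):
    """Worst-case seconds to try every password of the given length and alphabet."""
    return alphabet_size ** length / guesses_per_second(raw_hashes_per_second, iterations)
```

With the assumed figure of one billion raw hashes per second, every 8-digit numeric PIN falls in a tenth of a second at one iteration and in about five and a half hours at 200,000 iterations; the iteration count buys time, but only a longer password moves the exponent.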

Brute-force attacks are something to be concerned about when protecting your data, choosing encryption algorithms, and selecting passwords. They’re also a reason to keep developing stronger cryptographic algorithms — encryption has to keep up with how fast it’s being rendered ineffective by new hardware.

What to Do When Your iPhone or iPad Won’t Turn On

iPhones and iPads are supposed to “Just work,” but no technology is perfect. If you’ve pressed the Power button and the screen won’t turn on or you see an error message, don’t worry. You can probably make it boot again.
The instructions here will make any iPhone or iPad boot up and work properly. If they don’t, your device has a hardware problem preventing it from booting.

Plug It In, Let It Charge — And Wait

An iPhone, iPad, or iPod Touch may fail to turn on if its battery is completely dead. Generally, you’ll see some sort of “low battery” indicator when you try to turn an iOS device on and it doesn’t have enough battery power. But, when the battery is completely dead, it won’t respond and you’ll just see the black screen.
Connect your iPhone or iPad to a wall charger and let it charge for a little while — give it fifteen minutes, perhaps. If the battery is completely dead, you can’t just plug it in and expect it to respond immediately. Give it a few minutes to charge and it should turn itself on. This will fix your device if its battery was just completely drained.
Make sure your charger is working if this doesn’t work. A broken charger or charging cable may prevent it from charging. Try another charger and cable if you have them available.

Hold Power + Home to Perform a Hard Reset

iPhones and iPads can freeze completely, just like other computers. If they do, the Power and Home buttons will do nothing. Perform a “hard reset” to fix this. This was traditionally performed by removing a device’s battery and reinserting it or pulling the power cable on devices without batteries, which is why it’s also known as performing a “power cycle.” However, iPhones and iPads don’t have a removable battery. Instead, there’s a button combination you can use to forcibly restart your phone or tablet.
To do this, press both the Power and Home buttons and hold them down. Keep holding both buttons down until you see the Apple logo appear on the screen. The logo should appear between ten and twenty seconds after you start holding the buttons. After the Apple logo appears, your iPhone or iPad will boot back up normally. (The Power button is also known as the Sleep/Wake button — it’s the button that normally turns your device’s screen on and off.)
If this button combination doesn’t work, your iPhone or iPad may need to be charged for a while first. Charge it for a while before attempting the Power+Home button hard reset.

Bloatware Banished: Windows 10 Eliminates the Need to Ever Reinstall Windows on New PCs

Windows 10’s New Recovery System
This news was revealed in a Microsoft blog post titled “How Windows 10 achieves its compact footprint.” Windows 10 has a new recovery system that works in an entirely different way. Most people focused on the storage improvements and missed the implications for manufacturer-installed junkware.

While Windows 8 used a recovery image that manufacturers could customize, Windows 10 uses a more intelligent system that rebuilds Windows in-place without the need for a separate recovery image. The system is cleaned up and the latest files are kept — this means you also won’t have to install Windows Updates after refreshing or resetting your PC. Here’s how Microsoft explained it:
“We are also redesigning Windows’ Refresh and Reset functionalities to no longer use a separate recovery image (often preinstalled by manufacturers today) in order to bring Windows devices back to a pristine state.”

Manufacturers Can Still Add Pre-installed Software, But…

Rather than restoring Windows to a previous point in time using the refresh image, the refresh and reset functionalities will “bring Windows devices back to a pristine state” by restoring them to a known-good state with only built-in Windows software installed.
PC manufacturers will still be able to customize the computer’s state after the refresh or reset — for example, adding their own hardware drivers and any other software they want, including junkware like Superfish. For the average computer user doing a typical refresh or reset, the experience will likely be similar to today.
However, Windows will restore the system to a known-good state before installing the manufacturer-provided software and configuration changes. These changes will be stored separately in a different package. You’ll be able to delete this manufacturer-provided package of software and changes from a Windows 10 PC and then run a refresh or reset. This will restore your computer to a fresh state with only Microsoft’s own Windows software installed and no manufacturer-provided junkware installed.

This doesn’t actually solve the “crapware” problem for everyone. Less knowledgeable users will likely still end up with PCs filled with bloatware after performing a normal refresh or reset. But geeks will at least be able to get a fresh system much more quickly. And average users will be able to find these instructions, make a quick change, and refresh their PCs to get a fresh system — it’s easier than a full reinstall.
We don’t have all the final details — Windows 10 isn’t even finished yet! But the change to the way the refresh and reset image works is a big step in the right direction from Microsoft. If only Windows asked whether you wanted to install the manufacturer-provided software — and which bits of that software — when you refreshed or reset it.

Study Reveals We Are Being Tracked by Our Smartphones – Every 3 Minutes



It is a widely known fact that smartphone apps regularly collect huge amounts of data. The data usually includes users’ location information. But startling new facts on this data collection spree have been revealed by researchers at Carnegie Mellon University in their study.
According to the study findings, our smartphones can collect location data very frequently, that is, every 3 minutes.
The Wall Street Journal reports:

    “Even apps that provided useful location-based services often requested the device’s location far more frequently than would be necessary to provide that service, the researchers said. The Weather Channel, for example, which provides local weather reports, requested device location an average 2,000 times, or every 10 minutes, during the study period. Groupon, which necessarily gathers location data to offer local deals, requested one participant’s coordinates 1,062 times in two weeks.”
A few of the apps come pre-installed on a majority of smartphones and cannot be deleted easily. Researchers also investigated whether users can benefit in any way from these “nudges” imposed by the software, or appreciate the fact that sensitive data is being collected by the installed apps.
They found that after learning about the location data collection aspect, many users changed their mobile’s settings.