A Quantum Immortal

Followup to yesterday’s post on how someone hacked my gmail account:

If you choose to add Google Authenticator instead of SMS messages as a two-factor authentication scheme, be aware of the following:

There is a good chance you will add Authenticator as a “primary” authentication scheme, but SMS messages will remain as an alternative option.
This means that an attacker could always bypass Authenticator and just use SMS, which is weak with Pushbullet/any sync-SMS-to-desktop scheme.
If you sync your SMS messages to your phone, you have to make sure to remove SMS messages as an alternative authentication method, not just add Authenticator.

Thanks Eyal Brosh for alerting me to this fact.

Update: See also this important followup.

—

Or: why 2-factor authentication is important, and how to use and misuse it.

This is a really important post, and everyone should read it. There’s even a bonus at the end.

I’ve been using 2-factor authentication since forever now. A while ago, I had horrible security practices – I was basically using the same simple password everywhere “because it didn’t matter and I was lazy”.

Then, someone hacked into Pizza Hut’s website and got to my email. Not fun.

I’ve upgraded my security practices significantly since then. I use a very strong password, coupled with two-factor authentication. Sweet, right?

Well, it turns out there are edge cases.

My chosen method of doing two-factor auth was using SMS codes. Whenever I logged in to a service, a unique code was sent to me via SMS. Well, I recently started using the wonderful Pushbullet chrome extension that lets me send SMS messages from my laptop, and all kinds of wonderful thngs. Problem is: it’s a security hazard, especially when you’re using SMS as your two-factor component.

The whole point of two-factor auth is this: You separate your authentication into two factors: One thing you remember (password), and one thing you have (your phone). An attacker might take possession or guess one of these factors, but it’s much more difficult to simultaneously guess/know your password while having possession of your physical phone.

Using extensions such as pushbullet, or whatever equivalent thing Apple users do, defeats this purpose. If someone hacks into your computer and sniffs your password, they also have access to your phone because it’s synced to the computer. So they basically OWNz you.

So, my solution was to switch to the Google Authenticator app which is the standard solution to the problem I just described. Its purpose is to generate login codes in a secure way, and it is in no way synced to anywhere, so an attacker would still have to have your physical phone in order to use it. Problem solved, right?

Well, yes and no.

So the good news is that this covers most issues and works well most of the time. But, there are caveats. One major caveat is this: in some cases, if your phone is lost or damaged, you are fucked. Since the authentication isn’t based on something like a phone number / SIM card that you can recover if needed, but rather on an app that isn’t backed up anywhere by design … if your phone is lost you just cannot recreate these codes.

There are a few workarounds.

The common workaround is a “backup phone number“. You can enter a friend’s phone number (one that doesn’t use Pushbullet!), so that if your own phone is lost, you can contact your friend and have them help you log in.

Another, argubaly more secure alternative is backup codes. Now, this is rather advanced so I assume 99% of the people who use two-factor auth don’t do this, but you can prepare in advance and print out backup codes that help you login if your phone is lost. I haven’t been doing this systematically until now, but will start using them today on every supported service. Note: depending on your level of paranoia, you should keep this codes somewhere safe from burglars, loss, cats etc.

So, why did I pick today to start using backup codes? Because I was just hacked. Yes, me with all my paranoia… hacked.

What just happened? I don’t really know the full story.

TL;DR – I disabled my 2-factor auth for a few days for technical reasons. A hacker used this time to login into my account.

How do I know I was hacked? Because of this:

I just woke up to find two emails from Google that my account was accessed, one from Safari (which I never use), and another  from Android. These emails are normal when you log in from a new device, but these login attempts happened while I was asleep/busy and from a device I never use which is a big freaking warning sign. I’m lucky the attacker wasn’t able to use their access to delete these emails, because otherwise I wouldn’t have known the hack even happened.

Note: The key icon which indicates this is not a phishing attempt, but rather  the emails really came from Google. Note: the emails were addressed to “rongrosslaw@gmail.com” and not “ron.gross@gmail.com” or “rongross@gmail.com”, but they were sent to rongross@gmail.com – this is a detail that still puzzles me … if anyone can explain this inconsistency, they’ll earn my gratitude.

To summarize this post: Login security is still an unsolved problem. All the details I described above are way too difficult for the average user to bother  to understand and follow. Accounts are not safe, but you can significantly upgrade your security by learning and  applying some techniques. Stay safe.

P.S – Why did I disable 2-factor auth in the first place?

My primary phone had a malfunctioning GPS device, so I was having it fixed and I was using an alt phone. Before I put my phone in the repair shop, I had to switch my Google Authenticator from my primary phone to my alt one (you must do this for every account/service you use Authenticator with! Remember, you have to have your physical phone with you in order to login!)

The problem was that my alt phone was rather shitty and braindead. After a bit of usage, its charger outlet gave out, and now it can never be recharged again! As soon as I noticed this I made a mental note to myself that I need to keep a little bit of battery in order to move Authenticator apps from my alt back to my primary phone, after I get it back from the shop.

Once I got my primary phone, I realized the repair shop had formatted it completely, despite my explicit instructions (it’s Eline, don’t buy anything there!). Long story short, my alt phone with a working Authenticator was quickly running out of battery as I was trying to switch my Authenticator app to my new App. I was literally racing against time, because if my phone reached 0% battery then I would be locked out of my account. So in this race, I only had time to disable 2 factor auth, because installing the Authenticator app on my new formatted phone took a bit more time than I had battery left. I thought to myself “well, I’ll just turn off 2-factor auth for a few days, it won’t hurt … I have a strong password”. Well, guess I was wrong. In the 3 days since I did that, someone already hacked my account. I don’t know how, I had a working assumption that my laptop was mostly hacker free, but perhaps that’s not the case. In any case, another important thing you should take away (Luckily I already know this) – assume your laptop can be hacked, and don’t keep anything really important on it 🙂

P.S.S – Bonus

For those who survived this post until this point: A new website I just discovered and starting to use is haveibeenpwned.com. You can check if your login information is found in any known major hacking, and get notified on future hacks. Here is how I was pwned:

So, apparently I had an account at Forbes.com (I didn’t even remember this), and this account was haccked on Feb 2014. It’s not really critical to me since I don’t use the same password there, but it’s still nice to know a little bit about known hacks that uncover my details. Are you pwned?

A PGP-signed version of this post can be found here.

So .. Roger Ver, the Bitcoin Jesus, just got his (first?) death threat (http://tinyurl.com/rogerreply). I knew this day would come. He just posted an outstanding bounty of  37.6 BTC for whoever provides the authorities with information that will lead to the arrest and conviction of the criminal making these threats. Roger, we are all with you, and I pray and hope nothing bad will happen to your or your family. I will also take this chance to post an identical preemptive bounty on myself:

MY BOUNTY FOLLOWS:

While this post is standing on my site – ripper234.com, I hereby offer an outstanding bounty of 37.6 BTC (currently about 25,000 USD) for whoever provides concrete evidence that will lead to the apprehension (by a ‘legal authority’), trial and conviction of any individual or group that make similar death threat or other criminal offence against me, my family, or my friends. I pray and hope such a day would never happen, and that this post always remain just a deterrent. I wish you all peace, love, and a wonderful day.

P.S As someone pointed out to me, this post actually incentives people to send me death threats if the value they attach to 37.6 BTC is greater than the penalty. The purpose of this post is to deter “real” death threats and serious crimes. So – I will amend the bounty conditions – the bounty will only be paid if I deem the death threat or crime “real”, and/or causing a monetary damage of at least 37.6 BTC. E.g., if someone actually plots to steal my scooter which is worth about 3K USD, and then an accomplice “reveals him”, I won’t pay 37.6 BTC for a 3K USD scooter. I hope you get my drift. I will be the final judge of “how real the criminal intent is”.

P.S.S Yes, the threat that Roger received might be a fake one. I don’t know, and I don’t want to find out whether a death threat I receive is real or not. As a public figure in the Bitcoin space, I want to make sure any such death threats are never made, and that bad people stay the fuck away. I realize that posting this post may be perceived as a taunt or drawing fire … but the truth of the matter is that I’m drawing enough fire as it is. I’m a public figure in the Bitcoin space, and I have had paranoias about similar threats targeting me for a while. This post is aimed at making sure these paranoias never become real. Some people would say this post actually serves the opposite purpose. I respectfully disagree. References:

• Bitcoin’s Dystopian Future

This is obvious to anyone who understands web, but a lot of browser extensions can read all the data on all the websites you visit. If you use any Bitcoin web wallets, exchanges, or anything financial in a browser – please for your own good, make sure to do it in a browser that’s completely clean.

You can use an alternate browser (Firefox if your default is Chrome), use an anonymous/incognito browser tab, or setup a unique profile for that … what is important is that the browser you use for financials does not have any extensions.

Extensions do declare their requested permissions … but these change over time and it’s hard to keep track – the safest approach is to make sure no extensions are installed on that browser.

This has been exploited already in the wild by some Bitcoin-specific extensions, but a Bitcoin-stealing module can be added to other unrelated extensions – better safe than sorry.

I was asked how I use a Yubikey. This is how I do it:

1. I ordered a Yubikey from Yubico. An Mt. Gox Yubikey is only good on Mt. Gox, you need a generic Yubikey.
2. Actually, I ordered two. If one of them is lost the other can’t be used to access it, but I don’t want to waste time ordering another one … I want to have a backup.
3. On blockchain.info I attach my Yubikey to one of our more secure wallets.
4. Then, whenever I log in to blockchain.info, my Yubikey is required.
5. I still retain the complete encrypted backup of my wallet, which of course does not require a Yubikey to decrypt.
   This is why Yubikey only semi-protects you … against a specific type of attack (for further security, use a cold wallet).

If my primary Yubikey will ever be lost or destroyed, I will decrypt my backup, open a new blockchain.info account, import my previous wallet, and secure that with my new Yubikey.

FYI, my new PGP key can be found here.

Quick – go to your Gmail account –> Options –> Always Use HTTPS

And your future sessions with Gmail will be SSL secured.
(This came as a response to a tool that automatically breaks into Gmail accounts, and is a long time overdue IMO).

For those who don’t know or forgot this, Shlomo posted how in 3 easy steps you can view all stored usernames & passwords on Firefox.

Not that scary, because you should only save password on a computer you trust. But still, I would have removed that feature or at least have a master password to access it.