EVE General Discussion

 
General Warning: Two way authentication is useless

Linus Gorp
Ministry of Propaganda and Morale
#21 - 2017-06-16 18:15:22 UTC  |  Edited by: Linus Gorp
Nalia White wrote:
How many of the people here actually even use a second auth method on their e-mail?

I can tell you that I don't. I'm administering my own mail server and I care a lot more about keeping that tightened up than about the possibility of someone really managing to crack a random 120-byte string.
But I'm also an itsec professional and have the knowledge to keep my infrastructure reasonably secure. 2FA is definitely worth it for average Joe.

Nalia White wrote:
Would a script kiddie go to the length to try and circumvent an SMS authentication? Man, I am just a gamer, not a specific target :)

Script kiddies are too dumb for that. All they can do is use tools and run scripts written by others without any understanding about them or the underlying techniques. Script kiddies are no threat to anyone remotely intelligent.

Nalia White wrote:
already wrote everything down just a post above you. would be happy to get a clue my friend. :)

3-month-old unique password
12 letters, one upper, 2 digits, a small sentence in my native language (Swiss German, only a spoken language, so the words are not in any dictionary :))
It's clear my e-mail got breached, I just haven't a clue how... Just checked, of course the login site would shut down after some attempts, so brute force should be out...

On the site https://haveibeenpwned.com/ only my e-mail is there, not one of my usernames.

What I have done:

Searched the 2 computers I use for logging in to my mail for threats, to no avail...
Enabled SMS authentication on e-mail, should do the trick for the future.
Changed password again... this time to something I have to write down and pin at my pinwall :)
Sadly, country blocking is not available for my e-mail service or for EVE Online.
Yeah, I have all my gaming services on this one e-mail...

That doesn't really tell me anything useful, short of the fact that you were registered on one or more websites that have been breached. Since you claim to have used a unique password for your mail account, it's unlikely that's the cause.

You can scan your PC for viruses all you want. Almost all AV solutions are junk that don't reduce the attack vector, but increase it by an exponential factor.

So let's go down the checklist.

  • Is your OS up-to-date with the latest patches?
  • Do you have an adblocker installed? (Seriously, that is THE #1 source for malware; If not, install UBlock Origin a.s.a.p.)
  • Do you have an Intel CPU with AMT (Active Management Technology) provisioned?
  • Have you opened any dubious emails?
  • Remember someone claiming to be customer service, technician, w/e, asking for your passwords or personal information? (Social engineering attempts)
  • Browser up-to-date?


There are way more attack vectors than I could possibly list here, but these are among the most common ones.

When you don't know the difference between there, their, and they're, you come across as being so uneducated that your viewpoint can be safely dismissed. The literate is unlikely to learn much from the illiterate.

Nalia White
Tencus
#22 - 2017-06-16 18:40:13 UTC  |  Edited by: Nalia White
Linus Gorp wrote:
Nalia White wrote:
How many of the people here actually even use a second auth method on their e-mail?

So let's go down the checklist.

  • Is your OS up-to-date with the latest patches?
  • Do you have an adblocker installed? (Seriously, that is THE #1 source for malware; If not, install UBlock Origin a.s.a.p.)
  • Do you have an Intel CPU with AMT (Active Management Technology) provisioned?
  • Have you opened any dubious emails?
  • Remember someone claiming to be customer service, technician, w/e, asking for your passwords or personal information? (Social engineering attempts)
  • Browser up-to-date?


There are way more attack vectors than I could possibly list here, but these are among the most common ones.


Thanks for your time. It's very much appreciated. As said, I have worked in IT my whole life and while I am no expert in security (didn't know about the AMT vulnerability, thanks a lot for this, will have to look at it at work too!) I know how to handle myself :)

OS is Win10 Home, always updated. In the company it's still Windows 7 over WSUS with staggered updates, so yeah, not so good, I know...
No adblocker. I use NoScript for an always up-to-date Firefox. In the company nothing... I will have a look into that, thank you.
My CPU is fine at home. I checked it with the Intel tool. Have to check at work too. Again, thanks a lot for this!
The last points I know how to handle well. But funny enough, once an uncle got called by a supposed Microsoft technician... crazy times...

I rarely even use my private e-mail in the company, and now that I have such a complex password that I had to write it down it's even better, so I will never log in anyway.

Syndicate - K5-JRD

Home to few, graveyard for many

My biggest achievement

Linus Gorp
Ministry of Propaganda and Morale
#23 - 2017-06-16 19:28:53 UTC
Nalia White wrote:
I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down

https://www.keepassx.org/

Aedaxus
Country House
Goonswarm Federation
#24 - 2017-06-17 09:41:56 UTC
Linus Gorp wrote:
Nalia White wrote:
I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down

https://www.keepassx.org/

That is the security equivalent of posting it on Facebook.
Axhind
Eternity INC.
Goonswarm Federation
#25 - 2017-06-17 10:32:35 UTC
Aedaxus wrote:
Linus Gorp wrote:
Nalia White wrote:
I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down

https://www.keepassx.org/

That is the security equivalent of posting it on Facebook.



While it is true that Android is a security disaster, it is far more difficult to breach his exact Android phone than it is to brute force bad passwords that humans can remember.

In this case it is better to use KeePass on the phone (better would be on a PC, which is far easier to secure than Android) than the alternative.
Linus Gorp
Ministry of Propaganda and Morale
#26 - 2017-06-17 17:17:32 UTC
Axhind wrote:
While it is true that Android is a security disaster, it is far more difficult to breach his exact Android phone than it is to brute force bad passwords that humans can remember.

In this case it is better to use KeePass on the phone (better would be on a PC, which is far easier to secure than Android) than the alternative.

KeePassX doesn't run on Android.

Aedaxus wrote:
Linus Gorp wrote:

That is the security equivalent of posting it on Facebook.

I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for?

Axhind
Eternity INC.
Goonswarm Federation
#27 - 2017-06-17 20:16:14 UTC
Linus Gorp wrote:
Axhind wrote:
While it is true that Android is a security disaster, it is far more difficult to breach his exact Android phone than it is to brute force bad passwords that humans can remember.

In this case it is better to use KeePass on the phone (better would be on a PC, which is far easier to secure than Android) than the alternative.

KeePassX doesn't run on Android.


My bad. I mixed it up with the Android version. Anyway, KeePass is excellent software that I also use, and I have no idea why anyone would not use it. An offline password manager is far safer than online ones like LastPass.
Aedaxus
Country House
Goonswarm Federation
#28 - 2017-06-17 21:07:59 UTC
Linus Gorp wrote:
Aedaxus wrote:
Linus Gorp wrote:
https://www.keepassx.org/

That is the security equivalent of posting it on Facebook.

I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for?

One small vulnerability will make your heart bleed. Open source is something I like, but make sure it's funded enough to put secrets behind. But yes, "clueless person" is a good technical explanation why it is secure. Good job...
Axhind
Eternity INC.
Goonswarm Federation
#29 - 2017-06-17 23:54:29 UTC
Aedaxus wrote:
Linus Gorp wrote:
Aedaxus wrote:
Linus Gorp wrote:
https://www.keepassx.org/

That is the security equivalent of posting it on Facebook.

I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for?

One small vulnerability will make your heart bleed. Open source is something I like, but make sure it's funded enough to put secrets behind. But yes, "clueless person" is a good technical explanation why it is secure. Good job...


Are you on drugs or something? You are not making any sense whatsoever. Where is this fancy security issue you are talking about? Heartbleed was in OpenSSL, not in KeePass.
Aedaxus
Country House
Goonswarm Federation
#30 - 2017-06-18 00:10:34 UTC  |  Edited by: Aedaxus
Axhind wrote:
Aedaxus wrote:
Linus Gorp wrote:
Aedaxus wrote:
Linus Gorp wrote:
https://www.keepassx.org/

That is the security equivalent of posting it on Facebook.

I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for?

One small vulnerability will make your heart bleed. Open source is something I like, but make sure it's funded enough to put secrets behind. But yes, "clueless person" is a good technical explanation why it is secure. Good job...


Are you on drugs or something? You are not making any sense whatsoever. Where is this fancy security issue you are talking about? Heartbleed was in OpenSSL, not in KeePass.

Yes, I am clueless, dumb, on drugs and not making sense. Let me have another drink of vodka and explain before I pass out:

OpenSSL = Open Source
KeePassX = Open Source

Heartbleed was caused by lack of funding.

That was probably too hard for you IT security specialists from CIA/NSA/Homeland. I guess Obama put you guys in charge to fend off the Russian hackers in the recent elections, right? How did that go? I am too dumb to google that.

Isn't this EVE Online? I should only say "Here's Google. Bleep you!" and you guys figure it out all by yourselves, right? Right? ;)

Also : https://i.imgflip.com/1r2nlt.jpg
Linus Gorp
Ministry of Propaganda and Morale
#31 - 2017-06-18 06:18:50 UTC  |  Edited by: Linus Gorp
Aedaxus wrote:
OpenSSL = Open Source
KeePassX = Open Source

Heartbleed was caused by lack of funding.

No, it wasn't insufficient funding. All software has bugs, and closed-source software is far more dangerous in that regard than open-source software. Let alone that closed-source software cannot be trusted by design.

I don't feel like wasting my time on educating you about why you're wrong.

PS: Intel Management Engine (a security nightmare) isn't limited to Intel vPro CPUs and AMD have the Platform Security Processor, their own version of it. NSA pwnage is bound to be found in both. They've also had spyware code in the Windows Kernel since at least 1999.

Aedaxus
Country House
Goonswarm Federation
#32 - 2017-06-18 08:00:22 UTC
Linus Gorp wrote:

Aedaxus wrote:
OpenSSL = Open Source Keepassx = Open Source Heartbleed was caused by lack of funding.

No

I guess the development team of OpenSSL disagrees with you, but as you are probably more security-skilled, who are they to question your general "x is more secure than y" without any arguments backing it up, right?

http://heartbleed.com/
"What can be done to prevent this from happening in future?
The security community, we included, must learn to find these inevitable human mistakes sooner. Please support the development effort of software you trust your privacy to. Donate money to the OpenSSL project."


Linus Gorp wrote:
NSA pwnage is bound to be found in both.

OMG, you are some badass security guy, the NSA has "pwnage"! They should have used that pwnage against those "Russian Hackers" :D Right

Linus Gorp wrote:
They've also had spyware code in the Windows Kernel since at least 1999.

Imagine that I'm some tinfoil-hat-wearing freak... just imagine, out of all the people you could nonsense your way out with the load of unsupported general blabla you spew, you choose to argue with me...
How come that when I turn the Windows updates off and some other services I don't need, ZERO information passes my router to the internet? Now you'd blab about _your_ router, but why don't you have passive and active scans and reporting and logging like me? If you would, you could know that IF NO PACKETS GO OUT they can't spy on you. I'm sorry that I spend my time talking to some security wannabe, but as I saw the news you could as well be the Top Security guy at Homeland Security. Good job, and good luck in the future as you will have to crutch on luck instead of skill and knowledge, Mr. SuperSecurity.
Linus Gorp
Ministry of Propaganda and Morale
#33 - 2017-06-18 12:22:12 UTC  |  Edited by: Linus Gorp
Aedaxus wrote:
Linus Gorp wrote:

Aedaxus wrote:
OpenSSL = Open Source Keepassx = Open Source Heartbleed was caused by lack of funding.

No

I guess the development team of OpenSSL disagrees with you, but as you are probably more security-skilled, who are they to question your general "x is more secure than y" without any arguments backing it up, right?

http://heartbleed.com/
"What can be done to prevent this from happening in future?
The security community, we included, must learn to find these inevitable human mistakes sooner. Please support the development effort of software you trust your privacy to. Donate money to the OpenSSL project."


Linus Gorp wrote:
NSA pwnage is bound to be found in both.

OMG, you are some badass security guy, the NSA has "pwnage"! They should have used that pwnage against those "Russian Hackers" :D Right

Linus Gorp wrote:
They've also had spyware code in the Windows Kernel since at least 1999.

Imagine that I'm some tinfoil-hat-wearing freak... just imagine, out of all the people you could nonsense your way out with the load of unsupported general blabla you spew, you choose to argue with me...
How come that when I turn the Windows updates off and some other services I don't need, ZERO information passes my router to the internet? Now you'd blab about _your_ router, but why don't you have passive and active scans and reporting and logging like me? If you would, you could know that IF NO PACKETS GO OUT they can't spy on you. I'm sorry that I spend my time talking to some security wannabe, but as I saw the news you could as well be the Top Security guy at Homeland Security. Good job, and good luck in the future as you will have to crutch on luck instead of skill and knowledge, Mr. SuperSecurity.

Your reading comprehension skills are an utter failure. No surprise there.

As I already wrote, I won't waste my time trying to educate the likes of you.

Aedaxus
Country House
Goonswarm Federation
#34 - 2017-06-18 12:32:52 UTC
Linus Gorp wrote:
Your reading comprehension skills are an utter failure. No surprise there.
As I already wrote, I won't waste my time trying to educate the likes of you.

Aw man, I'll be totally insecure, unlike the people you advise... :D Anyways, have a good day.
Linus Gorp
Ministry of Propaganda and Morale
#35 - 2017-06-18 12:50:50 UTC
Aedaxus wrote:
Linus Gorp wrote:
Your reading comprehension skills are an utter failure. No surprise there.
As I already wrote, I won't waste my time trying to educate the likes of you.

Aw man, I'll be totally insecure, unlike the people you advise... :D Anyways, have a good day.

Yeah, don't think that would be a bad thing. At least then there's an ever so tiny chance you'll learn from your own misery.

Gogela
The Conference Elite
CODE.
#36 - 2017-06-18 16:38:03 UTC
Axhind wrote:
Linus Gorp wrote:
Axhind wrote:
While it is true that Android is a security disaster, it is far more difficult to breach his exact Android phone than it is to brute force bad passwords that humans can remember.

In this case it is better to use KeePass on the phone (better would be on a PC, which is far easier to secure than Android) than the alternative.

KeePassX doesn't run on Android.


My bad. I mixed it up with the Android version. Anyway, KeePass is excellent software that I also use, and I have no idea why anyone would not use it. An offline password manager is far safer than online ones like LastPass.

I'm 100% on the KeePass train too. When you have it, there is absolutely no reason not to have long, strong passwords that are unique to everything you might log into. No recycled passwords. 2-stage authentication anywhere it's available. I do a lot of web work and can't take any chances... but knowing what I know now, I would say some kind of password vault is crucial these days. Most of the time when I research a site hack or something, it wasn't the site that got hacked... it was a stupid client that used the same 8-character password for everything for the last 10 years.

Signatures should be used responsibly...
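The two claims running through this thread, Linus Gorp's "random 120-byte string" versus a memorable 12-character password (#21) and Gogela's point that a vault lets you hold long, unique passwords for every site (#36), can be put in numbers. The following is an added example for this page, not code from the thread, from KeePass or from any project named here. It assumes printable-ASCII character classes for the entropy bound, a constructed attacker rate of 10 billion guesses per second, and a constructed sample vault; the entropy estimate is a brute-force upper bound only, so a sentence in any spoken language scores far below it in practice once an attacker guesses at words rather than characters.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes and their sizes (assumption: printable ASCII, as a
# password generator would use; 32 is len(string.punctuation)).
CHAR_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def estimated_entropy(password: str) -> float:
    """Brute-force upper bound from the character classes the password uses.

    Only bounds a blind search over the full class space; dictionary words or
    a sentence are far weaker than this number suggests. Non-ASCII characters
    are ignored, so a password made only of them scores 0.0.
    """
    alphabet_size = sum(
        size for chars, size in CHAR_CLASSES if any(c in chars for c in password)
    )
    return entropy_bits(len(password), alphabet_size) if alphabet_size else 0.0


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker who searches half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_password(
    length: int = 32,
    alphabet: str = string.ascii_letters + string.digits + string.punctuation,
) -> str:
    """Vault-style random password from the OS CSPRNG via `secrets` (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int = 6, sep: str = " ") -> str:
    """Random passphrase; entropy is words * log2(len(wordlist)), whatever the language."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def find_reused(vault: dict) -> dict:
    """Return {password: [sites...]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    rate = 1e10  # assumption: 10 billion guesses/s, offline attack on a fast hash
    for label, bits in [
        ("12 chars, upper/lower/digits, brute-force bound", entropy_bits(12, 62)),
        ("32 chars generated from 94 printable chars", entropy_bits(32, 94)),
        ("120 random bytes", entropy_bits(120, 256)),
    ]:
        print(f"{label}: {bits:.1f} bits, ~{crack_time_seconds(bits, rate):.3g} s")
    print("generated:", generate_password())
    # Constructed vault illustrating the reuse problem described in the post above.
    vault = {"mail": "Summer2017!", "bank": "Summer2017!", "eve": generate_password()}
    print("reused:", find_reused(vault))
```

The brute-force bound for the 12-character scheme is about 71 bits, which at the assumed rate is still decades of work; the real weakness of such passwords is that humans choose them from a far smaller space than the bound counts, which is exactly what a generated 32-character vault entry (roughly 210 bits) avoids. `find_reused` is the check a vault makes trivial: one password showing up for more than one site means one breach exposes all of them.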

Axhind
Eternity INC.
Goonswarm Federation
#37 - 2017-06-19 17:03:02 UTC
Gogela wrote:
Axhind wrote:
Linus Gorp wrote:
Axhind wrote:
While it is true that Android is a security disaster, it is far more difficult to breach his exact Android phone than it is to brute force bad passwords that humans can remember.

In this case it is better to use KeePass on the phone (better would be on a PC, which is far easier to secure than Android) than the alternative.

KeePassX doesn't run on Android.


My bad. I mixed it up with the Android version. Anyway, KeePass is excellent software that I also use, and I have no idea why anyone would not use it. An offline password manager is far safer than online ones like LastPass.

I'm 100% on the KeePass train too. When you have it, there is absolutely no reason not to have long, strong passwords that are unique to everything you might log into. No recycled passwords. 2-stage authentication anywhere it's available. I do a lot of web work and can't take any chances... but knowing what I know now, I would say some kind of password vault is crucial these days. Most of the time when I research a site hack or something, it wasn't the site that got hacked... it was a stupid client that used the same 8-character password for everything for the last 10 years.


One thing to remember is that none of this helps against a spoofed site. If they mess with your DNS you are screwed, unless you are lucky enough that your browser has the correct cert pinned or you pay a lot of attention. There really needs to be a lot more work done on authenticating the server to the user too.

This is why Threema is the only really secure IM. They make the key exchange easy so that even non-technical people understand it, and that is the only way to have proper security.
Ima Wreckyou
The Conference Elite
CODE.
#38 - 2017-06-20 06:51:50 UTC
Aedaxus wrote:
Heartbleed was caused by lack of funding.

Bugs are caused by lack of funding now? So why did WannaCry happen? Because Microsoft is poor?

OpenSSL is used by a lot of companies who earn money with selling products based on open source. The problem is not that there isn't money around to fix the problems, but that this particular project was neglected for too long by people who should have known better. Well people are aware now and there are multiple new and revived projects to remedy the situation and actually address the core problems of this mess.

But that is kinda offtopic.

Keepass is a very nice program and in my opinion a requirement if you want to keep track of your passwords which should be complex and different for every single site, service and application. I use it on all my devices and distribute the encrypted database with syncthing so it never touches a public cloud.

Even my phone is all free software because I could not use Android. That just reeks of spyware and all the features would be completely useless to me because I could never use them knowing I don't control the device.
Aedaxus
Country House
Goonswarm Federation
#39 - 2017-06-21 07:38:59 UTC
Ima Wreckyou wrote:
Aedaxus wrote:
Heartbleed was caused by lack of funding.

Bugs are caused by lack of funding now? So why did WannaCry happen? Because Microsoft is poor?

OpenSSL is used by a lot of companies who earn money with selling products based on open source. The problem is not that there isn't money around to fix the problems, but that this particular project was neglected for too long by people who should have known better. Well people are aware now and there are multiple new and revived projects to remedy the situation and actually address the core problems of this mess.

But that is kinda offtopic.

Keepass is a very nice program and in my opinion a requirement if you want to keep track of your passwords which should be complex and different for every single site, service and application. I use it on all my devices and distribute the encrypted database with syncthing so it never touches a public cloud.

Even my phone is all free software because I could not use Android. That just reeks of spyware and all the features would be completely useless to me because I could never use them knowing I don't control the device.

Did MS test it? Maybe. Did they report it? Probably. Did someone fix it? Yes, but too late, due to lack of resources, my intelligent EVE friends.
Ima Wreckyou
The Conference Elite
CODE.
#40 - 2017-06-21 08:40:38 UTC
Aedaxus wrote:
Did MS test it? Maybe. Did they report it? Probably. Did someone fix it? Yes, but too late, due to lack of resources, my intelligent EVE friends.

You really bend backwards to make your stupid argument work right? They have billions, so the issue is probably not funding but that software just has bugs my super cyber specialist forum friend.