Google Adds 2-Factor Security to Gmail, Apps

Discussion in 'other security issues & news' started by diginsight, Sep 21, 2010.

Thread Status:
Not open for further replies.
  1. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    krebsonsecurity
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you know what I really would like to see happening?

    Web browsers to have strong keylogging protection! Why don't they do it? For the free market sake? At what cost?

    Is not like like they're all dumb people, is it?
     
  3. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Do you think it's possible to implement keylogging protection in a browser if malware is already present?
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Exactly. :thumb:

    I'll never understand the obsession people seem to have with anti-keyloggers and anti-rootkits. They have their place, but it's a rather specialized one, and certainly not for mainstream, everyday use where the main concern should be to keep your operating environment clean in the first place.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you think it's necessary any sort of antimalware protection, if the system is already compromised?
    Do you think it's necessary any snapshot application, considering most wouldn't even know whether or not any of the snapshots would already had been compromised?
    Do you think it's necessary any O.S security updates, if infections can occur from other vectors?

    Do you think browsers should have their security holes patched, considering infections can occur from other vectors?

    etc, etc...

    In the end, no need for anything.

    And, when I mention anti-keylogging protection, I don't mean it for me. I know how to cover my ~ Snipped as per TOS ~, using what the O.S already offers me.
    I'm rather talking about Jane/Joe. For them, a strong anti-keylogging feature, already has part of the web browser, and again, I repeat, a strong anti-keylogging, makes all the difference, within the context of an in-depth security implementation.

    I'm not sure about your skills to know whether or not your system is clean in the first place; but to be honest, I'm not that much concerned about you. I'm more concerned about people I know, and that having (which they do) a strong anti-keylogging mechanism, sure makes all the difference, and again, within the context of an in-depth security implementation.

    Rather than a damn mobile phone code feature, which not everyone has a mobile phone. An anti-keylogging feature sure would be a lot better, IMHO.

    Edit: I guess that you mean by "mainstream" the Joe/Jane, right? If not suitable for them, suitable for the user with enough knowledge to cover their asses? Your thought makes no sense, at all. At least, not to me.
     
    Last edited by a moderator: Sep 22, 2010
  6. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The point of antimalware software IS to prevent infection.

    One can easily take a snapshot of a known good configuration, e.g. right after a fresh OS install.

    That depends. If your usage patterns means that the majority of your infections come from the OS or browser vulnerabilities, then obviously you need to keep them upgraded accordingly. If not, why bother? Personally, I keep my browser updated, but I haven't got a single security patch installed for my OS.

    Don't be silly. These things need to be looked at on a case-by-case basis. Just because X isn't necessary doesn't mean EVERYTHING else is unnecessary.

    You haven't answered the question. Do you think it's possible to implement keylogging protection in a browser if malware is already present?

    Effective keylogging protection within the browser means that the browser needs to run with admin rights, or at least be able to communicate with a component that does. I'm sure you see where this is leading to...
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Wrong. Something that cannot detect 100% of malware will never prevent infections.

    I'm not saying this to lead people into believing they shouldn't be using one. They should, if they have no other ways, or don't know otherways, of protecting themselves. But, obviously, as part of a layered security.

    And, what exactly lets you know the clean install is 100% clean? Are you talking about just the O.S? Otherwise, how do you know you can fully trust that any of the applications you just installed, that comes from a known vendor, hasn't been compromised, and you even checked the checksum and they matched... Does that mean is the real thing? Let's face it... this can happen.

    I'm not saying it would happen to you or me. But, do you really think most would know how to previously test whether or not it would be safe to use certain application or not?

    I'll give you an example. IE7Pro adblocker. The forum has been taken over sometime ago, for what I heard. Do you think most users who be aware of such?

    I'd never trust such an application. But, for all that matters for most of users, the checksum matches. It's safe, right? Think again.

    So, again... How can most tell they have a clean snapshot? Or, if they ever had one, except for just the O.S. And, for all they know, they do have.

    Why bother with browser updates? Or even O.S updates, if other infection vectors exist? You need to cover them all up.

    And, again, I ask: Is the Jane/Joe up to that very same task? I'm afraid not.

    Exactly. Just because you see an anti-keylogger or anti-rootkit of no importance (Because you do know how to cover your ~ Snipped as per TOS ~!), the same doesn't apply to everyone else, now does it?

    Yes, I have. And, again, as part of an in-depth security.

    I never said within the browser itself. As part of the browser, as in bundled it with, as a separate application.

    I'm sure the developers of the main web browsers are more than capable people to develop a strong anti-keylogger, provided free for their user base. They're not dumb people...

    Edit: For most users certain tools make all the difference.

    Also... diginsight is assuming most would know the system is infected. If the antivirus/antimalware is able to detect it, then it will tell them... But, not that more or no more infections still have place.
    An anti-keylogger may make all the difference between being completed ****** ** their (_|_)s or not.
     
    Last edited by a moderator: Sep 22, 2010
  8. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    You're missing the point. I've never claimed that antivirus software is perfect. What I said was that it's a step towards the correct goal (prevention), instead of focusing on a futile strategy.

    That is up to your personal discretion. The examples you mentioned are exceedingly rare that they can be statistically discounted from consideration, much like how you don't consider the possibility of being blindsided by a Mack truck on your first step out of your door.

    I know you're enthusiastic to shout out your point of view, but please do read what I said unless you're just interested in a monologue. To repeat myself: it depends on your usage patterns. You need to plug the infection vectors that are relevant to your usage patterns, and whether you decide to bother with the rest is up to you.

    No, you've just thrown a completely irrelevant answer. As part of in-depth security, obviously it needs to contribute to your security baseline in some way, otherwise there's no point for it being there. A tool that is incapable of properly carrying out its intended function does not improve security.

    Again, the question is: do you think it's possible to implement keylogging protection in a browser if malware is already present?
     
    Last edited by a moderator: Sep 22, 2010
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know why you make it be about me or you. I'm pretty sure we're more than capable of mitigating any infecting vector.

    I did mentioned the Jane/Joe, but for whatever reason, you seem not to be taking them into consideration.

    I did answer the question, and in my previous post I stated it out clearly, and I'll quote my self.

    It's up to each individual person to decide whether or not an anti-keylogger or any other malware fighting tool is of use.
    And, then it is up to those who know a little bit more to help those who don't know nothing at all, and help them accordingly to what they can handle.

    And, you now start to confuse me with this statement of yours:

    I can assume that what you're saying is that, part of an in-depth security, it contributes to help users.
    That's the same as assuming that an infection may still occur, despite some other means users may have set in place, and the anti-keylogger may be what prevents a major damage, as in users wallets.
    Is that what you're saying? Or, am I misunderstanding you?
     
  10. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I think you may be.

    You seem to be under the assumption that an anti-keylogger can be counted on to provide effective protection - or any protection at all - when the operating environment is compromised. That is an incorrect assumption. Once the keylogger is running with at least equal privileges as the anti-keylogger, all bets are off.

    It doesn't matter who's using it. Whether the user is wushi or my grand aunt, an unreliable tool is an unreliable tool.
     
    Last edited: Sep 22, 2010
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. But, you said that "As part of in-depth security, obviously it needs to contribute to your security baseline in some way".

    Now, you say it doesn't? Are you also saying that no anti-keylogger can help, at all? Like, say, Prevx SafeOnline, Trusteer Rapport or KeyScrambler, etc.

    Please, note that I'm not saying that people should let their systems infected, if they know they're infected, and believe they're 100% safe against keyloggers. If they're antimalware applications report an infection, they should take all the steps to make sure they're systems are 100% clean.

    I'm saying that in a scenario where users have no idea, that a good anti-keylogging technology will help better secure them.
    And, the use of an anti-keylogging technology may make all the difference.

    I truly would like to hear what you have to say about those technologies I mentioned above, and maybe others you're aware of.
    Because, from what I can understand, they do nothing and are misleading tools?

    I believe that an anti-keylogging technology serves to do what it means it does. Obviously, not as the only thing to protect a system, specially because it won't.
     
  12. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I though this thread was about the new 2-step Google log in. Pehaps I misread the title?

    This is Google implementing a procedure to protect users that do not use stong passwords. This does appear to be optional or at least will be for individuals. I use a strong password and Google does not have my cell phone number and I will not provide it.

    Google Online Security Blog: Moving security beyond passwords
     
  13. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The problem is a very fundamental and simple one, and is not limited to anti-keyloggers: once a process or driver is running with equal privileges as another process or driver, there's nothing to stop them from doing whatever they want to each other (it's actually a bit more complicated, but that's the general gist of it). Once it successfully infiltrates a system, a keylogger - or any malware - can freely tamper with or terminate any present defense mechanisms. Some anti-malware software implement self-defense techniques, but it's essentially a cat-and-mouse game.

    Same goes for antivirus software, where some vendors have resorted to building ever-increasing layers of self-protection at the risk of kernel stability, and anti-rootkits, which should be used alongside with inspecting the system from a live environment if you're really dealing with a serious rootkit infection. It's not that anti-keyloggers don't work, it's that they're only useful when you're already compromised, and by then you can't really be sure if anything is working as it should anymore, especially when a keyloggers are by nature designed to hook APIs, subvert the kernel, or otherwise hijack the OS in subtle ways.

    Prevention, on the other hand, is something that can be pulled off really well with minimal effort. If you keep your software patched, don't run an administrator account, install a good antivirus, and employ basic common sense, you're essentially invulnerable. Popular sentiment is that antivirus software isn't 100% foolproof, but the fact is that an antivirus with well-written detection routines can be EXTREMELY effective against exploit code, which are often harder to obfuscate as well as binary code.

    And chrisretusn is right, we're apparently getting a bit OT. My last post regarding this subject in this thread.
     
  14. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    If we assume malware is already present and the user does not know it, how do you prevent your passwords from being compromised?

    Under those circumstances I think two-factor authentication provides a method to prevent unauthorized access. Gmail will now provide this for free. If you don't want to submit your mobile phone number to Google, you can also use a yubico key with e.g. Lastpass premium to implement two-factor authentication and use lastpass to login to your gmail account.

    As to mainstream users, I don't think they will be going to use two-factor authentication as it's not very user friendly to always carry around your mobile or key when you want to access your gmail account.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    diginsight, my point was that have some sort of anti-keylogging technology bundled with the web browser, whether something like, say Keepass or similar, or like some of the tools I mentioned, and which most folks have no idea about them, would prove to be more useful than what Google is going to do. Sure, what Google is going to do is useful... I never said otherwise... But, not everyone has a mobile phone nor anyone wants the hassle of always having to do that.

    And, you said that if the system is already compromised... then, that means that the antimalware the user is using alerted him/her. Then, if the user is perfectly sane of his/her head, then every precaution must be taken.

    Then, I answered that if a system is already compromised, and the user has no idea, then, what good would an antimalware, etc., do for this users? The thing is, more than 90% of users won't know whether or not their systems are compromised until their antimalware applications alerts them, and the same doesn't mean that the infection occured or tried to occur at that very specific moment.
    Now, should these users simply stop using antimalware applications? Stop updating their O.Ss, browsers, etc? No.

    I mentioned an anti-keylogging system as part of an in-depth security, and for some reason, it was took in a way that an anti-keylogging system would be the only thing that would be there to protect users' interests.

    That would be insane.

    But, I don't know whether you agree with me or not, but in a scenario where a system is compromised, and users have no idea, simply because no alert has been given to them by their antimalware applications, for all they care about their systems are clean. This is the reality. It's what I deal with. And, in such scenarios a layered security, where anti-keylogging technology is present (Not alone.), then it sure will make them be better protected than if they hadn't one at all.

    And, an anti-keylogging technology could be a mix of something like Keepass, which encryts passwords and types them for users, resulting in no key strokes, with some technology that prevents what is being "typed" by something like Keepass, from being captured.

    Those solutions are out there, but does everyone know about them? Sadly, no. So, in my opinion, they'd be better with such, than with a mobile code, considering most wouldn't want the hassle or wouldn't have a mobile, at all.

    And, Eice, if malware runs with equal rights, as you say than is game over for everything. There would be no point of using anything... Everything would be useless.
    Let us advice everyone not to use such protection mechanisms, simply because if malware gets equal rights, than gave is over.
     
  16. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    m00nbl00d, either we're terrible at explaining ourselves, or you refuse to read. I'm not sure which.

    I suggest you sit down and try to really answer the question diginsight posed in post #3. And no, "part of an in-depth strategy" isn't an answer, for reasons already explained. The question here is "how".
     
  17. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Hi m00nbl00d,

    We agree on an in-depth strategy.

    Even if anti-keylogging technology like e.g. Keepass' Two-Channel Auto-Type Obfuscation is implemented in the browser as part of in-depth security layer, this will only raise the bar for keyloggers. As soon as this becomes mainstream it will also be targeted by malware.

    In the Netherlands two-factor authentication is often mandatory for logging in to your bank account, but I understand not every bank uses this and that for everyday webmail use not every user wants the hassle of using two-factor authentication or has the resources to acquire them.

    As such I see two solutions: use defensive lines to prevent the malware from successfully executing and compromising the system or use two-factor authentication to avoid the consequences of the malware's behaviour (e.g. stealing passwords), once the malware has been executed and has compromised the system.

    I don't think it's very realistic both will be implemented by mainstream users, so the problem will remain to exist.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hmmm... You truly lost me with this part, I must confess:

    1. You say they work.
    2. You say they're useful when a system is compromised.

    I ask: Isn't what they're suppose to do? To protect against keystroke logging?

    Now, decide which opinion you have. Because, either they are useless and won't protect a damn thing, or they have use and will protect against keystroke logging.

    And, yes, part of an in-depth security, is the answer.

    To be honest, with that statement of yours, you have answered diginsight question.
    Your answer is that they work, and that in a compromised system they're useful. Which, for what I see, they're useful to have, just in case the system becomes compromised, and the users wouldn't even know.

    Please, Eice and diginsight, note that I'm not arguing the prevent part. Prevention is the first step. I'm not neglecting this factor. I'm only adding the anti-keylogging factor to the prevention factor.

    diginsight, you say:

    I do agree with you. I never said I didn't.

    Prevention is the first step. And, a prevention for most of users can be divided into two steps:

    1. Prevent infections, by offering them means they can handle with.

    Not even on purpose, moments ago, I was convincing someone to create a system image just in case. I was answered it gives too much trouble.

    Then, among other stuff, I suggested the following: I'd place a website loading along side the search engine, when first opening the web browser, and before entering a site, to right-click on a link and paste it into the search form of that other website which verifies whether or not websites are malicious, by searching a few other services.
    I was told: I'm not sure I will even remember it.
    There are people who really are stubborn.

    If that doesn't work with such people, even less a two-factor authentication.

    So, a strong anti-keylogging feature sure is better than nothing, but not alone, obviously. And, Eice, don't come saying an in-depth security has nothing to do with it. It has everything to do with everything.

    Anyway, the thread, for what I'm concerned has grown too far on this matter, and I leave it here.

    I guess that we're gonna have to agree to disagree.


    Regards
     
  19. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    *facepalms*

    I meant "useful" as in it's after you get infiltrated by a keylogger that anti-keyloggers would have anything to protect against. Except that you can never be sure if they're reliable anymore when you're compromised.

    So your answer to the question of "how do you prevent your passwords from being compromised when you're running in an infected environment" is "anti-keyloggers are part of an in-depth security strategy"?

    Please, take a moment to sit back and read that. Did that make any sense whatsoever?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My truly last comment.

    Where the hell did I ever say that I'd run a damn anti-keylogging technology in a system I know to be compromised?
    Point me any sentence where I've stated that. Or, point me to any sentence where I've stated people should be using anti-keylogging technology no matter what.

    All I've said, and don't put words on my "mouth", was that: More than 90% of users won't know the system is compromised in the first place, and for these users an anti-keylogging security implementation will be useful, because it may protect their keystrokes, when their other antimalware applications failed to detect, hence to prevent the infection in the first place.

    For those users to know their systems are infected, they need to know their systems are infected, don't they?

    So, there exists a difference, in the scenario of an infected system, which those users have NO idea, between having or not having an anti-keylogging security in place, doesn't it?

    I could simply say: They all should make a default-deny policy with their firewall, blocking Internet access to everything, except their trusted applications. But, would this be something those more than 90% Joes and Janes would be able to deal and handle with? NO

    So, again, sorry to say that, in such scenario, an anti-keylogging security is better than not having it at all.

    All you have in mind, is that, they will know before hand their systems are infected, while it is not the case. Those users won't know something hit them, until their antimalware application spots something, that could had been in their systems for weeks if not months without detection.

    And, when I mentioned anti-keylogging technologies coming with the web browsers, I didn't mean to specifically being for Gmail. Every use, like banking.

    Those more than 90% Joes and Janes, will do home banking, in their systems, as long as their antimalware applications report nothing. But, does this mean all is great? Again, NO.

    So, won't an anti-keylogging security, be what makes all the difference, at some point?

    Cheers
     
  21. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    From what I can understand, it looks like you're happy with a placebo. To each his own, I suppose.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. This one did touch my nerve.

    So, now you state they're placebo, and for two times already, you've mentioned the following:

    You need to clear your thoughts. Because, either it's placebo or they have some use.

    Make a decision. They can't be one thing, at a given moment, and then be something else entirely different.
    Either they have use, or they don't, at all.

    I do agree with you. They're only useful when the system has been compromised. And, for those who have no idea their systems have been compromised, they may be what saves their wallets, in the end of the day.

    So, everything is a placebo. After reading all your posts, I interpret this:

    If some person knows how to tell whether or not his/her system is infected, then this person is OK.

    If some person knows nothing, he/she still should not make use of antimalware applications, etc. Because, deep down, they are all placebo and won't protect him/her.

    So, if all more than 90% of users can handle with are antimalware applications, which I will include anti-keylogging technology, they should not be using them, because they're nothing but placebo.

    They're better off with nothing. OK.

    I guess I'm glad you're not one of those users. :)


    Cheers
     
  23. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I've already answered that question and "cleared my thoughts", in good faith and more than once, regarding the context of my words and the facts to back them up.

    If doing so 2-3 times only results in you repeating the same tired old rhetoric that doesn't even acknowledge - much less touch on - what I said, I guess it's a sign I should stop wasting my time.

    Cheers.
     
    Last edited: Sep 23, 2010
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    As a way of saying goodbye to this thread and any discussion with you, let me recapitulate the following:

    User diginsight starts a thread about Google going to introduce a new two-authentication factor.

    I stated that I'd rather like to see web browsers to come with anti-keylogging technology. Not within the browsers themselves, but bundled with them, as separate applications.

    Then, user diginsight in all his/her right asked if I thought that
    Then you came stating you
    This is actually one more moment where you admit they do have their own place; a reason to exist.

    I asked why would anyone want to have (as in, install) any antimalware application, etc., in a system already compromised.

    This, by itself, clearly states that no one in his/her perfect mind, would access anything where would be needed to input an username and password, access codes.
    It also states that the system ought to be completely clean.

    But, this is assuming we're talking about users who are aware their systems are infected. And, since the start, for many times, I've clearly made a distinction beetwen those who enough knowledge to the point of not needing any antimalware, etc., and those who do need.

    And, to those who need, because otherwise, they'd be in deep crap, an anti-keylogging technology is a sure allie. And, it's an allie, in situations where other security measures they have in place, and security measures they can deal with, fail to detect. Obviously, and as I've countless times mentioned, these users won't know their security implementations failed to protect against infections; hence, for all they know, their systems are clean.

    Again, in a scenario where those users access, say, their bank account, an anti-keylogging technology may be all there's left between an infected system, say, with a keylogger and the credentials of their bank account.
    And, once again, they wouldn't know the system is infected, because their other measures haven't alert them for that fact, in the first place. They accessed their bank account, because according to their security, the system is safe and sound.

    But, anyway... since the start you mentioned things like
    I can't possible understand why, but since the start you always assumed I was talking about me and that I'd know my system is infected/compromised, etc., etc...

    Unfortunately, I never talked about myself. I say unfortunately, because if everyone were like me or you or diginsight, I suppose, we wouldn't need an anti-keylogging technology... Not even antimalware applications.
    Personally, most of my security, is what the O.S already provides me with.

    But, I was never talking about my self. Since the start I was talking about dear Jane and dear Joe, who would have no idea that their systems could be compromised. I say an anti-keylogging technology could be what could saved them from a worse situation... You seem not to think so. Your right to think it so... or to say it so.

    Bye
     
  25. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The answer is simple: because you refuse to read, preferring to engage in a monologue instead. If by any chance you're really interested, the answer is in the last sentence of post #10.

    You keep harping on that the user may not know if he's already infected, perhaps under the assumption that will change anything about the effectiveness or reliability of anti-keyloggers. You also keep harping on how anti-keyloggers could be the last line of defense, all while beating around the bush and refusing to answer the very straightforward question of how do you expect them to work reliably in an infected environment, and actually carry out their intended purpose as a line of defense, last or otherwise.

    Oh well.
     
Loading...
Thread Status:
Not open for further replies.