Google claims to validate U2F internally. Is phishing's end near?

Google is making some serious claims this week. It’s telling anyone who’ll listen that it’s prevented internal phishing attacks—by issuing U2F keys to its entire workforce.

Let’s face it, la GOOG certainly has a huge target painted on its back. So “no successful phishing in 18 months” is a fine claim.

But (there’s always a but) widespread support for the standards is still a bit of an issue. In this week’s Security Blogwatch, we jingle our key rings.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Detecting data breaches with MATH 

State of Security Operations 2018: Go Inside World SOCs

2FA USB FTW?

What’s the craic? Brian Krebs recycles Google—Security Keys Neutralized Employee Phishing:

Google has not had any of its … employees successfully phished on their work-related accounts since … it began requiring all employees to use physical Security Keys in place of passwords … the company told [me].

The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in … unless they also hack or possess that second factor. [But] a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device.

U2F is an emerging open source authentication standard. … With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn”.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20. … In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app [but] if the only 2FA options offered … are SMS and/or phone calls, it is still better than simply relying on a password.

O RLY? John E. Dunn done “churned out a pessimistic blog”:

Given that Google has 85,050 employees—all of whom would be prized targets for phishing attacks—this is a remarkable advert for tokens.

Google’s systems can ask employees to present their keys in a number of contexts and not only when logging on to email when they start work. It’s a secondary trend in which regular re-authentication slows attackers who do somehow compromise an account.

[But] why do so few people beyond Google use [U2F or WebAuthn]?

And making a fine distinction, it’s Joseph Steinberg:

Did [Google] really say "not successfully phished"? Or was it more of "people were successfully phished, but there were no successful account takeovers"?

Security Keys do not stop phishing - they render it impotent.

So Raj Goel draws a Pareto-style analogy:

This … solves the 99% problem. Just like seatbelts.

Doesn't solve every edge case, extreme cases or incredibly stupid drivers.

This is a seatbelt. We still need IIHS, drivers licenses & auto insurance.

But is this still vulnerable to social engineering? Christopher Schmidt suspects not:

If you lose [your keys], in-person help desk validates you with your employee badge combined with photo lookup in employee database. (There is no recovery method that isn't in person, in my experience.)

What’s next? Here’s @Lucky225:

The next problem is going to be people leaving the USB key in the USB port due to laziness by the end user.

USB keys are great if you treat it like a car key and don't leave it in the ignition.

It turns out this story isn’t just about Google employees. Here’s Google’s Prabhakar Raghavan:

 

But what if you ignore the issue? Steve Ragan seasons the story—Samsam infected thousands of LabCorp systems via brute force RDP:

LabCorp, one of the largest clinical labs in the U.S., said the Samsam ransomware attack that forced their systems offline was contained quickly. … However, in the brief time between detection and mitigation, [it] was able to encrypt … 7,000 systems and 1,900 servers. … Of those 1,900 servers, 350 were production servers.

The source of the attack [was] a brute forced RDP instance. … LabCorp will likely implement two-factor authentication in the future. … One of the key recommendations from security experts dealing with Samsam … is to implement two-factor authentication.

In March, based on the current value of Bitcoin at the time, it was estimated that the group had earned nearly $850,000 USD from their victims, who paid the ransom demands.

Meanwhile, Richard Goodwins snarks it up, corrupting the familiar 2FA mantra:

Something you've forgotten, and something you've lost…

The moral of the story? Support U2F and/or WebAuthn already!

And finally …

Detecting data breaches with MATH

More info: In the spirit of transparency


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Conor Patrick (S-BSD)

Topics: Security