close
    • chevron_right

      Recovering Passwords by Measuring Residual Heat

      news.movim.eu / Schneier · Tuesday, 11 October, 2022 - 19:34 · 1 minute

    Researchers have used thermal cameras and ML guessing techniques to recover passwords from measuring the residual heat left by fingers on keyboards. From the abstract:

    We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting from input publicly available. Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds. We found that typing behavior significantly impacts vulnerability to thermal attacks, where hunt-and-peck typists are more vulnerable than fast typists (92% vs 83% thermal attack success if performed within 30 seconds). The second study showed that the keycaps material has a statistically significant effect on the effectiveness of thermal attacks: ABS keycaps retain the thermal trace of users presses for a longer period of time, making them more vulnerable to thermal attacks, with a 52% average attack accuracy compared to 14% for keyboards with PBT keycaps.

    “ABS” is Acrylonitrile Butadiene Styrene, which some keys are made of. Others are made of Polybutylene Terephthalate (PBT). PBT keys are less vulnerable.

    But, honestly, if someone can train a camera at your keyboard, you have bigger problems.

    News article .

    • chevron_right

      Bypassing Two-Factor Authentication

      Bruce Schneier · news.movim.eu / Schneier · Wednesday, 30 March, 2022 - 14:38

    These techniques are not new, but they’re increasingly popular :

    …some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

    […]

    Methods include:

    • Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
    • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
    • Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

    FIDO2 multi-factor authentication systems are not susceptible to these attacks, because they are tied to a physical computer.

    And even though there are attacks against these two-factor systems, they’re much more secure than not having them at all. If nothing else, they block pretty much all automated attacks.