USB security keys
 by: David Paste - Mon, 26 Feb 2024 22:24 UTC

Anyone got anything good or bad to say about them?

Do they work with linux as well as Windows?

I don't have a clue about them, but a youtube channel I watch has been
hacked twice in a month despite 2FA and all that jazz. He mentioned it
might be time for a security key, hence my question here.

Also, if 2FA hasn't stopped a hacking attempt, what use is it?!

Thanks for reading, and thanks for any answers being written at a 5 year
old's level!

Re: USB security keys
 by: John Rumm - Tue, 27 Feb 2024 02:26 UTC

On 26/02/2024 22:24, David Paste wrote:
> Anyone got anything good or bad to say about them?
>
> Do they work with linux as well as Windows?
>
> I don't have a clue about them, but a youtube channel I watch has been
> hacked twice in a month despite 2FA and all that jazz. He mentioned it
> might be time for a security key, hence my question here.

> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!

The main problem with 2FA on sites like youtube is that it is not really
being used that well. It is set up for convenience and ease of use rather
than strong security.

The 2FA is used to establish a session, but that session is then made
semi permanent by use of session cookies. So once the platform has
passed the 2FA, it is then in effect left logged in for an extended
period of time. Most of the compromises seem to be based on stealing
those session cookies, and then transplanting them to the attacker's
system. Lo and behold, their browser is then automatically logged into
the account with no need for further 2FA checks.

2FA ought to be required for every login, with an inactivity timeout that
logs out of the account if not used for 30 mins etc.

It is also not a good idea to use the machine that is used for
interacting with the account, uploading etc, for non related tasks like
admin and email. If you only have one machine, do all the admin stuff
inside a virtual machine, that is never used to access the account. That
way even if it is compromised, there are no sessions to hijack.

> Thanks for reading, and thanks for any answers being written at a 5 year
> old's level!

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
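
The session behaviour described in the post above, modelled as a small server-side session store. This is an added example, not code from the thread or from any real site; the class and function names, the `channel-owner` user and the fake clock are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 30 * 60  # the 30-minute inactivity timeout suggested in the post


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table (hypothetical design for this example)."""

    def __init__(self, idle_timeout_s=IDLE_TIMEOUT_S, clock=time.time):
        self.idle_timeout_s = idle_timeout_s  # None models a "stay logged in" session
        self.clock = clock
        self._sessions = {}

    @staticmethod
    def _key(token):
        # Keep only a digest, so a leaked session table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, password_ok, second_factor_ok):
        """Issue a session cookie only if both factors were verified for this login."""
        if not (password_ok and second_factor_ok):
            return None
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token):
        """Return the user for a live session, or None once it has idled out."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.clock()
        if self.idle_timeout_s is not None and now - sess.last_seen > self.idle_timeout_s:
            del self._sessions[key]  # expired: the cookie is dead for every holder
            return None
        sess.last_seen = now  # sliding window: activity keeps the session alive
        return sess.user

    def logout(self, token):
        self._sessions.pop(self._key(token), None)


class FakeClock:
    """Controllable clock so the timeout can be exercised without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def cookie_still_valid_after(idle_timeout_s, idle_gap_s):
    """Log in with 2FA, leave the session idle, then present the same cookie again.

    validate() sees only the cookie value: nothing tells the server which
    machine is presenting it, which is why no further 2FA check happens.
    """
    clock = FakeClock()
    store = SessionStore(idle_timeout_s, clock)
    cookie = store.login("channel-owner", password_ok=True, second_factor_ok=True)
    clock.advance(idle_gap_s)
    return store.validate(cookie) == "channel-owner"


if __name__ == "__main__":
    for label, timeout in (("no idle timeout", None), ("30 min idle timeout", IDLE_TIMEOUT_S)):
        for gap in (10 * 60, 2 * 3600, 3 * 86400):
            ok = cookie_still_valid_after(timeout, gap)
            print(f"{label:>20}: cookie presented after {gap:>6}s idle -> valid={ok}")
```

The 10-minute case validates under both settings: an idle timeout shortens how long a copied cookie stays useful, but it does not tie the cookie to one machine.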

Re: USB security keys
 by: Jethro_uk - Tue, 27 Feb 2024 07:45 UTC

On Mon, 26 Feb 2024 22:24:41 +0000, David Paste wrote:

> Anyone got anything good or bad to say about them?
>
> Do they work with linux as well as Windows?
>
> I don't have a clue about them, but a youtube channel I watch has been
> hacked twice in a month despite 2FA and all that jazz. He mentioned it
> might be time for a security key, hence my question here.
>
> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>
> Thanks for reading, and thanks for any answers being written at a 5 year
> old's level!

TL;DR is that they are better than nothing. Think of them as locking
your car which deters 90% of casual attacks.

I know SMS based 2FA is susceptible to hijacking (due to poor security on
the telcos' part). But (and this applies to a lot of cases) there is a
certain amount of effort needed which tends to eliminate a lot of
potential victims.

Re: USB security keys
 by: SH - Tue, 27 Feb 2024 07:46 UTC

On 27/02/2024 02:26, John Rumm wrote:
> On 26/02/2024 22:24, David Paste wrote:
>> Anyone got anything good or bad to say about them?
>>
>> Do they work with linux as well as Windows?
>>
>> I don't have a clue about them, but a youtube channel I watch has been
>> hacked twice in a month despite 2FA and all that jazz. He mentioned it
>> might be time for a security key, hence my question here.
>
>> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>
> The main problem with 2FA on sites like youtube is that it is not really
> being used that well. It is set up for convenience and ease of use rather
> than strong security.
>
> The 2FA is used to establish a session, but that session is then made
> semi permanent by use of session cookies. So once the platform has
> passed the 2FA, it is then in effect left logged in for an extended
> period of time. Most of the compromises seem to be based on stealing
> those session cookies, and then transplanting them to the attacker's
> system. Lo and behold, their browser is then automatically logged into
> the account with no need for further 2FA checks.
>
> 2FA ought to be required for every login, with an inactivity timeout that
> logs out of the account if not used for 30 mins etc.
>
> It is also not a good idea to use the machine that is used for
> interacting with the account, uploading etc, for non related tasks like
> admin and email. If you only have one machine, do all the admin stuff
> inside a virtual machine, that is never used to access the account. That
> way even if it is compromised, there are no sessions to hijack.
>
>
>> Thanks for reading, and thanks for any answers being written at a 5 year
>> old's level!
>

Windows 11 (and I think Windows 10 too) comes with Sandbox..... you will
need to enable VT-D or virtualisation in the BIOS and also enable it in
the add/remove programs option in control panel.

It's easier to start up and use albeit a cut down version of full fat
windows and has Edge browser. Once you exit Sandbox, it's literally
thrown away and you start with a completely fresh new Sandbox, whereas a
VM would be persistent across restarts and reboots. If you get infected
in a VM, you'd have to roll back or rebuild the VM, whereas with
Sandbox, just close down and restart.

If you want to print or have a diff browser then that's a bit of a faff
as you'd have to install every time you use Sandbox as it's non-persistent.

SH

Re: USB security keys
 by: Handsome Jack - Tue, 27 Feb 2024 08:09 UTC

John Rumm <see.my.signature@nowhere.null> wrote:
> On 26/02/2024 22:24, David Paste wrote:
>> Anyone got anything good or bad to say about them?
>>
>> Do they work with linux as well as Windows?
>>
>> I don't have a clue about them, but a youtube channel I watch has been
>> hacked twice in a month despite 2FA and all that jazz. He mentioned it
>> might be time for a security key, hence my question here.
>
>> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>
> The main problem with 2FA on sites like youtube is that it is not really
> being used that well. It is set up for convenience and ease of use rather
> than strong security.
>
> The 2FA is used to establish a session, but that session is then made
> semi permanent by use of session cookies. So once the platform has
> passed the 2FA, it is then in effect left logged in for an extended
> period of time. Most of the compromises seem to be based on stealing
> those session cookies, and then transplanting them to the attacker's
> system. Lo and behold, their browser is then automatically logged into
> the account with no need for further 2FA checks.
>
> 2FA ought to be required for every login, with an inactivity timeout that
> logs out of the account if not used for 30 mins etc.
>
> It is also not a good idea to use the machine that is used for
> interacting with the account, uploading etc, for non related tasks like
> admin and email. If you only have one machine, do all the admin stuff
> inside a virtual machine, that is never used to access the account. That
> way even if it is compromised, there are no sessions to hijack.

Or set the browser to clear cookies each time it is closed?

Re: USB security keys
 by: John Rumm - Tue, 27 Feb 2024 09:42 UTC

On 27/02/2024 07:46, SH wrote:
> On 27/02/2024 02:26, John Rumm wrote:
>> On 26/02/2024 22:24, David Paste wrote:
>>> Anyone got anything good or bad to say about them?
>>>
>>> Do they work with linux as well as Windows?
>>>
>>> I don't have a clue about them, but a youtube channel I watch has been
>>> hacked twice in a month despite 2FA and all that jazz. He mentioned it
>>> might be time for a security key, hence my question here.
>>
>>> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>>
>> The main problem with 2FA on sites like youtube is that it is not
>> really being used that well. It is set up for convenience and ease of
>> use rather than strong security.
>>
>> The 2FA is used to establish a session, but that session is then made
>> semi permanent by use of session cookies. So once the platform has
>> passed the 2FA, it is then in effect left logged in for an extended
>> period of time. Most of the compromises seem to be based on stealing
>> those session cookies, and then transplanting them to the attacker's
>> system. Lo and behold, their browser is then automatically logged
>> into the account with no need for further 2FA checks.
>>
>> 2FA ought to be required for every login, with an inactivity timeout
>> that logs out of the account if not used for 30 mins etc.
>>
>> It is also not a good idea to use the machine that is used for
>> interacting with the account, uploading etc, for non related tasks
>> like admin and email. If you only have one machine, do all the admin
>> stuff inside a virtual machine, that is never used to access the
>> account. That way even if it is compromised, there are no sessions to
>> hijack.
>>
>>
>>> Thanks for reading, and thanks for any answers being written at a 5 year
>>> old's level!
>>
>
>
> Windows 11 (and I think Windows 10 too) comes with Sandbox..... you will
> need to enable VT-D or virtualisation in the BIOS and also enable it in
> the add/remove programs option in control panel.

Yup Win 10 has it as well.

> It's easier to start up and use albeit a cut down version of full fat
> windows and has Edge browser. Once you exit Sandbox, it's literally
> thrown away and you start with a completely fresh new Sandbox,

Indeed - it can be quite handy for testing software installs and all
kinds of things where you don't need persistent storage of anything.

> whereas a
> VM would be persistent across restarts and reboots. If you get infected
> in a VM, you'd have to roll back or rebuild the VM, whereas with
> Sandbox, just close down and restart.

First thing to consider is that the sandbox *is* a VM - sat atop
Hyper-V. It is just configured so that it boots from a known checkpoint
each time. You can achieve the same functionality with any VM platform
using checkpoints. You in effect just stick a stake in the ground, give
it a name, and then you can always revert to that point in time -
including reverting to the VM's file system as it was at the time of the
checkpoint. (although if you connect to a real network drive etc and
make changes to that, then those will not revert)

For your general email platform, you may want some persistence, since
you probably don't want to re-install and configure your email system
every morning, and wait for it to synch however many gig of email.

> If you want to print or have a diff browser then that's a bit of a faff
> as you'd have to install every time you use Sandbox as it's non-persistent.

You can always create your own sandbox, where the starting point
includes all your baseline software and setup.

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

Re: USB security keys
 by: John Rumm - Tue, 27 Feb 2024 09:43 UTC

On 27/02/2024 08:09, Handsome Jack wrote:
> John Rumm <see.my.signature@nowhere.null> wrote:
>> On 26/02/2024 22:24, David Paste wrote:
>>> Anyone got anything good or bad to say about them?
>>>
>>> Do they work with linux as well as Windows?
>>>
>>> I don't have a clue about them, but a youtube channel I watch has been
>>> hacked twice in a month despite 2FA and all that jazz. He mentioned it
>>> might be time for a security key, hence my question here.
>>
>>> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>>
>> The main problem with 2FA on sites like youtube is that it is not really
>> being used that well. It is set up for convenience and ease of use rather
>> than strong security.
>>
>> The 2FA is used to establish a session, but that session is then made
>> semi permanent by use of session cookies. So once the platform has
>> passed the 2FA, it is then in effect left logged in for an extended
>> period of time. Most of the compromises seem to be based on stealing
>> those session cookies, and then transplanting them to the attacker's
>> system. Lo and behold, their browser is then automatically logged into
>> the account with no need for further 2FA checks.
>>
>> 2FA ought to be required for every login, with an inactivity timeout that
>> logs out of the account if not used for 30 mins etc.
>>
>> It is also not a good idea to use the machine that is used for
>> interacting with the account, uploading etc, for non related tasks like
>> admin and email. If you only have one machine, do all the admin stuff
>> inside a virtual machine, that is never used to access the account. That
>> way even if it is compromised, there are no sessions to hijack.
>
>
> Or set the browser to clear cookies each time it is closed?

Do you make sure you close all browser windows every time you access
email? Do you make sure that your machine does a secure erase of the
cookie storage every time as well?

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

Re: USB security keys
 by: Paul - Tue, 27 Feb 2024 13:53 UTC

On 2/27/2024 3:09 AM, Handsome Jack wrote:
> John Rumm <see.my.signature@nowhere.null> wrote:
>> On 26/02/2024 22:24, David Paste wrote:
>>> Anyone got anything good or bad to say about them?
>>>
>>> Do they work with linux as well as Windows?
>>>
>>> I don't have a clue about them, but a youtube channel I watch has been
>>> hacked twice in a month despite 2FA and all that jazz. He mentioned it
>>> might be time for a security key, hence my question here.
>>
>>> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>>
>> The main problem with 2FA on sites like youtube is that it is not really
>> being used that well. It is set up for convenience and ease of use rather
>> than strong security.
>>
>> The 2FA is used to establish a session, but that session is then made
>> semi permanent by use of session cookies. So once the platform has
>> passed the 2FA, it is then in effect left logged in for an extended
>> period of time. Most of the compromises seem to be based on stealing
>> those session cookies, and then transplanting them to the attacker's
>> system. Lo and behold, their browser is then automatically logged into
>> the account with no need for further 2FA checks.
>>
>> 2FA ought to be required for every login, with an inactivity timeout that
>> logs out of the account if not used for 30 mins etc.
>>
>> It is also not a good idea to use the machine that is used for
>> interacting with the account, uploading etc, for non related tasks like
>> admin and email. If you only have one machine, do all the admin stuff
>> inside a virtual machine, that is never used to access the account. That
>> way even if it is compromised, there are no sessions to hijack.
>
>
> Or set the browser to clear cookies each time it is closed?
>

You have to clean out DOM storage as well (search for +++ and branded items).
And webappsstore.sqlite is also abused on a browser (some web sites pound
on that, so that must be part of advertising). That's for Firefox. Chrome
may well have details like this, but Chrome is very careful to spray
shit all over the place (for the obvious reasons).

I don't use this, but I consider the scripts in here to be a good source of
information regarding cleaning. I read these, rather than execute them.

https://www.bleachbit.org/download/file/t?file=BleachBit-4.6.0-portable.zip # Windows

https://www.bleachbit.org/download/file/t?file=bleachbit_4.6.0-0_all_ubuntu2310.deb # Linux

When webappsstore.sqlite is above 10MB in size, that causes a pretty
obvious performance problem with Firefox (higher latency, move slider nothing
happens). That's why it gets a haircut here, every one to two days.

Paul
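
A read-only look at what a Firefox `webappsstore.sqlite` holds, for anyone who wants to see which sites are filling it before cleaning. This is an added example, not code from the thread or from BleachBit; it assumes the legacy `webappsstore2` table layout and the reversed-host `originKey` format, and it runs against a constructed sample database with made-up origins.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

SIZE_WARN_BYTES = 10 * 1024 * 1024  # the 10MB figure mentioned in the post

# Assumed schema of the legacy DOM storage file.
SCHEMA = ("CREATE TABLE webappsstore2 (originAttributes TEXT, originKey TEXT, "
          "scope TEXT, key TEXT, value TEXT)")


def origin_from_key(origin_key):
    """Turn an originKey such as 'moc.elpmaxe.:https:443' into 'https://example.com'.

    Assumed format: host reversed character by character, then ':scheme:port'.
    """
    host_rev, _, rest = origin_key.partition(":")
    host = host_rev[::-1].lstrip(".")
    scheme = rest.split(":")[0]
    return f"{scheme}://{host}" if scheme else host


def summarise_webappsstore(path, top=5):
    """Report file size and the origins holding the most stored characters."""
    path = Path(path).resolve()
    size = path.stat().st_size
    # mode=ro: inspection must never modify the profile.
    uri = path.as_uri() + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as db:
        rows = db.execute(
            "SELECT originKey, COUNT(*), SUM(LENGTH(key) + LENGTH(value)) AS chars "
            "FROM webappsstore2 GROUP BY originKey ORDER BY chars DESC LIMIT ?",
            (top,),
        ).fetchall()
    return {
        "file_bytes": size,
        "oversized": size > SIZE_WARN_BYTES,
        "origins": [(origin_from_key(k), n, c) for k, n, c in rows],
    }


def build_constructed_sample(path):
    """Write a small, constructed database in the assumed layout."""
    ads, mail = "elpmaxe.sda.:https:443", "elpmaxe.liam.:https:443"
    rows = [
        ("", ads, ads, "uid", "x" * 4000),
        ("", ads, ads, "seen", "y" * 1000),
        ("", mail, mail, "theme", "dark"),
    ]
    with closing(sqlite3.connect(str(path))) as db:
        db.execute(SCHEMA)
        db.executemany("INSERT INTO webappsstore2 VALUES (?, ?, ?, ?, ?)", rows)
        db.commit()


def summarise_constructed_sample():
    """Build the sample in a temporary directory and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "webappsstore.sqlite"
        build_constructed_sample(sample)
        return summarise_webappsstore(sample)


if __name__ == "__main__":
    report = summarise_constructed_sample()
    print(f"file size: {report['file_bytes']} bytes, oversized: {report['oversized']}")
    for origin, items, chars in report["origins"]:
        print(f"{origin:<28} items={items:<4} chars={chars}")
```

To look at a real profile, point `summarise_webappsstore()` at a copy of the file taken while the browser is closed.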

Re: USB security keys
 by: Peter Johnson - Tue, 27 Feb 2024 15:05 UTC

On Mon, 26 Feb 2024 22:24:41 -0000 (UTC), David Paste
<pastedavid@gmail.invalid> wrote:

>Anyone got anything good or bad to say about them?
>
>
I looked into them a few weeks ago but couldn't work out whether there
would be any benefit for me in having one in my situation, using a PC
mostly and a phone sometimes.
So I bought one of these, https://www.amazon.co.uk/dp/B07VK71TST, a
fingerprint reader that works with Windows Hello (don't know about
Unix) to avoid the niggle of entering the password on the rare
occasions that Windows is restarted. I leave it plugged into one of
the USB ports of the top of the PC case so it's convenient to use.

Re: USB security keys
 by: alan_m - Tue, 27 Feb 2024 15:19 UTC

On 27/02/2024 15:05, Peter Johnson wrote:
> On Mon, 26 Feb 2024 22:24:41 -0000 (UTC), David Paste
> <pastedavid@gmail.invalid> wrote:
>
>> Anyone got anything good or bad to say about them?
>>
>>
> I looked into them a few weeks ago but couldn't work out whether there
> would be any benefit for me in having one in my situation, using a PC
> mostly and a phone sometimes.
> So I bought one of these, https://www.amazon.co.uk/dp/B07VK71TST, a
> fingerprint reader that works with Windows Hello (don't know about
> Unix) to avoid the niggle of entering the password on the rare
> occasions that Windows is restarted. I leave it plugged into one of
> the USB ports of the top of the PC case so it's convenient to use.

Just make sure that you have a backup for when your fingerprint is not
recognised.

I find that when doing some forms of DIY such as plastering, handling
sandpaper etc. neither of my devices that have fingerprint readers will
recognise my finger(s). Also when my hands have been immersed in water
for some time or perhaps handling bleach I get the same problem.

--
mailto : news {at} admac {dot} myzen {dot} co {dot} ukaa

Re: USB security keys
 by: Handsome Jack - Tue, 27 Feb 2024 17:16 UTC

John Rumm <see.my.signature@nowhere.null> wrote:
> On 27/02/2024 08:09, Handsome Jack wrote:
>> John Rumm <see.my.signature@nowhere.null> wrote:
>>> On 26/02/2024 22:24, David Paste wrote:
>>>> Anyone got anything good or bad to say about them?
>>>>
>>>> Do they work with linux as well as Windows?
>>>>
>>>> I don't have a clue about them, but a youtube channel I watch has been
>>>> hacked twice in a month despite 2FA and all that jazz. He mentioned it
>>>> might be time for a security key, hence my question here.
>>>
>>>> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>>>
>>> The main problem with 2FA on sites like youtube is that it is not really
>>> being used that well. It is set up for convenience and ease of use rather
>>> than strong security.
>>>
>>> The 2FA is used to establish a session, but that session is then made
>>> semi permanent by use of session cookies. So once the platform has
>>> passed the 2FA, it is then in effect left logged in for an extended
>>> period of time. Most of the compromises seem to be based on stealing
>>> those session cookies, and then transplanting them to the attacker's
>>> system. Lo and behold, their browser is then automatically logged into
>>> the account with no need for further 2FA checks.
>>>
>>> 2FA ought to be required for every login, with an inactivity timeout that
>>> logs out of the account if not used for 30 mins etc.
>>>
>>> It is also not a good idea to use the machine that is used for
>>> interacting with the account, uploading etc, for non related tasks like
>>> admin and email. If you only have one machine, do all the admin stuff
>>> inside a virtual machine, that is never used to access the account. That
>>> way even if it is compromised, there are no sessions to hijack.
>>
>>
>> Or set the browser to clear cookies each time it is closed?
>
> Do you make sure you close all browser windows every time you access
> email? Do you make sure that your machine does a secure erase of the
> cookie storage every time as well?
>

Not the latter, certainly. Can these "compromises based on stealing session cookies
and then transplanting them to the attacker's system" retrieve cookies deleted
by the browser? Seems a bit of a stretch, though I have no idea exactly
how browsers delete cookies.
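
The session behaviour described in the quoted text above, as an added example that is not part of any poster's message: a server-side session table that enforces the suggested 30-minute inactivity timeout and asks for the second factor again before sensitive actions. The class, the `STEP_UP_WINDOW` value and the timeline are assumptions made for illustration.

```python
import secrets

IDLE_TIMEOUT = 30 * 60    # the 30 minutes suggested in the quoted post
STEP_UP_WINDOW = 5 * 60   # assumption: sensitive actions need 2FA this recent


class SessionStore:
    """Server-side session table; the cookie carries only a random id."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, second_factor_ok, now):
        # A session is created only after the second factor has passed.
        if not second_factor_ok:
            raise PermissionError("second factor required")
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now, "last_2fa": now}
        return sid

    def check(self, sid, now, sensitive=False):
        """Return 'ok', 'reauth' (fresh 2FA needed) or 'denied'."""
        session = self._sessions.get(sid)
        if session is None:
            return "denied"
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # expired on the server, whatever the browser holds
            return "denied"
        session["last_seen"] = now
        if sensitive and now - session["last_2fa"] > STEP_UP_WINDOW:
            return "reauth"
        return "ok"


def demo():
    """Constructed timeline (seconds): the same cookie value presented later."""
    store = SessionStore()
    sid = store.login("channel-owner", second_factor_ok=True, now=0)
    within_window = store.check(sid, now=600)
    sensitive = store.check(sid, now=600, sensitive=True)
    idle_sid = store.login("channel-owner", second_factor_ok=True, now=0)
    after_idle = store.check(idle_sid, now=IDLE_TIMEOUT + 1)
    return within_window, sensitive, after_idle


if __name__ == "__main__":
    print(demo())
```

The first result shows the limit of a timeout on its own: a cookie presented inside the idle window is still accepted, which is why the sensitive-action check asks for the second factor again.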

Re: USB security keys

<url5v0$3anqt$1@dont-email.me>

https://news.novabbs.org/aus+uk/article-flat.php?id=125669&group=uk.d-i-y#125669

From: see.my.signature@nowhere.null (John Rumm)
Newsgroups: uk.d-i-y
Subject: Re: USB security keys
Date: Tue, 27 Feb 2024 17:25:52 +0000
Organization: Internode Ltd
Lines: 63
Message-ID: <url5v0$3anqt$1@dont-email.me>
References: <urj338$2opn1$1@dont-email.me> <urjh8b$2s3u6$1@dont-email.me>
<urk5b6$338tv$1@dont-email.me> <urkasn$34lpp$2@dont-email.me>
<url5dd$3aaie$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 27 Feb 2024 17:25:52 -0000 (UTC)
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <url5dd$3aaie$1@dont-email.me>
 by: John Rumm - Tue, 27 Feb 2024 17:25 UTC

On 27/02/2024 17:16, Handsome Jack wrote:
> John Rumm <see.my.signature@nowhere.null> wrote:
>> On 27/02/2024 08:09, Handsome Jack wrote:
>>> John Rumm <see.my.signature@nowhere.null> wrote:
>>>> On 26/02/2024 22:24, David Paste wrote:
>>>>> Anyone got anything good or bad to say about them?
>>>>>
>>>>> Do they work with Linux as well as Windows?
>>>>>
>>>>> I don't have a clue about them, but a YouTube channel I watch has been
>>>>> hacked twice in a month despite 2FA and all that jazz. He mentioned it
>>>>> might be time for a security key, hence my question here.
>>>>
>>>>> Also, if 2FA hasn't stopped a hacking attempt, what use is it?!
>>>>
>>>> The main problem with 2FA on sites like YouTube is that it is not really
>>>> being used that well. It is set up for convenience and ease of use rather
>>>> than strong security.
>>>>
>>>> The 2FA is used to establish a session, but that session is then made
>>>> semi-permanent by use of session cookies. So once the platform has
>>>> passed the 2FA, it is then in effect left logged in for extended
>>>> periods of time. Most of the compromises seem to be based on stealing
>>>> those session cookies, and then transplanting them to the attacker's
>>>> system. Lo and behold, their browser is then automatically logged into
>>>> the account with no need for further 2FA checks.
>>>>
>>>> 2FA ought to be required for every login, with an inactivity timeout that
>>>> logs out of the account if not used for 30 mins etc.
>>>>
>>>> It is also not a good idea to use the machine that is used for
>>>> interacting with the account, uploading etc, for non-related tasks like
>>>> admin and email. If you only have one machine, do all the admin stuff
>>>> inside a virtual machine, that is never used to access the account. That
>>>> way even if it is compromised, there are no sessions to hijack.
>>>
>>>
>>> Or set the browser to clear cookies each time it is closed?
>>
>> Do you make sure you close all browser windows every time you access
>> email? Do you make sure that your machine does a secure erase of the
>> cookie storage every time as well?
>>
>
> Not the latter, certainly. Can these "compromises based on stealing session cookies
> and then transplanting them to the attacker's system" retrieve cookies deleted
> by the browser? Seems a bit of a stretch, though I have no idea exactly
> how browsers delete cookies.

You can "undelete" deleted files, so generally yes.

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
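
On the question of how browsers delete cookies: Firefox and Chromium-based browsers keep cookies in an SQLite database file, so removing a cookie is a row delete inside that file rather than a file delete. This added example (not from the thread; the table layout and token are constructed) shows that with SQLite's `secure_delete` pragma off the deleted value is still present in the file's bytes, and that turning the pragma on zeroes it.

```python
import os
import sqlite3
import tempfile

TOKEN = b"CONSTRUCTED-SESSION-TOKEN-0123456789"   # constructed sample value


def token_survives_delete(secure_delete):
    """Delete one cookie row, then search the raw database file for its value."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        db = sqlite3.connect(path)
        db.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        # Hypothetical, simplified cookie table (not a real browser schema).
        db.execute("CREATE TABLE cookies (host TEXT, name TEXT, value TEXT)")
        db.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [
            ("example.test", "prefs", "dark-mode"),
            ("example.test", "session", TOKEN.decode()),
            ("example.test", "lang", "en-GB"),
        ])
        db.commit()

        db.execute("DELETE FROM cookies WHERE name = 'session'")
        db.commit()
        remaining = db.execute(
            "SELECT COUNT(*) FROM cookies WHERE name = 'session'").fetchone()[0]
        db.close()
        assert remaining == 0          # SQL can no longer see the cookie

        with open(path, "rb") as f:    # read the file as plain bytes
            return TOKEN in f.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete OFF, token still in file:", token_survives_delete(False))
    print("secure_delete ON,  token still in file:", token_survives_delete(True))
```

Which setting a particular browser uses is not stated in the thread. The pragma only covers the database file itself, not older copies left in filesystem free space.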

Re: USB security keys

<jdnutihdqjv30sm3609s7paq4jakgd973r@4ax.com>

https://news.novabbs.org/aus+uk/article-flat.php?id=125710&group=uk.d-i-y#125710

From: peter@parksidewood.nospam (Peter Johnson)
Newsgroups: uk.d-i-y
Subject: Re: USB security keys
Date: Wed, 28 Feb 2024 16:25:40 +0000
Organization: A noiseless patient Spider
Lines: 26
Message-ID: <jdnutihdqjv30sm3609s7paq4jakgd973r@4ax.com>
References: <urj338$2opn1$1@dont-email.me> <25urti504nme347c6747tre143hf6jtp73@4ax.com> <l46cs1Fida2U2@mid.individual.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
User-Agent: ForteAgent/8.00.32.1272
 by: Peter Johnson - Wed, 28 Feb 2024 16:25 UTC

On Tue, 27 Feb 2024 15:19:29 +0000, alan_m <junk@admac.myzen.co.uk>
wrote:

>> I looked into them a few weeks ago but couldn't work out whether there
>> would be any benefit for me in having one in my situation, using a PC
>> mostly and a phone sometimes.
>> So I bought one of these, https://www.amazon.co.uk/dp/B07VK71TST, a
>> fingerprint reader that works with Windows Hello (don't know about
>> Unix) to avoid the niggle of entering the password on the rare
>> occasions that Windows is restarted. I leave it plugged in to one of
>> the USB ports of the top of the PC case so it's convenient to use.
>
>
>Just make sure that you have a backup for when your fingerprint is not
>recognised.
>
>I find that when doing some forms of DIY such as plastering, handling
>sandpaper etc. neither of my devices that have fingerprint readers will
>recognise my finger(s). Also when my hands have been immersed in water
>for some time or perhaps handling bleach I get the same problem.

Yes, I've come across that with the phone.
With the PC it defaults to wanting a password, and the fingerprint
reader has to be chosen. I haven't worked out how to make the reader the
default, if it is possible.
