Tag Archives: two factor authentication

EA Resolves Origin Login Vulnerabilities

Last Thursday, security firms Check Point Software and CyberInt disclosed details of a collection of vulnerabilities found within the login process of the Origin online gaming platform operated by Electronic Arts. They worked with EA to resolve them.

TL;DR: EA Origin users should enable two-factor authentication (see this link for details) and only use the official Origin website to download or purchase games. Also, please make certain the version of the Origin client you are using is the most up to date; version 10.5.38 for PC adds additional security measures. Finally, always be cautious when receiving links from unknown sources:

How could attackers have exploited these vulnerabilities?
EA uses Microsoft's Azure to give players global access to games, to let them purchase games and to provide access to the Origin social network. The chain of vulnerabilities did not require the user to hand over any login details; instead it made use of authentication tokens, OAuth single sign-on (SSO) and the TRUST mechanism used during the login process. Definitions of these terms are provided in the glossary below.

Various services offered by EA are each present on a separate sub-domain, e.g. eaplayinvite.com. The researchers found one, ea-invite-reg-azurewebsites.net, whose DNS record no longer pointed to a live service. With this unclaimed name now known, the researchers purchased it.

Owing to issues the researchers discovered within the TRUST login mechanism, they were able to redirect where the SSO token was sent, namely to their newly acquired domain. With this accomplished, the researchers could access an Origin account of their choice and the data it contains, and could buy games while charging the original owner of the account for these purchases.

What can we learn from this disclosure?
Corporations operating online accounts need to carry out validation checks on the login pages their users interact with. The domains used by their services should also be audited to make certain that no record still points at a now unused domain.
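As an added illustration of both checks (not code from the original post, from EA or from the researchers), the following Python sketch validates the host an SSO token may be returned to against an exact allowlist and flags DNS records whose targets no longer exist; every hostname and record in it is a constructed placeholder.

```python
"""Added example: two defender-side checks following from the write-up.
All hostnames and DNS records below are constructed placeholders."""
from urllib.parse import urlparse

# Exact hostnames an SSO token may be returned to. Exact matching avoids the
# classic mistake of suffix matching, which a look-alike host could satisfy.
ALLOWED_RETURN_HOSTS = {"accounts.example-sso.test", "www.example-sso.test"}


def is_allowed_return_url(url: str) -> bool:
    """Accept only https URLs whose host is exactly in the allowlist."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 literal)
    # Reject embedded credentials: "https://trusted.test@other.test/" resolves
    # to other.test, not trusted.test.
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return (parts.hostname or "").lower() in ALLOWED_RETURN_HOSTS


# Constructed zone data: name -> CNAME target, plus the set of targets that still
# exist. In practice both would come from the resolver and a cloud inventory.
ZONE_CNAMES = {
    "invite.example-sso.test": "invite-app.example-cloud.test",
    "promo.example-sso.test": "promo-old.example-cloud.test",
}
LIVE_TARGETS = {"invite-app.example-cloud.test"}


def find_dangling_cnames(cnames: dict, live_targets: set) -> list:
    """Return names whose CNAME target no longer exists: a takeover risk."""
    return sorted(name for name, target in cnames.items()
                  if target not in live_targets)


if __name__ == "__main__":
    print("dangling:", find_dangling_cnames(ZONE_CNAMES, LIVE_TARGETS))
```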

For the users of these services, enabling two-factor authentication means that new devices accessing an account will be prompted for a security code an attacker will not have access to. Parents and children should be aware that cyber criminals will attempt to trick them with legitimate-looking links. Please only access the official pages by typing the address into your browser's address bar (or make use of a saved, known safe bookmark).

Thank you.

=======================
Glossary:
=======================
Authentication Token:
=======================
After a user logs in using their username and password, the identity of the logged-in user and various attributes of their account (e.g. what type of content they can access) are stored within a token (e.g. a JSON web token) in encrypted form and then sent to the client (the device the user is accessing the service from). The token (similar to an ID/access card) is stored on the client device and can be presented to the server at any time in place of the username and password to verify the user's identity. The server validates the token before granting the user access to the requested service.
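An added example (not from the original post or any particular platform) of the token round trip the glossary describes, written as a minimal JWT-like bearer token: the server issues a payload of claims plus an HMAC-SHA256 signature, and later checks the signature and expiry before trusting the claims. It protects integrity by signing rather than encrypting, and the secret, claim names and timestamps are constructed for illustration.

```python
"""Added example: issue and validate a minimal signed bearer token.
Secret and claims are constructed placeholders, not any real service's."""
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-demo-secret"  # constructed; load from a vault in practice


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles, ttl_seconds: int, now=None) -> str:
    """Return 'payload.signature' with signature = HMAC-SHA256(secret, payload)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "roles": sorted(roles), "iat": now, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def validate_token(token: str, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: signature check first, before parsing anything.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # payload altered or signature forged
        claims = json.loads(_unb64(payload))
    except ValueError:  # covers bad base64, bad JSON, missing '.'
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # malformed, or expired: the client must log in again
    return claims


if __name__ == "__main__":
    tok = issue_token("alice", ["player"], ttl_seconds=3600)
    print(validate_token(tok))
```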

=======================
Single sign-on:
=======================
When a user logs onto a device or service, their identity can be validated using a username and password and possibly another factor of authentication, e.g. a code sent to their phone or email address. Once validated, the user is provided with a token which can be shared with a central user authentication service known as single sign-on. This service can then act on the user's behalf, authenticating them to multiple services or applications without needing to request further usernames or passwords. Online examples would be Google or Facebook accounts used to log into other accounts/services using the same already entered credentials.

=======================

Security of Selected IoT Devices Tested

The current level of security present in Internet of Things (IoT) (defined) devices continues to be low; further maturity and consideration need to be given to security and best practices.

A recent study carried out by researchers from Brazil's Federal University of Pernambuco and the University of Michigan found that 31% of the apps used to control the IoT devices (equating to 37 of the 96 devices tested) used no encryption, while a further 19% used hard-coded encryption keys (which can't be changed). An attacker may be able to reverse engineer these.

The researchers then developed proof-of-concept attacks against five devices which are controlled by four apps:

Belkin’s WeMo for IoT
Broadlink’s e-Control app
TP-Link’s Kasa app
LIFX app used with that company’s Wi-Fi enabled light bulbs

Of these, three used no encryption, while three apps communicated via broadcast messages that can give an attacker a means of monitoring the nature/contents of the app-to-device communication. The researchers elaborated: “A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network”.

The TP-Link Smart Plug, which has been reviewed more than 10k times on Amazon, shares an encryption key across a given product line, while the initial set up is performed using the app without strict authentication.

How to secure your IoT devices:
The researchers pointed out that Google's Nest thermostat app was a better example of how security should be done. Its configuration can be carried out over TLS to the cloud or via Wi-Fi with WPA. This app also offers two-factor authentication (defined) (albeit only via SMS messages, which are themselves not best practice).

However, the Nest and any IoT device rely on you to practise good security, e.g. not re-using passwords and researching how best to secure that device. The story linked to here is an example of what can happen if you don't:

Further tips on securing IoT devices are provided below, along with a further tip, “Track and assess devices”, from CSO Online. Devices such as Amazon Echo, Apple HomePod and Google Home require even more steps (final link below):

7 tips for securing the Internet of Things by Chester Wisniewski (Sophos Security)

8 tips to secure those IoT devices by Michelle Drolet (CSO Online)

Securing the Internet of Things (US-CERT)

9 things to check after installing wireless access points by Eric Geier (Computerworld)

Securing Your Smart TV

Increasing the privacy and security of virtual assistants

Thank you.

Blog Post Shout Out: Security Advice for Summer Holidays/Travel

With the Summer holiday season approaching, I wanted to provide a respectful shout out to the following security tips/articles for travelling. Even when we are out of the office and away from our homes, we should maintain vigilance to stay secure and safe.

Many of these tips you may already be using, and many of them are simple to follow but can make a real difference in ensuring your time away runs smoothly, with no unwanted surprises when you return home:

Tips such as being mindful before using a public charging station I have discussed before, but this series of tips groups them together for ease of use and convenience.

Some of the most important tips are:

  • Ensuring your portable devices are encrypted
  • Keeping portable devices with you or safely locked away
  • Changing passwords (from a system you own) after you have used a publicly available computer
  • Enabling two-factor authentication (more on this below)
  • Not making it obvious you have expensive devices with you (the tips from US-CERT below will clarify this advice)

Securing Mobile Devices During Summer Travel: US CERT
Holiday Traveling with Personal Internet-Enabled Devices: US CERT
Protecting Portable Devices: Physical Security: US CERT
International Mobile Safety Tips: US CERT
Cybersecurity for Electronic Devices: US CERT

====================
How to set up 2FA on eBay – go do it now!: Sophos Naked Security blog: by Maria Varmazis
Enabling 2FA for any online account is a great security measure and will be particularly useful when travelling, providing that extra layer of security.
====================

How digital spring cleaning can protect your personal information: WMBF News: Christina Lob
Digital spring cleaning involves (among other steps) removing apps from your smartphones/tablets/computer systems that you don't use. This enhances security since there will be less for attackers to target, both in terms of software vulnerabilities (a reduced attack surface (defined)) and the personal information these apps may store or provide access to. It will also make it easier for you to maintain the device while travelling, since there will be fewer apps to update and the device will have more free space should you need it.

When you are back home, this spring cleaning article advises further steps, e.g. regularly checking your bank account and credit cards for signs of unusual or unknown transactions and reporting them as soon as possible. This is good practice in case any of your cards were unknowingly compromised while abroad.

For the final tips this article describes, I wanted to provide some clarification:

Clearing out email inboxes is a good idea but will only enhance security if your account has been compromised or you are being shoulder surfed by those around you; if you follow password and email best practices this shouldn't happen.

Its advice on passwords could be better (this advice from Sophos is more secure), and emptying recycle bins, while useful, doesn't truly delete data beyond recovery.

Thank you.