Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • October 01, 2016, 08:49:02 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: two-factor entrance authentication  (Read 1570 times)

Steven Avery

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 807
    • View Profile
    • Donate to Member
two-factor entrance authentication
« on: February 16, 2015, 05:23:13 PM »
Hi,

Two factor-authentication can help a lot when you wonder what is your password and contact the company.

Often they call back your cell phone and you use a one-time number.  I appreciate the method as adding a lot
of security pizazz.

========================================================

What if you have a mission critical website?   I was reading how passwords get hacked (one discussion related
to programs like Filezilla not having encryption, but there are 1,000 ways.)

Then the bad guys can sign in.  One thing they do is place some sort of malware into index.html, which then
affects future entrants to the site.

Oops.

This type of corruption can have a huge effect on the trust of a website and company.  It is a huge problem
on an individual company level, as well as the general individual malware issue.

So there really should be a way to prevent someone who simply has a password from doing real damage.  Some
sort of two-factor entry.  

A thought.  The second-factor could be something arcane like hitting one of a couple of dozen
little places that are only known by you and the host.

Is this done?  If not, why not?
Seems simple enough.  You add a check about limited number of errors, checking the ip, stuff like that.

I'm not saying its foolproof.  A screen recorder on your pc might pick this up.  However, that is 100 times
more sophisticated than simply a password hack.

Your thoughts?

Granted, possibly the best security is simply ip security only allowing specific places to enter.  However,
sometimes we are on the move. So the two ideas are complementary.

Steven

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,277
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: two-factor entrance authentication
« Reply #1 on: February 16, 2015, 09:57:26 PM »
I'm not really getting the point.  There's already 2 factor in a lot of places that you can enable.  In many cases, you even use a hardware key or a security program similar to a hardware key.

Is this for a specific application?

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,753
    • View Profile
    • Donate to Member
Re: two-factor entrance authentication
« Reply #2 on: February 17, 2015, 06:43:41 AM »
Then the bad guys can sign in.  One thing they do is place some sort of malware into index.html, which then
affects future entrants to the site.
That are 2 statements, totally not related to each other.
If anybody, bad or good, can log into your site then why/how do they get to change something like index.html? I've never been able to achieve that, neither as an admin nor as a regular user.
Most webservers require a separate, (s)ftp connection to the server for up/down-loading of website related files. Any account allowed to access that does have proper strength, and because of the assumed required 's' prefix can't be man-in-the-middled, if you don't blindly accept a non-standard/weird certificate (that your ftp-client WILL inform you about).

For absolute foolproof secure client/server connections you need a two-sided certificate-signed 'ssl'-connection (tls is the current connection protocol, ofc.), where both the server and the client need a matching certificate before a connection is even established. The hassle of securely exchanging and then installing the certificates, and the time spent on daily maintenance (adding new certs, and removing expired/lost/stolen certs) usually makes the use of this feature very low-frequent. But, combined with strong, often changing, passwords this system is water-tight.

Steven Avery

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 807
    • View Profile
    • Donate to Member
Re: two-factor entrance authentication
« Reply #3 on: February 17, 2015, 08:19:15 AM »
Hi,

Not yet a techie on this stuff. Basically, I was going by a discussion I read yesterday that said that this was a vector of mass malware distribution.  As I remember, they specifically indicated index.html but we can also talk about any admin hacking of the site.  

On index.html the idea was that, after a bad guy gains entrance as an admin, the visitors could be mauled, unknown to either the site itself (for awhile) and, unless well defended, the visitor.  I didn't bookmark this well, although I will go back into Firefox history and see what I can find.

The first part of the discussion I was reading about was simply how easily Filezilla sending passwords can be hacked and the blase approach of the developer.  The discussion of malware distribution might have been a separate topic and website. I was simply following the logical implications.

Notice how you say that the cumbersomeness of the extra certificate-signed approach ends up meaning that it is simply not done.  And this would be true also for hardware keys, great ideas infrequently implemented (putting aside banks, etc.)  

What I am suggesting is a hack-resistant method that is relatively strong yet informal and might be easy to implement, although it may need the control panel people allowing a hook.  A second-factor entrance software implementation to stop an improper admin (whether or not they can get to index.html.)  One that would be complementary to IP checking.  If the admin signing in fails x times to hit the secret dot, then alarm bells ring to the web host and to the real admin's cell phone, tablet, etc.

If there is something that accomplishes this end already ... great!  Tell me how it is done.  

What damage can a false admin do? And how is it prevented? Is it not the equivalent of the root for your site?
We agree, I think, that no matter how strong the passwords and secretly guarded, that has a significant gap of safety below 100%.

As to why this came up, I am informally handling some aspects of security for a small business.  We had changes of programmer comparnies and workers and changed admin passwords. (Nothing hacked.) I was thinking about the simple fact that I really, really don't want false admin signons, this was prodded by the reading I mention above.

=================

To summarize my understanding, this is how I understand the basic scenario that is more sophisticated than simply hacking and taking data or changing things (forcing downtime and restore from backup). Remember, they could change things like pricing that could cause tremendous problems.

a) bad guys get hold of admin password for a site
b) bad guys get in there under the assumed name and make the site a vector of transmission for malware like a trojan
c) bad guys go home and wait
d) dozens of visitors get infected with a trojan (malware of some type) thinking they are visiting a safe site

Is this wrong?  If so, where.

And also the scenario where they simply change the site or get access to the data. (Understanding that there are internal standard that should prevent any credit card type of availability of information, any data breach remains embarrassing and can be very difficult for a business in many ways. )

Thanks!

=========================

Note, IP checking is nice.  Maybe, in many cases, sufficient.  Not sure how that works in practice.  There has to be flexibility when you are on the move.  Also there is an issue of unauthoized access to a puter that is a registered ID.  Thus, I mention this idea as complementary.

Steven
« Last Edit: February 17, 2015, 09:14:20 AM by Steven Avery »

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,277
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: two-factor entrance authentication
« Reply #4 on: February 17, 2015, 09:03:18 AM »
Again, is this for a specific application?  If someone hacks your site, it is either because of a hack of your administrative interface, of the software you run on the site, or the fact that your server is not hardened against such attempts.  As to how it's done, it really depends on the site itself, and what you want to secure.

As an example, this is a guide to two-factor authentication in Wordpress.  You can also do the same on Wordpress itself.

As you can see, these approaches are rooted in the software you want to secure.  It's not a general application.

cpanel itself does not have two-factor authentication, though there has been discussion for quite a while, and apparently they are going to start working on it soon.

http://features.cpan...entication-is-a-must

You can secure FTP by two-factor authentication, but how it's done and if it's possible really depends on the FTP Server software in use.  Apache is also able to be secured by two-factor authentication.  Any of these methods, however, are going to require an SSL cert as ath alluded to above, which is the reason that they are not in use in most places.

Then the bad guys can sign in.  One thing they do is place some sort of malware into index.html, which then
affects future entrants to the site.
That are 2 statements, totally not related to each other.
If anybody, bad or good, can log into your site then why/how do they get to change something like index.html? I've never been able to achieve that, neither as an admin nor as a regular user.
Most webservers require a separate, (s)ftp connection to the server for up/down-loading of website related files.

Actually, sometimes bad and/or insecure code can allow a hack of some vector to allow changing of files on the server without the use of an (s)ftp connection.  That's why I've been asking for what application...

Steven Avery

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 807
    • View Profile
    • Donate to Member
Re: two-factor entrance authentication
« Reply #5 on: February 17, 2015, 09:16:16 AM »
 
The main application under consideration is currently an ecommerce application, that runs under Wordpress.

Shortly, that will be replaced by a dedicated ecommerce platform that is hosted on the server, without the Wordpress middle layer, written largely in PHP/Zend. A more robust ecommerce implementation (something that the Wordpress program, WooCommerce, tries to get around with a gazillion addons.)  Magento is the more robust one and the techie programmer support is stronger.

Both have 1000s of installations.

===========

Thanks for the cpanel and related information.  I will be looking it over.  

"We really need two-factor authentication ...  will even make password theft useless. If this is too much, then the absolute easiest way to this is to require email verification ...."

Basically, I was simply seeing the problem and offering an unusual alternate implementation.   I have notified our website developers that we would like there to be some sort of special admin security.

===========

"the fact that your server is not hardened against such attempts."

We recently switched to Nexcess as a host largely because they seem to be very attuned to techie stuff, quickly.
This has worked out very well.

===========

Steven
 
« Last Edit: February 17, 2015, 04:16:53 PM by Steven Avery »

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,277
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: two-factor entrance authentication
« Reply #6 on: February 17, 2015, 10:05:27 AM »

The main application under consideration is currently an ecommerce application, that runs under Wordpress.

Shortly, that will be replaced by a dedicated ecommerce platform that is hosted on the server, without the Wordpress middle layer, written largely in PHP/Zend. A more robust ecommerce implementation (something that the Wordpress program, WooCommerce, tries to get around with a gazillion addons.)  Magento is the more robust one and the techie programmer support is stronger.

Both have 1000s of installations.

I would caution against the idea that just because something has 1000s of installations that it is secure.  If you are really concerned about such, it needs to be a continual consideration.

"the fact that your server is not hardened against such attempts."

We recently switched to Nexcess as a host largely because they seem to be very attuned to techie stuff, quickly.
This has worked out very well.

If you have confidence in your host as far as that aspect, it's one of the best lines of defense.