assurance - Re: [Assurance] can two-factor be hacked ?

Subject: Assurance

List archive

Re: [Assurance] can two-factor be hacked ?

From: David Langenberg <>
To: "" <>
Subject: Re: [Assurance] can two-factor be hacked ?
Date: Fri, 7 Mar 2014 15:19:21 -0700

Sure, take Mr Bear Bucks JS, package it up into a .crx and upload to the Google Chrome Web Store

Docs:

http://developer.chrome.com/extensions/index

Getting someone to use the new extension is as simple as a link to the app on the web-store. If the browser can display it, you can mess with it. Some popular ones you may have heard of include AdBlock and SocialFixer. Yes, updates to the enterprise app will break your thing, but it's easy to push updates out.

As for lazy users, I've noticed that once they see how they can be even more lazy with your extension, that will quickly overcome the too-lazy-to-install factor.

Dave

On Fri, Mar 7, 2014 at 3:08 PM, Farmer, Jacob <> wrote:

Dave,

That sounds like an interesting idea – do you mind expanding on it a bit?

Jacob

From: [mailto:] On Behalf Of David Langenberg
Sent: Friday, March 07, 2014 5:06 PM
To:
Subject: Re: [Assurance] can two-factor be hacked ?

Even if you start chasing addresses & blacklisting proxies they'll just escalate to my favorite way of handling enterprise apps which have dumb UI issues & committees who refuse to implement common-sense suggestions: the browser extension.

Dave

On Fri, Mar 7, 2014 at 2:31 PM, Cantor, Scott <> wrote:

On 3/7/14, 4:27 PM, "Steven Carmody" <> wrote:
>
>The _javascript_ runs completely within the server platform. That's
>something that's new....

Or old, as the case may be. Proxies are really only defeatable in the
usual ways. If they're screen scraping, then you can have an arms race
implementing anti-scraping tricks, but that goes away as soon as you
support something like, say, ECP or Moonshot, that's implementing a
non-browser UI for authentication.

So that leaves chasing addresses, and blacklisting proxies when you find
them.

>As you say, *should*. However, if its identical to the application's
>login page, then the user would have to look at the url bar... does
>anyone know of anything that could be embedded in the real page, but not
>duplicated in the fake page ?

Nothing I can imagine.

-- Scott

--
David Langenberg

Identity & Access Management

The University of Chicago

--
David Langenberg

Identity & Access Management

The University of Chicago

RE: [Assurance] can two-factor be hacked ?, (continued)
- Re: [Assurance] can two-factor be hacked ?, Joe St Sauver, 03/07/2014
  - Re: [Assurance] can two-factor be hacked ?, Steven Carmody, 03/07/2014
    - Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/07/2014
      - Re: [Assurance] can two-factor be hacked ?, David Langenberg, 03/07/2014
        
        Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/07/2014
        
        RE: [Assurance] can two-factor be hacked ?, Farmer, Jacob, 03/07/2014
        
        Re: [Assurance] can two-factor be hacked ?, David Langenberg, 03/07/2014
        
        RE: [Assurance] can two-factor be hacked ?, Farmer, Jacob, 03/07/2014
        Re: [Assurance] can two-factor be hacked ?, David Langenberg, 03/07/2014
        
        Re: [Assurance] can two-factor be hacked ?, Cantor, Scott, 03/07/2014
        Re: [Assurance] can two-factor be hacked ?, David Walker, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, Joe St Sauver, 03/07/2014
- Re: [Assurance] can two-factor be hacked ?, Joe St Sauver, 03/11/2014

List archive

Re: [Assurance] can two-factor be hacked ?