Jump to content
Not connected, Your IP: 34.204.186.91
itguy2017

Near-Death of my electronic life taught me some things...

Recommended Posts

Recently I had a very close call to permanently losing access to everything. Long story short, my phone lost power and when I charged it back and turned it on it requires a password to decrypt the phone for use. Not normally a problem except in my case I haven't actually powered down the phone in just over 6 months and forgot the password! It's then I realized that the Sophos Authenticator I use for Two-Factor is on the phone and the 'majority' of what I do requires Two-Factor. Little did I realize what I was about to undertake is known as a "Mud Puddle" penetration testing... To literally see if you can recover your stuff if you had to, which then means someone else could recover it!

 

So my efforts at recovery started with my cell carrier (T-Mobile). I contacted T-Mobile and explained I needed emergency access to my phone with a bypass of the device encryption. They quickly came up with a bypass, saying if I registered a Samsung Account and tied it to the phone Samsung can break into the phone for me very quickly.. Well .... Knowing that backdoor already I never registered for a Samsung account and had all of the Samsung backdoors disabled. T-Mobile had no method to break it but did explain to me how to bypass Gmail security including Gmail TFA - but they assumed Gmail was my primary account.. IT WASN'T.. Still, I listened in on how they suggests I break into my Gmail account assuming I had one..

 

GMAIL:

Method 1 - pull the sim from the phone, put the sim into a different phone of the same model. Login to the phone you've already unlocked and request a password unlock via SMS verification for Gmail which then sends the SMS to the TEMPORARY phone you just put the sim in! The unlock pin will be sent to the hijacked phone with your old sim - you're in. That's it! Then 24 hours later when the phone-sim transfer system unlocks move the sim back to your original phone... Nice to know Gmail is easy to bypass!

 

Method 2 - SMS intercept. They can intercept my SMS as all SMS is logged on your T-Mobile account. So the SMS pin would be visible to them on the account.. That is assuming I use normal carrier SMS. I do not.. I have programmed custom APN's using IPv4 Only, and have SignalSMS on my phone. They can't see those.. But nice to know traditional SMS is not a valid TFA if you value your security. A recent article on the internet showed how spooks bypassed Google TFA in about 2 minutes by intercepting SMS. See this article;

https://www.revealnews.org/article/how-to-stay-safe-online-a-cybersecurity-guide-for-political-activists/

 

TUTANOTA:

Many are familiar with Tutanota as a fairly extreme privacy email. I contacted Tutanota and explained my situation.. They came up with a 'scheme' to access my email going forward but NOT to access the account and emails stored in the account - that was impossible for them. The 'bypass' they explained to me was - they would DELETE my existing email account. I would then create a new account and add the PREVIOUS account as an 'Alias' to the new account. Then all incoming emails to the OLD account would come in as an alias to the primary account as an alias and then I could request resets and other things which would be sent to the alias..  I appreciate their honesty working with me and explaining this method, but it scares the hell out of me because it would literally mean they COULD intercept any email if they had to or were compelled to by simply deleting the account and aliasing it. 

 

Protonmail:

I worked with ProtonMail for 4 days and couldn't get into my account. Protonmail simply told me that my account was lost, there was no way for them to compromise it. The reason is there is a setting in Protonmail 'Allow password recovery'.. If this is turned off NOBODY can recover your password.. You lose it, it's gone.. Even Protonmail has no method to turn this setting back on. HOWEVER, Protonmail can and will disable Two Factor Authentication upon request but it requires proof of identity and a recovery email address you setup... Concerned? Not really as it was pretty obvious they couldn't get into the account. I even offered a considerable amount of cash for them to 'engineer' a one-time-method to get me in.

 

Stickypassword: 

I really like Stickypassword and it proved to me why I like it.. I worked with Sticky for a couple of days to devise a method to access my password database.. No backdoor method was found. But what is interesting is - I HAD MY MASTER PASSWORD! All I was missing was the Two-Factor-Device! Sticky has no way to turn off TFA if you turn it on EXCEPT to send a pin to your recovery email - however I had no access to my recovery email because its password was in the database!.. But here is what is more interesting.. Even with the master password they could not break my database due to 'self protection' methods in place.. The database detects it's been tampered with and even if the Master Password is entered it requires a One-Time-Pin from the primary email address or the database remains locked/encrypted.. Very good to see how impossible it was for them to bust in for me.

 

Long story short.. I finally got back into the device by stretching my brain and remembering the old decryption password.. To avoid a future catastrophe I now print my entire password database every month or two on a secured printer and then store the folder in my concrete poured hidden floor safe. That way worst case, I have paper copies in a secured location. It was humbling to see how strong my security and privacy really is all things considered, the only weak link is the Gmail Account tied to my Android Phone, which is generally disabled on the phone anyway and is a dummy account. I was a little disappointed Tutanota had a method they could in theory use to 'intercept' emails but I suppose any company could perform the same back-end trick to accomplish a similar thing. Maybe they they shouldn't allow alias accounts to be pinned to primary accounts? Or perhaps limit alias accounts to accounts that have never been established accounts with their service?

Share this post


Link to post

Hello!

 

Thank you for a very well-written post ! It was interesting to read. I'm not surprised regarding SMS and all that at all. Although I think it's certainly interesting to consider the possibility of turning off 2FA, as it doesn't seem like this parameter is questioned a lot, when one inspects various services. Likewise, it's interesting and shocking you use... Concrete? Hahahahaha really? Hahaha. I think the NSA must've long-since branded you a "terrorist" for being so security minded don't you think . As for Gmail, that's not surprising - it's Gmail ! Although the sim trick was cool . Thank you for sharing.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

SMS is not a valid TFA if you value your security

 

That's a very old axiom. Not sure why did you realize it only after you temporary lost SMS as a factor.

Gmail has great security compared to other services. From location and user-agent matching for new

sign-ins, up and not limited to an email notification per each new signed in device. Brute force prevention

by captchas unsolvable even by humans, intense physical security of the service. No matching competitors.

This is not their fault that you used SMS as a 2FA factor, you could use Authy or FreeOTP, or even their

own Google Authenticator which implements a real and cryptographicly hashed TOTP instead of SMS:

https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

 

 

I was a little disappointed Tutanota had a method they could in theory use to 'intercept' emails

 

This is not in theory.

Regarding any mail service in general, if they can control the MX records, all those aliases are useless.

Anyone who can modify the DNS records and point the domains MX records to it's own server, is able to

read all your unencrypted emails, with a possibility to bounce them later to the original server so it can go

unnoticed for a very long time. That's axiom number 2. This is also why you have to use PGP, no matter

what all those hipster services claim, when privacy of conversations matters.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

A well-written, interesting and to some extent gripping post. Thank you for the read.


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

 

 

Thank you for a very well-written post ! It was interesting to read. I'm not surprised regarding SMS and all that at all. Although I think it's certainly interesting to consider the possibility of turning off 2FA, as it doesn't seem like this parameter is questioned a lot, when one inspects various services. Likewise, it's interesting and shocking you use... Concrete? Hahahahaha really? Hahaha. I think the NSA must've long-since branded you a "terrorist" for being so security minded don't you think . As for Gmail, that's not surprising - it's Gmail ! Although the sim trick was cool . Thank you for sharing.

 

 

Concrete by virtue of having our basement professionally finished/restructured for my home theater room and home lan gaming area. They were already busting up walls and concrete so having a floor safe put in made sense. Nothing fireproof like a concrete basement floor! Also it's well hidden so I feel totally safe storing my password dumps in it. Unless I showed you it's location you'd never find it. I'm fortunate to be well off enough to do some pretty nice Layer 1 security in/around my home. (Cameras, ballistic windows, Bi-Locks on the doors, reinforced door jams, etc) I probably have one of the more secured homes in the country for someone that isn't a celebrity or something that has armed guards roaming.. But that's what I do for a living so it's all good. (L1-L7 security Engineer)

 

Anyway I am a bit worried about TFA being tied to a phone after all of this.. If the phone is mud puddled, you lose that avenue of access, which sort of worries me. I do like Fastmail, they allow you to setup a strong 25 character 'recovery password' while disabling all other recovery methods. Print that and store it in a safe for emergencies. Seems legit to me, no way to recover without that...

Share this post


Link to post

These were all very interesting posts, thanks. Just a note to US residents especially. If your passwords are written down and stored, LE can seize them and access the data legally and its admissible in court. However if they are encrypted and stored electronically (usb key, hardrive, optical disk, etc), it's generally considered that by virtue of the 5th amendment you can not be legally forced to turn over your encryption passwords. You also might develop temporary or permanent loss of memory. This does require you to remember one master password which is very long, very strong and very random. However with some effort and repetition, it's not that hard to memorize such a password. But you'd better use it frequently enough to keep it refreshed in your mental circuits.

Share this post


Link to post

Re, Tutanota. Thanks for sharing, very interesting. When using any third party security service (including vpns), you're always having to trust that they do what they say they do. So to quote Zhang "you have to use PGP, no matter what all those hipster services claim, when privacy of conversations matters". The convenience of something like Tutanota is great but comes with an increased risk of lost privacy. It's probably fine if you're not doing something that would put you seriously on a TLO watchlist (but this might be wishful thinking and things could change with changing regimes).

Share this post


Link to post

I have been having a problem that only partly relates to anything said here. But I have no better place to put it and someone here may know an option that can help. I have exactly zero access to my Paypal account. None. I cannot unlock it since they absolutely require a cellular/mobile phone. I use an SIP telephone provider, and only use it from home on a dedicated device. Yet Paypal insists my number is not legitimate. I can receive and send SMS messages through this service too, but again Paypal insists I cannot since my phone number does not exist to them.

 

And there is more to it that that. I cannot even e-mail them since they insist I login to do that, and logging in requires a mobile phone that I do not own, and refuse to buy.

 

I do not like Paypal, and refuse to use them except as a last resort. But a friend asked me to buy something for a friend of hers, and I did. However the item has not arrived, and the only way to even see the tracking number is to login to Paypal. So I have no idea what to do at this point.

 

Anyone have any ideas? My account is still in good standing. But apparently I am not a Human to Paypal without a worthless cell phone that I do not want, and refuse to buy. Thanks in advance for any ideas. (Half the reason I brought this up is that it seems that more and more sites are taking this same stupid prospective that a mobile phone is the only way to do anything.)


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

"I hate Paypal too"....it would make a great t-shirt

 

Here's a phone number for Paypal...expect a phone tree, but you should get through to somebody: 402-935-2050

 

Here's a website that can help get a real live human (or a reasonable approximation there of): https://gethuman.com/

 

Good luck 

Share this post


Link to post

 

 

Thank you for a very well-written post ! It was interesting to read. I'm not surprised regarding SMS and all that at all. Although I think it's certainly interesting to consider the possibility of turning off 2FA, as it doesn't seem like this parameter is questioned a lot, when one inspects various services. Likewise, it's interesting and shocking you use... Concrete? Hahahahaha really? Hahaha. I think the NSA must've long-since branded you a "terrorist" for being so security minded don't you think . As for Gmail, that's not surprising - it's Gmail ! Although the sim trick was cool . Thank you for sharing.

 

Concrete by virtue of having our basement professionally finished/restructured for my home theater room and home lan gaming area. They were already busting up walls and concrete so having a floor safe put in made sense. Nothing fireproof like a concrete basement floor! Also it's well hidden so I feel totally safe storing my password dumps in it. Unless I showed you it's location you'd never find it. I'm fortunate to be well off enough to do some pretty nice Layer 1 security in/around my home. (Cameras, ballistic windows, Bi-Locks on the doors, reinforced door jams, etc) I probably have one of the more secured homes in the country for someone that isn't a celebrity or something that has armed guards roaming.. But that's what I do for a living so it's all good. (L1-L7 security Engineer)

 

Wow, that sounds like a pretty amazing security setup you've got. Might be more than I could afford, but it must be nice to have that level of safety.  What kind of threat model does that protect you against?

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...