
Simple things (e-mail security)

I have been working for a long time on securing corporate communications, mainly e-mail. Our company's policy is that managers use their main mailboxes, so I also have to advise them on the security of popular mail services. There are many questions about these services, but some are of particular interest, and it is unclear why the giant companies have not thought about such simple things.

1. Notify the user of any attempt to restore access to the account: an SMS to the user and an e-mail to both the primary and the backup addresses.

2. Force a password change after multiple attempts to access the account by guessing (brute force), and notify the user about it using the methods of item 1.

3. Notify the user, using the methods of item 1, about access from a new machine, and block access when the user-verification option is enabled. This function is partially implemented, but most services send no notifications.

4. Identify the user by a device ID (user_agent + IP + cookies), using localStorage, and control the user through the session.

6. Add a function that allows the user to be tracked even when the IP changes and cookies, localStorage and other traces are cleared; for example, a hidden identifier carried in the page code or the page address, etc.

7. Block multiple attempts to restore access via the secret question. This mainly concerns “P”, where they do not think about it at all, but other services are affected too.

8. Do you know how the “secure” G responds when you restore access to your mailbox via a backup e-mail address? It shows 60-70% of the backup address on the recovery page, and if you click the link it simply suggests changing the password. G - ingenious.

9. Track bots (brute, check). Even if the bot writer turned out to be competent and wrote good software, it can still be tracked by the results of its actions and by IP. There are not enough proxies for millions of “compromised” accounts, so they are reused. Storing them in a database is not so difficult, and if you wish you can find those who like to run bots from their own IP without ever changing it. Some bot writers do not even bother to change the User-Agent, and many simply ignore the site's requirements and thus find the shortcomings of the system.
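The IP-reuse point above, as an added example that is not part of the original post: one IP that fails logins against many distinct accounts (with a never-changing User-Agent) is the signature of a bot working through a leaked list. The log format and the sample lines are constructed for this example.

```python
from collections import defaultdict

# Constructed sample log lines (not from the original post): ip|user_agent|account|result
SAMPLE_LOG = """\
198.51.100.7|BotUA/1.0|alice|fail
198.51.100.7|BotUA/1.0|bob|fail
198.51.100.7|BotUA/1.0|carol|fail
198.51.100.7|BotUA/1.0|dave|success
203.0.113.5|Mozilla/5.0|erin|fail
203.0.113.5|Mozilla/5.0|erin|success
"""


def parse_log(text):
    """Parse 'ip|user_agent|account|result' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ua, account, result = line.split("|")
        events.append({"ip": ip, "ua": ua, "account": account, "result": result})
    return events


def suspicious_ips(events, min_accounts=3):
    """Return {ip: stats} for IPs that tried at least min_accounts distinct accounts.

    A person retries one or two of their own accounts; a brute/check bot
    running a leaked list from a single IP touches many. A single User-Agent
    across all of them is an extra hint that nobody bothered to vary it.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "agents": set(), "fails": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["accounts"].add(e["account"])
        s["agents"].add(e["ua"])
        if e["result"] == "fail":
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["accounts"]) >= min_accounts:
            flagged[ip] = {
                "distinct_accounts": len(s["accounts"]),
                "failures": s["fails"],
                "fixed_user_agent": len(s["agents"]) == 1,
            }
    return flagged
```

Feeding the flagged IPs into the per-account lockout and notification of items 1 and 2 is the natural next step.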

10. How to track the program? And is it necessary? Yes, but not always. There are many options, including some that will not voraciously devour server resources. Captchas do not scare brute forcers, even Russian ones, and building complex systems loses users. But you can set an elementary delay before a password or secret answer can be re-entered. One way or another this will affect the result of the attacker's work, especially if the delay is random and violating it triggers an alarm mode, since this allows the bot to be detected.
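The random delay with an alarm on violation, as an added example that is not part of the original post: the server picks a random wait per attempt, binds it to the session with an HMAC so the client cannot shorten it, and treats any early or tampered submission as the alarm condition. The key, the delay bounds and the session IDs are constructed for this example.

```python
import hashlib
import hmac
import random
import secrets

# Hypothetical server-side key, generated at startup for this example only.
SECRET = secrets.token_bytes(32)


def _sign(session_id, not_before):
    msg = f"{session_id}|{not_before:.3f}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, now, min_delay=2.0, max_delay=6.0):
    """Return (token, not_before) after a failed attempt.

    The client is told when it may retry; the wait is random so a bot cannot
    simply sleep a fixed amount, and the HMAC lets the server verify later
    that the timestamp it gets back is the one it handed out.
    """
    not_before = now + random.uniform(min_delay, max_delay)
    return _sign(session_id, not_before), not_before


def check_submission(session_id, token, not_before, now):
    """Classify a retry: 'ok' if it honoured the delay, 'alarm' otherwise.

    'alarm' covers two cases the post describes as bot behaviour: the client
    altered or forged the timing value, or it submitted before the delay
    elapsed, i.e. it ignored the server's instruction.
    """
    if not hmac.compare_digest(token, _sign(session_id, not_before)):
        return "alarm"  # forged or replayed timing value
    if now < not_before:
        return "alarm"  # submitted early: automation did not wait
    return "ok"
```

An "alarm" result is where the lockout and notifications of items 1 and 2 would be triggered.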

11. Many bot writers do not bother to imitate a person's actions: they skip checkboxes, do not read the text, violate the order of parameters in the request. If you watch for this you can again easily identify the machine and thus make life difficult for bot writers; you cannot stop everyone. Add a random question to the form and make the fields dynamic: this also makes life harder for bot writers, if not for all of them, but it will protect against the fools and allow you to focus on serious problems.

12. The more stages, the more difficult. We tried to organize a system in which confirmation was required from the user, or more precisely from his browser. For this, a request was sent every 10 seconds while the user was on the login page; if there was no answer, the session was destroyed. This is how we killed the anti-captcha.
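The heartbeat-bound login session above, as an added example that is not part of the original post: the server only accepts credentials from a session whose page script has kept answering the 10-second heartbeat, so a script that posts to the login endpoint without ever rendering the page has no live session to post from. The grace period and the session IDs are constructed for this example.

```python
HEARTBEAT_INTERVAL = 10.0  # seconds, the interval given in the post
GRACE = 5.0                # hypothetical tolerance for network jitter


class LoginSessions:
    """Login sessions that exist only while the browser keeps answering."""

    def __init__(self):
        self._last_seen = {}

    def open(self, sid, now):
        """Called when the login page is served to the browser."""
        self._last_seen[sid] = now

    def heartbeat(self, sid, now):
        """Called by the page script every HEARTBEAT_INTERVAL seconds.

        Returns False, and forgets the session, if the browser went silent
        longer than the interval plus grace: the page was not really open.
        """
        if sid not in self._last_seen:
            return False
        if now - self._last_seen[sid] > HEARTBEAT_INTERVAL + GRACE:
            del self._last_seen[sid]
            return False
        self._last_seen[sid] = now
        return True

    def submit_login(self, sid, now):
        """Only a session with a current heartbeat may post credentials."""
        if not self.heartbeat(sid, now):
            return "session_destroyed"
        return "accepted"
```

A captcha-solving service that receives only the challenge image never sends the heartbeats, which is the effect the post describes.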

13. Work on the bugs. How do bot writers determine the result? By the result, say, by finding an error indicator in the response or in the address. We solved this so that the response to a successful authorization did not differ from the response to an error, which forced the bot writer to do extra work finding differences between the responses; there turned out to be many options here too. The system that blocked the bot proved very effective while continuing to tell it that the data had been entered incorrectly; then a small trick, and the real user received a notification that it was time to stop guessing passwords and contact support.

14. Require contacting technical support before proceeding with access restoration, put the account under control and offer to answer the secret question, for which the user must confirm the request via another mailing address.

15. The main problem is brute force: no localStorage and clean cookies, a new IP address, a new account for the brute force, how do you tell? If there is no IP check, the user has not logged in for a week, no phone is attached and there is no backup address, what should I do? The first option is to restrict such accounts: require a phone to be attached and an additional e-mail address, and ask the question: does the user need this e-mail? He will answer yes, meaning he will accept all the measures, since it is in his own interest. Otherwise there will be the “leaks” accumulated over the years of brute forcing.

16. Secure IMAP and POP3: require unique passwords that differ from the account password, confirm devices, and tightly control connections over these protocols. Again, do you want “remote” access? Attach a phone. No? Then sit in the web interface. The measure is tough, but if it becomes a standard there will be no other choice.

One could describe in detail the many security options or give examples of vulnerabilities that even large resources simply ignore. Why bother, if in the absence of adequate security you can blame the user, saying he has viruses, trojans, crooked hands, etc., and in fact show disregard for your own users. It is a shame that large companies do this today: for all these years they turned a blind eye to the obvious problems and complaints of users, and in the end simply blamed everything on them. I would like to apologize on behalf of such services to all users who have lost faith in good treatment and security on the Web, because the owners of large services that lose their users' passwords hide behind “exception” and “user error” and do not respect themselves. They lack the courage to acknowledge that their service allowed this to happen. This is a good signal for those who look at such things differently and are ready to build their own customer-oriented service. Taking into account all the latest scandalous stories, with bots reading users' letters, leaks and restrictions, a good and secure service has every advantage for a quick start, and I am convinced that in the near future we will see new ones appear or a second life for market outsiders.

Source: https://habr.com/ru/post/236835/