No worse than without the pictures, but it raises the bar for the
attacker.
Andy
On Thu, 16 Oct 2014, Waldbieser, Carl wrote:
>
> Even if that was the case, my evil site gets you to enter your password.
> It uses the password on the back channel to log into the real site and get
> the pictures.
> My evil site then serves up the pictures.
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Andrew Morgan" <[email protected]>
> To: [email protected]
> Sent: Thursday, October 16, 2014 2:22:59 PM
> Subject: Re: [cas-user] Has anybody done this?
>
> The pictures would be displayed after the user has entered their username
> and password (if I understand this correctly). The phishing web site
> would not have an opportunity to copy them unless it had already
> authenticated the user.
>
> Andy
>
> On Thu, 16 Oct 2014, Waldbieser, Carl wrote:
>
>>
>> Or if I set up my phishing web site to look like your login page and pull
>> your pictures off of your legitimate site.
>> That is not MITM per se, but I am still positioning myself between the 2
>> parties that want to communicate.
>>
>> Thanks,
>> Carl
>>
>> ----- Original Message -----
>> From: "Richard Frovarp" <[email protected]>
>> To: [email protected]
>> Sent: Thursday, October 16, 2014 2:00:07 PM
>> Subject: Re: [cas-user] Has anybody done this?
>>
>> You don't MITM the SSL necessarily. If you can catch them accessing the
>> page via plain text, you MITM that. I'm guessing most people use search
>> engines to find what they want, but one kind of expects that "gmail.com"
>> in the browser will go from the insecure page and redirect to the secure
>> page. You MITM that first request, stop the redirect to secure and you
>> have it.
>>
>> On 10/16/2014 12:48 PM, Andrew Morgan wrote:
>>> Is there any possible protection if a person can MITM an SSL webpage? I
>>> don't see how MFA would help either.
>>>
>>> Andy
>>>
>>> On Thu, 16 Oct 2014, Waldbieser, Carl wrote:
>>>
>>>>
>>>> The idea is if MITM is possible, this scheme falls down. The MITM can
>>>> just present the same pictures.
>>>>
>>>> If it is just someone who phished a password, it does make it harder,
>>>> depending on how many pictures there are and how many guesses the attacker
>>>> gets.
>>>>
>>>> Of course, the pictures could also be part of a phishing scheme.
>>>>
>>>> Thanks,
>>>> Carl Waldbieser
>>>> ITS System Programmer
>>>> Lafayette College
>>>>
>>>> ----- Original Message -----
>>>> From: "Andrew Morgan" <[email protected]>
>>>> To: [email protected]
>>>> Sent: Thursday, October 16, 2014 1:32:53 PM
>>>> Subject: Re: [cas-user] Has anybody done this?
>>>>
>>>> How would the attacker know which pictures with captions to present to the
>>>> user?
>>>>
>>>> This sounds similar to a scheme my credit union used at one time. I could
>>>> choose a picture, which they would display to me on the login page. If I
>>>> didn't see the picture I chose, then I would know it wasn't the credit
>>>> union's login page. It was a user-friendly way to verify the identity of
>>>> the web site.
>>>>
>>>> Anyways, it still isn't a substitute for MFA because there really isn't a
>>>> second factor involved.
>>>>
>>>> Andy
>>>>
>>>> On Thu, 16 Oct 2014, Nick Owen wrote:
>>>>
>>>>> As you may know, since this system uses no cryptography, it is
>>>>> susceptible to MiTM attacks. There's nothing to stop the attacker
>>>>> from showing the pictures and in turn replaying the choice for your
>>>>> server. It's a waste of time, a hassle for the users, more software
>>>>> to maintain and it creates a false sense of security.
>>>>>
>>>>>
>>>>> On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]>
>>>>> wrote:
>>>>>> I heard a rumor today that our Security Office wants to change how CAS
>>>>>> works.
>>>>>>
>>>>>> They want the users to pre-select a picture, then add a caption to it.
>>>>>>
>>>>>> When the user enters their netid they will be presented with multiple
>>>>>> pictures and must select the correct one before being prompted for their
>>>>>> password.
>>>>>>
>>>>>> I know this can be done via web flow in the same way that MFA works, but
>>>>>> this just seems so wrong.
>>>>>>
>>>>>> I’d rather force everyone to use MFA.
>>>>>>
>>>>>> Bryan Wooten
>>>>>>
>>>>>> UIT-Common Infrastructure Systems
>>>>>>
>>>>>> --
>>>>>> You are currently subscribed to [email protected] as:
>>>>>> [email protected]
>>>>>> To unsubscribe, change settings or access archives, see
>>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>>
>>>>> --
>>>>> Nick Owen
>>>>> WiKID Systems, Inc.
>>>>> http://www.wikidsystems.com
>>>>> Commercial/Open Source Two-Factor Authentication