Shakedown Social

Kevin Karhan :verified:<a href="https://mastodon.social/@stman" class="u-url mention" rel="nofollow noopener" target="_blank">@stman</a> <a href="https://infosec.exchange/@Sempf" class="u-url mention" rel="nofollow noopener" target="_blank">@Sempf</a> <a href="https://chaos.social/@LaF0rge" class="u-url mention" rel="nofollow noopener" target="_blank">@LaF0rge</a> yes.Because physical SIMs, like any "cryptographic chipcard" (i.e. <a href="https://social.nitrokey.com/@nitrokey" class="u-url mention" rel="nofollow noopener" target="_blank">@nitrokey</a> ) did all that fancy public/private crypto on silicon and unless that was compromizeable (which AFAICT always necessistated physical access to the <a href="https://infosec.space/tags/SIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#SIM</a>, espechally in pre-<a href="https://infosec.space/tags/OMAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#OMAPI</a> devices) the SIM wasn't 'cloneable' and the weakest link always had been the <a href="https://infosec.space/tags/MNO" class="mention hashtag" rel="nofollow noopener" target="_blank">#MNO</a> /.<a href="https://infosec.space/tags/MVNO" class="mention hashtag" rel="nofollow noopener" target="_blank">#MVNO</a> issueing (may it be through <a href="https://infosec.space/tags/SocialHacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#SocialHacking</a> employees into <a href="https://infosec.space/tags/SimSwapping" class="mention hashtag" rel="nofollow noopener" target="_blank">#SimSwapping</a> or LEAs showng up with a warrant and demanding "<a href="https://infosec.space/tags/LawfulInterception" class="mention hashtag" rel="nofollow noopener" target="_blank">#LawfulInterception</a>"):<ul><li>These "attack vectors" were known and whilst unfixable they could at least be mitigated by i.e. NEVER using a <a href="https://infosec.space/tags/PhoneNumber" class="mention hashtag" rel="nofollow noopener" target="_blank">#PhoneNumber</a> for anything and/or using anonymously obtained <a href="https://infosec.space/tags/SIMs" class="mention hashtag" rel="nofollow noopener" target="_blank">#SIMs</a>. But more and more services like <a href="https://mastodon.world/@signalapp" class="u-url mention" rel="nofollow noopener" target="_blank">@signalapp</a> did <a href="https://infosec.space/tags/regression" class="mention hashtag" rel="nofollow noopener" target="_blank">#regression</a> demanding <a href="https://infosec.space/tags/PII" class="mention hashtag" rel="nofollow noopener" target="_blank">#PII</a> and more and more nations criminalized <a href="https://infosec.space/tags/AnonymousSimCards" class="mention hashtag" rel="nofollow noopener" target="_blank">#AnonymousSimCards</a> under utterly <a href="https://infosec.space/tags/cyberfacist" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyberfacist</a> & <a href="https://infosec.space/tags/FalsePretenses" class="mention hashtag" rel="nofollow noopener" target="_blank">#FalsePretenses</a>!</li></ul>Add to that the regression in flexibility: Unlike a <a href="https://infosec.space/tags/SimCard" class="mention hashtag" rel="nofollow noopener" target="_blank">#SimCard</a> which was designed as a vendor-independent, <a href="https://infosec.space/tags/MultiVendor" class="mention hashtag" rel="nofollow noopener" target="_blank">#MultiVendor</a>, <a href="https://infosec.space/tags/MultiProvider" class="mention hashtag" rel="nofollow noopener" target="_blank">#MultiProvider</a>, device agnostic unit to facilitate the the <a href="https://infosec.space/tags/authentification" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentification</a> and <a href="https://infosec.space/tags/encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#encryption</a> in <a href="https://infosec.space/tags/GSM" class="mention hashtag" rel="nofollow noopener" target="_blank">#GSM</a> (and successor standards), <a href="https://infosec.space/tags/eSIMs" class="mention hashtag" rel="nofollow noopener" target="_blank">#eSIMs</a> act to restrict <a href="https://infosec.space/tags/DeviceFreedom" class="mention hashtag" rel="nofollow noopener" target="_blank">#DeviceFreedom</a> and <a href="https://infosec.space/tags/ConsumerChoice" class="mention hashtag" rel="nofollow noopener" target="_blank">#ConsumerChoice</a>, which with shit like <a href="https://infosec.space/tags/KYC" class="mention hashtag" rel="nofollow noopener" target="_blank">#KYC</a> per <a href="https://infosec.space/tags/IMEI" class="mention hashtag" rel="nofollow noopener" target="_blank">#IMEI</a> (i.e. <a href="https://infosec.space/tags/Turkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#Turkey</a> demands it after 90 days of roaming per year) und <a href="https://infosec.space/tags/lMEI" class="mention hashtag" rel="nofollow noopener" target="_blank">#lMEI</a>-based <a href="https://infosec.space/tags/Allowlisting" class="mention hashtag" rel="nofollow noopener" target="_blank">#Allowlisting</a> (see <a href="https://infosec.space/tags/Australia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Australia</a>'s shitty <a href="https://infosec.space/tags/VoLTE" class="mention hashtag" rel="nofollow noopener" target="_blank">#VoLTE</a> + <a href="https://infosec.space/tags/2G" class="mention hashtag" rel="nofollow noopener" target="_blank">#2G</a> & <a href="https://infosec.space/tags/3G" class="mention hashtag" rel="nofollow noopener" target="_blank">#3G</a> shutdown!) are just acts to clamp down on <a href="https://infosec.space/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> and <a href="https://infosec.space/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a>.<ul><li>And with <a href="https://infosec.space/tags/EID" class="mention hashtag" rel="nofollow noopener" target="_blank">#EID</a> being unique per <a href="https://infosec.space/tags/eSIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#eSIM</a> (like the <a href="https://infosec.space/tags/IMEI" class="mention hashtag" rel="nofollow noopener" target="_blank">#IMEI</a> on top!) there's nothing stopping <a href="https://infosec.space/tags/cyberfacist" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyberfacist</a> regimes like "P.R." <a href="https://infosec.space/tags/China" class="mention hashtag" rel="nofollow noopener" target="_blank">#China</a>, <a href="https://infosec.space/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a>, <a href="https://infosec.space/tags/Iran" class="mention hashtag" rel="nofollow noopener" target="_blank">#Iran</a>, ... from banning "<a href="https://infosec.space/tags/eSIMcards" class="mention hashtag" rel="nofollow noopener" target="_blank">#eSIMcards</a>" (<a href="https://infosec.space/tags/eSIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#eSIM</a> in SIM card form factor) or entire device prefixes (i.e. all phones that are supported by <a href="https://grapheneos.social/@GrapheneOS" class="u-url mention" rel="nofollow noopener" target="_blank">@GrapheneOS</a> ), as M(V)NOs see the EID used to deploy/activate a profile (obviously they don't want people to activate eSIMs more than once, unless explicitly allowed otherwise.</li></ul>"[…] [Technologies] must always be evaluated for their ability to oppress. […] <ul><li>Dan Olson</li></ul>And now you know why I consider a <a href="https://infosec.space/tags/smartphone" class="mention hashtag" rel="nofollow noopener" target="_blank">#smartphone</a> with eSIM instead of two SIM slots not as a real <a href="https://infosec.space/tags/DualSIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#DualSIM</a> device because it restricts my ability to freely move devices.<ul><li>And whilst German Courts reaffirmed §77 TKG (Telco Law)'s mandate to letting people choose their devices freely, (by declarong <a href="https://infosec.space/tags/fees" class="mention hashtag" rel="nofollow noopener" target="_blank">#fees</a> for reissue of eSIMs illegal) that is only enforceable towards M(V)NOs who are in <a href="https://infosec.space/tags/Germany" class="mention hashtag" rel="nofollow noopener" target="_blank">#Germany</a>, so 'good luck' trying to enforce that against some overseas roaming provider.</li></ul>Thus <a href="https://infosec.space/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> attacks in GSM-based networks are easier than ever before which in the age of more skilled than ever <a href="https://infosec.space/tags/Cybercriminals" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybercriminals</a> and <a href="https://infosec.space/tags/Cyberterrorists" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cyberterrorists</a> (i.e. <a href="https://infosec.space/tags/NSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#NSA</a> & <a href="https://infosec.space/tags/Roskomnadnozr" class="mention hashtag" rel="nofollow noopener" target="_blank">#Roskomnadnozr</a>) puts espechally the average <a href="https://infosec.space/tags/TechIlliterate" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechIlliterate</a> User at risk.<ul><li>I mean, anyone else remember the <a href="https://infosec.space/tags/Kiddies" class="mention hashtag" rel="nofollow noopener" target="_blank">#Kiddies</a> that fucked around with <a href="https://infosec.space/tags/CIA" class="mention hashtag" rel="nofollow noopener" target="_blank">#CIA</a> director <a href="https://infosec.space/tags/Brennan" class="mention hashtag" rel="nofollow noopener" target="_blank">#Brennan</a>? Those were just using their "weapons-grade <a href="https://infosec.space/tags/boredom" class="mention hashtag" rel="nofollow noopener" target="_blank">#boredom</a>", not being effective, for-profit cyber criminals!</li></ul>And then think about those who don't have privilegued access to protection by their government, but rather "privilegued access" to prosecution by the state because their very existance is criminalized... The only advantage eSIMs broight in contrast is 'logistical' convenience because it's mostly a <a href="https://infosec.space/tags/QRcode" class="mention hashtag" rel="nofollow noopener" target="_blank">#QRcode</a> and that's just a way to avoid typos on a cryptic <a href="https://infosec.space/tags/LocalProfileAgent" class="mention hashtag" rel="nofollow noopener" target="_blank">#LocalProfileAgent</a> link.

Kevin Karhan :verified:<a href="https://digipres.club/@foone" class="u-url mention" rel="nofollow noopener" target="_blank">@foone</a> the whole unfixably fucked security is something <a href="https://mastodon.social/@stman" class="u-url mention" rel="nofollow noopener" target="_blank">@stman</a> and I discussed in lenghts.<ul><li>We came to the conclusion that using PS/2 ports and having a fully-transparent keyboard in a vlear, sealed case with reference images is the only option.</li></ul><a href="https://infosec.space/tags/USB" class="mention hashtag" rel="nofollow noopener" target="_blank">#USB</a> is unfixably broken as it inherently does neither <a href="https://infosec.space/tags/authentification" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentification</a> (<a href="https://infosec.space/tags/BIOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#BIOS</a> & <a href="https://infosec.space/tags/UEFI" class="mention hashtag" rel="nofollow noopener" target="_blank">#UEFI</a> filter only by <a href="https://infosec.space/tags/HID" class="mention hashtag" rel="nofollow noopener" target="_blank">#HID</a> class drivers if they can do so at all!) nor proper integrity checking nor any <a href="https://infosec.space/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a> whatsoever.<ul><li>Most enterprises and organizations that I know who do care about this literally hardwire systems, but them in lockedcabinets, use <a href="https://infosec.space/tags/PS2" class="mention hashtag" rel="nofollow noopener" target="_blank">#PS2</a> HIDs, disable <a href="https://infosec.space/tags/USB" class="mention hashtag" rel="nofollow noopener" target="_blank">#USB</a> controllers and set ports and headers in resin...</li></ul>I mean, as soon as you got a <a href="https://infosec.space/tags/PwnPi" class="mention hashtag" rel="nofollow noopener" target="_blank">#PwnPi</a> or <a href="https://infosec.space/tags/PoisonTap" class="mention hashtag" rel="nofollow noopener" target="_blank">#PoisonTap</a> at your hand, it's gameover... <a href="https://www.youtube.com/watch?v=Aatp5gCskvk" rel="nofollow noopener" translate="no" target="_blank">https://www.youtube.com/watch?v=Aatp5gCskvk</a>

Kevin Karhan :verified:<a href="https://mastodon.social/@waldoj" class="u-url mention" rel="nofollow noopener" target="_blank">@waldoj</a> or even better: Abolish <a href="https://infosec.space/tags/SSN" class="mention hashtag" rel="nofollow noopener" target="_blank">#SSN</a>|s as a means of <a href="https://infosec.space/tags/authentification" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentification</a> entirely! <a href="https://www.youtube.com/watch?v=Erp8IAUouus&pp=ygUMY2dwIGdyZXkgc3Nu" rel="nofollow noopener" translate="no" target="_blank">https://www.youtube.com/watch?v=Erp8IAUouus&pp=ygUMY2dwIGdyZXkgc3Nu</a>

F. Maury ⏚Je viens de publier un cours intitulé "Identité et méthodes d'authentification" sous licence CC-BY : <a href="https://broken-by-design.fr/posts/cours-id-authn/" rel="nofollow noopener" translate="no" target="_blank">https://broken-by-design.fr/posts/cours-id-authn/</a>Ce cours s'adresse aux personnes de niveau M2 et aux professionnel.les débutant.es, même si les plus expérimenté.es pourraient y trouver des informations intéressantes.Il comprend une introduction aux différents types de référentiels d'identités, avant de plonger dans l'authentification, sous des angles juridiques et techniques. Authentification multifacteur, forte, résistante au phishing, assurant de bonnes garanties de vie privée ! Authentification à l'état de l'art ! Vous pourrez en apprendre plus à ces sujets grâce à ce cours.Et ce n'est que la première partie ! Ce mois-ci, une seconde partie sera publiée, sur le sujet de l'autorisation, avec un TP de mise en place de <a href="https://infosec.exchange/tags/Keycloak" class="mention hashtag" rel="nofollow noopener" target="_blank">#Keycloak</a> pour une authentification fédérée avec OpenID Connect! À suivre !<a href="https://infosec.exchange/tags/oidc" class="mention hashtag" rel="nofollow noopener" target="_blank">#oidc</a> <a href="https://infosec.exchange/tags/webauthn" class="mention hashtag" rel="nofollow noopener" target="_blank">#webauthn</a> <a href="https://infosec.exchange/tags/identit%C3%A9" class="mention hashtag" rel="nofollow noopener" target="_blank">#identité</a> <a href="https://infosec.exchange/tags/authentification" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentification</a> <a href="https://infosec.exchange/tags/saml" class="mention hashtag" rel="nofollow noopener" target="_blank">#saml</a> <a href="https://infosec.exchange/tags/tls" class="mention hashtag" rel="nofollow noopener" target="_blank">#tls</a> <a href="https://infosec.exchange/tags/motdepasse" class="mention hashtag" rel="nofollow noopener" target="_blank">#motdepasse</a> <a href="https://infosec.exchange/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#password</a> <a href="https://infosec.exchange/tags/snc" class="mention hashtag" rel="nofollow noopener" target="_blank">#snc</a> <a href="https://infosec.exchange/tags/eidas" class="mention hashtag" rel="nofollow noopener" target="_blank">#eidas</a> <a href="https://infosec.exchange/tags/dsp2" class="mention hashtag" rel="nofollow noopener" target="_blank">#dsp2</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cours" class="mention hashtag" rel="nofollow noopener" target="_blank">#cours</a> <a href="https://infosec.exchange/tags/ccby4" class="mention hashtag" rel="nofollow noopener" target="_blank">#ccby4</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a>

Recent searches

Search options

Administered by:

Server stats:

#authentification