Learning lessons: Fully implement multi-factor authentication

In brief: A report on the October 2023 cyber-attack on the British Library was recently published. It shows that on some on-premise servers multi-factor authentication (MFA) was not fully implemented, and that the absence of MFA contributed to the attackers’ ability to enter the system.

The 18-page report contains 16 lessons learned from the attack; lesson no. 3 is “Fully implement multi-factor authentication”:

“Multi-factor authentication needs to be in place on all internet-facing endpoints, regardless of any technical difficulties in doing so. The Library had MFA in place for all end-user technologies, but not on certain supplier endpoints”.

Link to full report

About Rohos Logon Key

Rohos Logon Key adds strong two-factor authentication for Windows Remote Desktop login and safeguards against 2FA / MFA bypass attacks. Rohos Logon implements multi-factor authentication control in which you can combine different MFA methods: password, PIN code, smartphone, or strong authentication devices like a U2F key, YubiKey, Google Authenticator one-time password codes, SafeNet iKey tokens, or RFID cards. With Rohos you can protect standalone computers, Active Directory workstations, Terminal Servers, Azure and AWS workstations, or apply MFA on top of other remote assistance solutions like TeamViewer and AnyDesk.
Rohos is the only MFA solution that allows preventing MFA bypass, reporting to a SIEM, and sending smartphone push notifications when MFA discrepancies are detected.

Download and try the latest Rohos Logon Key for 15 days (full version)

Get your copy of the Rohos Logon Key

View the list of supported 2FA methods

Latest Two-factor authentication vulnerabilities review

According to information about the latest security incidents at LastPass, Cisco, Uber and Okta, adversaries exploited two-factor authentication procedures to disable or bypass access control. Techniques such as MFA bombing, phishing, MFA fatigue, and 2FA man-in-the-middle (MiTM) attacks were used to mislead end users, steal plaintext passwords and perform MiTM on two-factor authentication. The user-friendly “Allow authentication request” feature was misused as a tool. In all cases, adversaries were able to bypass two-factor authentication by either disabling it on target accounts, stealing MFA secrets, or adding a new MFA profile.

Social Engineering (SE)

In the case of Uber, the attacker first somehow discovered the employee’s WhatsApp number, started a messaging chat, and sent the victim a URL to a fake Uber login page. The intruder then applied SE to convince the legitimate user to enter login credentials on the spoofed Uber login page.

MFA bombing by push notifications

After successfully stealing the user’s login and password, the attacker initiated an MFA bombing/MiTM attack by logging in to the legitimate Uber login page multiple times, generating a storm of “Accept login request” push notifications on the employee’s smartphone. At some point the user confirmed the request, thus allowing the attacker to access the system.


MFA provider re-enrolling

In the case of the Microsoft breach, hackers re-enrolled smartphone-based MFA (push tokens) on a new device by accessing the Okta MFA provider account (or a partial takeover of the MFA vendor’s infrastructure), and then logged in to the target user’s MS accounts using the duplicated MFA.

How to improve your MFA / 2FA control?

Here are a few pieces of advice on how to check your current MFA implementation for improvements:

  1. Train your employees on how to report and act when MFA access requests appear on the smartphone at inappropriate times. After training, perform field tests that generate inappropriate MFA requests to ensure end users react properly.
  2. Check that your employees know a decent and friendly way (social re-engineering?) to verify by phone whether they are really speaking with somebody claiming to be a ‘support desk representative’ from your company.
  3. Monitor your system’s remote access for inappropriate, suspicious or abnormal activity, for example logins outside working hours, MFA failures, or unusually long MFA approval times.
  4. Continue updating your MFA toolset by employing new MFA technologies like U2F FIDO, FIDO2 and WebAuthn in parallel with the current MFA.
  5. Check if your MFA vendor/solution has new features to filter access by IP or MFA device. Check if the MFA solution logs the parameters of MFA activity.
  6. Use gamification within your IT team to simulate or imagine how MFA re-enrollment, misuse and bypass may happen in your organization.
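The monitoring advice in item 3 can be turned into a small detection routine. The following is an added example, not code from Rohos or from this post: it scans a remote-access log for logins outside working hours, runs of MFA failures, unusually long push approvals, and bursts of MFA prompts to one user (the server-side view of the MFA bombing described earlier on this page). The log format, the thresholds and the sample lines are all constructed for the example.

```python
"""Added example (not Rohos code): flag suspicious remote-access / MFA events.
The log format "<timestamp> <user> <event> [key=value ...]", the thresholds
and the sample lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Events: LOGIN, MFA_PROMPT, MFA_OK, MFA_FAIL.
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice LOGIN src=10.0.0.12
2024-03-04T09:02:12 alice MFA_PROMPT method=push
2024-03-04T09:02:20 alice MFA_OK method=push
2024-03-04T14:10:00 carol LOGIN src=10.0.0.33
2024-03-04T14:10:01 carol MFA_PROMPT method=otp
2024-03-04T14:10:09 carol MFA_FAIL method=otp
2024-03-04T14:10:15 carol MFA_FAIL method=otp
2024-03-04T14:10:20 carol MFA_FAIL method=otp
2024-03-04T23:41:03 bob LOGIN src=203.0.113.7
2024-03-04T23:41:04 bob MFA_PROMPT method=push
2024-03-04T23:41:30 bob MFA_PROMPT method=push
2024-03-04T23:41:55 bob MFA_PROMPT method=push
2024-03-04T23:42:10 bob MFA_PROMPT method=push
2024-03-04T23:42:32 bob MFA_PROMPT method=push
2024-03-04T23:47:40 bob MFA_OK method=push
"""

WORK_START, WORK_END = 8, 19                          # assumed working hours 08:00-19:00
MAX_APPROVAL_SECONDS = 120                            # push approvals slower than this are odd
BOMB_PROMPTS, BOMB_WINDOW = 4, timedelta(minutes=5)   # 4+ prompts within 5 min = burst
MAX_FAILS = 3                                         # consecutive MFA failures to report


def parse_line(line):
    """Split one log line into (timestamp, user, event, key/value fields)."""
    ts, user, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), user, event, fields


def analyze(log_text):
    """Return a list of (user, finding) tuples in the order the log triggers them."""
    findings = []
    prompts = defaultdict(list)   # user -> timestamps of MFA_PROMPT events
    last_prompt = {}              # user -> time of the most recent prompt
    fails = defaultdict(int)      # user -> consecutive MFA_FAIL count
    for line in log_text.splitlines():
        ts, user, event, _fields = parse_line(line)
        if event == "LOGIN" and not (WORK_START <= ts.hour < WORK_END):
            findings.append((user, "login outside working hours"))
        elif event == "MFA_PROMPT":
            prompts[user].append(ts)
            last_prompt[user] = ts
            recent = [t for t in prompts[user] if ts - t <= BOMB_WINDOW]
            if len(recent) == BOMB_PROMPTS:   # report once, on the Nth prompt
                findings.append((user, "burst of MFA prompts (possible MFA bombing)"))
        elif event == "MFA_OK":
            fails[user] = 0
            if user in last_prompt:
                delay = (ts - last_prompt[user]).total_seconds()
                if delay > MAX_APPROVAL_SECONDS:
                    findings.append((user, f"MFA approval took {int(delay)} s"))
        elif event == "MFA_FAIL":
            fails[user] += 1
            if fails[user] == MAX_FAILS:
                findings.append((user, f"{MAX_FAILS} consecutive MFA failures"))
    return findings


if __name__ == "__main__":
    for user, finding in analyze(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

The burst rule fires on the fourth prompt inside the window rather than on every later one, so a real bombing run produces a single alert instead of one per notification; the approval-delay rule measures from the last prompt, which is the figure Rohos’s “successful MFA duration time” logging (mentioned below) would supply directly.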

What about Rohos Logon Key?

Rohos Logon Key adds strong two-factor authentication control for Windows Remote Desktop access. Rohos allows you to implement and adopt multi-factor authentication in your business processes with minimal side effects. In Rohos we always experiment with new features.

  • You may employ different MFA methods per user group, depending on requirements or technical skills: password, PIN code, smartphone, or strong authentication devices like a FIDO2 U2F key, YubiKey, Google Authenticator one-time password codes, USB iKey tokens or RFID cards.
  • It is possible to apply MFA by IP filter.
  • It is possible to use MFA bypass control: the desktop is locked immediately when MFA was not used for the login session.
  • Rohos logs all types of MFA events: login session time, MFA prompt time and successful MFA duration time for each user.
  • The Rohos app for Android/iOS does not use ‘Approve access request’ push notifications. With the Rohos MFA app, notification bombing is not possible.
  • Rohos allows adding MFA redundancy by setting up both a FIDO2 physical key and the smartphone app for a specific user account. This MFA diversity can be used to distinguish a legitimate user’s MFA login from a stolen or re-enrolled MFA.

Using SecureData USB flash drive for Windows and Mac Login

Photo by SecureData, Inc.

We would like to recommend the use of a SecureData SecureUSB® Duo encrypted device in conjunction with Rohos Logon Key for Windows logon two-factor authentication. This gives you an additional layer of security. The SecureUSB Duo hardware-encrypted USB flash drive offers host/OS-independent user authentication and military-grade security. User authentication can be done using the physical keypad on the USB drive or via your smartphone using the free User app (iOS or Android). When using the keypad, you can either plug the drive into an open USB port on any type of Windows computer and enter your 7-64-digit PIN (password) to unlock it, or press the key button, enter the PIN, and then plug it into any open USB port. When using the phone to authenticate, you will need to download the free app from the App Store for iPhone or from the Google Play Store for Android devices. To unlock the drive using the app, plug the drive into the host and then open the app on the phone. Using a smartphone for user authentication offers additional security layers that you can set up in the app: you can require 2FA to unlock the drive or use biometrics. We also suggest setting up PIN recovery in case the PIN is ever forgotten. Rohos Logon Key is the only solution on the market that allows setting up two-factor authentication redundancy by employing multiple 2FA methods at the organization level or the user account level. Read more to find out how to configure and use SecureUSB for Windows logon.

Read more

Advice on setting up the admin account for OTP 2FA in conjunction with Rohos and remote access

We would like to share some advice regarding two-factor authentication and its use with an admin account when logging in to Windows RDP. If it is not currently enabled, we would strongly advise setting up the admin account for additional OTP authentication in conjunction with Remote Desktop access and Rohos Logon Key. Let’s review the pros and possible side effects.

Of course, it is highly recommended to use 2FA for the admin account; it is definitely better than keeping it 1FA only. As a reminder, the default RDP login based on NLA credentials (user login and password stored in plain form in the .rdp connection file) on the client side is quite vulnerable now, since these credentials may be stolen and used by malware operators in an automated way, so the attack takes just 5-10 minutes. Today, the absence of additional authentication factors (2FA/MFA) is considered negligent. Moreover, due to recent developments in exploits and malware for the Windows operating system, desktop sessions created by regular user accounts may also be elevated to admin privileges in the domain or Active Directory (AD) with a high success rate, depending on your type of defense (anti-virus type, EDR solutions, etc.). The variety of exploits for horizontal/lateral movement in AD is also huge. And of course, admin accounts are always a special target for cyber-criminals and are traded as a high-price asset on the darknet.
To summarise, you definitely need to start your 2FA security efforts from some point, and admin accounts are the right starting point, showing that you have a cyber-security strategy. This is especially true with Rohos, since it is very easy to start with and has a fixed one-time price.

Read more

P2P encryption ownership in secure online storage products (Mega.nz, OneDrive)

Briefly: Secure storage services such as Mega.nz and OneDrive Vault offer P2P encrypted cloud storage, where the data is encrypted and decrypted in your web browser or on your computer. This provides the highest privacy level, since data is delivered to the cloud storage in encrypted form. Does it really mean the information cannot be accessed by the vendor? Here we show how the vendor completely owns the encryption protocol and data flows, even in your web browser. We also demonstrate why total ownership gives vendors tools for user targeting that may be used to de-private your data. An example with Rohos Disk cloud folder encryption demonstrates the difference.

Read more

2FA Push tokens in Rohos Logon Key mobile

We are glad to announce new MFA push token support for the “Smartphone” authentication method, available in Rohos Logon Key v.4.2. The Rohos Logon mobile app delivers two-factor push notifications to a workstation or remote desktop server for fast and secure access. A single smartphone can keep multiple authentication records to access multiple computers.

Rohos 2FA Push token advantages:

  • Out-of-band multi-factor authentication. The 2FA push token is delivered over a WebSocket channel that uses the mobile device’s own, separate Internet connection.
  • Your account on Google, Amazon or Azure cloud can be used to host the messaging broker, or you can use one of the ready-to-go MQTT SaaS solutions such as MyQttHub.com or CloudMqtt.com.
  • The 2FA push token uses strong AES-256 encryption and OATH technology, so it is resilient against man-in-the-middle and replay attacks even on non-SSL/TLS channels.
  • The Rohos 2FA push token implementation is open-source.
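To show what the OATH part of the replay-resistance claim above means in practice, here is an added example (not the Rohos push-token implementation, whose message format is not described on this page). A phone-side component produces an RFC 4226 HOTP code bound to a monotonically increasing counter, and the workstation side accepts a code only if its counter is ahead of the last accepted one, so a captured push message published again through the broker is rejected. The message layout, the `device`/`session`/`counter`/`code` field names, the shared secret and the look-ahead window are assumptions for this example; the AES-256 layer the page mentions is not shown.

```python
"""Added example (not Rohos code): HOTP (RFC 4226) push-approval token with
server-side counter tracking as replay protection. The message fields, the
shared secret and the look-ahead window are assumptions for this example."""
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PhoneApp:
    """Mobile side: holds the shared secret and a counter that only moves forward."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id, self.secret, self.counter = device_id, secret, 0

    def approve(self, session_id: str) -> str:
        """Build the approval message that would be published via the broker."""
        msg = {"device": self.device_id, "session": session_id,
               "counter": self.counter, "code": hotp(self.secret, self.counter)}
        self.counter += 1
        return json.dumps(msg)


class Workstation:
    """Verifier: a code is accepted once, and only if its counter is ahead of the last one."""

    def __init__(self, secrets: dict, look_ahead: int = 10):
        self.secrets = secrets        # device_id -> shared secret
        self.last_counter = {}        # device_id -> last accepted counter
        self.look_ahead = look_ahead  # tolerated gap for lost/unused approvals

    def verify(self, raw: str, session_id: str) -> bool:
        msg = json.loads(raw)
        secret = self.secrets.get(msg.get("device"))
        if secret is None or msg.get("session") != session_id:
            return False
        c = msg["counter"]
        last = self.last_counter.get(msg["device"], -1)
        if not (last < c <= last + self.look_ahead):
            return False              # replayed (c <= last) or implausibly far ahead
        if not hmac.compare_digest(hotp(secret, c), msg["code"]):
            return False
        self.last_counter[msg["device"]] = c
        return True


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed; enrolled out of band
    phone, ws = PhoneApp("phone-1", secret), Workstation({"phone-1": secret})
    first = phone.approve("sess-A")
    print("fresh approval accepted:", ws.verify(first, "sess-A"))
    print("same message replayed:  ", ws.verify(first, "sess-A"))
```

Because the verifier only ever moves `last_counter` forward, a message sniffed on an unencrypted broker connection buys an attacker nothing after the legitimate phone has used it. Binding the session identifier into the HMAC input (rather than checking it as a plain field) would additionally stop a fresh approval for one session from being redirected to another.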

Read more

How to protect Azure, Amazon WorkSpaces Windows with two-factor authentication

The new Rohos Logon Key 3.9 provides an effective and platform-independent means of multi-factor authentication for your Amazon WorkSpaces desktops. You can protect access to AWS Windows desktops with Google Authenticator OTP codes or YubiKey OTP codes. This greatly increases security, brings compliance with HIPAA or PCI-DSS, or works as a password replacement technology. The same approach works to protect Azure Terminal Servers and workstations.


Read more

How to block Skype and encrypt Skype profile folder

Today Skype offers cool features like chatting, file sharing, video calls, and even calls to landlines. However, your instant message history, contact list, phone numbers, etc. are stored in plain form. Anyone who uses your PC could read this information with a special tool. Children are also exposed to online dangers such as bullying, viruses, and obscene material.

Here is the solution for locking your Skype application from kids and encrypting your Skype profile folder with your IM history and other private data. The same solution also applies to applications such as Google Chrome, Mozilla Firefox, and Opera.

So why do you need to lock Skype Application?

Your Skype profile contains a lot of confidential data like the contact list, IM history, call history, etc. This data is not encrypted by default, which means anyone who uses your PC can read this information easily. If one computer is shared by all 5 members of your family, or you live with a roommate, then you’d probably like a higher level of privacy for your Skype chat logs, received files, and more.

Here are references describing the private data stored in the Skype profile in plain form:

  • http://www.scribd.com/doc/9676016/Skype-Log-File-Analysis.
  • http://dmytry.com/texts/skype_chatlogs_friday_13.html

Your kids are one of those from whom you’d want to “hide” Skype.

Why must you lock Skype from kids?

With over 200 million Skype users worldwide, it remains a cheap, cost-effective alternative to expensive international calls. Statistics show a considerable percentage of Skype users are 14 years of age and older.

Kids are mainly using Skype to:

  • Stay in touch with family and close friends
  • Catch up with friends outside their local calling zones
  • Connect with other students or classrooms across the country or globe through video conferencing
  • Connect to a virtual classroom or webinar for distant learning

The dangers of using Skype by Kids

Like any online community, some Skype users engage in inappropriate behaviour. Young people may be exposed to material that is sexual, hateful, violent, or illegal. Viruses and malware: file sharing in peer-to-peer networks like Skype is a popular channel for the spread of malware (e.g., worms, viruses, Trojans). Malicious software may be embedded in file attachments sent through email or chats to damage a computer or collect personal data like credit card information and passwords.

Your kid might not even be aware of these dangers. So it’s your responsibility to protect your kid. But doing something is far better than nothing, and you have to start somewhere.

Some may say, “Well, do not let your kid use Skype.” Easier said than done. Nowadays kids are very tech-savvy, so it would be a piece of cake for your kid to download the application and create an account. But what if you block access to the application completely?

Rohos Mini Drive, a free encryption utility now gives its users an opportunity to block Skype and encrypt its contents, so no one can open it and use it.

There are also those who want to keep their Skype data confidential so that roommates or employers do not have access to it. That is understandable when it comes to a roommate, but not legitimate when we talk about using Skype on an office computer and depriving your boss of the right to look through chat logs for security purposes. On the other hand, when the CEO of a company is holding a video conference or sending files, it is here that Skype’s history and chat logs are highly vulnerable. Thus, password-protecting and encrypting Skype is especially useful in corporate and business communications.

The chat log, call log and almost all data that Skype puts on your hard disk are not encrypted. Rohos Mini Drive gives you one of the best solutions to password-protect and encrypt Skype using its “Hide folder” feature.

How to encrypt the Skype profile folder

Requirements:

  • Rohos Mini Drive (freeware) or Rohos Disk Encryption (shareware) installed.
  • A virtual encrypted disk created.
  • At least 100 MB of free space on the virtual encrypted disk.
  • The Skype application closed.

Step by step:

  1. Open the Rohos Disk Encryption application.
  2. Connect the encrypted Rohos disk.
  3. Once the Rohos disk is connected, click the Encrypt Application link.
  4. In the Encrypt Application dialog select Skype; Rohos will automatically display your Skype profile path.
  5. Click the Encrypt Application button.
    From now on the Skype profile folder is physically moved into the encrypted Rohos disk and replaced with a shortcut. This allows the Skype application to work as before.

Please note that each Windows user account has its own Skype profile folder. If you wish to lock the Skype application from kids, you need to “Hide Skype Profile” under each Windows user account dedicated to the kids’ login.

How to lock/unlock your Skype profile

Now you can start Skype and make sure everything works well:

  • Without the Rohos encrypted disk connected, the Sign-in window pops up blank (when the disk is on, the same window appears with the Skype name that was used last).
  • You can start Skype, but without first typing in the correct password for the encrypted Rohos drive the profile will not be accessible.

With Rohos Mini Drive, your recent in-transit data and all stored data are encrypted and password protected. So now you can have some privacy on your computer and not worry about secrecy.

To unlock access to Skype just connect your Rohos encrypted partition and work as usual.

Skype autorun issue

Most users set Skype to auto-start with Windows. You need to change this setting in order to comply with the new security rule:

  • Disable Skype autostart and start Skype only after you have connected the virtual encrypted disk.
  • Or set up a USB key for Rohos Disk, so that the Rohos disk connects as soon as the USB key is plugged in. If you plug in the USB key during Windows login, the Rohos disk will be ON as you log in, and Skype will autostart successfully.

In case Skype started while the Rohos virtual disk was OFF, you need to:

  1. Close Skype using the Skype menu near the system clock.
  2. Connect the Rohos disk using the Rohos menu near the system clock or the Rohos disk shortcut on the desktop.
  3. Open Skype again.

Security benefits for your Skype:

  • Your chat logs and instant message history are encrypted.
  • Your Skype contact list is encrypted.
  • Files that you have received via Skype are encrypted as well.
  • Nobody can access your Skype database files with any 3rd-party tool.
  • Your kid will not be able to start the Skype application under your user account.

Rohos Disk Encryption offers security solutions to:

  • keep all of your private files (movies, music, credit card info) on the Rohos encrypted drive;
  • protect any application folder within C:\Program Files\ with a password;
  • keep the Opera, Firefox or Chrome browser locked and encrypted when you are away from the PC;
  • use a single USB key (USB flash drive) to access your secure virtual drive, so you don’t need to remember the password of the Rohos disk.

Beware that private data is always meat for outside hunters, so try to keep it as inaccessible as possible. If you wish to improve your Skype profile security, Rohos Mini Drive comes in handy in this situation.

Download and install Rohos Mini Drive (freeware) or Rohos Disk Encryption (30-day trial shareware)

(Soon) Introducing file encryption in new Rohos Disk

We are working to add a file encryption feature to the Rohos Mini Drive and Rohos Disk Encryption products. This will allow encrypting separate folders and files stored on a computer. It is designed especially for those who are really concerned about the security of confidential information stored in Google Drive or Dropbox. Since both the file data and the file name are stored on the computer in encrypted form, an application like Google Drive will upload already-encrypted content to the cloud storage.


Read more

Two-factor authentication by OTP for TSPlus remote desktop access

We have tried out the Terminal Services Plus (TSPlus) solution for Remote Desktop access to Windows 7/8/10 with Rohos Logon Key installed. Both TSPlus web-based access and the MS Remote Desktop Connection application use the target Windows authentication system. This is the point where Rohos Logon Key applies two-factor authentication control. The following screenshot demonstrates the 2FA requirement upon successful password-based remote access with TSPlus web:

Learn more about Rohos Logon Key benefits with TSPlus remote desktop solution.

Read more