Trust hierarchies in your everyday life

Posted on 2020-02-25 by Alexei Doudkine in Personal Security

Well, it finally happened! Last Sunday my phone died. Proper died, no response, no battery indicator, nothing. It’s a brick. 🙁 Naturally, being a slave to our little black rectangles that we carry in our pockets, I promptly went to purchase a new one and start setting it up. This is where most articles start preaching about the importance of backups, but you already know about that so I won’t go down that road. I will mention that backups did save me days of my life and leave it at that.

Rather, it made me think of all the little systems that I use in my everyday life that I almost never consciously think about and the trust relationships they have with one another. For example, logging into my Twitter account from a new device prompted Twitter to require I validate the new device through my email (Gmail). In this case, Twitter has a trust relationship with my Gmail account and assumes that I, and only I, have access to that email account. I quickly realised that I don’t have access to Gmail anymore. This is where things got interesting.

I, along with most people in the infosec industry, have a unique security (read paranoia) profile. Using a password manager (LastPass) and having multi-factor authentication on most things is a must for me. Token-based MFA rather than SMS protects against certain attacks and of course my phone is encrypted. What I realised is that, as your security increases, so does the complexity of recovering from a catastrophic failure of a critical system. It is not as simple as just logging in with a new device.

The logical deadlock

As I’m installing all my apps again, my thought process goes like this:

  1. I need to login to LastPass to get access to my other passwords.
  2. I need my MFA token to login to LastPass.
  3. I need access to Authy (MFA app) to recover my tokens.
    • (… and thank God I backed these up!)
  4. I need access to my Google account to access Authy (since it uses Google for authentication).
  5. I need my MFA token to login to Google.
  6. I need access to Authy to recover my tokens.
  7. Uh-oh…

Here we have a logical deadlock because the trust hierarchy has a loop in it. Lucky for me, I didn’t skip the part in Google’s MFA process where it asked me to print a copy of 10 scratch codes. For those who may not know, scratch codes are a one-time use token that can be used in place of the regular MFA token. Each scratch code can be used only once, so it should be “scratched” off the paper once used. In my example, the scratch codes plus my Google password are the root of my trust hierarchy.

If you are reading this and thinking “but I didn’t print off my scratch codes”, go do it now! It will not only save you time, but a lot of stress too. Another common deadlock may occur when you store your email account password in your password manager. You may need to verify a new login to your password manager through email, but your email account password is in your password manager. Uh-oh!
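The deadlock above can be checked mechanically. The following is an added example, not part of the original post: it models the accounts from the list as "what do I need in hand to log in on a new device" and computes which accounts can ever be recovered. The dependency sets, the assumption that both passwords are memorised, and the Twitter entry are constructed for illustration.

```python
# Each account lists alternative sets of things needed to log in on a new
# device. Account names follow the post; the exact sets are assumptions.
REQUIRES = {
    "lastpass": [{"lastpass_master_password", "authy"}],
    "authy": [{"google"}],
    "google": [
        {"google_password", "authy"},          # normal MFA login
        {"google_password", "scratch_codes"},  # printed one-time codes
    ],
    "twitter": [{"lastpass", "google"}],  # password in LastPass, check via Gmail
}

# Assumed: the only things still available after the phone dies.
MEMORISED = {"lastpass_master_password", "google_password"}


def recoverable(in_hand):
    """Fixed point: keep unlocking accounts until nothing new opens up."""
    have = set(in_hand)
    progress = True
    while progress:
        progress = False
        for account, options in REQUIRES.items():
            if account not in have and any(opt <= have for opt in options):
                have.add(account)
                progress = True
    return have & set(REQUIRES)


def deadlocked(in_hand):
    """Accounts that can never be reached from what is in hand."""
    return set(REQUIRES) - recoverable(in_hand)


if __name__ == "__main__":
    print("without scratch codes, locked out of:", sorted(deadlocked(MEMORISED)))
    print("with scratch codes, locked out of:",
          sorted(deadlocked(MEMORISED | {"scratch_codes"})))
```

Anything reported as locked out with only memorised secrets in hand needs an offline root such as printed scratch codes.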

Attacking trust hierarchies

As a hacker I can’t help but think how damaging an attack on trust hierarchies can be. For example, imagine someone compromised your main email account. The consequences go far beyond just “reading sensitive emails”. It could mean accessing other systems that trust the email account (via password reset), and then abusing those systems’ trust relationships, and so on. Suddenly, you’ve completely pwned a person’s life by controlling their banking, socials, government portals, etc.

The closer the attacker is to the root of the trust hierarchy, the more damage they could do. When deciding how to protect yourself, it is important to consider this. For example, when securing something close to the root, such as your password manager, you should go all out: enable MFA and require logins from new devices to be approved. However, if the system is far away, such as a hobby forum, it’s probably safe to just use a strong password. Of course, the final decision is up to you and the importance you place on each system.
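To decide where to "go all out", you can rank your own accounts by how much else falls if each one is lost. This is an added example, not from the original post; the account names and the trust edges are a constructed sample you would replace with your own.

```python
from collections import deque

# Constructed graph: "A: [B, ...]" means control of A is enough to get into B
# (stored password, password reset email, "sign in with" link).
UNLOCKS = {
    "password_manager": ["email"],
    "email": ["bank", "social", "gov_portal"],  # password reset by email
    "social": ["hobby_forum"],                  # assumed "sign in with" link
    "bank": [],
    "gov_portal": [],
    "hobby_forum": [],
}


def blast_radius(start):
    """Every account that falls, directly or transitively, if `start` is lost."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in UNLOCKS[queue.popleft()]:
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def hardening_order():
    """Accounts sorted so the ones closest to the root come first."""
    return sorted(UNLOCKS, key=lambda a: (-len(blast_radius(a)), a))


if __name__ == "__main__":
    for account in hardening_order():
        print(f"{account:17} exposes {sorted(blast_radius(account))}")
```

Accounts at the top of the list are the ones that warrant MFA and new-device approval; those with an empty blast radius are the leaves.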

Dry runs

It is important to go through these thought experiments often and I encourage you to do so. It is also important to actually practice recovery to identify issues you may not have thought of. Next time you get a new phone, pretend you don’t have access to your old one. Turn off the old one and don’t touch it. Can you still get into your accounts?

Do the same thing from an attacker’s point of view. Pretend you only have access to your email account. Now try to access other systems using only information you find along the way.

Taking the time to consider your own trust hierarchy can not only prevent a long and stressful recovery process, but also protect you from attackers who seek to abuse that process.

About the author

Alexei Doudkine is Co-Founder and Offensive Director at Volkis. Hacker, tinkerer, car modder and dog person, Alexei has been in the infosec game for over 10 years focusing on the “attack” side of security. You can catch him on Twitter and LinkedIn.

Cover photo by Alexander Andrews on Unsplash.
