The WiKID Blog | WiKID Systems
http://www.wikidsystems.com/blog/
2017-08-15T19:18:05+00:00
The WiKID Blog, musings on two-factor authentication, information security and some other stuff.

Evading Microsoft ATA > Another reason to use 2FA for Windows Admins
2017-08-15T19:18:05+00:00 | root | http://www.wikidsystems.com/blog/author/root/
http://www.wikidsystems.com/blog/evading-microsoft-ata-another-reason-to-use-2fa-for-windows-admins/
<p>Nikhil "SamratAshok" Mittal has a great <a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html" title="Week of Evading Detection by ATA">series of posts on how to avoid detection</a> by <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata" title="MS ATA">Microsoft's Advanced Threat Analytics (ATA)</a>.</p>
<p>We won't say that you shouldn't deploy ATA to monitor your network for suspicious behavior, especially if it is already covered by your licensing. However, it does seem like an example of technology designed to protect something that you'd be better off not having at all: static admin credentials. As we proved in our last post on <a href="http://www.wikidsystems.com/blog/defeating-pass-the-hash-attacks-with-two-factor-authentication/" title="Defeating pass-the-hash attacks with 2FA">defeating pass-the-hash with two-factor authentication</a>, tools like mimikatz will fail when using WiKID's native AD protocol for Admins. ATA seems like a great tool, but Nikhil has shown that defense-in-depth is the key, as always.</p>

Users: before you use two-factor authentication, make sure the admins do!
2016-08-31T21:08:07+00:00 | root | http://www.wikidsystems.com/blog/author/root/
http://www.wikidsystems.com/blog/users-before-you-use-two-factor-authentication-make-sure-the-admins-are/
<p>Dropbox is the latest internet-based service to <a href="http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts">suffer a mega-breach</a>.</p>
<p>Once again all the users are urged to use two-factor authentication to protect their accounts. </p>
<p>But here's the problem: <strong><em>if the privileged users and administrators of these services aren't using two-factor authentication, then it doesn't matter.</em></strong></p>
<p>These mega-breaches of millions of passwords didn't happen because users were attacked -- the sites were breached. If the sites are breached again, it won't matter that users have two-factor authentication.</p>
<p>Take the recent <a href="https://www.onelogin.com/blog/august-2016-incident">Onelogin breach</a>:</p>
<ul>
<li>We subsequently discovered evidence that an unauthorized user gained access to this system by compromising a OneLogin employee’s password for that system.</li>
</ul>
<p>OneLogin, a service that provides two-factor authentication, doesn't protect critical user data with two-factor authentication. Nor do they even list implementing two-factor authentication for privileged users as a post-attack remediation action!</p>
<p>This is why we say that urging users to adopt two-factor authentication feels like blaming the victim. </p>