
AvianQuests

Photography.Travel.Technology Unbound!

MFA versus MITM

Sunday, August 28, 2022

MITM defeated

 

A spider's web is a real sticky situation and serves as a perfect trap for the unaware prey. 


In the real world and online, it is the same. We don't want to end up as the "free lunch" of threat actors.

Each person/organization is fair game for the "predators" (persons/entities) with malevolent intent/actions who utilize cunning and deceit to lure their prey to the bait and capture them.


BACKGROUND

I set up my future-proof desktop PC last year to adhere to up-to-date hardware/software standards.
 
This was to eliminate and/or prevent internet persons/entities from obtaining access to any of my accounts on-premise or Cloud-based whilst using my desktop PC.


Thus, I put Yubico into action last year. Everything went fine for some months until June 2022, when something was really off.

That was when I decided to start using my licensed Microsoft Word word-processing and Microsoft Excel spreadsheet applications installed on my desktop PC.

I am fully aware that the attack surface for "bad actors" expanded upon installing the above-mentioned applications.

To expand the attack surface further, I also used a well-known web-based communications application.

Now, the proof of the pudding is the eating, right? 



Then out of nowhere one afternoon, a MITM (Man-In-the-Middle) attack took place. 

Suddenly, I noticed I could not use the word-processing and spreadsheet applications on my desktop PC.

It suddenly became "unlicensed".

What?

Furthermore, my licensed software was asking me to change my web authentication and was not giving me access to my security-key authentication.

By the way, these applications (word/spreadsheet) are legitimate out-of-the-box licensed software applications, which were tied to my email account.


SOLUTION/MITIGATION:

As this "MITM" event was unfolding in real time, I quickly responded to all the tick-box prompts being automatically flagged by my free VoodooShield account.

Then I logged in to my Microsoft account using an alternate route/link and:

- checked for changes;

- restored my mobile phone number;

- initiated additional restoration of email ...;

- saved the account.

(Threat actors cannot really save account information changes in real time since they do not have access to the security-key authentication/biometrics.)

I then updated all my browsers to the latest versions. 

When I made my initial assessments, and this was done really quickly whilst the abnormality was happening in real time, I shut off the web-based communications application/software, which is tied to my email/online account.


At first, I thought it was the web browser (which was outdated) that was the alleged gateway for the application/account compromise.


Then I checked the status of my email account by invoking a separate link, which I discovered while scanning for a solution.

Guess what, the bad guys/actors had changed my phone number and entered two unknown phone numbers.

So, I acted like a ninja and summoned my powers on hand.

So, I immediately deleted the unwanted phone numbers.

Placed an alternate email recovery reference.

Got that verified and validated with another paid/licensed email provider account.

The email account I use for my Microsoft account was restored to its original secure state.

Also, VoodooShield popped up with a warning about attempts to run a PowerShell script on my PC,

so I blocked this with the VoodooShield switch. If you are the switch master, then tick it OFF and that nails it for good.

Sealed off PowerShell requests for good.

Next, I did fast ninja moves and downloaded the latest installer of my web browser.


I also resurrected and activated the built-in browser of my operating system (OS), which from now on I will use only for emergency purposes.


I uninstalled the old web browser and installed the latest one. This one required a PC reboot which I did.

By the way, before rebooting, make sure to have all open online accounts logged off and all cookies and cache deleted.

I then disconnected my PC/LAN cable from my router.

Checked and assessed the situation (simple forensics) before going back online.

Plugged my physical security MFA key back in.

Plugged my PC/LAN cable back in and booted up my desktop PC.

So, the result of my post-attack event assessment was that the entry point/portal was the communications software, which used a web-based log-on where I had authenticated with my physical key.

Unknowingly, the group chat was connected to an unsecured server (e.g., a file server) on which the MITM threat actor(s) could snoop on incoming/outgoing traffic through the communications application/software.


So, I re-installed and configured the latest version of this communications software and, upon physically touching my MFA key, ran the PC desktop version; I was able to log in to my communications app for desktop without any problems.


This time I invoked an option to log in with GitHub and use its MFA Auth to seal the ultimate security deal.

Thanks to GitHub requiring log-in/membership and enforcing physical-key-based MFA authentication, this established Fort Knox protection against MITM.


POST-ATTACK MONITORING

Again, back to post-attack event monitoring, and herewith are the results:

- Bitdefender warnings ceased/absence of malevolent warnings;

- Seamless log-on to the communications software (desktop version) with GitHub MFA authentication;

- I was able to use my word-processing and spreadsheet application software without reinstallation and/or license key activation.

Test!

Whilst I was already using the latest web browsers, Bitdefender still popped up warnings.

Thus, I concluded and realized that the MITM spoofing of my MFA authentication was originating from Skype for Web and the account which I had logged on to earlier.

I exited the Skype for Web application.

I downloaded Skype for Desktop and installed it.

Now, since the MITM relies on web access via Skype to intercept the log-on, I got Skype for Desktop to authenticate, this time with a third-party MFA authentication (GitHub) which I had authorized before with my physical security key, as one of their account membership musts.


Into the Web


FURTHER FORENSICS

I also discovered that my Wi-Fi router/modem info might have been intercepted when I sent the photo via unencrypted email (which was my bad).

I eventually ended up having my telco/internet service provider replace my old/outdated Wifi-router to a latest and up-to-date model for FREE. Yehey! (Two thumbs up for that.)   

CONCLUSION


In a nutshell, the months of June and July 2022 mark the days when zero-day exploits were at their height. I'm no exception.

I went back to the drawing board and did a deep dive into what was really going on.

I also purchased a new licensed Windows 11 Pro.

Installed, configured the same, and put the security policies in place and updated eve

Of course, MFA and key auth are a must!

So far, so good.

Hey, but wait, I added a pair of hardware devices too.  However, that will remain a secret for now.

It's not a guarantee, but at least the attack surface has now been greatly reduced and well mitigated.

Major takeaways for this "battlefield" journey are as follows:

  • Learn the attack methods via an installed "honeypot" desktop PC


At the end of the day, lose some battles but ultimately, win the war.

Zero trust is a must, especially when logging in (for example, to Skype group chats, either private or public).

For this use case, key-based MFA auth combined with legitimate third-party MFA-auth is the key to enhanced MFA security.


Be sure to have your Skype get authenticated by a reputable and reliable highly secured MFA Auth implementing website like GitHub. 

This is the first time in my many years of desktop computing that I encountered MITM spoofing via MFA auth credentials.

PowerShell-intercepting application VoodooShield ... cuts off the fulfillment of 


Purchase, and use legitimate and licensed software/applications.


Update your PC/laptop BIOS, et cetera, and observe safe computing habits/practices.


Do install, configure and implement the latest System Monitor (Sysmon) from Sysinternals.

MS SysInternals

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

What's New (August 16, 2022)

Sysmon v14.0

This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.
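As an added example (not the blog's own config, nor one shipped by Sysinternals), here is a minimal Sysmon configuration that ties the two points above together: it records every PowerShell launch and PowerShell network connection, the kind of activity VoodooShield flagged, and uses the v14.0 FileBlockExecutable rule to stop executables being dropped into the user's Temp folder. The schemaversion 4.82 is assumed to be the Sysmon 14.0 schema; the paths are illustrative.

```xml
<!-- Added example config, not from the blog or Sysinternals.
     Assumes the Sysmon 14.0 schema (4.82); confirm with "sysmon64 -s". -->
<Sysmon schemaversion="4.82">
  <EventFiltering>

    <!-- Event ID 1 (ProcessCreate): log every PowerShell launch, including
         the command line and parent image, so an unexpected script run
         is recorded even if a blocker such as VoodooShield stops it. -->
    <RuleGroup name="powershell-launch" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\pwsh.exe</Image>
        <Image condition="end with">\powershell_ise.exe</Image>
      </ProcessCreate>
    </RuleGroup>

    <!-- Event ID 3 (NetworkConnect): PowerShell reaching out to the network
         is the classic sign of a download cradle; log it for review. -->
    <RuleGroup name="powershell-network" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\pwsh.exe</Image>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event ID 27 (FileBlockExecutable, new in v14.0): the write of an
         executable into the user's Temp folder fails and is logged.
         Downloads is deliberately NOT blocked here: legitimate installers
         (such as a fresh browser installer) land there. -->
    <RuleGroup name="block-temp-executables" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Install it with `sysmon64 -accepteula -i sysmon-config.xml` (or `sysmon64 -c sysmon-config.xml` to update a running instance); the events appear under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational in Event Viewer.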


Yubico is MFA KING


Until next blog.

Cheers!


A peaceful mind generates 
elevated and uplifting thoughts 
for one's benefit 
and 
also 
your 
immediate environment/world.




If you like this blog, 

Support My Blog, Buy Me Coffee


  Till next blog post. 

Keep safe, and keep blogging.

Do check me out/follow me on the social media channels below:
 
Instagram: avianquest
 
Twitter: avianquest
 
Facebook:  avianquest


The Secret of a Glorious O Gaming Mouse in 2022

Wednesday, April 13, 2022


 
Warmest welcome 
to my 
humble blog.
 
Oops, we are not up to any of Victoria's Secret stuff here.


(Hint: Read up to the last part of the blog for the secret reveal of the Glorious O mouse.)


Here's the story.

During the last remaining six days of March 2022, my main desktop mouse, a Redragon M601-3 CENTROPHORUS 3200 DPI gaming mouse that I use for my daily grind, literally conked out or got ahead of its next life, or in short "died".


I tried reinstalling the software for this mouse, which installed successfully; however, the mouse operated with quirky behavior even when I conjured the immortal resurrection jutsus.

It doesn't want to play master and puppet games anymore.

I even tried assigning the right to left ... again, a total failure.

So, I concluded that something was wrong and the reason it went kaput was in the mechanical part of the trigger mechanism/contacts/circuitry of the mouse.




A good thing was that I had a backup ordinary class B mouse lying around, which I used as a stop-gap measure so I could go about my daily desktop operations/activities unimpeded.

I am not a gamer; however, I use gaming specs as a baseline for quality hardware that justifies the daily wear and tear of a desktop mouse more effectively/efficiently.




I remembered that sometime last year I got myself my first Glorious product, a full-size padded keyboard wrist rest (17.5 x 4 inches / 44 x 10 cm), probably to arrest/prevent carpal tunnel syndrome.

In addition, I still really enjoy using this first Glorious product/accessory to the present day.
 

So, I decided, why not check out Glorious's other product offerings?

I went into a deep dive of due diligence/research and came up with a "proper" daily-driver desktop mouse.
 
It certainly makes a lot of sense that the Glorious brand is my next daily-driver mouse of choice (the one which sports the elevated cord version, though), which is just fine.

It's a big deal to me since the mouse specs, price, and performance up to this day deliver S-tier add-on value.

Price-wise, it is a bang for the buck.

Specs-wise, Star-trek yup!
 
Performance-wise, it would not land in an S-tier class.

Upon arrival, I went through the motions.


World-class and solid box packaging.
 

Very straightforward:  logo, tag line, weight, model, product class.

 

The belly of the box: tech specs, S/N, et cetera.



It's actually an O Minus mouse type that I purchased.
 
Located online in the

 
section.

I went through a well-explained and quick walk-through of the Glorious Quick Start Guide



Glorious S-tier Class Gaming Mouse O Wired





 
Click above for a video unboxing of the Glorious O Minus wired matte mouse, or click on the image below to watch the unboxing video.

 
 UNBOXING Glorious O minus wired matte white mouse
 
 
 
Behold the Glorious O Minus white matte wired mouse.

Spanking fresh/brand new!




My first up close and personal with a Glorious O matte wired mouse.

SET UP


 
It's really lightweight (58 grams!), as I found when I picked the mouse up out of the box for the first time.

Before using the mouse, on its underside are blue protective film strips at the four corners of its G-skates with markings "remove".

Be sure not to forget and remove these to get the G-skates revved up to slide max...
 




There's a free Glorious sticker too! Yey!




Above is a creative photo I took of the Glorious O Minus white matte wired mouse.


Best gaming Mouse Tier List 2020
Credits: DAVE2D


Well, guess what, I stumbled onto this video by Dave2D.


THE SECRET WAS REVEALED!!!!

 
The video is dubbed 

in YouTube, 
which by the way 
featured one of the mouse line up, 
a  Glorious O (Wireless) mouse 
in Dec. 6, 2020,
and that is two years ago, 
which was rated 
by DAVE2D
as one of the 
first S-Tier 
class gaming mouse!


Now, fast forward today, 2022.

S-Tier INDEED!

For the gamer-agnostic like me, the gaming specs of this mouse will get you through your daily grind activities. For gamers/players out there who push this mouse to its limits, have a Glorious end game to all.

After a week of heavy use (8-12 hours daily), the Glorious O Minus wired white matte delivered without click or scrolling fails.

Also, it looks cool with the room lights off as the ARGB colors look cool. I chose breathing mode.

I am contemplating replacing its skates with glass skates in the future.

I, therefore, personally conclude that it was a glorious moment for a GLORIOUS mouse as a top S-tier mouse experience.


By the way, I sourced the Glorious O Minus Wired Matte White Mouse via rotoblox philippines.




Video is powered by licensed  
version 11.
 
Filmed/photographed with a humble OnePlus NORD.





A Kavaborg Enlightenment

Friday, April 1, 2022