USB security keys

Anyone got anything good or bad to say about them?

Do they work with linux as well as Windows?

I don't have a clue about them, but a youtube channel I watch has been hacked twice in a month despite 2FA and all that jazz. He mentioned it might be time for a security key, hence my question here.

Also, if 2FA hasn't stopped a hacking attempt, what use is it?!

Thanks for reading, and thanks for any answers being written at a 5 year old's level!

Reply to
David Paste

The main problem with 2FA on sites like youtube is that it is not really being used that well. It is set up for convenience and ease of use rather than strong security.

The 2FA is used to establish a session, but that session is then made semi-permanent by use of session cookies. So once the platform has passed the 2FA, it is then in effect left logged in for extended periods of time. Most of the compromises seem to be based on stealing those session cookies, and then transplanting them to the attacker's system. Lo and behold, their browser is then automatically logged into the account with no need for further 2FA checks.

2FA ought to be required for every login, with an inactivity timeout that logs out of the account if not used for 30 mins etc.

It is also not a good idea to use the machine that is used for interacting with the account, uploading etc, for non-related tasks like admin and email. If you only have one machine, do all the admin stuff inside a virtual machine that is never used to access the account. That way even if it is compromised, there are no sessions to hijack.

Reply to
John Rumm
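The mechanism John describes above, as an added worked example (this is a constructed model of a site's session handling, not YouTube's or anyone else's code): both factors are checked once at login, the browser is handed a bearer cookie, and from then on every request is trusted on the strength of that cookie alone. The 30 minute inactivity limit is the one suggested in the post; the 12 hour absolute cap, the `revoke_all` "sign out everywhere" call and the timeline values are assumptions made for the example.

```python
"""Why a stolen session cookie walks past 2FA, and what session lifetimes do
about it.

Constructed model of a site's session handling (not YouTube's or anyone
else's code): the factors are checked once at login, after which the
browser holds a bearer cookie and every later request is trusted on the
strength of that cookie alone.
"""
import secrets

INACTIVITY_LIMIT = 30 * 60        # log out after 30 min idle, as the post suggests
ABSOLUTE_LIMIT = 12 * 60 * 60     # assumption: hard cap on a session's life, 12 h


class Session:
    def __init__(self, user, now):
        self.user = user
        self.issued_at = now       # when both factors were last verified
        self.last_seen = now       # last request that used this cookie


class SessionStore:
    """In-memory table of cookie value -> Session."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, password_ok, totp_ok, now):
        """Both factors are checked here, once. The reward is a bearer token."""
        if not (password_ok and totp_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(user, now)
        return cookie

    def check(self, cookie, now):
        """What the server does on every request: look the cookie up.

        Nothing ties the cookie to the machine that logged in, so whoever
        presents it *is* the user as far as the server can tell. The only
        limits are time based."""
        s = self._sessions.get(cookie)
        if s is None:
            return None
        if now - s.issued_at > ABSOLUTE_LIMIT or now - s.last_seen > INACTIVITY_LIMIT:
            del self._sessions[cookie]      # expired: force a fresh login + 2FA
            return None
        s.last_seen = now                   # any activity resets the idle clock
        return s.user

    def revoke_all(self, user):
        """'Sign out of all devices': the only immediate fix once a cookie is loose."""
        doomed = [c for c, s in self._sessions.items() if s.user == user]
        for c in doomed:
            del self._sessions[c]
        return len(doomed)


def run_scenarios():
    """Four timelines; each records what the attacker experiences."""
    t0 = 1_700_000_000
    results = {}

    # 1. Infostealer copies the cookie jar 10 min after the creator logged in.
    store = SessionStore()
    stolen = store.login("creator", True, True, t0)   # byte-for-byte copy
    results["stolen_cookie_accepted"] = store.check(stolen, t0 + 600) == "creator"

    # 2. Same theft, but nobody used the session for 31 min before the attacker tried.
    store = SessionStore()
    stolen = store.login("creator", True, True, t0)
    results["idle_session_accepted"] = store.check(stolen, t0 + 31 * 60) == "creator"

    # 3. Attacker keeps the session warm every 20 min: the idle timeout never
    #    fires and only the absolute cap ends it.
    store = SessionStore()
    stolen = store.login("creator", True, True, t0)
    t = t0
    while store.check(stolen, t + 20 * 60) == "creator":
        t += 20 * 60
    results["kept_alive_seconds"] = t - t0

    # 4. Creator notices and signs out everywhere: the stolen copy dies at once.
    store = SessionStore()
    stolen = store.login("creator", True, True, t0)
    store.revoke_all("creator")
    results["accepted_after_revoke"] = store.check(stolen, t0 + 60) == "creator"
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Timeline 3 is the caveat worth keeping in mind: an inactivity timeout only helps if the attacker also stops using the cookie, so a site needs an absolute session lifetime (and a working "sign out of all sessions" button) as well as the idle limit.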

TL;DR is that they are better than nothing. Think of them as locking your car, which deters 90% of casual attacks.

I know SMS based 2FA is susceptible to hijacking (due to poor security on the telcos' part). But (and this applies to a lot of cases) there is a certain amount of effort needed, which tends to eliminate a lot of potential victims.

Reply to
Jethro_uk

Windows 11 (and I think Windows 10 too) comes with Sandbox. You will need to enable VT-D or virtualisation in the BIOS and also enable it in the add/remove programs option in control panel.

It's easier to start up and use, albeit a cut down version of full fat Windows, and has the Edge browser. Once you exit Sandbox, it's literally thrown away and you start with a completely fresh new Sandbox, whereas a VM would be persistent across restarts and reboots. If you get infected in a VM, you'd have to roll back or rebuild the VM, whereas with Sandbox, just close down and restart.

If you want to print or have a diff browser then that's a bit of a faff, as you'd have to install every time you use Sandbox as it's non-persistent.

SH

Reply to
SH

Or set the browser to clear cookies each time it is closed?

Reply to
Handsome Jack

Yup Win 10 has it as well.

Indeed - it can be quite handy for testing software installs and all kinds of things where you don't want persistent storage of anything.

First thing to consider is that the sandbox *is* a VM - sat atop Hyper-V. It is just configured so that it boots from a known checkpoint each time. You can achieve the same functionality with any VM platform using checkpoints. You in effect just stick a stake in the ground, give it a name, and then you can always revert to that point in time - including reverting to the VM's file system as it was at the time of the checkpoint. (although if you connect to a real network drive etc and make changes to that, then those will not revert)

For your general email platform, you may want some persistence, since you probably don't want to re-install and configure your email system every morning, and wait for it to sync however many gig of email.

You can always create your own sandbox, where the starting point includes all your baseline software and setup.

Reply to
John Rumm

Do you make sure you close all browser windows every time you access email? Do you make sure that your machine does a secure erase of the cookie storage every time as well?

Reply to
John Rumm

You have to clean out DOM storage as well (search for +++ and branded items) . And webappsstore.sqlite is also abused on a browser (some web sites pound on that, so that must be part of advertising). That's for Firefox. Chrome may well have details like this, but Chrome is very careful to spray shit all over the place (for the obvious reasons).

I don't use this, but I consider the scripts in here to be a good source of information regarding cleaning. I read these, rather than execute them.

formatting link
# Windows

formatting link
# Linux

When webappsstore.sqlite is above 10MB in size, that causes a pretty obvious performance problem with Firefox (higher latency, move slider nothing happens). That's why it gets a hair cut here, every one to two days.

Paul

Reply to
Paul

I looked into them a few weeks ago but couldn't work out whether there would be any benefit for me in having one in my situation, using a PC mostly and a phone sometimes. So I bought one of these,

formatting link
a fingerprint reader that works with Windows Hello (don't know about Unix) to avoid the niggle of entering the password on the rare occasions that Windows is restarted. I leave it plugged into one of the USB ports on the top of the PC case so it's convenient to use.

Reply to
Peter Johnson

Just make sure that you have a backup for when your fingerprint is not recognised.

I find that when doing some forms of DIY such as plastering, handling sandpaper etc. neither of my devices that have fingerprint readers will recognise my finger(s). Also when my hands have been immersed in water for some time or perhaps handling bleach I get the same problem.

Reply to
alan_m

Not the latter, certainly. Can these "compromises based on stealing session cookies and then transplanting them to the attackers system" retrieve cookies deleted by the browser? Seems a bit of a stretch, though I have no idea exactly how browsers delete cookies.

Reply to
Handsome Jack

You can "undelete" deleted files, so generally yes.

Reply to
John Rumm
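Why John's "undelete" answer applies to cookies specifically, as an added example (constructed here, not code from any browser or from anyone in the thread): browsers keep cookies in SQLite files (Firefox in cookies.sqlite, Chrome in a file named Cookies), and a DELETE in SQLite only unlinks the row; the bytes stay in the page until they are overwritten. The table below borrows the name moz_cookies but its column layout is an assumption made for the example, as is the session value `TOKEN`; the behaviour shown is SQLite's own, and it is independent of the browser.

```python
"""Deleting a cookie row is not the same as erasing it from the file.

Constructed example, not any browser's code: a table imitating Firefox's
moz_cookies (assumed layout) holds a session cookie, the row is deleted the
way 'clear cookies on exit' does it logically, and the raw file is then
scanned for the value. Three variants: plain delete, delete with SQLite's
secure_delete setting on, and delete followed by VACUUM.
"""
import os
import sqlite3
import tempfile

# Constructed session cookie value, long enough to be unmistakable in a raw scan.
TOKEN = "SID=" + "f00dcafe1234" * 5


def delete_then_scan(path, secure_delete, vacuum):
    """Create a cookie DB at path, store TOKEN, delete its row, then return
    True if TOKEN is still readable in the raw bytes of the file."""
    con = sqlite3.connect(path)
    # secure_delete makes SQLite zero freed space at delete time; it is a
    # per-build default and a per-connection setting, so set it explicitly.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute(
        "CREATE TABLE moz_cookies ("
        "id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT)"
    )
    con.execute(
        "INSERT INTO moz_cookies (host, name, value) VALUES (?, ?, ?)",
        (".example.com", "SID", TOKEN),
    )
    con.commit()

    # Logical deletion: from here on no SELECT will ever return the row.
    con.execute("DELETE FROM moz_cookies WHERE host = ?", (".example.com",))
    con.commit()
    if vacuum:
        con.execute("VACUUM")   # rebuilds the file from live rows only
    con.close()

    with open(path, "rb") as f:
        return TOKEN.encode() in f.read()


def run_all():
    """Run the three variants in a scratch directory and report whether the
    'deleted' cookie value could still be carved out of each file."""
    with tempfile.TemporaryDirectory() as d:
        def p(name):
            return os.path.join(d, name)
        return {
            # the freed cell keeps its bytes inside the page
            "plain_delete_recoverable": delete_then_scan(p("a.sqlite"), False, False),
            # freed space overwritten with zeros as part of the DELETE
            "secure_delete_recoverable": delete_then_scan(p("b.sqlite"), True, False),
            # VACUUM copies only live rows into fresh pages
            "vacuumed_recoverable": delete_then_scan(p("c.sqlite"), False, True),
        }


if __name__ == "__main__":
    for k, v in run_all().items():
        print(f"{k}: {v}")
```

The scan only looks at the database file itself. Even in the two "clean" cases the value may still sit in the rollback journal or WAL file that SQLite wrote during the transaction, in the browser's session-restore files, or in disk blocks the operating system has freed but not reused, which is the undelete route John refers to. "Clear cookies on exit" is a logical delete, not a wipe.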

Yes, I've come across that with the phone. With the PC it defaults to wanting a password, and the fingerprint reader has to be chosen. I haven't worked out how to make the reader the default, if it is possible.

Reply to
Peter Johnson
