It’s Time to Move on from 2FA via SMS

Why have we been relying so heavily on SMS to provide us with extra security when SMS itself is not secure? Gmail, Facebook, Twitter, Apple, PayPal, even LastPass (my chosen password manager), along with most of the other services we use daily, offer two-factor authentication (2FA) via SMS. The only service I use that does not provide an SMS option for its 2FA is ProtonMail. There is a very good reason a service built on security does not have this option. While LastPass does provide the option, it discourages it in favour of an authentication app. Let me preface this by saying SMS-based 2FA is better than no 2FA at all. We will get to that later.

SMS is an outdated service; we have much more secure messaging services such as iMessage, WhatsApp, etc. SMS messages are unencrypted and pass through multiple unsecured networks. This means that your mobile carrier, the government and hackers can read the contents of your messages. Another basic security flaw is that while our phones and other devices are generally protected through biometrics or a password, our SIM cards are not (although some people do use passwords for theirs). Someone with access to your phone can use your SIM card by simply putting it in their own device. Then there are also SIM swap attacks. Attackers can socially engineer the victim into giving up personal information and then use this information to convince an employee of the victim’s phone service provider to port the number to a SIM held by the attacker. Of course, in most security systems, the human factor is the weakest link. Employees can also simply be bribed to port the victim’s phone number.

But please do not forgo 2FA altogether! A relatively easy-to-overcome hurdle is still an extra hurdle. Attackers generally tend to choose the easier, quicker option, so those without 2FA become victims more often. Please also do not make the mistake of thinking that your accounts are not worth hacking or that hackers will not find anything of use in your accounts. Everyone should use 2FA, even if it is SMS-based. With that said, if you’re ready to ditch SMS as your method of 2FA, here are some app options:

If you seek even more security or less hassle, you can go with a hardware-based solution (Universal 2nd Factor) which involves physically using a key. Yep, it’s a little ironic. Here are Yubico and Google’s Universal 2nd Factor (U2F) options:

Hack This Site – Tutorial 1: The Idiot Test

Hack This Site, unlike Hack The Box, is completely free. It allows you to test and improve your hacking skills as well as serving as a hub for those involved in security. It is not as active or up to date as HTB but the community have done a good job of keeping it alive and going after the founder’s departure.

I would advise you not to get discouraged by the name of this particular challenge. It goes without saying that being unable to do this challenge does not make you an idiot; everyone starts at a point where they would not be able to. Therefore you can ignore the pretext discouraging you from asking for help.

This challenge is the first one under their basic missions category and requires some knowledge of HTML. I will list the steps one by one despite this being a very short mission.

  1. Right click on the page and select Inspect (Ctrl + Shift + I).
  2. Look through the code. After the part with the long text, you will see a commented section. Comments in HTML are written between <!-- and -->. The comment here tells us the password.
  3. The password is a mixture of lowercase letters and numbers. Put this password in and you are done!

Hack The Box – Tutorial 1: Invite Code

Hack The Box is an online platform that allows penetration testing and serves as a hub for people involved in cyber security. With new machines and challenges released on a weekly basis, it is preferable to Hack This Site (Which is still worth your time! In fact, I will be making tutorials for both in parallel).

For the time being I plan on keeping the tutorials concise in order to avoid taking the fun out of the challenges. However, I may change my style with time if I decide that a different approach may be better.

  1. We start off by inspecting the website. Right click on the page and click inspect (Ctrl + Shift + I).
  2. Check the elements. We’re after one of the scripts. It’s the one with the source “/js/inviteapi.min.js”.
  3. Go to hackthebox.eu/js/inviteapi.min.js
  4. Anything catch your eye? Hopefully it’s “makeInviteCode”! That is what we need.
  5. Go back to the invite page and from there to Console (next to Elements).
  6. We want to see what this function contains. Type makeInviteCode() and hit Enter.
  7. Expand the data. You should get a line of encrypted data and the encryption method. Mine was ROT13, a simple shift cipher. Yours may be different.
  8. Decrypt the data. ROT13 is when you encrypt the data by rotating each letter by 13 in the alphabet. So ‘V’, the first letter of our data, becomes ‘I’. If you don’t already know how to do this, I recommend doing it by hand. Otherwise you can use a website to do it for you. In either case, if you are craving some coding practice on the side you could always make your own decryption program for this. We are asked to make a POST request to hackthebox.eu/api/invite/generate.
  9. Now we need a terminal! Make your request by typing: curl -XPOST https://www.hackthebox.eu/api/invite/generate
  10. You should see the code, and that it is encoded. Once you decode it, you will have your invite code.
  11. The encoding is in Base64. Here is a decoder you can use for this.
  12. Your code should be five groups of five uppercase letters separated by hyphens. Pop it in on the invite page.
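The decoding in steps 7 to 12 can be done offline with a small script. This is an added example, not code from the original post or from Hack The Box: the method labels `ROT13` and `BASE64`, the function names and both sample strings are assumptions constructed for illustration.

```python
import base64
import re
import string


def rot13(text):
    """Rotate each ASCII letter 13 places; leave everything else untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + 13) % 26 + 65))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))
        else:
            out.append(ch)  # digits, spaces, slashes, punctuation
    return "".join(out)


def b64(text):
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(text, validate=True).decode("utf-8")


# Assumed labels for the "encryption method" shown next to the data.
DECODERS = {"ROT13": rot13, "BASE64": b64}


def decode_step(data, enctype):
    """Pick the decoder named by enctype; fail loudly on anything unknown."""
    try:
        decoder = DECODERS[enctype.upper()]
    except KeyError:
        raise ValueError(f"no decoder for {enctype!r}") from None
    return decoder(data)


# Step 12: five groups of five uppercase letters separated by hyphens.
INVITE_RE = re.compile(r"[A-Z]{5}(-[A-Z]{5}){4}")


def is_invite_code(code):
    return INVITE_RE.fullmatch(code) is not None


# Constructed samples, not real responses from the site.
SAMPLE_HINT = ("Va beqre gb trarengr gur vaivgr pbqr, "
               "znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr")
SAMPLE_CODE_B64 = base64.b64encode(b"ABCDE-FGHIJ-KLMNO-PQRST-UVWXY").decode()

if __name__ == "__main__":
    print(decode_step(SAMPLE_HINT, "ROT13"))
    code = decode_step(SAMPLE_CODE_B64, "BASE64")
    print(code, is_invite_code(code))
```

Because ROT13 is its own inverse, the same function both encodes and decodes, which is why neither it nor Base64 protects the data: both are reversible without any key.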

Welcome to the community!

Nunkish: How I decrypted the con-lang of Violet Evergarden

When I started my Security Engineering course at university, something sparked in me. The excitement was not unlike that which I felt at discovering programming for the first time as a child; there is something incredibly satisfying about the puzzle-like nature of these subjects. You fit the pieces together and something just clicks, or you get the full picture. That’s it.

The first project I tackled with my newfound hobby, apart from my weekly lab sessions of course, was to decrypt the con-lang of the show I was watching at the time. Violet Evergarden. I do not remember being so thoroughly excited, at least to this extent, about anything else during my time at university.

I happened to find out that the language was affectionately called “Nunkish” by some fans due to the lack of an official name for it. This was based on the fact that nunki was the first word they had translated: thank you. The only other words they had been able to work out the meaning of were ummu and uppu: father and mother.

My instinct was that this could be a Caesar cipher or a substitution cipher. It proved to be the latter as you will soon find out. These ciphers are incredibly susceptible to frequency analysis, which is why they should not be used for sensitive information. We failed despite this fact.

I then compared “nunki” to “thank you” in almost every language, including romanised versions of ones written in alternate alphabets, finding there were only two possible candidates. One happened to be Tamil, which has its own script; this is why we had not succeeded with the frequency analysis. After checking “ummu” and “uppu” in these languages, it appeared that Tamil written in the Latin script was used in the making of Nunkish. Each letter of the Latin alphabet was given a corresponding symbol to create a unique alphabet for show, which was then applied to the cipher.
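The crib comparison described above can be automated: a candidate language fits only if every known word pair is explained by one consistent letter-for-letter substitution. This is an added example, not the program mentioned in the post. The candidate word lists, including the romanised Tamil spellings, are assumptions chosen for illustration.

```python
def derive_key(pairs):
    """Return a cipher->plain letter map if every (cipher, plain) pair fits
    one bijective substitution, otherwise None."""
    fwd, rev = {}, {}
    for cipher, plain in pairs:
        if len(cipher) != len(plain):
            return None  # a simple substitution preserves word length
        for c, p in zip(cipher, plain):
            # each cipher letter maps to one plain letter, and vice versa
            if fwd.setdefault(c, p) != p or rev.setdefault(p, c) != c:
                return None
    return fwd


# Words from the post: thank you, father, mother.
CIPHER_WORDS = ["nunki", "ummu", "uppu"]

# Assumed candidate spellings; the post does not list them.
CANDIDATES = {
    "English": ["thanks", "father", "mother"],
    "German": ["danke", "papa", "mama"],
    "Tamil (Latin script)": ["nanri", "appa", "amma"],
}


def test_candidates(cipher_words=CIPHER_WORDS, candidates=CANDIDATES):
    """Map each candidate language to its derived key (None if inconsistent)."""
    return {lang: derive_key(list(zip(cipher_words, words)))
            for lang, words in candidates.items()}


def translate(word, key):
    """Apply a partial key; letters not yet recovered become '?'."""
    return "".join(key.get(ch, "?") for ch in word)


if __name__ == "__main__":
    for lang, key in test_candidates().items():
        print(lang, "->", key if key else "rejected")
```

English fails on word length and German fails because the repeated letter in "nunki" would need two different plaintext letters. The Tamil spellings yield a partial key that can be extended as more on-screen words are matched.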

Upon sharing my findings with two fans of the show on the r/VioletEvergarden Discord server, we translated more words shown on screen until we could build a program to do the translation between the two languages. Between my curiosity brimming and the program being finished, there were a maximum of one and a half hours. But I will cherish the memory of the childlike wonder I felt for the first time in a very long time.

And that is the story of how I learned some Tamil due to simple brute-force.
