2 person 2-factor authentication? – Information Security Stack Exchange

I’m trying to build a system as follows:

  • User 1 is a low permission user. They will be using their phone and at some point will need to do a secure action.
  • User 2 is an admin user and will be in the same room as user 1.
  • User 2 will generate a temporary code on their own device (could be a phone or desktop), and then verbally give the code to user 1.
  • User 1 will then enter the code given to them to complete the secure action.

Ideally, neither user 1 nor user 2 will reveal their account usernames to each other. The only thing that will be exchanged is the code.

The backend system I am using to build the basic user authentication is ASP.NET Core MVC with ASP.NET Identity, and this will include an API to validate and generate the codes.

Does anyone have any ideas about how to implement the code generation and validation?
Potentially the codes will need to be long enough to identify which admin user requested the code (and thus approved the action), but hopefully not so long that they become unwieldy (maybe 6-8 characters?).

(I posted this to Stack Overflow: https://stackoverflow.com/questions/64073338/2-person-2-factor-authentication
but was recommended to post on this site.)
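One way to implement the issue-and-redeem flow asked about above, as an added Python sketch of the server-side logic (not code from the question, and not an ASP.NET sample): the code itself can stay short because the server record, not the code, links it to the approving admin, the single action it authorises and an expiry; only a hash of the code is stored, it is single-use, the match is a constant-time comparison, and wrong guesses are rate-limited per redeeming user. The 31-symbol alphabet, the two-minute TTL and the five-attempt limit are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed alphabet: upper-case letters and digits minus the ones that are
# easily confused when read aloud or typed (0/O, 1/I/L). 31 symbols, so an
# 8-character code carries roughly 39.6 bits of entropy.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 8
CODE_TTL_SECONDS = 120   # assumption: long enough to be spoken and typed
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed per redeeming user


@dataclass
class PendingCode:
    code_hash: bytes   # SHA-256 of the code; the plaintext is never stored
    admin_id: str      # who approved; the code itself need not encode this
    action: str        # the one action this code authorises
    expires_at: float
    used: bool = False


class ApprovalCodeService:
    """Issue single-use approval codes to admins and redeem them for users."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock for tests
        self._pending: List[PendingCode] = []
        self._failures: Dict[str, int] = {}  # wrong guesses per user_id

    @staticmethod
    def _digest(code: str) -> bytes:
        # Normalise case and whitespace so a spoken code can be typed either way.
        return hashlib.sha256(code.strip().upper().encode()).digest()

    def issue(self, admin_id: str, action: str) -> str:
        """Generate a code for `admin_id` approving `action`; show it to the admin only."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._pending.append(
            PendingCode(self._digest(code), admin_id, action,
                        self._now() + CODE_TTL_SECONDS)
        )
        return code

    def redeem(self, user_id: str, code: str, action: str) -> Optional[str]:
        """Consume `code` for `action` on behalf of `user_id`.

        Returns the approving admin_id (for the audit log) or None on any failure.
        """
        if self._failures.get(user_id, 0) >= MAX_ATTEMPTS:
            return None                      # locked out: too many wrong guesses
        now = self._now()
        # Drop expired codes first so they can never be redeemed late.
        self._pending = [p for p in self._pending if p.expires_at > now]
        wanted = self._digest(code)
        for entry in self._pending:
            # Constant-time comparison of the digests.
            if hmac.compare_digest(entry.code_hash, wanted):
                if entry.used or entry.action != action:
                    break                    # replay or wrong action: count as failure
                entry.used = True
                self._failures.pop(user_id, None)
                return entry.admin_id
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        return None


def demo() -> Dict[str, Optional[str]]:
    """Walk through the expected outcomes with a fake clock."""
    clock = [1_000.0]
    svc = ApprovalCodeService(now=lambda: clock[0])
    code = svc.issue("admin-42", "refund")
    results = {
        "wrong_action": svc.redeem("user-7", code, "delete-account"),  # None
        "ok": svc.redeem("user-7", code.lower(), "refund"),            # "admin-42"
        "replay": svc.redeem("user-7", code, "refund"),                # None
    }
    stale = svc.issue("admin-42", "refund")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.redeem("user-7", stale, "refund")         # None
    fresh = svc.issue("admin-42", "refund")
    for _ in range(MAX_ATTEMPTS):
        svc.redeem("user-9", "ZZZZZZZZ", "refund")                     # burn the attempts
    results["locked_out"] = svc.redeem("user-9", fresh, "refund")      # None
    return results


if __name__ == "__main__":
    print(demo())
```

Because the admin identity is recovered from the server record, the returned `admin_id` is what goes into the audit entry for the approved action; the two users never need to exchange anything beyond the code.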

security – Screen Lock Service as a Device Administrator

Background:

I was looking at the device administrators of my phone in the settings and saw a device administrator called “Screen lock service”. Its description is “Activating this administrator will allow the app Google Play services to perform the following operations: set password rules”.

A previously unsettled question is found here.

I searched the net for the apk file of the application but could not find one. So as per suggestions, I ran

adb shell dumpsys package resolvers | sed -n /android.app.action.DEVICE_ADMIN_ENABLED/,/:/p

The output of the above command was:

  android.app.action.DEVICE_ADMIN_ENABLED:
    438a74 com.motorola.demo/.admin.DemoModeAdminReceiver
    2acd3de com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver
    36b5d24 ch.deletescape.lawnchair.ci/ch.deletescape.lawnchair.gestures.handlers.SleepMethodDeviceAdmin$SleepDeviceAdmin
    42aae3e com.google.android.gms/.tapandpay.admin.TpDeviceAdminReceiver
    8efd08d com.google.android.gms/.kids.account.receiver.ProfileOwnerReceiver
    9b4f242 com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver
    a9980b6 com.oasisfeng.greenify/.DeviceAdmin
    b5771b7 com.google.android.gm/com.android.email.SecurityPolicy$PolicyAdmin
  com.motorola.internal.intent.action.INETCONDITION_REPORT:

The output is quite unsettling, because none of the entries seem to correspond to Screen lock service.

For reference, I am using a Moto G5 Plus (not rooted, stock build with no customizations).

Also note that I own another device of the same model which is rooted and runs Pixel Experience (Android 10, latest build), and unfortunately it does not have the Screen lock service.

Any insight into, or breakdown of, this application would be helpful.
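To make the dumpsys excerpt above easier to triage, here is an added Python helper (not from the question or any answer to it) that parses this `dumpsys package resolvers` format, expands the `pkg/.Class` shorthand to fully qualified receiver names and groups the device-admin receivers by package. It is worth knowing what the output can and cannot tell you: dumpsys lists component names, whereas the Settings screen shows each admin receiver's user-facing label, so the string “Screen lock service” is not expected to appear verbatim here. The grouping does narrow the search, though: the description quoted in the question attributes the admin to Google Play services, and four of the eight receivers belong to `com.google.android.gms`.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample input: the output quoted in the question (adb shell dumpsys package
# resolvers, filtered with sed down to the DEVICE_ADMIN_ENABLED block).
DUMPSYS_EXCERPT = """\
android.app.action.DEVICE_ADMIN_ENABLED:
  438a74 com.motorola.demo/.admin.DemoModeAdminReceiver
  2acd3de com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver
  36b5d24 ch.deletescape.lawnchair.ci/ch.deletescape.lawnchair.gestures.handlers.SleepMethodDeviceAdmin$SleepDeviceAdmin
  42aae3e com.google.android.gms/.tapandpay.admin.TpDeviceAdminReceiver
  8efd08d com.google.android.gms/.kids.account.receiver.ProfileOwnerReceiver
  9b4f242 com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver
  a9980b6 com.oasisfeng.greenify/.DeviceAdmin
  b5771b7 com.google.android.gm/com.android.email.SecurityPolicy$PolicyAdmin
com.motorola.internal.intent.action.INETCONDITION_REPORT:
"""

DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# "some.intent.ACTION:" at the start of a line opens a new block.
ACTION_RE = re.compile(r"^(\S+):\s*$")
# "  <hex id> <package>/<class>" lines belong to the current block.
ENTRY_RE = re.compile(r"^\s+[0-9a-f]+\s+(?P<pkg>[\w.]+)/(?P<cls>\S+)\s*$")


def qualify(pkg: str, cls: str) -> str:
    """Expand the dumpsys shorthand `pkg/.Cls` to `pkg.Cls`; absolute names pass through."""
    return pkg + cls if cls.startswith(".") else cls


def parse_resolvers(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each intent action to its list of (package, fully qualified receiver class)."""
    actions: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            current = m.group(1)
            actions[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            pkg = m.group("pkg")
            actions[current].append((pkg, qualify(pkg, m.group("cls"))))
    return actions


def receivers_by_package(actions: Dict[str, List[Tuple[str, str]]],
                         action: str = DEVICE_ADMIN_ACTION) -> Dict[str, List[str]]:
    """Group the receivers registered for `action` by owning package."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for pkg, cls in actions.get(action, []):
        grouped[pkg].append(cls)
    return dict(grouped)


if __name__ == "__main__":
    for pkg, receivers in receivers_by_package(parse_resolvers(DUMPSYS_EXCERPT)).items():
        print(pkg)
        for cls in receivers:
            print("   ", cls)
```

The same parser works on the unfiltered `dumpsys package resolvers` output, since every block has the same `ACTION:` header followed by indented entries; pass a different `action` to `receivers_by_package` to inspect another intent.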

javascript – Node.js static file security: What happens if hackers can control my bucket?

If you lose control over your JavaScript files, anything can be done with them.

If you load the files inside your Node application (e.g. import them, eval them, or similar)

So an important question is: why are you serving code from a different location, outside of your control?

Wouldn't it be better to serve data files from S3 and serve code from your own controlled host (e.g. load JSON files from S3)?

linux – Which security measures would be helpful for running executables from a mathematically-safe range? Do I need to take any?

I’m going to be searching within the byte range 90,000 – 99,999, explicitly for executables. Each one found will be executed on the same system before the next jump. If execution is successful, the file will be retained for further inspection at a later time. Despite this range falling well within what is considered “mathematically safe”, which types of security precautions would still be beneficial to take during this type of data generation attack?

security – Google Play services running electronics Forced Shut

How can someone who broke into my Gmail keep activating my Google Account after I deactivated the account on July 29th? It was reopened the same day, not by me.
It activated my new phone, with everything being forced shut, due to me thinking Google was shut down.
Every permission is on in the background: running my SD and rewriting the SD card, returning phone calls, stopping my messages and pictures going through, putting a halt to my phone, stating only emergency calls or out of service area.
Can anyone help me out? My whole tablet has been compromised also, all being run through Safari on Mac OS X. I go to Walgreens to download the pictures of my Mom, who just passed away, and me; they are only compatible with Mac OS X or a PC, and I own neither.

security – Is the Lightning Network sufficiently secure and well tested for wumbo channels?

Lightning is great but one can’t say it is battle-tested. If script kids were interested, they could take down those shiny new 5 BTC wumbo channels at negligible cost and with no effort at all.

The underlying issue is that a channel cannot hold more than 483 HTLCs at a time, regardless of the channel capacity. Sending 483 micro-payments to yourself and holding on to the HTLCs is enough to incapacitate a channel for up to two weeks.

By utilizing the max route length to add loops, each payment can consume up to 9 HTLC slots on the target channel. If the script kid is lucky, they only need to send 54 payments to get it done. A single tiny channel takes double-digit amounts of Bitcoin out of business.

Below is me locking up approximately 5,800,000 satoshis with a refundable 18 satoshi payment looping five times through three mainnet channels owned by Bitfinex and OpenNode. For basically as long as I want. This happened today.

Joost locking up sats

Wanting to become the world’s payment system sounds good but we can’t have trivially exploitable vulnerabilities like this. Walk the talk.

Therefore I started a new project called Circuit Breaker: a firewall for Lightning nodes. The primary goal is to encourage thinking about this problem with the potential to grow into a full-fledged Lightning protection system.

joost debug output

This question was answered by Joost Jager on Twitter.

security – MongoDB access from remote machine

I am setting up a new server. I thought I would tighten security after the configuration was complete. I did modify the bind IP to listen only on the machine’s private IP and 127.0.0.1. Authentication is not enabled yet. Port 27017 is open to the public (to be closed). I see connection requests coming in from remote IPs and being accepted. What would explain that? The Mongo version is 4.4. Sample entry from the log file:

  {"t":{"$date":"2020-09-21T21:36:07.392+05:30"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"193.118.53.202:56504","connectionId":79,"connectionCount":38}}
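Two things are worth separating when reading a log like this. `bindIp` only selects the local addresses mongod listens on; it says nothing about which remote sources may reach those addresses, which is the job of a host or network firewall. And the 4.4 log is one JSON document per line, so it can be triaged mechanically. The following is an added Python helper, not from the question or its answers, that pulls out every `Connection accepted` event and splits the sources into loopback, private and public addresses. Its sample input is the line quoted above plus constructed lines in the same shape.

```python
import ipaddress
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the first line is the entry quoted in the question; the
# others are made up in the same MongoDB 4.4 one-JSON-document-per-line shape,
# plus one non-JSON line to show the parser tolerating debris.
SAMPLE_LOG = """\
{"t":{"$date":"2020-09-21T21:36:07.392+05:30"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"193.118.53.202:56504","connectionId":79,"connectionCount":38}}
{"t":{"$date":"2020-09-21T21:36:08.001+05:30"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.12:41200","connectionId":80,"connectionCount":39}}
{"t":{"$date":"2020-09-21T21:36:08.500+05:30"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:50000","connectionId":81,"connectionCount":40}}
*** constructed truncated line that is not JSON ***
{"t":{"$date":"2020-09-21T21:36:10.250+05:30"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"193.118.53.202:56510","connectionId":82,"connectionCount":41}}
"""


def parse_remote(remote: str) -> Tuple[ipaddress._BaseAddress, int]:
    """Split the logged 'host:port' (tolerating a bracketed IPv6 host) into (address, port)."""
    host, _, port = remote.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def classify(addr: ipaddress._BaseAddress) -> str:
    """Loopback first (it is also 'private' in the ipaddress module), then RFC 1918/ULA, else public."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def accepted_connections(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (timestamp, source address, source port, class) for every accepted connection."""
    events = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a structured log line; skip rather than abort the whole file
        if rec.get("c") != "NETWORK" or rec.get("msg") != "Connection accepted":
            continue
        addr, port = parse_remote(rec["attr"]["remote"])
        events.append((rec["t"]["$date"], str(addr), port, classify(addr)))
    return events


def triage(log_text: str) -> Dict[str, object]:
    """Summarise accepted connections by source class and list the public sources."""
    events = accepted_connections(log_text)
    by_class = Counter(cls for _, _, _, cls in events)
    public_sources = Counter(addr for _, addr, _, cls in events if cls == "public")
    return {
        "total": len(events),
        "by_class": dict(by_class),
        "public_sources": dict(public_sources),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Anything under `public_sources` reached the private listener from outside, and with authentication still disabled each such line is an unauthenticated client that was let in; the counter gives you the list of addresses to check against what the firewall should have permitted.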

Outdated Version of jQuery In WordPress Failing Security Audit

I did a localhost test of a custom WP theme I’m building, and in Google Chrome’s Lighthouse audit it is failing the ‘best practices’ part of the audit because of an old version of jQuery that seems to be shipped with WordPress (jQuery version 1.10.2).

Wasn’t this previously solved with something called jQuery Migrate?

I am a bit new to this side of things so any help would be wonderful.

I’m currently on the latest version of WordPress (5.5.1).

How do I solve this problem (i.e. updating jQuery or any other solution)?