by e12e
4195 days ago
> "In OS X, if you attempt to adjust DNS servers via networksetup -setdnsservers, it asks for a password.
> (...)
> However, if you can go into the Network settings and manually click some buttons that the system prevents you from clicking with the keyboard, you can adjust settings without a password."

Interesting hack, somewhat relieved to see that a) it's for OS X, and b) it just leverages a poor design/trade-off between security and convenience on that platform. I suppose this kind of stuff is a good reason to disable sudo-session caching (or whatever it's called) and demand an OTP for elevating privileges [on Linux]. Looks like Windows supports OTP, but only with a dedicated server handling the authentication -- does anyone know if there's an easy way to demand OTP for UAC elevation to local admin on a stand-alone Windows 8.1 workstation?

[edit: for Linux/FreeBSD the libpam-oath package/toolkit can be used to enable TOTP (Time Based One-time Passwords) that are compatible with Google Authenticator -- there are a lot of tutorials on how to use it with OpenSSH (and with the new ability to demand a set of authentication methods, how to demand e.g. both ssh-key and a TOTP). With a little familiarity with PAM, it's easy to set up for demanding OTP for sudo. AFAIK OS X also supports PAM -- but if the GUI allows the system to be backdoored, there's not much point...]
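The sudo setup mentioned in the comment above, sketched as an added example (not part of the original thread): sudo credential caching disabled and a TOTP code demanded by pam_oath before the normal password prompt. The Debian/Ubuntu file layout, the `/etc/users.oath` path, the user `alice` and the secret are assumptions; the secret is a constructed placeholder.

```conf
# --- /etc/sudoers.d/otp (edit with: visudo -f /etc/sudoers.d/otp) ---
# Disable credential caching: every sudo invocation re-authenticates.
Defaults timestamp_timeout=0

# --- /etc/pam.d/sudo (Debian/Ubuntu layout assumed) ---
#%PAM-1.0
# Ask for a TOTP code first. "required" means a wrong code fails the stack
# even if the password that follows is correct.
auth    required    pam_oath.so usersfile=/etc/users.oath window=2 digits=6
@include common-auth
@include common-account
@include common-session-noninteractive

# --- /etc/users.oath (owner root, mode 0600) ---
# Format: type  user  pin  hex-secret
# HOTP/T30/6 = time-based, 30-second step, 6 digits. "-" = no extra PIN.
# Constructed placeholder secret and hypothetical user; generate a real
# random secret per user and enrol it in the authenticator app.
HOTP/T30/6  alice  -  00112233445566778899aabbccddeeff00112233
```

Keep a root shell open in a second terminal while testing the PAM change, so a typo in the stack cannot lock you out of sudo.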
Still, you should be locking the screen if you leave your device unattended. The only things OTP guards against in a physical access scenario are hardware keyloggers and shoulder-surfing, neither of which were part of this attack.
[1] 😉 Just kidding, mostly.