by zyx321 4195 days ago
This exploit requires the currently logged-in user to be a member of the 'admin' or 'Administrators' group on OS X or Windows respectively. Windows also employs an innovative "defense by frustration" strategy, where the control panel is wildly different in every damn version[1].

Still, you should be locking the screen if you leave your device unattended. The only things OTP guards against in a physical access scenario are hardware keyloggers and shoulder-surfing, neither of which were part of this attack.

[1] 😉 Just kidding, mostly.

1 comment

> The only things OTP guards against in a physical access scenario are hardware keyloggers and shoulder-surfing, neither of which were part of this attack.

Well, yes. But in the case of BSD/Linux, if your user is in the sudo group/file, requiring OTP on privilege escalation would help. Though in many common configurations, when sudo is set to prompt for a password, it'll also cache that for a certain period.

If you could make Windows UAC ask for an OTP (or password) rather than just accept a click on OK, it would also help in this scenario. Note that OTP for every UAC prompt would probably be quite annoying even in Windows 8, but possibly more manageable than typing in a (secure) password.
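As an added example (not from either comment), this is what the reply's suggestion looks like in configuration on a Linux box: sudo's credential cache switched off, and a one-time code demanded on every privilege escalation. The OTP module chosen here is oath-toolkit's pam_oath, which the thread does not name, and the users-file path and window size are assumptions.

```conf
# /etc/sudoers (edit with visudo) -- added example, not part of the thread.
# Weak (sudo's compiled-in default): after one successful password, the
# credential is cached for 15 minutes, so anyone at the unlocked terminal
# can keep escalating without being asked again.
#Defaults timestamp_timeout=15

# Hardened: never cache, so every sudo invocation re-authenticates.
Defaults timestamp_timeout=0
# Keep timestamps per tty (default on modern sudo) rather than per user.
Defaults tty_tickets
# Limit guesses per prompt.
Defaults passwd_tries=3

# /etc/pam.d/sudo -- added example; put the OTP check in front of the
# existing password stack. pam_oath is oath-toolkit's module; the path to
# the per-user secrets file and the accepted window are assumptions.
auth    required    pam_oath.so usersfile=/etc/users.oath window=10 digits=6
@include common-auth
```

With timestamp_timeout=0 every sudo call needs a fresh code, which is the annoyance the reply anticipates; a short non-zero timeout trades some of that protection back for convenience.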