German university issues 38k passwords by hand after malware infection (zdnet.com)
137 points by kkm on Dec 18, 2019 | hide | past | favorite | 76 comments



Honestly, I think this is pretty smart.

If someone has compromised your electronic systems, they can probably solve whatever electronic recovery means you've implemented, and they can probably do so on a large scale, re-compromising all the new accounts.

Adding an in-person step makes things harder for the attackers in two ways:

1: It relies on existing ID cards, which presumably the attackers can't telekinetically change while they sit in people's pockets or something.

2: It's hard to attack at scale. Conceivably someone could make a fake ID and pose as a staff member or something, but the same person wouldn't get away with that more than a few times before someone in the office noticed that they looked familiar. And it's slow -- humans work at a finite speed, so brute-forcing 38,000 visits to an office isn't as practical as spawning a bunch of threads to attack login sessions or something.

I think despite the inconvenience, this is a sane way to respond to a compromise, if your users are local and can visit an office to pull it off.

At a major automaker who I won't name, they have an interesting way of handling password resets: They generate a new random password for you, and send half of it by SMS to the mobile phone in your employee record. Then they email the other half to your manager. Managers have instructions that when an employee calls to retrieve this (or if the manager has a moment to call the employee first), they should spend a moment in conversation first, really make sure they recognize the employee's voice and stuff, and if there's any doubt, ask them to meet at the personnel building badging office, where the administrative folk can check IDs and stuff. It works pretty well -- it would be _very_ hard to attack this system, especially at scale.


> It's hard to attack at scale. Conceivably someone could make a fake ID

The "make a fake ID" step by itself is already hard. The identity card is not just a piece of paper. Take a look at https://en.wikipedia.org/wiki/German_identity_card#Security_... to see how many anti-counterfeiting features it has.


Nearly every feature in that list, save for maybe security strands, is commoditized and mass-produced in the USA's fake ID market. It would be kind of silly to exploit here, though.


I guess Germany's liberal drinking laws make for a much smaller fake ID market. You could still pull it off, especially since most people aren't really trained for spotting fake IDs. But a German fake ID is not exactly something you buy for $10 each at the drug dealer on the corner.


Especially considering it has cryptographically secured biometrics (iirc facial features and a subset of fingerprints) that can be accessed with credentials printed on the back. If they were to make use of that, any forgery would be beyond the regular fake ID market.

The German Personalausweis is basically a stateless ID-1 passport.


> The German Personalausweis is basically a stateless ID-1 passport.

And as property it belongs to the state, not the citizen. You are required and expected to have it on you at all times. You are also required to report it missing.

When I moved to the US, I was baffled that IDs are basically just driving licenses and you only have them if you... well have a driving license.

I guess it's about where you draw the line in the end. I understand that many US Americans feel threatened by the federal government as it is perceived autocratic to be forced to carry a government issued identification card at all times.

For me, it just guarantees that it is harder for someone else to walk around and impersonate me with some shitty fake ID.


> And as property it belongs to the state, not the citizen.

That's a myth. It is the property of the citizen.

You may be thinking of the passport, though.

> You are required and expected to have it on you at all times.

Again a myth.

You don't even have to own an ID card (if you have a passport).

In any case there is no law or regulation forcing you to carry it. There is no fine for not carrying it.

It's still a good idea to carry it, because a police stop (which I encountered thrice in my life) is much quicker when you can show your ID card, instead of being taken to the police station for identity verification.

> You are also required to report it missing.

I'm not certain about this point, but I doubt that. Still, it's obviously a good idea, in order to nip identity theft and the hassle that comes with it in the bud.


> You are required and expected to have it on you at all times.

I'd be very surprised about that. That's a law most of formerly communist Europe has cancelled immediately after the revolutions


Prepare to be surprised then, as optional IDs are pretty much only a thing in western countries.

https://en.wikipedia.org/wiki/List_of_national_identity_card...

https://en.wikipedia.org/wiki/National_identity_cards_in_the...


Bad reference. Again Germany: it's colored red, but the table clearly states that you don't need to carry it.

Which is the statement you tried to counter with your link.


Yeah, you need to have it, but you don't need to carry it, nor show it to anyone (including the police - they're supposed to use other methods of identification if you refuse).


You need to have one, not take it with you.


From reading the PDF, bringing your university id with you is sufficient. You do not need an official passport/etc.

A student ID has a lot less security measures; they're basically just RFID cards with your data printed on. Assuming the attacker has access to the computer used for issuing these cards, it would probably be pretty easy to obtain the data necessary to create such a fake ID.


But not 38k times.


If you’re checking 38,000 over the course of a week, how thoroughly are you checking them by 4pm on Friday afternoon?


this is the reason why online/electronic voting is not allowed in several countries


We're rapidly going back to that, even in the US. In my state, I am shown a printed paper copy of my vote through a window, and actually watch it go into the submitted ballots box. I'm sure a digital record is used as well, but it's nice to know that the printed copy is there in case of a close race or dispute.


In Germany, everyone is allowed to watch when votes are counted in their local election office. Is there a similar way to follow the counting in the US?


Here in Washington state you are allowed (in fact encouraged) to visit the counting center during tabulation. This is in addition to designated observers from each party who are allowed to monitor tabulations.

Voters don't even have to leave home to monitor the elections, cameras are connected to the internet to show the counting process to any voter.


Yes, you can observe the counting at your local county office in every state as far as I'm aware. Exact regulations vary by state of course: http://www.ncsl.org/research/elections-and-campaigns/policie...


I can only speak for New York State (which used a paper ballot that is then fed into a scanner by the voter for tabulation), but the paper ballots are generally sampled and checked against the "electronic" votes. They'll manually count enough paper votes until they have a match to the machine counted votes (within some acceptable confidence interval, obviously).


"As an added precaution, the university computing center decided to issue new passwords for all 38,000 JLU email accounts. However, the university was unable to do this online because of a quirk of German law, whereby the German National Research and Education Network (DFN) requires, in this case, JLU students and staff to obtain their new passwords in person from the university's IT staff, using an ID card to prove their identity."


I'm curious to know what law this is and why other organizations in Germany do not have to resort to a similar tactic to reset passwords.


I think this might be a misquote. DFN is a registered association/charity which is providing network services for universities and research facilities (originally German, but spreading across Europe and beyond). They are the ISP of most German universities, and, more relevant to the topic, they operate eduroam, a wifi where any student or staff member can access the internet using their login credentials (username/password login via WPA2 Enterprise). It's really handy because even if you are at another university you can still access the wifi, and any misuse (== people getting sued for torrenting) is easy to track.

As such it stands to reason that they set rules for how credentials used to authenticate to their wifi are handled. And basically always those are the credentials for your university account.

tl;dr: almost certainly not a law, but rules most universities have to abide by if they want to keep their ISP and wifi.


So basically the equivalent of requiring ID for getting a phone SIM, thanks for the clarification.

Did not make much sense otherwise for just email or even for active user accounts (as in unix logins), because if you have tens of thousands of them your security model surely cannot rely on the assumption that none of them are bad actors.

"Just like a phone SIM" is also where it definitely enters the realm of legal requirements. Certainly debatable, but there can't be much precedent and then it's the usual struggle between a perhaps careless group appealing to common sense and a maximum correctness camp that wants to go by the book, in its most pessimistic interpretation. When under a malware attack like that, even the slightest trace of neglect on the technical side can punish you hard. It's no surprise that the required mindset of extreme prudence carries over to the legal side. I still don't believe that the ID check would be the only correct way to handle this (e.g. snail mail still goes a long way in terms of checking legal boxes), but they surely are not in the mood for taking risks right now.


Maybe a contractual provision they're legally bound by but which isn't itself a law?


This seems like a bit of a misconception in the article. The university website [1] states:

> For security reasons and in accordance with the legal requirements of the German National Research and Education Network (DFN), there is no alternative to this procedure.

I'd assume the DFN requires all users to be personally identifiable for liability reasons. Although requiring all users to show up in person is still a bit odd. I just received a letter with a one time password by regular old mail back when I entered university.

[1] https://www.uni-giessen.de - English version of the second article is available by scrolling down a bit.


Possible it has to do with cards that can be used for purchases, though usually schools in America have a photo on file. Something is being miscommunicated probably.


So they're just running some av software from a live system on all systems and call it a day.... Dec 8th has been a while and there's no information around which malware this actually was. If it's really a targeted attack with some previously unknown malware, I wouldn't really feel like that's sufficient.

Most companies have policies that require a full reinstall of infected systems or even just go ahead and replace the physical machine.


Most companies you know... For IT systems it is quite easy if you have the required money. For OT (operational technology), I just got to know they keep infected machines running; they wall those off. Because you cannot just replace a physical machine that is running some complicated chemical process just like that. Some factories also do not have the money to replace some Win XP, or they cannot replace Win XP because all the drivers for specific hardware are not working on new stuff. The lifetime of systems in OT is 20 years, not like IT's 5 years.


I would bet my money on a lack of funding. The IT at other universities in Germany is completely understaffed. They are probably working hard, but it's only a few people?


I'm a student at that university, though I don't have any contacts to the IT department or other sources of inside information.

I went to collect my new password already. The process was pretty smooth with only a little confusion where the queue split up alphabetically (not quite enough room, although it took place in a large gym; I guess they rightly prioritized giving the people behind the desks enough room to work).

It's interesting to see which systems of the university are more or less robust to the network blackout. Email is down, which has the nice side effect that people who would otherwise only communicate in written form now make calls or physical visits (as they cannot look up phone numbers on the web) to each others' offices. The library catalogue is not working, though apparently they successfully switched to a paper-based system for lending books after a few days (haven't tried it yet). The electronic payment system of the canteens appears completely unaffected. (I read on a sign recently that it is considered "obsolete" and subject to renewal – good thing they hadn't done that yet, I guess). The web platform with reading material for seminars is down. In some cases seminar presentations have to be given without slideshow projection because the designated presentation laptop got a red sticker. I don't know how labs with data on the central servers are doing (I'm in the humanities).


I thought that this is always the case. At METU, when you register at the university they give you a password by hand (printed inside a letter). In case your account is compromised they block your account and you have to go to the computer center so that they give you a new password. There is no "I forgot my password" button. It has been like this since at least the early 2000s. Probably since the 1990s.


Somehow with my German bank account I go through the same process. If I happen to fail the online banking password 3 times, I must go in person to the bank to unlock my account.


typically, better security practices tend to lead to more discomfort for users


That's not entirely true. Adding too much discomfort to users reduces security by encouraging people to workaround or otherwise undermine the system. Many of the best security practices ideally make doing the secure thing easy.

When this is not possible you have to try to at least limit the discomfort caused and make it resistant to subversion by even trusted individuals.


Does anyone know whether password+key is a supported WebAuthn use case? I don't mean whether the standard supports it (it does), but whether it's planned. I would love to use my Yubikey + PIN to log in to sites passwordlessly, but it seems that so far the only thing that anyone uses WebAuthn for is as a second factor.


https://www.passwordless.dev/usernameless lets you try this flow out but I'd be surprised to see any significant adoption for the Web generally unless FIDO itself takes off first, because FIDO2 capable devices are more expensive. I can't justify telling people to pay extra when the core feature is not yet widely used.


Thanks, that's very useful! I've been trying for ages to get my Yubikey to ask me for my PIN that I've set on it when authenticating, to no avail. It doesn't seem reasonable to have a site authenticate me with no PIN, since someone could just steal my yubikey and log in as me everywhere. Would anyone happen to know how I can force asking for a PIN?


The flow you're asking for (PIN required to do ordinary FIDO not just for FIDO2 passwordless auth) seems like a weird choice and I doubt it's possible.

This hypothetical person has to get your password from somewhere. The mode most (essentially all non-test sites I've seen) used has FIDO only as second factor, so the bad guy needs your first factor (invariably a password) as well as the stolen Yubikey.

You're asking for a three factor system, with two factors you know, plus a final factor you have. The improvement in threat resistance is small and the added inconvenience is large.


Oh no, sorry. I'm asking for FIDO2 passwordless. Right now I can do that (e.g. at https://www.passwordless.dev/passwordless), but the Yubikey doesn't ask for a PIN, which is insecure, since anyone stealing it can auth as me. I simply want passwordless auth to ask for my PIN.

EDIT: It turns out Chrome does ask for the PIN (Firefox doesn't), but only when registering (not when logging in). This raises the question, why can the browser log me in without a PIN? Then the thief can simply use one of those browsers.


The site you're looking at offers a variety of different WebAuthn flows. I linked the one that behaves how you described, requiring a PIN (and yes it requires the PIN to log in) but now you've found and linked a different flow that doesn't require PINs and sure enough it doesn't require PINs.

I guess you could say the site is badly labelled. The true FIDO2 flow that I linked you to above is labelled usernameless rather than passwordless.

The flow they've called passwordless works with an ordinary FIDO key it doesn't need FIDO2. Because it simply doesn't have a password. Passwordless. Simple.


Trying it on Chrome, it works as you say. On Firefox it just failed to auth, I assumed it was because my Yubikey lacked onboard storage for storing the user details but it looks like it's because of the lack of PIN support. Thanks.


Ultimately, this is up to the website (relying party): It can require or prefer user authentication during enrolment or authentication; if the key supports it, the site can then skip password creation.

There doesn't seem to be anything in the spec preventing an authenticator from always asking for a PIN, but at least for the Yubikey, I'm not aware of a way to achieve that.
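As an added example (not code from the thread or from passwordless.dev), this is what the relying-party decision above looks like in practice: the site sets `userVerification: "required"` in the WebAuthn options, and then checks the UV flag in the returned authenticatorData, since a CTAP2 key under "preferred" is free to skip the PIN. Function names (buildGetOptions, assertionSatisfiesPolicy, sampleAuthData) are this example's own.

```javascript
// Added example: WebAuthn relying party requiring and checking user verification.
// Flag bits of the authenticatorData flags byte (WebAuthn Level 1, section 6.1).
const FLAG_UP = 0x01; // User Present: the key was touched
const FLAG_UV = 0x04; // User Verified: PIN or biometric was checked on the key

// Registration options. residentKey "required" gives a discoverable credential
// (the "usernameless" flow); userVerification "required" tells a CTAP2 key that
// it must collect the PIN during registration.
function buildCreateOptions(challenge, rpId, user) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpId },
      user, // { id: Uint8Array, name, displayName }
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        residentKey: "required",
        userVerification: "required",
      },
      timeout: 60000,
    },
  };
}

// Authentication options. With an empty allowCredentials the key picks the
// discoverable credential itself. The default userVerification on get() is
// "preferred", which lets the key skip the PIN; "required" does not.
function buildGetOptions(challenge, rpId) {
  return {
    publicKey: {
      challenge,
      rpId,
      allowCredentials: [],
      userVerification: "required",
      timeout: 60000,
    },
  };
}

// Browser side (only meaningful in a page served over HTTPS).
async function loginWithKey(challenge, rpId) {
  const cred = await navigator.credentials.get(buildGetOptions(challenge, rpId));
  // cred.response.authenticatorData and .signature are sent to the server
  return cred;
}

// Server side: parse the fixed 37-byte prefix of authenticatorData:
// rpIdHash (32 bytes), flags (1 byte), signature counter (4 bytes, big-endian).
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33),
  };
}

// Policy check the server must do in addition to verifying the signature:
// if it asked for "required", an assertion without the UV bit is rejected;
// otherwise a stolen key could log in without the PIN.
function assertionSatisfiesPolicy(authData, uvRequired) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false;
  if (uvRequired && !parsed.userVerified) return false;
  return true;
}

// Constructed sample authenticatorData (all-zero rpIdHash) for offline checks.
function sampleAuthData(flags, counter) {
  const out = new Uint8Array(37);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, counter);
  return out;
}
```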


This is true, but I'm asking for the opposite: the flag that asks the key to always enable auth. Would you happen to know it? I haven't been able to find it in the demos I tried.


The Yubikey with a fingerprint scanner might be a potential solution to your problem.


In theory, my 5C should be good enough, I just need it to ask for the PIN when authenticating passwordlessly (it doesn't right now).


Microsoft has been making some progress on this front, allowing the use of only a security key to log in. https://www.yubico.com/solutions/passwordless/


Very interesting, they do use WebAuthn passwordlessly. I'll see if I can try it out, thanks!

Here's the whitepaper, if anyone is interested (the download form was broken):

https://www.yubico.com/wp-content/uploads/2018/11/going-pass...


Been in a similar password reset situation at a university and it’s pain!

I hope they implement 2FA (two-factor authentication), since that will stop between 70-99% of password attacks.


If the malware managed to compromise the authentication server, including the shared secret (ex: Google Authenticator) tied to each account that will not help much.


That's why you should use a HSM for that.


Thing is as far as I can Google they have not identified how the network got compromised in the first place?

So they are issuing bootable USB sticks for scanning computers and manually providing new email (I guess University account) passwords, but how would that prevent the same thing happening again in the same unpatched way next week?


Is there any more detail on what this "quirk of German law" really is?


I think it is just policy of the German Research Network (DFN) for accounts. These accounts are valid Europe-wide for WLAN access in educational institutions for example.


That's kinda how it reads.

I didn't think of that as "law" and that is what sort of piqued my interest, that there would be a law about this specifically.


They also work in some airports, as I've been happy to discover.

(Mainly Scandinavia, though it appears to be at other locations as well.)


You can't hack pen and paper :) - I don't hate it.


Why not simply reset the passwords and enforce 2FA?


It's in the article.


It would violate a (stupid) law.


No, it has nothing to do with a "stupid" law; it seems to me the article is misleading. It has to do with being a trusted source of identity information and fscking up very thoroughly:

The University of Giessen is providing its members identity services for the DFN network (German Research Network) with a high degree of reliance called _advanced_.

This degree requires that „for identification, users must present themselves in person with an official ID. The enrolment and recruitment procedures established by the universities are considered as equivalent.“ ( see https://doku.tid.dfn.de/en:degrees_of_reliance )

It seems to me that this university’s services are a very interesting target.


Given the inevitable slow and steady loss of such credentials to adversaries, it seems like they need more than a single factor. Like, a backup password (on paper) that can be used to reset the account password, or similarly a TOTP seed (2D barcode). Otherwise rolling passwords becomes incredibly expensive.

I'm almost surprised they haven't gone the same route as Estonia, but there are lots of federated systems so it might just be inertia.


I love what Estonia is doing, but we need to keep in mind that

(a) Estonia is a very young country, so they could start from scratch

(b) Estonia has very few citizens. At a guided tour in Tallinn the guide said that many of us came from cities more populous than their country. :-)

(c) Estonia is more... adventurous in some regards. They have a National DNA Database, for example. Try selling that in the country of the Gestapo and the Stasi.

(d) But first and foremost, it is great that there is a smallish country experimenting with all kinds of new stuff. The rest of Europe will benefit a lot, just by watching them and picking some of the things they already implemented and tested.


I ought to have googled! Of course they have an electronic ID card project, they have just been testing it from 2006-2010 and slowly issuing it since 2010 with 'turn on' in 2017 with a goal of 2020.

The Gemalto overview is fantastic: https://www.gemalto.com/govt/inspired/eid-in-germany

https://www.bsi.bund.de/EN/Topics/ElectrIDDocuments/German-e...

Edit: trying to submit the Gemalto Dec 2019 update as a new story but I seem to be banned from submitting stories. Merry xmas HN.


What you write is true, but generally the support and use of electronic identification in Germany is very poor, partially a result of complex and (at times) overly restrictive legislation. Especially compared to the Nordic countries where people use some sort of eID for practically everything.

I have no stats on hand for this, but my work is in developing integrations towards major eID providers in Europe.


I've had an Estonian e-Residency card. I had to pick it up at an Estonian police station and show my official government ID.

I don't see why a German university demanding the same for a comparable cryptographic certificate is bad.


It's not a "a comparable cryptographic certificate"

It's just a plaintext password


The student id card has a comparable certificate on it, as far as I understand it.


The university website mentions student ID cards with chip. Is that not sufficient to provide strong authentication towards a self-service portal for password reset?


We have no real information on the systems targeted or the vector(s), so it’s possible that JLU is currently carefully running a black start scenario. It is possible that even if the ID cards or something else could be used as a factor, what we don’t know, systems or certificates vouching for the student ID cards are now considered not trusted. This now seems like a painful but responsible way to hand out new credentials.

While a lot more information would be interesting, I gather the sysadmins involved have to prioritize as they are right now. I hope that there will be an interesting post mortem, though.


> The university website mentions student ID cards with chip. Is that not sufficient to provide strong authentication towards a self-service portal for password reset?

In theory it should be sufficient. In practice there is very little awareness of the capabilities of these smartcards and that they could, in theory, be used as a 2FA token. These cards are mostly used for physical access control, library pass and cafeteria payment.

There's a lot left to be desired in most (German) university networks. Yes, there is usually some sort of RADIUS and 802.1X infrastructure in place, but it's only used for WiFi login and eduroam, not for machines plugged into wall sockets. Yes, there usually is some sort of Active Directory and/or Kerberos infrastructure in place (yes, I am aware that AD is essentially LDAP + Kerberos), but it's often used only for the student computer pools, not for office workstations.

There seems to be zero awareness that if you have AD and/or Kerberos authentication working in place (one can only dream of it being coupled to the student / staff smartcards), you can use GSSAPI for web single sign-on, which would instantly neuter any attempts of phishing.

Also you will still often find the preconception of there being such a thing as a "secure network" and an "insecure, hostile" internet. The notion of lateral movement and treating every network segment as insecure, no matter where or how it's managed in your org, is more or less nonexistent.


> There's a lot left to be desired in most (German) university networks. Yes, there is usually some sort of RADIUS and 802.1X infrastructure in place, but it's only used for WiFi login and eduroam, not for machines plugged into wall sockets.

When I was a student and later staff member at the Technical University of Kaiserslautern, the eduroam authentication infrastructure (802.1X) was also used to authenticate at ethernet ports in the walls of public rooms.


Does this let you neuter phishing? I'm not certain of all the moving parts but it's not obvious to me that it defeats proxy attacks of a sort now available out of the box to bad guys and effective against things like TOTP.


It's a university email, not Pentagon backend accounts.

It is a stupid law because they're being way too thorough and abrasive when they shouldn't.

How much do you wanna bet the German parliament is not protected in the same way... actually don't answer that... here's an article published today about a stupid vulnerability in the Bundestag's internal chat app: https://zero.bs/osintrecon-vs-pentestschwachstellenscan.html


Depending on the permissions on the accounts they can be pretty powerful. Not just access to eduroam (which all of them have and which is extremely convenient) and full course records including results (also from teacher side!) but also access to many resources such as supercomputer clusters, scientific literature behind paywalls, software licenses (also for expensive things) and many more.

Note that institutions such as ESA, CERN or the local space agencies are also involved in the network. There absolutely are very interesting targets, even if you are a state actor.

