aws-vault
november 2017 by jm
'A vault for securely storing and accessing AWS credentials in development environments'.
Scott Piper says: 'You should not use the AWS CLI with MFA without aws-vault, and probably should not use the CLI at all without aws-vault, because of its benefit of storing your keys outside of ~/.aws/credentials (since every once in a while a developer will decide to upload all their dot-files in their home directory to github so they can use the same .vimrc and .bashrc aliases everywhere, and will end up uploading their AWS creds).'
aws
vault
security
cli
development
coding
dotfiles
credentials
mfa
AWSume
april 2016 by jm
'AWS Assume Made Awesome' -- 'Here at Trek10, we work with many clients, and thus work with multiple AWS accounts on a regular (daily) basis. We needed a way to make managing all our different accounts easier. We create a standard Trek10 administrator role in our clients' accounts that we can assume. For security we require that the role assumer have multifactor authentication enabled.'
mfa
aws
awsume
credentials
accounts
ops
London Calling: Two-Factor Authentication Phishing From Iran
august 2015 by jm
some rather rudimentary anti-2FA attempts, presumably from Iranian security services
authentication
phishing
security
iran
activism
2fa
mfa
Anatomy of a Hack
march 2015 by jm
Authy doesn't come off well here:
'Authy should have been harder to break. It's an app, like Authenticator, and it never left Davis' phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve's control.'
authy
security
hacking
mfa
authentication
google
apps
exploits
Nik Cubrilovic - Notes on the Celebrity Data Theft
september 2014 by jm
tl;dr: a lot of people are spending a lot of time stealing nudie pics from celebrities. See also http://www.zdziarski.com/blog/?p=3783 for more details on the probable approaches used. Grim.
apple
privacy
security
celebrities
pics
hacking
iphone
ipad
ios
exploits
brute-force
passwords
2fa
mfa
find-my-iphone
icloud
backups
Two Factor Auth List
2fa
mfa
authentication
security
web-services
web
september 2014 by jm
List of websites and whether or not they support 2FA.
Also see the list of 2FA providers and the platforms they support.
Code Spaces data and backups deleted by hackers
june 2014 by jm
Rather scary story of an extortionist wiping out a company's AWS-based infrastructure. Turns out S3 supports MFA Delete as a feature, though (requiring an MFA code before objects or versions can be deleted), which would help against that.
ops
security
extortion
aws
ec2
s3
code-spaces
delete
mfa
two-factor-authentication
authentication
infrastructure
When two-factor authentication is not enough
april 2014 by jm
Fastmail.FM nearly had their domain stolen through an attack exploiting a gap in Gandi's 2FA coverage.
gandi
2fa
fastmail
authentication
security
mfa
two-factor-authentication
mail
An important lesson learned is that just because a provider has a checkbox labelled “2 factor authentication” in their feature list, the two factors may not be protecting everything – and they may not even realise that fact themselves. Security risks always come on the unexpected paths – the “off label” uses that you didn’t think about, and the subtle interaction of multiple features which are useful and correct in isolation.