Ondrej Holzman ʻOiai ʻo nā hiʻohiʻona hou i hoʻokomo ʻia ma OS X Yosemite a me iOS 8 e lawe mai i nā hiʻohiʻona he nui i nā mea hoʻohana e maʻalahi i ka hoʻohana ʻana i nā polokalamu he nui, hiki iā lākou ke hoʻoweliweli i ka palekana. No ka laʻana, ʻo ka hoʻouna ʻana i nā memo kikokikona mai kahi iPhone i kahi Mac maʻalahi loa e kāpae i ka hōʻoia ʻelua ʻanuʻu ke kau inoa i nā lawelawe like ʻole.
ʻO ka hoʻonohonoho o nā hana hoʻomau, kahi e hoʻopili ai ʻo Apple i nā kamepiula me nā polokalamu kelepona i nā ʻōnaehana hana hou loa, ʻoi aku ka maikaʻi o nā ʻoihana a me nā ʻenehana a lākou e hoʻohana ai e hoʻopili i nā iPhones a me nā iPads i nā Mac. Loaʻa ka hoʻomau i ka hiki ke kelepona mai Mac, hoʻouna i nā faila ma o AirDrop a i ʻole hana wikiwiki i kahi piko, akā i kēia manawa e kālele mākou i ka hoʻouna ʻana i nā SMS maʻamau i nā kamepiula.
Hiki i kēia hana ʻike ʻole, akā maikaʻi loa, i ka hihia ʻino loa, e lilo i lua palekana e hiki ai i ka mea hoʻouka ke kiʻi i ka ʻikepili no ka pae hōʻoia ʻelua i ka wā e komo ai i nā lawelawe i koho ʻia. Ke kamaʻilio nei mākou ma ʻaneʻi e pili ana i ka mea i kapa ʻia ʻelua-phase login, ʻo ia hoʻi i nā panakō, ke hoʻolauna ʻia nei e nā lawelawe pūnaewele he nui a ʻoi aku ka palekana ma mua o ka loaʻa ʻana o kāu moʻokāki i pale ʻia e kahi ʻōlelo huna a hoʻokahi.
Hiki ke hana ʻia ka hōʻoia ʻelua ma nā ʻano like ʻole, akā ke kamaʻilio mākou e pili ana i ka panakō pūnaewele a me nā lawelawe pūnaewele ʻē aʻe, ʻike pinepine mākou i ka hoʻouna ʻana i kahi code hōʻoia i kāu helu kelepona, a laila pono ʻoe e komo ma hope o ke komo ʻana i kāu ʻōlelo huna. No laila, inā loaʻa i kekahi i kāu ʻōlelo huna (a i ʻole kamepiula me ka ʻōlelo huna a i ʻole ka palapala hōʻoia), pono lākou i kāu kelepona paʻalima, no ka laʻana, e komo i ka waihona waihona pūnaewele, kahi e hiki mai ai kahi SMS me ka ʻōlelo huna no ka lua o ka hōʻoia. .
Akā ʻo ka manawa i hoʻouna ʻia kāu mau leka uila mai kāu iPhone i kāu Mac a lawe ka mea hoʻouka i kāu Mac, ʻaʻole pono lākou i kāu iPhone. No ka hoʻouna ʻana i nā memo SMS maʻamau, ʻaʻohe pilina pololei ma waena o iPhone a me Mac - ʻaʻole pono lākou ma ka pūnaewele Wi-Fi hoʻokahi, ʻaʻole pono e hoʻāla ʻia ʻo Wi-Fi, e like me Bluetooth, a ʻo ka mea e pono ai ʻo ka hoʻopili ʻana i nā mea ʻelua i ka pūnaewele. ʻO ka lawelawe SMS Relay, ʻoiai ua kapa inoa ʻia ka hoʻouna ʻana i nā leka, e kamaʻilio ma o ka protocol iMessage.
I ka hoʻomaʻamaʻa, ʻo ke ʻano o ka hana ʻana ʻoiai ʻoiai hiki mai ka leka iā ʻoe ma ke ʻano he SMS maʻamau, ua hana ʻo Apple iā ia ma ke ʻano he iMessage a hoʻoili iā ia ma luna o ka Pūnaewele i ka Mac (ʻo ia ke ʻano o ka hana ʻana me iMessage ma mua o ka hiki ʻana mai o SMS Relay) , kahi e hōʻike ai iā ia ma ke ʻano he SMS, i hōʻike ʻia e kahi ʻōmaʻomaʻo ʻōmaʻomaʻo. Hiki i iPhone a me Mac ke noho ma kekahi kūlanakauhale ʻē aʻe, pono nā mea ʻelua i kahi pilina pūnaewele.
Hiki iā ʻoe ke loaʻa i ka hōʻoia ʻaʻole hana ʻo SMS Relay ma luna o Wi-Fi a i ʻole Bluetooth ma ke ʻano penei: hoʻāla i ke ʻano mokulele ma kāu iPhone a kākau a hoʻouna i kahi SMS ma kahi Mac pili i ka Pūnaewele. A laila e hoʻokaʻawale i ka Mac mai ka Pūnaewele a, ʻokoʻa, hoʻopili i ka iPhone iā ia (ua lawa ka pūnaewele kelepona). Hoʻouna ʻia ka SMS ʻoiai ʻaʻole i kamaʻilio pololei nā mea ʻelua me kekahi - ua hōʻoia ʻia nā mea āpau e ka protocol iMessage.
No laila, i ka wā e hoʻohana ai i ka hoʻouna ʻana i ka memo, pono e hoʻomanaʻo i ka palekana o ka hōʻoia ʻelua kumu. Inā ʻaihue kāu kamepiula, ʻo ka hoʻopau koke ʻana i ka leka uila ke ala wikiwiki a maʻalahi hoʻi e pale aku ai i ka hacking o kāu mau moʻokāki.
ʻOi aku ka maʻalahi o ke komo ʻana i ka panakō pūnaewele inā ʻaʻole pono ʻoe e kākau hou i ke code hōʻoia mai ka hōʻike kelepona, akā kope wale iā ia mai Messages ma ka Mac, akā ʻoi aku ka nui o ka palekana i kēia hihia, ʻaʻole i nele ma muli o SMS Relay . ʻO kahi hoʻonā i kēia pilikia, no ka laʻana, hiki ke kāpae i nā helu kikoʻī mai ka hoʻouna ʻana ma Mac, no ka mea, hele mai nā code SMS mai nā helu like.
E like me ka mea i ʻōlelo ʻia ma ka paukū hope - ʻoi aku ka maʻalahi o ka hiki ke kope i ke code.
Eia kekahi - inā ʻaihue kekahi i kaʻu MacBook, ʻo ka mea mua aʻu e hana ai, ʻo ia ke kāohi a hoʻopau i nā "forward" a me ka hoʻomau ʻana ma ka iPhone - ʻo ia ke kumu i loaʻa ai kēia koho i nā Settings / Messages. :)
A inā hoʻopaʻa kekahi iā ʻoe, e hoʻōki anei ʻoe?
A no ke aha e loaʻa ai ka ʻae ʻelua ʻanuʻu inā hiki iā ʻoe ke pale koke i ka mea ʻaihue, ʻeā?
ʻO ka hōʻoia ʻelua ʻanuʻu kahi lawelawe ʻaoʻao ʻekolu, no laila ʻaʻole hiki iaʻu ke hoʻohana a nānā ʻole paha iā ia, ma ka liʻiliʻi loa i ka hihia o nā panakō. A pāpā a holoi paha au i kaʻu Mac ma o Find my Mac. ʻOi aku ka maikaʻi o ka hoʻouna ʻana i ka SMS inā ʻaʻole wau e ʻike i ka diabolo ma hope o nā mea āpau.
ʻAʻohe manaʻo e pili ana i ka ʻaihue, hoʻopau ka hoʻopiʻi disk piha i kēlā. Akā he aha kāu e hana ai me kahi kamepiula hacked? ʻAʻole paha, ʻaʻole ʻoe e ʻike no ia mea.
ʻAe, ʻoiaʻiʻo, lanakila nā pōmaikaʻi, ʻaʻohe mea e ʻike i ka diabolo a kūʻai mau ka mea hoʻohana i ka palekana no ka puaʻa hula.
Ma ke ala, loaʻa iā ʻoe ka manaʻo e koi ana nā panakō iā ʻoe e hoʻouna i ka SMS no ka leʻaleʻa?
inā hopohopo kekahi, mai hoʻohana. Ua hauʻoli loa au iā ia
A ʻo ka poʻe ʻaʻole hopohopo e hui pū me 2FA ʻaʻole lākou e hoʻohana, no ka mea ʻaʻole maopopo lākou i kā lākou hana.
A pehea wau e wehe ai i kahi helu kikoʻī ma ka Macbook a waiho iā ia ma ka iPhone? Mahalo no ka pane
ʻO AFAIK ka koho maikaʻi loa "e hoʻopau i ka hoʻouna ʻana i nā memo kikokikona ma lalo o nā memo ma nā ʻōkuhi (mai kāu iPhone)."
Inā ʻaʻole au i kuhihewa, ʻaʻole hiki ke hoʻopaʻa inoa i ka mea e hoʻouna ʻia, ʻaʻole hiki ke papa inoa i ka mea ʻaʻole.
ʻAe, ʻaʻole maʻalahi ka ʻaihue kelepona ma mua o ka Mac? ʻAe, hiki iā ʻoe ke loaʻa kahi ʻōlelo huna no ka mobile, akā no MAC pū kekahi. ʻAʻole wau he loea, akā ʻaʻole hiki ke maʻalahi ke kiʻi i ka Mac inā ʻaʻole wau i ʻike i ka ʻōlelo huna (ʻaʻole wau i manaʻo e heluhelu i ka ʻikepili, akā e komo i ka hoʻomaka ʻana o ka relay SMS).
Eia kekahi, mai poina e kamaʻilio mākou e pili ana i ka palekana pālua, kahi o ka pae mua ka mea nui - ke komo ʻana i ka ʻōlelo huna e hoʻohanohano a inā ʻaʻole ʻoe i kākau ʻia ma ka MAC a i ʻole kekahi palapala kikokikona i loko, a laila aia. ʻaʻole komo i ka panakō (a ʻaʻole ʻoe e hoʻohana i ka 1111 ma ke ʻano he ʻōlelo huna :-))
No laila, ʻo ka ʻaihue ʻana i kahi mac e hoʻopōʻino nui ʻia ʻoe ma muli o ke kumukūʻai maoli o ka mac.
ʻAʻole hoʻoponopono ʻo 2FA i ka ʻaihue Mac a i ʻole IP. ʻO ka hopena, ʻo ka mea hoʻouka e loaʻa i ka mana o ka Mac a me kekahi mea ʻē aʻe. Ua lawa ka Mac iā ia i kēia manawa. Hoʻopau ʻo Coz i nā pono āpau o 2FA.
(ʻO ka ʻōlelo aʻo e pale aku i ka ʻano ʻano "attacker on Mac only controls the browser", ʻaʻole paha ia he kūlana hoʻomalu piha ʻia.)
ʻO ia wale nō inā e noʻonoʻo ʻoe he palekana loa ʻo Mac (haha), a laila ʻaʻole pono ʻoe e hana me 2FA. A inā ʻaʻole, a laila ua hoʻōki ʻo 2FA i ka lawe ʻana iā ʻoe i ka palekana hoʻonui, e like me drivev.
A i hoʻokahi manawa hou, me ka maopopo loa - hele ʻoe i ka pūnaewele "nicnebezpecneho.cz", he mea pōʻino ma muli o kahi pōʻino o nā kūlana. Hiki ke maʻalahi kēia iā ʻoe - ʻaʻole pono ʻoe e hele koke i nā pūnaewele porn, lawa ia no ka mea ʻaʻole e hoʻopaʻa i ka blog āu e kipa nei a e hoʻokomo ʻia ka javascript unsanitized i loko o nā manaʻo. Aia kahi hoʻohana mamao no kāu polokalamu kele pūnaewele ma kēlā ʻaoʻao (hiki ke loaʻa iā ʻoe, ʻaʻohe mea maʻamau). A i ʻole e hoʻopaʻa ʻia i ka ʻenekinia kaiaulu...
...ma hope o kekahi mau hola, hele ʻoe e hoʻouna kālā mai ka panakō (e komo ʻoe i gmail, github...). I ka hana ʻana pēlā, hoʻokomo ʻoe i ka ʻikepili komo i loko o ka kamepiula i hoʻopaʻa ʻia (a ʻaʻole pono ʻoe e hana pēlā inā mālama ʻoe i kēia mau ʻōlelo huna) a kope a paʻi i ke code mai ka SMS i hoʻokahi manawa.
..a i ka pō, hoʻopaʻa ʻia kāu kamepiula i loko o ka panakō (gmail...) ma o ia iho, ua mālama ʻia ka ʻōlelo huna e kekahi mea me ka malware. ʻAʻole ʻoe e loaʻa i kahi SMS hōʻoia ma kāu kelepona paʻalima, akā... i loko o kēlā kamepiula i hoʻopili ʻia.
Ua hoʻoholo pololei ʻo 2FA i kēia mau hiʻohiʻona. A hiki i ka wā i haki ai ʻo Apple.
Ua manaʻo wau ʻo 2FA ke ʻano he pono iaʻu e hōʻoia iaʻu iho ma 2 mau mea, no ka laʻana:
- hua huna
- me ke kelepona e ʻae i ka SMS
ʻAe, ʻo ka hoʻouna ʻana i ka SMS iā Mac i kēlā kelepona e hoʻohui pū i ka Mac (a i ʻole Mac a me iPad aʻu i hoʻohui ai) ma ke ʻano he ʻokoʻa, akā ʻo 2FA nō naʻe. ʻAʻole paha?
Hoʻokahi hou - ma nā kūlana maʻamau, hoʻoponopono ʻo 2FA i nā kūlana e like me "ua hack koʻu Mac a ʻaʻole wau ʻike e pili ana iā ia". No ka mea hiki iā ʻoe ke manaʻo ua ʻike ʻo Mac i kāu ʻōlelo huna no ka lawelawe (ua mālama ʻia a hoʻolohe paha ʻoe iā ia i ka manawa aʻe e komo ai ʻoe i ka lawelawe). A i kēia manawa hiki iā ʻoe ke manaʻo e ʻike pū ʻo ia iā SMS (a i ʻole hiki iā ia ke noi iā ia i kēlā me kēia manawa a loaʻa iā ia).
ʻO ka hapa nui o nā lawelawe e hāʻawi ana i ka hōʻoia ʻelua kumu (Facebook, Dropbox, Google, Microsoft, ...) e ʻae i nā huaʻōlelo hoʻokahi manawa e hana ʻia me ka hoʻohana ʻana i kahi polokalamu (hoʻohana wau iā Google Authenticator). Hoʻopuka mau ka palapala noi i nā code palena manawa no nā lawelawe i hoʻopaʻa ʻia. Hiki ke kope koke ʻia ke code a hoʻohana ʻia e komo. ʻAʻole pono ʻoe e kali no ka hōʻea ʻana mai o ka SMS a, inā e hoʻouna ʻia lākou i ka Mac, e hoʻoponopono i ka pilikia i wehewehe ʻia ma ka ʻatikala.
Loaʻa nā memo SMS i nā mac i hoʻopaʻa ʻia i ke komo ʻana...
E ʻoluʻolu e nīnau i kēlā. Inā ua hoʻohuli wau i ka hōʻoia ʻelua-phase me ka hoʻokumu ʻana i kahi code manawa hoʻokahi me ka hoʻohana ʻana i ka noi, a laila ʻaʻole hoʻouna ka lawelawe i hāʻawi ʻia i kekahi SMS.
Inā ʻaʻole i loli kekahi mea, makemake nā lawelawe he nui i ke kelepona a haʻalele iā SMS i ke koho paʻamau. No laila ua hoʻi kāu kamepiula hacked.
Me ka nui o nā panakō, ʻaʻohe koho, he SMS wale nō a ʻo ia nō.
ʻAʻole maopopo iaʻu kēia. Inā ʻaihue kekahi i kaʻu Mac, hoʻopau wau i ka SMS, holoi mamao aku i ka Mac a hoʻololi i ka ʻōlelo huna ma ka panakō. A i ʻole he aha ka hopu?
E hana anei ʻoe ma mua o ka heluhelu ʻana i kēia ʻatikala?
ʻOkoʻa loa.
Akā ʻo ka hōʻoia ʻelua-phase e pili ana i ka mea e pono ai ka mea hoʻouka i ʻelua mau hōʻoia: PASSWORD AND SMS. ʻO ia hoʻi, inā makaʻu wau e lawe kekahi i kaʻu Mac paʻa, ʻaʻole wau e mālama i ka ʻōlelo huna ma laila, a inā hack kekahi i kaʻu polokalamu kele pūnaewele, ʻaʻole lākou e komo i ka iMessage.
Ma hea ʻoe e loaʻa ai ka ʻoiaʻiʻo ʻaʻole ia e hemo mai kāu polokalamu kele pūnaewele? Wahi a nā hualoaʻa o kēia manawa o Pwn4Fun a me Pwn2Own, ʻike ʻia aia ma kahi o ʻelua mau lā zero no Safari:
"Ma Pwn4Fun, ua hāʻawi ʻo Google i kahi hana kupanaha loa e kūʻē iā Apple Safari i ka hoʻokuʻu ʻana i ka Calculator ma ke kumu ma Mac OS X"
"Na Liang Chen o Keen Team:
E kūʻē iā Apple Safari, he puʻu e kahe ana me kahi pahu pahu pahu, e hopena i ka hoʻokō code."
ʻO nā leka keʻokeʻo lahilahi ma kahi ʻōmaʻomaʻo - ʻaʻole hiki i kahi haumāna o ke kula kūikawā ke ʻōlelo maikaʻi aku ia...
ʻO kekahi o nā ala e hoʻōki ai i kēia, ʻo ia ke hoʻololi i ka hana code ma o ka dongle (e like me kēia: http://www.czc.cz/battlenet-authenticator/110449/produkt?gclid=Cj0KEQiAs6GjBRCy2My09an6uNIBEiQANfY4zKhlCIiwD9za5e_QYUAp_YEpqdA9frjVqnS9i8sgIgsaAh558P8HAQ ) ua palekana a hiki i ka palekana kiʻekiʻe, pono e hana ʻo KB i kekahi mea like - kahi palapala i hoʻouka ʻia i kahi USB disk, me ka ʻole o ke kanaka ʻaʻole hiki ke hoʻopili i ka waihona pūnaewele, a i kekahi manawa hoʻouna ʻia kahi huaʻōlelo hoʻokahi manawa i ke kelepona, etc. ... Nui nā mea e hiki ai, akā aia kēlā me kēia kanaka i kā lākou iho ponoʻī e hoʻoholo ai inā he mea nui ka palekana iā ia (inā he ʻōlelo huna a ʻaʻole paha? etc.)
He mea nui ko Unicredit. ʻO ke kī akamai ʻaʻole ia he SMS maʻamau, akā hoʻopuka wau i ka ʻōlelo huna hoʻokahi manawa i ka polokalamu kelepona.
Makemake au i ka ʻōlelo aʻoaʻo no ke aha hiki ʻole iaʻu ke hoʻouna i kahi wikiō pōkole mm, hiki ke hiki a hiki i kēia manawa? ʻAʻohe koho e hoʻokomo wale i kahi wikiō, ʻaʻole ia e pane, ʻaʻole ia e hoʻokomo i loko o ka memo
Děkuji