Forem: Alex Grinman

Why did we build ApproveAPI?

Alex Grinman — Wed, 06 Mar 2019 15:15:04 +0000

ApproveAPI lets you build real-time approvals and secondary verifications into any application or workflow with one simple API. You can provide a tap-to-approve experience for all your users on any device via email, SMS, and push notifications.

Learn more at approveapi.com.

Why did we build it?

If you've ever used Krypton for auth-ing an SSH session, signing a Git commit, or 2FA via WebAuthn/U2F or even if you've used Duo -- you know how satisfying it is to just hit the 'Approve' button on a prompt and then you're instantly logged in or authorized some action.This is a much sweeter experience than punching in those 6-digit codes which always looks different on every site.

Krypton solves developer sign-in needs.

We wanted to go beyond developers and beyond just logins. With ApproveAPI we bring the same push-to-approve UX to everyone for any type of verification or approval workflow.

Rated E for Everyone

Everyone has a phone but not everyone is willing to download an app. A ubiquitous solution has to work everywhere. One goal of ApproveAPI is to work for everyone out-of-the-box.

ApproveAPI lets you create the same authorization UX for all your users on day one with our customizable approval prompts delivered via Email and SMS.

It's not just email and SMS though. From Krypton, we know how good an app-based experience can be, but why can't every app support this? With ApproveAPI you can add the same approval prompt UX within your own company's apps with our simple Push SDK that integrates with Apple's and Google's push notification services.

Beyond just logins

The tap-to-approve workflow is so useful, why limit it just to two-factor?

One of the goals of ApproveAPI is to make it easy for developers to request real-time user approvals and secondary verifications for any workflow -- from confirming suspected fraudulent transactions, authenticating users with two-factor verification, verifying identity for customer support, to internal compliance use cases with supervisor approvals and audit logging.

Let me know what you think below!

Learn more at https://approveapi.com.

Prevent phishing on the web with crypto

Alex Grinman — Wed, 22 Aug 2018 19:48:53 +0000

Originally published on the krypt.co blog

No I don't mean crypto-currency. What I'm really talking about is Universal 2nd Factor (U2F). U2F is a protocol for doing two-factor authentication that constructively prevents phishing on the web.

How does phishing work?

It's very simple -- an attacker gets you to click on a fake link like http://facebo0k.com or http://dropobox.com, and the page looks exactly like the real thing.

Next, the attacker's site asks for your username + password. And you enter it. Because it looks legitimate and you're just trying to browse the web like you do everyday. You might think you'll never click on a suspicious link, but what if it comes from a trusted source? Like a compromised facebook or email account of one of your friends?

When you click enter, you will send your username + password to your attacker and it's game over!

I already use two-factor -- I'm invincible!

I've talked to a bunch of folks about this, and the gut reaction is often "I use two-factor so I can't be phished!" This is actually very wrong, two-factor is just as easy to phish as a username and password -- especially since people are now even more used to entering 2FA codes all the time.

After asking for your username + password, the attacker will simply show you another dialogue to get your two-factor code. It's true that the attacker has minimal time to use the 2nd factor code as it expires quickly, but this can all be automated.

Even push-to-approve 2FA like Duo or Google Prompt can be phished

An attacker doesn't need you to enter a code to phish you. They just need to convince you to hit approve on a Duo or Google Prompt style push notification, and you will tap approve because you think you are logging into the real site and you've been trained to do this. Once you tap approve, you will sign the attacker in to your account on their session.

U2F Stops Phishing with Crypto

Universal 2nd Factor (U2F) uses public-key cryptography to prevent phishing, automatically. Many sites you use today already support it like: Facebook, Google, Dropbox, Salesforce, Stripe, GitHub, GitLab, and more.

There are many different forms of phishing and some are very hard to prevent. However -- credential phishing is something we absolutely can prevent using cryptography. The trick is that the "credential" becomes cryptographically bound to the website that you're actually on.

There are two steps to U2F:

Registration Generate a new key pair on an authenticator. Register the public key with a website, say facebook.com.
Authentication
- The website's server sends a random challenge token.
- The browser tells the authenticator the domain that the user is viewing
- Using the private key, the authenticator creates a digital signature of both the challenge and, most importantly, the domain of the website that you are actually on -- this comes directly, and securely from the browser itself.

The phishing protection is built in -- the credential that the authenticator spits out is only useful for the owner of the website. A signature for "facebook.com" cannot be used on "google.com". Likewise, a signature for "facebo0k.com" cannot be used on "facebook.com".

Even if the attacker tricked you into producing a signature for their fake website http://facebo0k.com -- this signature would be useless to them! The real facebook.com would never accept a signature that contains an invalid domain.

That's the point of U2F -- it makes the domain you've visited a part of the cryptographic credential you need to login.

How do I get started?

The first step is to get an authenticator. There are several options. We built Krypton to make it easy for anyone to get become un-phishable on the web. Krypton works on the device you already have -- your phone.

Install the Krypton Authenticator

Other options

If you don't want to use your phone, you can buy a standalone USB device. I recommend this wonderful guide for comparing different standalone U2F keys.

Spoof a commit on GitHub. From Anyone.

Alex Grinman — Thu, 02 Aug 2018 17:03:09 +0000

Did you know that anyone can commit as you on GitHub? If you don't believe me, just browse through this repository's forged commits or use our tool to forge a commit for yourself.

Try it for yourself: spoof.krypt.co

How does it work?

Open your ~/.gitconfig

[user]
    name  = Ben Bitdiddle
    email = bbitdiddle@mit.edu

Change name and email to any value you want.

If email matches the email of another GitHub user, that user's picture will show up next to the commit, and
when you click on it will take you to their real GitHub profile.

Next time you see a commit on GitHub from Ben -- don't trust that Ben actually authored it.

How can do prove that my commits are really mine?

Anyone can set the “author” of a Git commit to any value.
To prove that you authored a commit you must attach a digital signature to it.
The only way someone knows it was really your commit is to verify the commit's signature.

GitHub supports verifying & signing Git commits

Check out this signed commit: kryptco/kr@0cca333.

If a commit doesn’t have a green “Verified” badge, then it could have been authored by anyone!

GitHub verifies signed commits, and Krypton makes signing commits easy.
Get your green verified badge, https://krypt.co.

Let's see some well known forgeries...

"I love windows and subversion!" -- @torvalds on #1eb0d8

"You should really use gitlab.com, it's way better." -- @schacon on #730c7e

Anonymously Forged Commits

Browse all of the forged commits from the community here! https://github.com/git-forge/fraudulent/commits/master

Uncover Bad Network Traffic on your Phone

Alex Grinman — Fri, 08 Jun 2018 22:14:34 +0000

agrinman / sift-ios

Uncover network traffic in real-time for every app on your phone

Sift app

Sift shows you what every app on your phone is really doing. Uncover network traffic in real-time for every app on your phone. Create rules to block sites like ads and tracking pages.

Inspect network traffic
Monitor background activity
Block bad sites and tracking pages
iOS Developers: debug networking in your live apps

About

Sift can answer questions like: are apps tracking me even if I disable analytics? are apps malicious? are they connecting to strange urls? are they doing network activity in the background?

Inspect network traffic for any app on your phone. Using push notifications, Sift shows you real-time network requests made by other apps.

Monitor background activity. Sift can even show you what network requests apps are making in the background.

Create rules to block urls like tracking sites, ads, etc. Use Sift to block any site you don't like for every…

View on GitHub

Sift shows you what every app on your phone is really doing. Uncover network traffic in real-time for every app on your phone. Create rules to block sites like ads and tracking pages.

Inspect network traffic
Monitor background activity
Block bad sites and tracking pages
iOS Developers: debug networking in your live apps

About

Sift can answer questions like: are apps tracking me even if I disable analytics? are apps malicious? are they connecting to strange urls? are they doing network activity in the background?

Inspect network traffic for any app on your phone. Using push notifications, Sift shows you real-time network requests made by other apps.

Monitor background activity. Sift can even show you what network requests apps are making in the background.

Create rules to block urls like tracking sites, ads, etc. Use Sift to block any site you don't like for every app on your phone.

Debugging tool for developers Use Sift to debug network traffic for your production app: inspect background activity, see how your app handles connection failures to certain sites, etc.

Sift is completely private Sift never shares or sends your network traffic data anywhere. Data that Sift collects never leaves your phone.

FAQ

Why isn't Sift on the App Store?

It turns it out that network content filters are not permitted for regular app store apps (it only works in supervised device mode). So I decided to release the source code instead -- any donations are greatly appreciated :)

How do I use it/install it?

Make sure you have XCode installed. Clone the code, open the .xcodeproj, plug in your iPhone, and hit run. You might have to authorize XCode to deploy to your phone/ sign into iCloud in XCode.

Is there XCode 10 support?

Yep -- just switch to the xcode-10 branch.