Curtis Brazzell | CISSP
Managing Security Consultant @ GuidePoint Security
(My thoughts do not reflect.. blah blah.. Thanks Brad, for the pizza!!)

About Me
• Local to this community! (Brownsburg, IN)
• Passionate about security since the 90’s
• Former DBA/Sys Admin (4-6 years)
• Security consulting for 12+ years
• SOC/IR Lead
• DFIR Lead (Malware Analysis)
• AppSec/Pentesting/Physical/Wireless/Architecture/Social Engineering
• Currently an MSC for GuidePoint Security on the AppSec (Tactical) Team
• Researcher/Blogger/“Author”
• Presenting at BSides Fort Wayne on New Phishing Techniques!

Agenda
• The Good, the Bad, and the Ugly Side of MFA
• Examples of Poor Implementation (so many examples)
• Nap
• Even More Examples
• Ideal Implementations (and their weaknesses)
• Summary
• Phishing ChatGPT PoC Demo

The “Good” Side of MFA
• Extra layer of protection (something you “have” or “are”)
• Helps supplement password security (weak/reused/breached credentials)
• One of the strongest preventative measures against account takeover

The “Bad” Side of MFA
• Insecure mediums (SMS, still better than none)
• Mobile authentication on mobile platforms (mixing “know” and “have”)
• Lost/stolen hardware and recovery
• User opt-in (“We support it”)

The “Ugly” Side of MFA
• Bad user experience (balancing user convenience with security)
• False sense of security
• Not a silver bullet
• User awareness training (locations/IPs, real-time prompts, alternative methods)
• Twitter charging extra for MFA
• Poor implementations

Examples of Poor Implementation (BMF)
• Implemented, But Not Enforced
  • Sometimes there are friendly reminders
  • Can jump into an account with only a password
  • Supporting and enforcing are not the same
  • Leaves security to the user (opt-in)
  • User preference of convenience over security
  • Don’t leave enrollment a choice for critical apps
  • If you do this, train your users and make MFA simple
  • Importance of protecting users (data exposure, increased attack surface, etc)

Examples of Poor Implementation (cont.)
• Less-Secure Methods Accepted
  • Recovery codes unsecured on filesystems
  • PINs/tokens that users type

Examples of Poor Implementation (cont.)
• More PhishAPI (Real-time Phishing Framework)
  • MFA Requirements
  • Gamified

Examples of Poor Implementation (cont.)
• Less-Secure Methods Accepted
  • Even if SUPPORTED and not the default, it’s still a problem! (path of least resistance)
  • Use hardware tokens or push as the default? Forms can be set to only prompt for tokens!

Examples of Poor Implementation (cont.)
• Less-Secure Methods Accepted
  • SMS Interception (“SMS ain’t no country I ever heard of!”)
  • Seriously though, why’s this a problem?
  • No end-to-end encryption
  • SIM swapping / cloning / SE attacks

Examples of Poor Implementation (cont.)
• Open Enrollment
  • Enforced, but at the user’s leisure or next login
  • Beat user to self-enrollment on attacker-owned device
  • Simply logged in as user and approved as they would
  • Sessions can be too long; MFA won’t apply until the next auth cycle if the user is already logged in when it is enabled
  • Huge security gap (20% of captured creds were not enrolled yet. Customer was blindsided.)

Examples of Poor Implementation (cont.)
• Infinite or Overly Long Enrollment Period
  • Increased risk when combined with Open Enrollment
  • Can’t assume users will log in within a reasonable timeline (PTO, lack of need in roles, VPN, etc)

Examples of Poor Implementation (cont.)
• Infinite Re-Enrollment (Link Doesn’t Expire After First Use)
  • Enroll again as attacker
  • Stale enrollment links in email can be exposed in logs or discovered by attackers
  • Not really an issue with most current MFA solutions

Nap
• Anyone awake?
• Survey room. If no one is awake, grab pizza and quietly slip out. Otherwise, continue.

Examples of Poor Implementation (Use)
• Users Accepting Attacker’s Push Requests
  • Timing is everything! (don’t assume)
  • Always review IP/location information! (not all MFA solutions provide this)
  • Annoyance factor / alert fatigue
  • Confusion (lack of training, IT must need something, background process, location with travel or VPN, etc)
  • Shockingly effective 🙈
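As an added example (not part of the original deck), here is detection logic a SOC could run over push-MFA logs to surface the behaviours this slide describes: a burst of push requests to one user (alert fatigue), an approval that follows denials, and an approval where the login originated in a different country than the approving device. The log lines, field names and thresholds are constructed for illustration and are not taken from any specific MFA product.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample push-MFA events (illustrative only; the field names are not
# from any real product). One JSON object per line, oldest first.
SAMPLE_LOG = """\
{"ts": "2023-05-01T13:00:05Z", "user": "alice", "event": "push_sent", "login_ip": "203.0.113.9", "login_country": "RO"}
{"ts": "2023-05-01T13:00:40Z", "user": "alice", "event": "push_denied", "login_ip": "203.0.113.9", "login_country": "RO"}
{"ts": "2023-05-01T13:01:10Z", "user": "alice", "event": "push_sent", "login_ip": "203.0.113.9", "login_country": "RO"}
{"ts": "2023-05-01T13:01:55Z", "user": "alice", "event": "push_denied", "login_ip": "203.0.113.9", "login_country": "RO"}
{"ts": "2023-05-01T13:02:30Z", "user": "alice", "event": "push_sent", "login_ip": "203.0.113.9", "login_country": "RO"}
{"ts": "2023-05-01T13:02:50Z", "user": "alice", "event": "push_approved", "login_ip": "203.0.113.9", "login_country": "RO", "device_country": "US"}
{"ts": "2023-05-01T13:10:00Z", "user": "bob", "event": "push_sent", "login_ip": "198.51.100.4", "login_country": "US"}
{"ts": "2023-05-01T13:10:12Z", "user": "bob", "event": "push_approved", "login_ip": "198.51.100.4", "login_country": "US", "device_country": "US"}
"""

WINDOW = timedelta(minutes=10)   # look-back for counting pushes/denials per user
BURST_THRESHOLD = 3              # this many push_sent events inside WINDOW = fatigue alert


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events):
    """Return a list of (user, alert_type, detail) tuples in the order they fire."""
    alerts = []
    sent_times = defaultdict(list)    # user -> timestamps of push_sent within WINDOW
    denied_times = defaultdict(list)  # user -> timestamps of push_denied within WINDOW
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # Slide the window: forget anything older than WINDOW relative to this event.
        sent_times[user] = [t for t in sent_times[user] if ts - t <= WINDOW]
        denied_times[user] = [t for t in denied_times[user] if ts - t <= WINDOW]

        if ev["event"] == "push_sent":
            sent_times[user].append(ts)
            if len(sent_times[user]) == BURST_THRESHOLD:  # fire once, as the threshold is crossed
                alerts.append((user, "push_fatigue",
                               f"{BURST_THRESHOLD} pushes within {WINDOW} from {ev['login_ip']}"))
        elif ev["event"] == "push_denied":
            denied_times[user].append(ts)
        elif ev["event"] == "push_approved":
            # An approval that follows denials looks like a user who gave in to repeated prompts.
            if denied_times[user]:
                alerts.append((user, "approved_after_denials",
                               f"approved after {len(denied_times[user])} denial(s) in {WINDOW}"))
            # The login came from a different country than the phone that approved it.
            login_country = ev.get("login_country")
            device_country = ev.get("device_country")
            if login_country and device_country and login_country != device_country:
                alerts.append((user, "geo_mismatch",
                               f"login from {login_country} ({ev['login_ip']}), approved from {device_country}"))
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT {kind:<23} user={user}: {detail}")
```

On the sample, alice trips all three rules and bob (one push, approved from the same country) trips none.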
Examples of Poor Implementation (cont.)
• MFA is Disabled After Email Change or Password Reset
  • If enrollment is optional or not continuously enforced, it can lead to a gap in protection
  • Shouldn’t be performed automatically, but as a centralized admin control (help desk ticket, etc)

Examples of Poor Implementation (cont.)
• Logic Flaws (Homebrew Bad Design)
  • Ignoring or canceling the MFA prompt still creates a session (recent example)
  • “Forgot PIN” functionality resets with just a username and password (recent example)
  • PINs in mobile apps might be bypassed by hiding a view (recent example) – hooking with Objection
  • Biometrics don’t tie to a specific user of the device (recent example)
  • Reset instructions go to email instead of phone number

Examples of Poor Implementation (cont.)
• Insufficient Anti-Automation
  • Low entropy (last 4 SSN, phone, DoB, etc)
  • No rate-limiting server-side
  • No lockout policy
  • Brute forcing until a valid value is determined

Examples of Poor Implementation (cont.)
• Security Questions
  • Security questions by themselves are NOT MFA (just something else you “know”)
  • Should NOT be Boolean values, years, or other short values (I’ve seen DoB & last 4 SSN combos)
  • Should NOT be easily enumerated with wordlists (teacher’s first name, etc)
  • Should NOT be easily researched (OSINT, Google phone # example!)
  • Okay if used as an additional piece of user verification (usual login activity, etc)

Examples of Poor Implementation (cont.)
• Security Questions (Google example)
  • The wrong way (Google) to do it: something you know | A better way of handling it: something you have

Examples of Poor Implementation (cont.)
• MFA Code Reusability
  • Say the code has high entropy and the server is rate-limiting with account lockouts…
  • Is the code invalidated after use?
  • Can I get a token as an attacker and apply it to a victim account?
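As an added example (not from the deck), a server-side one-time-code verifier that closes the gaps listed under both Insufficient Anti-Automation and MFA Code Reusability: codes come from a CSPRNG with a fixed width, are bound to the account they were issued for, expire, are invalidated on first use, and wrong guesses are counted per account with a lockout. The class name, return strings and policy values are made up for the illustration; the clock is injectable so the behaviour can be checked without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy knobs (illustrative values, not from any product).
CODE_DIGITS = 8          # 10^8 possible codes; with 5 guesses per lockout a guess succeeds ~1 in 20 million
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes after issue
MAX_ATTEMPTS = 5         # wrong guesses per account before lockout
LOCKOUT_SECONDS = 900    # how long the account refuses codes after MAX_ATTEMPTS failures


@dataclass
class PendingCode:
    code: str
    issued_at: float
    used: bool = False


@dataclass
class AccountState:
    pending: Optional[PendingCode] = None
    failures: int = 0
    locked_until: float = 0.0


class MfaCodeStore:
    """Issues and verifies single-use codes; every code is keyed to the account it was issued for."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def issue(self, username: str) -> str:
        state = self.accounts.setdefault(username, AccountState())
        # CSPRNG, zero-padded so the code space is the full 10^CODE_DIGITS (no guessable low-entropy fields).
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        state.pending = PendingCode(code=code, issued_at=self.clock())  # replaces any earlier code
        return code

    def verify(self, username: str, submitted: str) -> str:
        """Return "ok", "wrong_code", "no_valid_code" or "locked"."""
        now = self.clock()
        state = self.accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            return "locked"
        pending = state.pending
        # Expired, already-used or never-issued codes are rejected *and* counted as failures,
        # so an account cannot be probed for free.
        if pending is None or pending.used or now - pending.issued_at > CODE_TTL_SECONDS:
            return self._record_failure(state, now, "no_valid_code")
        # Constant-time comparison against the code issued to *this* account only, so a code
        # obtained for one account can never be applied to another.
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            return self._record_failure(state, now, "wrong_code")
        pending.used = True      # single use: a second submission of the same code fails
        state.failures = 0
        return "ok"

    def _record_failure(self, state: AccountState, now: float, reason: str) -> str:
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            state.pending = None  # the current code dies with the lockout; a fresh login must issue a new one
            return "locked"
        return reason


if __name__ == "__main__":
    store = MfaCodeStore()
    code = store.issue("alice")
    print("first use:", store.verify("alice", code))   # ok
    print("replay:   ", store.verify("alice", code))   # no_valid_code
```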
Ideal Implementations
• Still not a silver bullet!
• My recommendation for best hardening practices?
  • Forced enrollment for all (when possible)
  • Short, one-click enrollment period (no first-time login)
  • Use U2F hardware proximity devices only (BLE, USB, NFC, etc - no tokens/PINs or hardware with tokens)
  • If implemented properly, some biometric auth is great!
  • If you can’t use U2F, use mobile push notifications
  • Central administration
  • Trusted SSO/MFA providers (Okta, MS, Duo, OAuth, Auth0, etc)
  • Employee training (prompts, backup methods, etc)
  • Mobile Device Management (for mobile MFA)
  • Alert on and monitor unsuccessful attempts
• Bypass techniques STILL exist:
  • Machine-in-the-Middle (MitM) session hijacking (stealing tokens post-authentication)
  • Transparent/reverse proxies (attacker’s fake login makes requests on behalf of users to facilitate login)
  • Assets not protected by MFA (internal, etc) – Don’t give up on password security!

Ideal Implementations (Bypass Examples)
• Modlishka
  • https://vimeo.com/308709275

Ideal Implementations (Bypass Examples)
• Evilginx
  • https://mrturvey.co.uk/aiovg_videos/how-to-phish-for-passwords-and-bypass-2fa/

Summary
• MFA is a GOOD thing overall (don’t discourage SMS to the point devs or execs only use creds)
• If done properly, it will greatly reduce successful account takeover attacks (SE, credential stuffing, brute forcing, cracking, etc)
• Even if done perfectly, users are still exposed to some risk. Training is essential!
• Phishing (and vishing) attacks are increasingly sophisticated (deepfakes, AI, etc)

Phishing with ChatGPT (Demo)
• Let’s get buzzwordy!

Thank you!
• Questions?

CI-ISSA '23 - Bad Multi-Factor
