Two-Steps to Owning MFA
Sherrie Cowley
• Masters in Information Systems
• Managed Software Engineering,
Support, and Identity and Access
Management
• InfraGard Liaison for FBI Cyber Task
Force
Dennis Taggart
• M.A. in Political Science/International Relations
Working on an M.S. currently
• Enjoy hardware work…
SMD is fun
• Pen testing for last few years
Disclaimer
• This presentation is for educational purposes only.
• We are not endorsing anything and nothing/nobody endorses us.
• Any images/artwork chosen for this presentation are utilized under fair-use and we
make no claim to ownership of any of it. Any logos are trademarks of their owners
and they reserve all rights
• There is no substitute for sound/professional judgement
• The views expressed are not the views of our employers, past or present
• We do not endorse any illegal or unethical activity
MFA Basics
Something You Know | Something You Have | Something You Are
(Diagram: a "Sign in" form with Username and Password fields)
Focusing on “Something You Have”
•SMS
•TOTP
•Push Notification
•FIDO U2F
Reddit and SMS
“…we learned that SMS-based authentication is not
nearly as secure as we would hope, and the main attack
was via SMS intercept. We point this out to encourage
everyone here to move to token-based 2FA.”
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
Not a Reddit roast, but such timing
In 2017, NIST SP 800-63B designated out-of-band authentication over the PSTN (SMS and voice) as RESTRICTED (read "risky"): still permitted, but only after a risk assessment, with the risk explained to users and a non-PSTN alternative offered.
SMS
(Diagram: Login Page [User / Pass] -> Application -> SMS Broker (Twilio, Nexmo, Sinch, etc.) -> Cell Providers/Cell Tower (PSTN) -> Phone. The code "123456" goes out over SMS and is typed back into the application; every hop in between is a place to intercept it.)
Bypassing SMS: Porting the Number
Step 1.
Exploit the target's cell carrier account, or impersonate the user to the carrier, to port, forward or otherwise gain access to their SMS messages
Step 2.
Use account recovery to trigger MFA messages and gain access to additional sensitive information
(Diagram: the attacker takes control of the phone service, so the "123456" SMS arrives at the attacker's handset instead of the victim's)
Bypassing SMS: Phishing
Step 1.
User is presented with a fraudulent login page and logs in
Step 2.
Attacker logs into the real site with the harvested credentials and MFA token
(Diagram: Fake Login Page [User / Pass] in front of the Real Login Page; credentials + MFA token are sent to the attacker, who replays them against the real site)
Bypassing SMS:
Compromise the Device
Bypassing SMS:
Compromise the Other Device…
or the Account…
Preventing SMS Bypass
• Request port-out protection (a port-out PIN or number lock) from the carrier
• Application security (e.g. XSS or a similar bug that exposes sessions lets an attacker skip the SMS step entirely…)
• Train on phishing and protect against malware
• Document a strategy for responding to unsolicited text messages
Handling unsolicited SMS MFA notifications
• Verify the request was not solicited (take a breath)
• Identify whether it is a privileged user (admin, CEO, financial controller, etc.)
• Change the password
• Identify all attacker activity
• Continue to monitor the user's account
TOTP
Time-Based One-Time Password
• Popular applications: Duo, Google Authenticator, Authy, etc.
• Part of the OATH (Initiative for Open Authentication) standards, not OAuth 2.0: HOTP is RFC 4226, TOTP is RFC 6238
• HOTP is counter-based; TOTP is time-based (the counter is derived from the clock)
• Typically a 6-digit code changing every 30 seconds
(Diagram: the MFA page asks "Enter your MFA Code"; the authenticator app on the phone shows 123456 and the user types it in)
How Does TOTP Work?
1. Compute HMAC-SHA-1
Shared Secret Key + Changing Message = HMAC-SHA-1
The deck writes the Unix timestamp as the message; per RFC 6238 the HMAC input is the time-step counter T = floor(timestamp / 30), encoded as an 8-byte big-endian integer, so 1534071600 gives T = 51135720.
(LV3HAKDSNZUESXKMKBLF4M3DEU + 1534071600) = 62aa8b920547807b59689fda99294b58d7bde56f
2. Dynamic Truncation (RFC 4226, section 5.3)
HMAC-SHA-1 = 62 aa 8b 92 05 47 80 7b 59 68 9f da 99 29 4b 58 d7 bd e5 6f
Offset = low nibble of the last byte: 0x6f & 0x0f = 15, counting bytes from 0, which selects 58 d7 bd e5
0x58d7bde5 & 0x7fffffff = 1490533861 (convert hex to decimal)
1490533861 mod 1,000,000 = 533861
TOTP = 533861
(The original slide selected 4b 58 d7 bd, the bytes at offset 15 counting from 1, and arrived at 1264113597 mod 1,000,000 = 113597; RFC 4226 counts from 0.)
How Does TOTP Work?
TOTP stores a shared secret key (Base32). Remember!
TOTP Key: LV3HAKDSNZUESXKMKBLF4M3DEU
(Diagram: the same TOTP shared key sits on both the authenticator app and the server; whoever holds it can compute every future code)
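As an added worked example (not from the deck), here is the computation above in Python, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The deck's digest is reused to show the truncation step; RFC 6238's published test key is used to check the whole pipeline, since the deck's HMAC value cannot be re-derived without knowing exactly what was hashed. The function names and the server-side verify_totp (with a one-step clock-skew window) are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Values from the deck (the digest is taken as given; only the truncation and
# counter arithmetic below are recomputed).
SLIDE_SECRET_B32 = "LV3HAKDSNZUESXKMKBLF4M3DEU"
SLIDE_UNIX_TIME = 1534071600
SLIDE_DIGEST = bytes.fromhex("62aa8b920547807b59689fda99294b58d7bde56f")

# RFC 4226 / RFC 6238 test-vector key: ASCII "12345678901234567890", Base32-encoded.
RFC_TEST_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def truncate_at(digest: bytes, offset: int, digits: int = 6) -> int:
    """Take 4 bytes at `offset` (0-indexed), clear the top bit, reduce mod 10^digits."""
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def dynamic_truncate(digest: bytes, digits: int = 6) -> int:
    """RFC 4226 section 5.3: the offset is the low nibble of the LAST digest byte."""
    return truncate_at(digest, digest[-1] & 0x0F, digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return str(dynamic_truncate(digest, digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps store the key as unpadded Base32; restore padding to decode."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter T = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of clock
    skew, comparing in constant time. A stolen secret passes this exactly like the
    real user does, which is the point of the 'Bypassing TOTP' slide."""
    key = decode_secret(secret_b32)
    t = unix_time // step
    return any(hmac.compare_digest(hotp(key, t + d, len(submitted)), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print("deck digest, RFC offset 15 ->", dynamic_truncate(SLIDE_DIGEST))   # 533861
    print("deck digest, off-by-one 14 ->", truncate_at(SLIDE_DIGEST, 14))   # 113597 (deck)
    print("T for", SLIDE_UNIX_TIME, "=", SLIDE_UNIX_TIME // 30)              # 51135720
    print("code for deck secret at that time:", totp(SLIDE_SECRET_B32, SLIDE_UNIX_TIME))
    print("RFC 6238 vector, t=59:", totp(RFC_TEST_KEY_B32, 59))              # 287082
```

The RFC test vectors (counter 0 gives 755224, counter 1 and t=59 both give 287082) are the quickest way to catch an off-by-one in your own truncation; the deck's digest reproduces both the correct 533861 and the slide's 113597 depending on whether the offset is counted from 0 or 1.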
Demo
Bypassing TOTP
Step 1.
Exploit user, application or device to extract shared key
Step 2.
Calculate TOTP to access target account
Preventing TOTP Bypass
• Do not neglect application security
• Encrypt and protect the TOTP shared key
• Continue to defend against phishing and malware
Push Notifications for MFA
How do push notifications work?
(Diagram: Login Page [User / Pass] -> Application -> Google/Apple push services -> Mobile Phone. The application sends "Device Token + Query" to the push service, which delivers it to the phone registered under that token; the phone returns "Device Token + Response". The device token is stored by, and accessible to, the application.)
Bypassing Push Notification
Step 1.
Change the registered device token to an attacker-controlled value (via SQLi, parameter tampering, or an insecure direct object reference in the "change device" function)
Step 2.
Access the application as the targeted user; the approval push now lands on the attacker's phone
(Diagram: Login Page [User / Pass] -> Application -> push to the Device Token the application has on file, which now belongs to the attacker)
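An added example, not from the deck, of the "change device" weakness above in Python with an in-memory SQLite table: the vulnerable update beside a hardened one. The schema, user names, device tokens and the approve_on_current_device callback (standing in for a step-up prompt on the already-registered phone) are constructed for this example.

```python
import sqlite3
from typing import Callable, Optional, Set, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the deck): two users, each with the
    push-notification device token registered at enrolment."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, device_token TEXT)")
    db.execute("CREATE TABLE audit (user_id INTEGER, old_token TEXT, new_token TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "tok-alice-phone"), (2, "mallory", "tok-mallory-phone")])
    return db


def push_target(db: sqlite3.Connection, username: str) -> Optional[str]:
    """Which device the application asks Google/Apple services to notify for a login."""
    row = db.execute("SELECT device_token FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def update_token_vulnerable(db: sqlite3.Connection, user_id_param: str, new_token: str) -> None:
    """Weak 'change my device' endpoint: the target account comes from a request
    parameter (IDOR) and is concatenated into the statement (SQLi). Any logged-in
    user can point another account's pushes at a phone they control."""
    db.execute(f"UPDATE users SET device_token = '{new_token}' WHERE id = {user_id_param}")


def update_token_hardened(db: sqlite3.Connection, session_user_id: int, new_token: str,
                          approve_on_current_device: Callable[[str], bool]) -> bool:
    """Fixed endpoint: the account is the server-side session's own, the query is
    parameterized, the swap must be approved on the device that is currently
    registered (a fresh push or TOTP step-up), and the change is audited."""
    row = db.execute("SELECT device_token FROM users WHERE id = ?", (session_user_id,)).fetchone()
    if row is None:
        return False
    old_token = row[0]
    if not approve_on_current_device(old_token):
        return False
    db.execute("UPDATE users SET device_token = ? WHERE id = ?", (new_token, session_user_id))
    db.execute("INSERT INTO audit VALUES (?, ?, ?)", (session_user_id, old_token, new_token))
    return True


def demo_idor() -> Optional[str]:
    """Mallory (user 2) submits user_id=1: Alice's login pushes now go to Mallory's phone."""
    db = make_db()
    update_token_vulnerable(db, "1", "tok-mallory-phone")
    return push_target(db, "alice")


def demo_sqli() -> Set[Optional[str]]:
    """Mallory submits user_id='0 OR 1=1': every account is re-pointed in one request."""
    db = make_db()
    update_token_vulnerable(db, "0 OR 1=1", "tok-mallory-phone")
    return {push_target(db, "alice"), push_target(db, "mallory")}


def demo_hardened() -> Tuple[bool, Optional[str], Optional[str]]:
    """Mallory cannot name another user at all, and without approval on her own
    registered phone even her own token stays put."""
    db = make_db()
    ok = update_token_hardened(db, 2, "tok-mallory-burner", lambda old: False)
    return ok, push_target(db, "alice"), push_target(db, "mallory")
```

The hardened version removes the user id from the request entirely rather than validating it; ownership comes from the session, so there is nothing to tamper with. Requiring approval on the old device turns a silent re-point into an unsolicited push that the "strategy for responding" bullet on the next slide can act on.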
Demo
Defending against Push Bypass
• Application security!
• Train against phishing/social engineering and protect against malware
• Create a strategy for responding to unsolicited push notifications
Manipulating End Users
• Phishing
• Session hijacking
• Social engineering
• Hope for an accidental approval
• Hope the user gets sick of the gratuitous requests and simply disables MFA
FIDO U2F Security Keys
Universal Second Factor
1. Enters Password 2. Touches Button
(Diagram: Login Page [User / Pass] with the security key as the second step; Token Binding (Channel ID))
FIDO U2F Security Keys
• Uses a public/private key pair per registration; the private key signs the server's challenge
• Uses origin-bound keys and token binding to protect against phishing, man-in-the-middle attacks, and session hijacking
• Doesn't allow writing to the security key
• Uses a counter to protect against cloning
• Requires human interaction (a touch)
FIDO U2F Security Keys
(Diagram: U2F Device <-> App <-> Identity Provider. The identity provider sends Challenge, Origin and TLS Channel ID to the app, which passes Challenge, Origin and TLS Channel ID to the device; the device's signed response goes back the same way.)
Origin Binding
(Diagram: Phishing. A Fake Login Page in front of the Real Login Page; the signature is bound to the origin the browser saw, so it does not verify at the real site.)
Token Binding (Channel ID)
(Diagram: Session tokens on the Real Login Page are bound to the TLS tunnel, so a Man-in-the-Middle or Session Hijacking attempt on a different TLS channel does not yield a usable session.)
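An added example (not from the deck) showing why the real-time phishing relay that works against SMS and TOTP codes, and the captured-session replay in the Session Hijacking diagram, fail against an origin-bound, counter-checked U2F assertion. It is a simulation in Python on the standard library only: the device's ECDSA P-256 signature is replaced by HMAC-SHA-256 with a device-held secret (a stand-in, so the relying party holds the same secret rather than a public key), while the signed byte layout, the browser-supplied origin in clientData, and the relying party's checks follow U2F. The origins, user name and function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Stand-in for a U2F device. A real key signs with an ECDSA P-256 private key
    that never leaves the hardware; this example substitutes HMAC-SHA-256 with a
    device-held secret so it runs on the standard library alone (assumption).
    The bytes that get signed follow the U2F authentication response:
    SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData)."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)
        self.counter = 0

    def register(self) -> bytes:
        # Real U2F hands the relying party a public key; with the HMAC stand-in
        # the verifier holds the same secret. Only the signed structure is faithful.
        return self._secret

    def sign(self, app_id: str, client_data: bytes, touched: bool = True) -> dict:
        if not touched:
            raise PermissionError("user presence required: nobody touched the key")
        self.counter += 1                      # monotonic, used for clone detection
        msg = sha256(app_id.encode()) + b"\x01" + struct.pack(">I", self.counter) + sha256(client_data)
        return {"counter": self.counter, "client_data": client_data,
                "signature": hmac.new(self._secret, msg, hashlib.sha256).digest()}


def browser_assertion(key: SecurityKey, page_origin: str, app_id: str, challenge: str) -> dict:
    """The browser, not the page, writes 'origin' from the tab that made the call.
    (A real browser would also refuse a foreign page asking for this appId; that
    facet check is skipped here to show that origin binding stops the relay anyway.)"""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return key.sign(app_id, client_data)


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin        # also used as the U2F appId here (assumption)
        self.users = {}             # username -> {"key": bytes, "counter": int}
        self.pending = {}           # username -> outstanding challenge

    def register(self, user: str, key_material: bytes) -> None:
        self.users[user] = {"key": key_material, "counter": 0}

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user: str, resp: dict) -> bool:
        rec = self.users[user]
        cd = json.loads(resp["client_data"])
        if cd.get("origin") != self.origin:                # origin binding
            return False
        if cd.get("challenge") != self.pending.get(user):  # freshness, no replay
            return False
        if resp["counter"] <= rec["counter"]:              # cloned or replayed key
            return False
        msg = (sha256(self.origin.encode()) + b"\x01" + struct.pack(">I", resp["counter"])
               + sha256(resp["client_data"]))
        expected = hmac.new(rec["key"], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["signature"]):
            return False
        rec["counter"] = resp["counter"]
        del self.pending[user]
        return True


def scenario_legitimate() -> bool:
    key, rp = SecurityKey(), RelyingParty("https://example.com")
    rp.register("alice", key.register())
    resp = browser_assertion(key, "https://example.com", rp.origin, rp.challenge("alice"))
    return rp.verify("alice", resp)


def scenario_phishing_relay() -> tuple:
    """Real-time relay as in the SMS phishing slide, now against U2F."""
    key, rp = SecurityKey(), RelyingParty("https://example.com")
    rp.register("alice", key.register())
    c = rp.challenge("alice")                          # attacker fetched the real challenge
    resp = browser_assertion(key, "https://login-example.net", rp.origin, c)  # victim on phishing page
    relayed_ok = rp.verify("alice", resp)              # rejected: origin mismatch
    cd = json.loads(resp["client_data"]); cd["origin"] = rp.origin
    forged = dict(resp, client_data=json.dumps(cd, sort_keys=True).encode())
    return relayed_ok, rp.verify("alice", forged)     # rejected: clientData hash changed


def scenario_replay() -> tuple:
    """A captured assertion (session hijack / MITM) replayed later."""
    key, rp = SecurityKey(), RelyingParty("https://example.com")
    rp.register("alice", key.register())
    resp = browser_assertion(key, rp.origin, rp.origin, rp.challenge("alice"))
    first = rp.verify("alice", resp)
    rp.challenge("alice")
    return first, rp.verify("alice", resp)
```

Compare this with the SMS slide: a six-digit code carries nothing that says where it was typed, so relaying it works; the U2F response carries the origin inside the signed data, so the attacker can relay it (wrong origin) or rewrite it (wrong hash) but not both. Token binding adds the same idea one layer down, tying the session to the TLS channel.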
Bypassing FIDO U2F
• Physical attack
• Try MITM and session hijacking (where token binding is missing)
• Manipulate the application database
  • Replace the entire stored registration message with your own
• Social engineer the support team
• Try a backup MFA option
• Find an open port or another vulnerability
Bypassing FIDO U2F
Step 1.
Get the U2F device, or social engineer a downgrade to a weaker type of MFA
Step 2.
Access the target's account
Reminded us of the classic comic "Security": xkcd.com/538
Defending against FIDO U2F Bypass
• Protect the authentication database
• Train against social engineering
• Patch and monitor known vulnerabilities
• Protect against malware
Is MFA the Silver Bullet?
No!
But it does raise the bar for attacks.
Thank you!!
Questions?
@SherrieCowley
@Dennisdt3
Thanks & References
Family, friends, coworkers, etc. who took time to listen to us and let us be gone as we worked on this
Artists and professionals who shared their skills with the world
Women in Security
https://cryptologicfoundation.org/learn/stimulate/women-in-cryptology.html
Smishing Poster
https://memegenerator.net/instance/82042286/forever-alone-didnt-you-mean-smishing
https://www.usatoday.com/story/tech/columnist/saltzman/2017/07/03/delete-suspicious-text-messages-on-your-smartphone/439647001/
http://fortune.com/2017/07/07/smishing-scam/
https://www.experian.com/blogs/ask-experian/what-is-smishing/
XKCD Comic
https://xkcd.com/538
OpenClipArt
Fingerprint by jhnri4 https://openclipart.org/detail/74581/fingerprint
Cloud by SavanaPrice https://openclipart.org/detail/193455/cloud
Phone by lifeincolour https://openclipart.org/detail/228650/phone
LCD Monitor by molumen https://openclipart.org/detail/6977/lcd-monitor
Cell tower by shared4you https://openclipart.org/detail/179921/radio-tower-wireless
Sim Card by Anonyous https://openclipart.org/detail/13187/sim-card
User (various remixes) by elconomeno@email.com https://openclipart.org/detail/287798/user & https://openclipart.org/detail/288356/spy-behind-computer
Server by sagar_ns https://openclipart.org/detail/5159/server-cabinet-cpu
Users by danilo https://openclipart.org/detail/215499/users
Reddit
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
Images of Google are owned by Google, Inc. Images of iOS are owned by Apple.

More Related Content

What's hot

Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
Two factor authentication
Two factor authenticationTwo factor authentication
Two factor authenticationHai Nguyen
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor AuthenticationFortytwo
 
Security and Penetration Testing Overview
Security and Penetration Testing OverviewSecurity and Penetration Testing Overview
Security and Penetration Testing OverviewQA InfoTech
 
Cyber Security For E-commerce (Infrastructure) development
Cyber Security For E-commerce (Infrastructure) developmentCyber Security For E-commerce (Infrastructure) development
Cyber Security For E-commerce (Infrastructure) developmentMohammad Ashfaqur Rahman
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcitmmubashirkhan
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutionsfrontone
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDETWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDECTM360
 
Adding Two Factor Authentication to your App with Authy
Adding Two Factor Authentication to your App with AuthyAdding Two Factor Authentication to your App with Authy
Adding Two Factor Authentication to your App with AuthyNick Malcolm
 
Two Factor Authentication Made Easy ICWE 2015
Two Factor Authentication Made Easy  ICWE 2015Two Factor Authentication Made Easy  ICWE 2015
Two Factor Authentication Made Easy ICWE 2015Alex Q. Chen
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor AuthenticationRonnie Isherwood
 
network security
network securitynetwork security
network securitynandita0798
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Logincat MFA and SSO
Logincat  MFA and SSOLogincat  MFA and SSO
Logincat MFA and SSORohit Kapoor
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]Hai Nguyen
 

What's hot (20)

Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactions
 
Two factor authentication
Two factor authenticationTwo factor authentication
Two factor authentication
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
 
3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication
 
Security and Penetration Testing Overview
Security and Penetration Testing OverviewSecurity and Penetration Testing Overview
Security and Penetration Testing Overview
 
Cyber Security For E-commerce (Infrastructure) development
Cyber Security For E-commerce (Infrastructure) developmentCyber Security For E-commerce (Infrastructure) development
Cyber Security For E-commerce (Infrastructure) development
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcit
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
 
Online banking trojans
Online banking trojansOnline banking trojans
Online banking trojans
 
What is FIDO
What is FIDOWhat is FIDO
What is FIDO
 
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDETWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
 
Adding Two Factor Authentication to your App with Authy
Adding Two Factor Authentication to your App with AuthyAdding Two Factor Authentication to your App with Authy
Adding Two Factor Authentication to your App with Authy
 
Two Factor Authentication Made Easy ICWE 2015
Two Factor Authentication Made Easy  ICWE 2015Two Factor Authentication Made Easy  ICWE 2015
Two Factor Authentication Made Easy ICWE 2015
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor Authentication
 
network security
network securitynetwork security
network security
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
Logincat MFA and SSO
Logincat  MFA and SSOLogincat  MFA and SSO
Logincat MFA and SSO
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]
 

Similar to Two-Steps to Owning MFA

Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the CloudRichard Diver
 
Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupBrian Pichman
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos De Pedro
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeNet at Work
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxRoshni814224
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks  - Ed Adams, President, Security InnovationWfh security risks  - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Security Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Innovation
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security PracticeBrian Pichman
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
Two factor authentication.pptx
Two factor authentication.pptxTwo factor authentication.pptx
Two factor authentication.pptxArpithaShoby
 

Similar to Two-Steps to Owning MFA (20)

Personal Threat Models
Personal Threat ModelsPersonal Threat Models
Personal Threat Models
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the Cloud
 
Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library Setup
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1
 
OWASP_Training.pptx
OWASP_Training.pptxOWASP_Training.pptx
OWASP_Training.pptx
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity Challenge
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks  - Ed Adams, President, Security InnovationWfh security risks  - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
Security Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Best Practices for Regular Users
Security Best Practices for Regular Users
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular users
 
Computer security
Computer securityComputer security
Computer security
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security Practice
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
 
Two factor authentication.pptx
Two factor authentication.pptxTwo factor authentication.pptx
Two factor authentication.pptx
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Two-Steps to Owning MFA

  • 2. Sherrie Cowley • Masters in Information Systems • Managed Software Engineering, Support, and Identity and Access Management • InfraGard Liaison for FBI Cyber Task Force
  • 3. Dennis Taggart • M.A. in Political Science/International Relations Working on an M.S. currently • Enjoy hardware work… SMD is fun • Pen testing for last few years
  • 4. Disclaimer • This presentation is for educational purposes only. • We are not endorsing anything and nothing/nobody endorses us. • Any images/artwork chosen for this presentation are utilized under fair-use and we make no claim to ownership of any of it. Any logos are trademarks of their owners and they reserve all rights • There is no substitute for sound/professional judgement • The views expressed are not the views of our employers, past or present • we do not endorse any illegal or unethical activity
• 5. MFA Basics
  Something You Know (the username and password on the sign-in page) / Something You Have / Something You Are
• 6. Focusing on “Something You Have”
  • SMS
  • TOTP
  • Push Notification
  • FIDO U2F
• 7. Reddit and SMS
  “…we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
  https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
  Not a Reddit roast, but such timing: in 2017, NIST SP 800-63B classified out-of-band authentication over the PSTN (SMS and voice) as a RESTRICTED (read “risky”) authenticator type.
• 8. SMS
  Login Page (user, pass) -> Application -> SMS Broker (Twilio, Nexmo, Sinch, etc.) -> Cell Providers/Cell Tower (PSTN) -> Phone
  The code (“123456”) travels as an SMS to the phone and is typed back into the application. Every hop on that path is a place the code can be read by someone other than the user.
• 9. Bypassing SMS: Porting the Number
  Step 1. Exploit the target’s cell carrier account, or impersonate the user to the carrier, to port/forward/otherwise access their SMS messages. The attacker now takes control of service and receives “123456”.
  Step 2. Use account recovery to trigger MFA messages and gain access to additional sensitive information.
• 10. Bypassing SMS: Phishing
  Step 1. The user is presented with a fraudulent login page and logs in. Credentials + the SMS MFA token are sent to the attacker.
  Step 2. The attacker logs into the real site with the harvested credentials and token. The harvested code is only good for its validity window, so this is done in real time.
• 14. Bypassing SMS: Compromise the Other Device… or the Account…
• 15. Preventing SMS Bypass
  • Request “port-out” authorization (a port-out lock/PIN) from the carrier
  • Application security (e.g. an XSS that exposes session tokens lets an attacker skip the SMS step entirely)
  • Train on phishing and protect against malware
  • Document a strategy for responding to unsolicited text messages
• 16. Handling unsolicited SMS MFA notifications
  • Verify the request was not solicited (take a breath)
  • Identify whether it is a privileged user (admin, CEO, financial controller, etc.)
  • Change the password (an unsolicited code means the first factor has already been passed)
  • Identify all attacker activity
  • Continue to monitor the user’s account
• 17. TOTP: Time-Based One-Time Password
  • Popular applications: Duo, Google Authenticator, Authy… etc.
  • Part of the OATH standards (Initiative for Open Authentication, not OAuth2): HOTP is RFC 4226, TOTP is RFC 6238
  • HOTP is counter-based and TOTP is time-based
  • Typically a 6-digit code changing every 30 seconds
  MFA Page: “Enter your MFA Code” 123456, read from some authenticator app showing 123456
• 19. How Does TOTP Work?
  1. Compute HMAC-SHA-1: Shared Secret Key + Changing Message = HMAC-SHA-1
     Key: LV3HAKDSNZUESXKMKBLF4M3DEU (Base32; it is decoded to 16 raw bytes before use, not fed in as text)
     Changing message: the time step counter, not the raw Unix time. For 1534071600 that is floor(1534071600 / 30) = 51135720, encoded as an 8-byte big-endian integer.
     HMAC-SHA-1 = 62aa8b920547807b59689fda99294b58d7bde56f
• 20. How Does TOTP Work?
  2. Dynamic Truncation (RFC 4226, section 5.3)
     HMAC-SHA-1 = 62 aa 8b 92 05 47 80 7b 59 68 9f da 99 29 4b 58 d7 bd e5 6f
     Offset = low nibble of the last byte: 0x6f & 0x0f = 15
     Take the 4 bytes starting at byte 15 (counting from 0): 58 d7 bd e5, and clear the top bit
     Convert hex to decimal: 0x58d7bde5 = 1490533861
     1490533861 mod 1,000,000 = 533861
     TOTP = 533861
• 21. TOTP Stores a Shared Secret Key (Base32)
  Remember! The same TOTP key lives in two places: the application’s database and the user’s authenticator app.
  TOTP Key: LV3HAKDSNZUESXKMKBLF4M3DEU (often displayed grouped for readability: LV3HAKD SNZUESX KMKBLF4 M3DEU)
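The three steps above (Base32 key, HMAC-SHA-1 over the time step, dynamic truncation) worked through in code, as an added example that is not part of the talk. It uses only the Python standard library, reproduces the time step from the slide's Unix time 1534071600, runs dynamic truncation over the HMAC digest printed on slide 20 (taken as given), and checks itself against the RFC 4226/6238 test vectors (secret 12345678901234567890). The verify_totp server-side check, with a drift window and a replay guard, is the editor's addition and not something the slides describe. It is also exactly the computation an attacker performs in step 2 of "Bypassing TOTP" once the shared key has been extracted.

```python
import base64
import hashlib
import hmac
import struct
import time

# Values from the slides: the Base32 shared secret and the Unix time used in the walkthrough.
SLIDE_KEY_B32 = "LV3HAKDSNZUESXKMKBLF4M3DEU"
SLIDE_UNIX_TIME = 1534071600
# HMAC-SHA-1 digest printed on slide 20, used here only to exercise dynamic truncation.
SLIDE_HMAC_HEX = "62aa8b920547807b59689fda99294b58d7bde56f"

TIME_STEP = 30
DIGITS = 6


def decode_base32_key(key_b32: str) -> bytes:
    """Authenticator QR codes/URIs carry the key in Base32, often unpadded and grouped:
    strip spaces, restore '=' padding to a multiple of 8 characters, then decode."""
    key_b32 = key_b32.replace(" ", "").upper()
    key_b32 += "=" * (-len(key_b32) % 8)
    return base64.b32decode(key_b32)


def dynamic_truncation(mac: bytes, digits: int = DIGITS) -> int:
    """RFC 4226 section 5.3: offset = low nibble of the last byte; take 4 bytes from there,
    clear the top bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return str(dynamic_truncation(mac, digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, window=1, last_used_counter=None):
    """Server-side check (editor's addition): accept the current step plus `window` steps
    either side for clock drift, compare in constant time, and refuse any step <= the last
    accepted one so a phished or intercepted code cannot be replayed.
    Returns the accepted time step, or None."""
    current = unix_time // TIME_STEP
    for step in range(current - window, current + window + 1):
        if last_used_counter is not None and step <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


def slide_walkthrough():
    """Recompute the slide's steps: the decoded key length, the time step, the HMAC message
    bytes, the code dynamic truncation yields from the slide's digest, and the code the
    key itself produces for that time."""
    secret = decode_base32_key(SLIDE_KEY_B32)
    step = SLIDE_UNIX_TIME // TIME_STEP
    return {
        "key_bytes": len(secret),
        "time_step": step,
        "hmac_message_hex": struct.pack(">Q", step).hex(),
        "code_from_slide_hmac": dynamic_truncation(bytes.fromhex(SLIDE_HMAC_HEX)),
        "code_from_key": totp(secret, SLIDE_UNIX_TIME),
    }


if __name__ == "__main__":
    print(slide_walkthrough())
    print("current code for the slide key:", totp(decode_base32_key(SLIDE_KEY_B32), int(time.time())))
```

Run it and compare code_from_key with what an authenticator app enrolled with the same Base32 string shows at that time. The replay guard in verify_totp is the piece most TOTP libraries leave to the caller: without remembering the last accepted step, a code captured by the phishing flow on slide 10 stays valid for the whole window.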
  • 22. Demo
• 23. Bypassing TOTP
  Step 1. Exploit the user, the application or the device to extract the shared key
  Step 2. Calculate TOTP codes from the key to access the target account (for as long as the key is not rotated)
• 24. Preventing TOTP Bypass
  • Do not neglect application security
  • Encrypt and protect the TOTP shared key, in the database and in backups (the server needs the raw key to compute the HMAC, so it cannot be hashed like a password)
  • Continue to defend against phishing and malware
• 26. How Do Push Notifications Work?
  Login Page (user, pass) -> Application. The application holds the device token registered for the user (stored/accessible by the app) and sends Device Token + Query to the Google/Apple push services, which deliver the prompt to the mobile phone; the phone answers with Device Token + Response.
• 27. Bypassing Push Notification
  Step 1. Change the registered device token to an attacker-controlled value, e.g. via SQLi, parameter tampering or insecure direct object reference
  Step 2. Access the application as the targeted user: the approval prompt now goes to the attacker’s device, which approves it
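To make the device-token bypass concrete, here is an added example (editor's code, not from the talk) of a minimal login and device-enrollment back end in Python, with the weak and the corrected handling side by side. The users, passwords, push tokens ("apns:…", "fcm:…") and the in-memory push log are all constructed for the demo; a list stands in for the Google/Apple push service. The vulnerable handlers accept the device token from the request (parameter tampering) and let any caller re-point any user's device (insecure direct object reference); the hardened ones read the token only from the authenticated user's server-side record and require an approval on the currently registered device before it can be changed.

```python
import hashlib
import hmac
from typing import Optional


def _pw_hash(password: str) -> str:
    # Demo only: a real deployment uses a slow, salted KDF (bcrypt/scrypt/Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user table: password hash plus the push token the user's phone registered at enrollment.
USERS = {
    "alice": {"pw": _pw_hash("correct horse battery"), "device_token": "apns:alice-iphone-7f3a"},
    "mallory": {"pw": _pw_hash("hunter2"), "device_token": "fcm:mallory-android-91c0"},
}

PUSH_LOG = []  # (device_token, text) pairs handed to the "push service"


def send_push(device_token: str, text: str) -> str:
    """Stand-in for the call to APNs/FCM: records where the prompt went and returns that token."""
    PUSH_LOG.append((device_token, text))
    return device_token


def password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["pw"], _pw_hash(password))


def login_vulnerable(form: dict) -> Optional[str]:
    """Parameter tampering: the device token is read from the request, so whoever holds the
    password (phished, reused, cracked) can route the approval prompt to their own phone."""
    if not password_ok(form.get("username", ""), form.get("password", "")):
        return None
    token = form.get("device_token") or USERS[form["username"]]["device_token"]
    return send_push(token, "Approve sign-in for %s?" % form["username"])


def login_hardened(form: dict) -> Optional[str]:
    """The token comes only from the server-side record bound to the authenticated user;
    nothing in the request can redirect the prompt."""
    if not password_ok(form.get("username", ""), form.get("password", "")):
        return None
    token = USERS[form["username"]]["device_token"]
    return send_push(token, "Approve sign-in for %s?" % form["username"])


def change_device_vulnerable(form: dict) -> bool:
    """Insecure direct object reference: the username in the request selects the record,
    so any caller can re-point any user's push device."""
    user = USERS.get(form.get("username"))
    if user is None:
        return False
    user["device_token"] = form["device_token"]
    return True


def change_device_hardened(session_user: Optional[str], new_token: str,
                           approved_on_current_device: bool) -> bool:
    """Re-registration is a privileged change: it needs an authenticated session for the
    user being changed and an approval delivered to the currently registered device."""
    user = USERS.get(session_user or "")
    if user is None or not approved_on_current_device:
        return False
    user["device_token"] = new_token
    return True


if __name__ == "__main__":
    stolen = {"username": "alice", "password": "correct horse battery",
              "device_token": "fcm:mallory-android-91c0"}
    print("vulnerable login pushed to:", login_vulnerable(stolen))
    print("hardened login pushed to:  ", login_hardened(stolen))
```

The same rule applies to the SQLi path on slide 27: parameterised queries keep the attacker out of the table, but the binding between user and device token still has to be enforced on the server, or a tampered parameter does the job without any injection.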
  • 28. Demo
• 29. Defending against Push Bypass
  • Application security!
  • Train against phishing/social engineering and protect against malware
  • Create a strategy for responding to unsolicited push notifications
• 30. Manipulating End Users
  • Phishing
  • Session hijacking
  • Social engineering
  • Hope for an accidental approval
  • Hope the user gets sick of the gratuitous requests and simply disables MFA
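The last two bullets on slide 30 describe what is now usually called MFA fatigue, and slide 29 asks for a response strategy; that strategy needs a trigger. The detector below is an added example (editor's code, not from the talk) run over a constructed authentication log in key=value form; the log lines, field names, thresholds and window are assumptions chosen for the demo. It fires on a burst of push prompts to one user and on an approval that follows repeated denials, the two signals an analyst would use to start the unsolicited-notification playbook the deck recommends.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not from the talk): one key=value line per IdP/MFA event.
SAMPLE_LOG = """\
2018-08-12T11:00:05Z user=bob event=mfa_push_sent src=198.51.100.7
2018-08-12T11:00:19Z user=bob event=mfa_push_approved src=198.51.100.7
2018-08-12T11:00:20Z user=bob event=login_success src=198.51.100.7
2018-08-12T11:02:01Z user=alice event=mfa_push_sent src=203.0.113.9
2018-08-12T11:02:10Z user=alice event=mfa_push_denied src=203.0.113.9
2018-08-12T11:02:31Z user=alice event=mfa_push_sent src=203.0.113.9
2018-08-12T11:02:40Z user=alice event=mfa_push_denied src=203.0.113.9
2018-08-12T11:03:02Z user=alice event=mfa_push_sent src=203.0.113.9
2018-08-12T11:03:30Z user=alice event=mfa_push_sent src=203.0.113.9
2018-08-12T11:03:55Z user=alice event=mfa_push_approved src=203.0.113.9
2018-08-12T11:03:56Z user=alice event=login_success src=203.0.113.9
"""

WINDOW = timedelta(minutes=5)
PROMPT_THRESHOLD = 3   # pushes to one user within WINDOW before it counts as a flood (assumed)
DENIALS_THRESHOLD = 2  # denials within WINDOW that make a following approval suspicious (assumed)


def parse_line(line):
    """'<ISO-8601 UTC timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_abuse(log_text):
    """Sliding-window detector over the log. Each alert fires once per burst and carries the
    fields the responder needs first (who, when, from where, which rule)."""
    prompts = defaultdict(deque)  # user -> timestamps of pushes inside WINDOW
    denials = defaultdict(deque)  # user -> timestamps of denials inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        for q in (prompts[user], denials[user]):
            while q and ts - q[0] > WINDOW:   # expire events older than the window
                q.popleft()
        if event == "mfa_push_sent":
            prompts[user].append(ts)
            if len(prompts[user]) == PROMPT_THRESHOLD:   # == so a long flood alerts once
                alerts.append({"ts": ts, "user": user, "src": rec["src"], "rule": "push_flood",
                               "detail": "%d pushes within %s" % (PROMPT_THRESHOLD, WINDOW)})
        elif event == "mfa_push_denied":
            denials[user].append(ts)
        elif event == "mfa_push_approved" and len(denials[user]) >= DENIALS_THRESHOLD:
            alerts.append({"ts": ts, "user": user, "src": rec["src"], "rule": "approve_after_denials",
                           "detail": "approved after %d denials within %s" % (len(denials[user]), WINDOW)})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_abuse(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["src"], alert["rule"], alert["detail"])
```

The approve_after_denials rule is the one to route straight to the slide 16 procedure: an approval after several denials is either a tired user or an attacker who finally got lucky, and in both cases the password is already in someone else's hands.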
• 31. FIDO U2F Security Keys (Universal Second Factor)
  1. User enters the password on the login page
  2. User touches the button on the key
• 33. FIDO U2F Security Keys
  • Uses public/private key pairs: a fresh key pair per registration, and the registration response is signed (attested) by the device
  • Uses origin-bound keys and Token Binding (TLS Channel ID) to protect against phishing, man-in-the-middle attacks and session hijacking
  • Doesn’t allow writing to the security key; private keys never leave it
  • Uses a counter to detect cloning
  • Requires human interaction (touch)
• 34. FIDO U2F Security Keys
  Identity Provider -> App (browser): Challenge, Origin, TLS Channel ID
  App (browser) -> U2F Device: Challenge, Origin (as the app ID), TLS Channel ID
  The device signs over all three, so the identity provider can check that the assertion was made for its own origin and over the connection it is actually on.
• 35. Origin Binding
  Phishing: the fake login page has a different origin from the real login page, so the browser will not let it ask the key for the real site’s app ID, and anything the key signs for the fake origin is rejected by the real site.
• 36. Token Binding (Channel ID)
  Man-in-the-middle / session hijacking: the session tokens are bound to the TLS tunnel between the browser and the real login page, so a token lifted out of that tunnel does not work over another connection.
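Slides 33 to 36 describe what the security key signs and what the identity provider checks. The added example below (editor's code, not from the talk and not from any FIDO library) walks one relying party through four assertions: a genuine sign-in, a phished one, a phished one whose clientData has been rewritten to claim the real origin, and a replay of the genuine assertion. ECDSA over P-256 is implemented in plain Python so the block runs without third-party packages (it is not constant-time and is for illustration only); the relying-party origin, app ID, challenge and device key are constructed values, and the nonce derivation in device_sign is a demo stand-in for the random nonce a real key uses. Token Binding/Channel ID is not modelled.

```python
import hashlib
import json
import struct

# NIST P-256 domain parameters; U2F signs with ECDSA over this curve and SHA-256.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
RP_ORIGIN = "https://login.example.com"  # constructed relying party; also used as the U2F appId


def _inv(x, m):
    return pow(x % m, m - 2, m)  # modular inverse, m prime


def _add(p1, p2):
    """Affine point addition/doubling on y^2 = x^3 - 3x + b; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * _inv(2 * y1, P) % P  # tangent slope, a = -3
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign(priv, digest, k):
    z = int.from_bytes(digest, "big")
    r = _mul(k, G)[0] % N
    return r, _inv(k, N) * (z + r * priv) % N


def ecdsa_verify(pub, digest, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(digest, "big"), _inv(s, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def u2f_digest(app_id, user_presence, counter, client_data):
    """U2F raw authentication message: SHA-256(appParam || userPresence || counter || challengeParam),
    with appParam = SHA-256(appId) and challengeParam = SHA-256(clientData JSON)."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return hashlib.sha256(app_param + bytes([user_presence]) + struct.pack(">I", counter) + challenge_param).digest()


def device_sign(priv, app_id, counter, client_data):
    """Security-key side: it signs for whatever appId the browser passes (the browser only passes
    an appId the calling origin may use), with the user-presence bit set and its current counter."""
    # Demo nonce derived from the counter; a real key uses a fresh random (or RFC 6979) nonce.
    k = int.from_bytes(hashlib.sha256(b"demo-nonce" + struct.pack(">I", counter)).digest(), "big") % N
    return ecdsa_sign(priv, u2f_digest(app_id, 1, counter, client_data), k)


def rp_verify(record, expected_challenge, client_data, user_presence, counter, sig):
    """Relying-party side: origin, challenge, user presence, counter, then the signature.
    Returns a reason string; only "ok" advances the stored counter."""
    cd = json.loads(client_data)
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if not user_presence & 1:
        return "user presence not asserted"
    if counter <= record["counter"]:
        return "counter did not increase"
    if not ecdsa_verify(record["pubkey"], u2f_digest(RP_ORIGIN, user_presence, counter, client_data), *sig):
        return "bad signature"
    record["counter"] = counter
    return "ok"


def demo():
    priv = int.from_bytes(hashlib.sha256(b"demo device key").digest(), "big") % N  # constructed key
    record = {"pubkey": _mul(priv, G), "counter": 0}  # what the RP stored at registration
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real RP issues a fresh one per request

    def client_data(origin):
        return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}).encode()

    results = []
    cd = client_data(RP_ORIGIN)  # 1. genuine sign-in at the real origin
    sig = device_sign(priv, RP_ORIGIN, 7, cd)
    results.append(rp_verify(record, challenge, cd, 1, 7, sig))
    phish = "https://login.example.com.evil.tld"  # 2. phished: the key only signs for the fake origin/appId
    cd_p = client_data(phish)
    sig_p = device_sign(priv, phish, 8, cd_p)
    results.append(rp_verify(record, challenge, cd_p, 1, 8, sig_p))
    results.append(rp_verify(record, challenge, cd, 1, 8, sig_p))  # 3. phisher rewrites clientData to the real origin
    results.append(rp_verify(record, challenge, cd, 1, 7, sig))  # 4. replay of the genuine assertion, or a lagging clone
    return results


if __name__ == "__main__":
    print(demo())
```

Case 3 is the one that shows why origin binding is cryptographic rather than a string comparison: the relay passes the origin check, but the key signed SHA-256 of the phishing app ID, so the signature fails against the real one. Case 4 is the counter check from slide 33 doing its job against both a replayed message and a cloned key that has fallen behind the original.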
• 37. Bypassing FIDO U2F
  • Physical attack (get hold of the key)
  • Try MITM and session hijacking (when token binding is missing)
  • Manipulate the application database: replace the entire stored registration (key handle + public key) with your own
  • Social engineer the support team
  • Try the backup MFA options (the account is only as strong as its weakest enrolled factor)
  • Find an open port or another vulnerability
• 38. Bypassing FIDO U2F
  Step 1. Get the U2F device, or social engineer a downgrade to a weaker type of MFA
  Step 2. Access the target’s account
  Reminded us of the classic xkcd comic “Security”: xkcd.com/538
• 39. Defending against FIDO U2F Bypass
  • Protect the authentication database
  • Train against social engineering
  • Patch and monitor known vulnerabilities
  • Protect against malware
  • 40. Is MFA the Silver Bullet? No! But it does raise the bar for attacks.
• 42. Thanks & References
  Family, friends, coworkers, etc. who took time to listen to us and let us be gone as we worked on this
  Artists and professionals who shared their skills with the world
  Women in Security: https://cryptologicfoundation.org/learn/stimulate/women-in-cryptology.html
  Smishing poster: https://memegenerator.net/instance/82042286/forever-alone-didnt-you-mean-smishing
  https://www.usatoday.com/story/tech/columnist/saltzman/2017/07/03/delete-suspicious-text-messages-on-your-smartphone/439647001/
  http://fortune.com/2017/07/07/smishing-scam/
  https://www.experian.com/blogs/ask-experian/what-is-smishing/
  XKCD comic: https://xkcd.com/538
  OpenClipArt:
    Fingerprint by jhnri4 https://openclipart.org/detail/74581/fingerprint
    Cloud by SavanaPrice https://openclipart.org/detail/193455/cloud
    Phone by lifeincolour https://openclipart.org/detail/228650/phone
    LCD Monitor by molumen https://openclipart.org/detail/6977/lcd-monitor
    Cell tower by shared4you https://openclipart.org/detail/179921/radio-tower-wireless
    Sim Card by Anonyous https://openclipart.org/detail/13187/sim-card
    User (various remixes) by elconomeno@email.com https://openclipart.org/detail/287798/user & https://openclipart.org/detail/288356/spy-behind-computer
    Server by sagar_ns https://openclipart.org/detail/5159/server-cabinet-cpu
    Users by danilo https://openclipart.org/detail/215499/users
  Reddit: https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
  Images of Google are owned by Google, Inc. Images of iOS are owned by Apple.