
Modern Two-Factor Authentication: Defending Against User-Targeted Attacks

Since 2005, attackers have gone after users, not systems, to penetrate organizations of any size or sophistication. Credential theft via automated malware, targeted phishing campaigns, and massive database breaches have rendered nearly all security controls impotent in the face of attackers that masquerade as legitimate users. Two-factor authentication demonstrably stops such account takeover and fraud but has been hampered by the cost, complexity, and technical limitations of traditional solutions. In this session, we examine the evolution of two-factor authentication over its 20-year history, and identify the modern innovations that promise to democratize strong authentication as a security measure of first resort.

Presented at Interop Las Vegas and Interop New York City:
http://www.interop.com/lasvegas/2012/speaker-list/?speaker=dug-song
http://www.interop.com/newyork/2012/speaker-list/?speaker=dug-song

Duo Security

May 08, 2012

Transcript

  1. ABOUT DUO
     - Est. 2009, founders & management from [company logos]
     - Backed by top-tier investors ($7m seed / Series A)
     - Breakthrough DoD-sponsored security research
     - 800+ organizations with users in over 80 countries
  2. ABOUT DUG
     Technology                 Break                              Build
     Firewalls                  "A Stateful Inspection of FW-1"    OpenBSD PF
     Network authentication     krb4 dictionary attack (JtR)       krb5 / RPCSEC_GSS
     IDS/IPS                    fragroute                          Anzen / NFR (Check Point)
     Secure network protocols   dsniff                             OpenSSH
     Network availability       DDoS                               Arbor Networks
  3. MISSION
     - To solve the biggest problems in security today: Account Takeover and Online Fraud
     - By making security easy and scalable, eliminating the cost and complexity of traditional point solutions
     - Democratize two-factor authentication
     - For enterprise, provider, consumer web
     - Leverage and secure mobile devices for account access
  4. AGENDA
     - A (Brief) History of Internet Security
     - Modern user-targeted attacks
     - Overview of two-factor authentication
     - Evolution of two-factor authentication
     - Summary
  5. 2000–2005: OPEN FOR BUSINESS^W ATTACK
     - Phishing
     - Sniffing
     - Password guessing, cracking
     - Malware
     - Web app attacks (XSS, XSRF, SQLI)
  7. 2005–2012: MOBILE, VIRTUAL, INFECTED
     - Phishing
     - Sniffing
     - Password guessing, cracking
     - Malware
     - Web app attacks (XSS, XSRF, SQLI)
     - Botnets, RATs
     - APTs
  8. MODERN USER-TARGETED ATTACKS
     [Chart, "Zeus beats Anti-Virus": anti-virus state on infected PCs - No Antivirus 31%, Out of Date 14%, Up to Date 55% (Source: Trusteer, 2009)]
     [Chart, malware by type: Trojan 66%, Adware 18%, Virus 7%, Spyware 6%, Worm 3%, Other (Source: Panda Labs, 2010)]
     Users are Backdoors:
     - Hackers entice users to click on contaminated websites or trick users to open e-mail attachments
     - Users open the file, installing the malware
     - The malware sends back stored logins and data typed into web pages
     - The malware checks in periodically for updates, providing a gateway to the internal network
     Reference: PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion, Jon Oberheide, M. Bailey, & F. Jahanian
  9. MARKET FAIL (timeline, 2005–2011)
     - April 2005: HIPAA Security Rule deadline
     - 2005: Banking trojans
     - June 2005 / Dec 2006: FFIEC multifactor requirement
     - December 2005: RSA buys Cyota: $145M
     - February 2006: ISS OEMs Arbor
     - April 2006: RSA buys Passmark: $44M
     - June 2006: EMC buys RSA: $2.1B
     - July 2006: Entrust buys Business Signatures: $50M
     - October 2006: IBM buys ISS: $1.2B
     - July 2007: Google buys Postini: $625M
     - July 2007: Oracle buys Bharosa: $48M
     - January 2008: FTC Red Flags Rule (deadline extended 7 times, now Jan 2011)
     - October 2008: SYMC buys MessageLabs: $695M
     - July 2009: Thoma Bravo buys Entrust
     - July 2009: McAfee buys MX Logic: $140M
     - August 2009: ABA: Commercial Banking Under Attack, "Only use dedicated PC for online banking"
     - October 2009: Barracuda buys Purewire
     - October 2009: HIPAA HITECH Act
     - November 2009: FBI Alert: Rampant ACH Fraud, "malware and work-at-home scams"
     - December 2009: Cisco buys ScanSafe: $183M
     - January 2010: Heartland settles w/ Visa: $60M
     - January 2010: Chinese "Aurora" attacks
     - January 2010: HITECH: CT Attorney General vs. Health Net
     - February 2010: CVS HIPAA Fine: $2.25M
     - May 2010: SYMC buys VRSN auth: $1.2B
     [Chart residue: Delaware, FinCEN SARs]
  10. BREACHED/INFECTED IN THE LAST YEAR
      [Logos by sector: Gov & Defense, Media, Cyber, Supply Chain, Tech, Enterprise] + countless others...
  11. THE PROBLEM WITH PASSWORDS
      - Stolen - sniffed, phished
      - Shared - between users, sites
      - Guessed - weak / default
      - Cracked - John the Ripper
      - Forgotten - account recovery
  12. STRONG AUTHENTICATION = TWO-FACTOR
      KNOW            HAVE            ARE            DO
      Passwords       Token           Face           Behavior
      ID Questions    (Smart) Card    Iris           Location
      Secret Images   Phone           Hand/Finger    Reputation
  13. WHAT YOU KNOW + WHAT YOU HATE
      - Two factors: cost & complexity
      - Driven by regulatory requirements
  14. TREND: AUTHENTICATION AS A SERVICE
      [Diagram: Your User + Your System + Our Service]
      - Easy to Deploy – no hardware or software
      - Easy to Scale – on-demand infrastructure
      - Easy to Secure – wholly independent
  15. PROBLEM: 2FA INTEGRATION
      - Interfaces optimized for machines, not humans
      - Difficult/sub-standard: GSSAPI, PAM
      - Outdated/limited: RADIUS (UDP?!), TACACS+, SASL, SAML (web only, federation only)
      - More wonky web protocols: OpenID, BrowserID
      - Missing/wrong: 2FA for mobile devices; login reduced to a bearer token, vs. transaction authz
  16. TREND: OPEN SOURCE, APIS, STANDARDS
      - OATH HOTP, TOTP standards
      - Google Authenticator
      - MailChimp’s AlterEgo service
      - Yubico’s APIs and OSS
      - Duo Security’s Web APIs and OSS
      - NIST 800-63 LOAs, NSTIC, etc.
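Worked example, added here and not part of the deck: the OATH HOTP (RFC 4226) and TOTP (RFC 6238) algorithms the slide lists, written against Python's standard library only, plus a server-side verifier with a clock-drift window and replay refusal. The `TotpVerifier` class, its `window` parameter and the timestamps in the demo are this example's own choices; the secret `12345678901234567890` and the codes printed in the demo are the RFCs' published test vectors.

```python
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation': the low nibble of the last MAC byte selects a
    4-byte window, its top bit is masked off, and the result is reduced
    mod 10^digits (left-padded with zeros)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(T / step), T0 = 0.
    Google Authenticator's defaults are SHA-1, 6 digits, 30 s."""
    return hotp(key, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check (this example's own design). Accepts codes from
    +/- `window` time steps to tolerate drift, but never accepts a counter
    at or below the last one already used, so a code that was phished and
    replayed inside its 30 s of validity is refused."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo: str = "sha1"):
        self.key, self.step, self.digits = key, step, digits
        self.window, self.algo = window, algo
        self.last_counter = -1          # highest counter accepted so far

    def verify(self, code: str, now: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            c = base + delta
            if c <= self.last_counter:  # one-time means one-time
                continue
            expected = hotp(self.key, c, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / 6238 test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at T=59, 8 digits:", totp(secret, 59, digits=8))
    v = TotpVerifier(secret)
    now = int(time.time())
    code = totp(secret, now)
    print("first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

The verifier's "last counter" rule is what turns a phished TOTP into a one-shot credential, but it cannot stop an attacker who relays an unused code to the real site in real time; that is the MITM row the deck later marks ✘ for OTP tokens.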
  17. TREND: FLEXIBLE CHOICES (BYOD)
      [2x2 matrix: smart vs. dumb device, online vs. offline]
      - Smart, online:  DUO PUSH (2010s, patent-pending)
      - Smart, offline: SOFT TOKENS (90s)
      - Dumb, online:   CALLBACK / SMS (2000s)
      - Dumb, offline:  HARDWARE TOKENS (80s)
  19. EASY DOES IT
      - Duo Push: One tap to login!
      - Defeats MITM, MITB attacks
      - Offline? Use One-Time Passcodes
      - Supports all mobile platforms
  27. TWO-FACTOR GONE MAINSTREAM
      - Hacked, then got serious
      - Blizzard
      - Paypal
      - Facebook
      - Google
      - Amazon
      - LastPass
      - Dropbox
      - ArenaNet
  28. TREND: SELF-SERVICE ENROLLMENT
      - Most users are trustworthy
      - Distribute responsibility to users
      - Self-authorize transactions over trusted path
      - Granular authorization
      - Trust-On-First-Use self-enrollment, e.g. SSH hostkeys
      - Exposure window mitigated by feedback
      - Natural transition from 1-factor login
  29. REAL-WORLD TWO-FACTOR FAILURES
      - EMI vs. Comerica
        - RSA MITM - two factors, one channel
        - “Failure to implement monitoring”
      - CloudFlare breach
        - Gmail recovery PIN sent to redirected AT&T voicemail
      - EMC/RSA breach
        - Cobbler’s son...
  30. AN AUTHENTICATION THREAT MODEL
      [Diagram label: Remote User]
      Attacker span of control   Attacker degree of control   Attacker technique
      App/Server access          Passive/Offline              Guess/reset
      Auth DB access             Passive/Offline              Crack/SQLI
      Network                    Passive/Offline              Sniff
      Conversation               Passive/Offline              Phish/Forge
      Conversation               Active/Online                MITM
      Endpoint                   Active/Online                Trojan/Keylog
      Endpoint                   Real-Time                    Sidejack/MITB
      Transaction                Persistent                   Modify
      Multiple Devices           Coordinated                  MITMobile
  31. PASSWORDS / KNOWLEDGE-BASED AUTH
      - Knowledge-based authentication
      - Challenges
        - Weak
        - Forgeable (hence weak recovery modes)
        - Easily shared
      - Failure modes
        - Guessable / dictionary attack
        - Credential recovery / reset
        - Sniffed / stolen / relayed
  32. PASSWORDS / KNOWLEDGE-BASED AUTH (threat model; ✔ = factor holds against the technique, ✘ = technique defeats it)
      Span of control      Degree of control   Technique        Passwords
      App/Server access    Passive/Offline     Guess/reset      ✘
      Auth DB access       Passive/Offline     Crack/SQLI       ✘
      Network              Passive/Offline     Sniff            ✘
      Conversation         Passive/Offline     Phish/Forge      ✘
      Conversation         Active/Online       MITM             ✘
      Endpoint             Active/Online       Trojan/Keylog    ✘
      Endpoint             Real-Time           Sidejack/MITB    ✘
      Transaction          Persistent          Modify           ✘
      Multiple Devices     Coordinated         MITMobile        ✘
  33. WEAK BIOMETRICS
      - Convenient: Face, Finger
      - Challenges
        - Enrollment & Privacy
        - Accuracy
      - Failure modes
        - Forgery & Replay
        - “Gummy fingers”
        - “Your Face Is Not Your PW”
        - Untrustworthy
  34. WEAK BIOMETRICS (threat model)
      Span of control      Degree of control   Technique        Weak Biometric
      App/Server access    Passive/Offline     Guess/reset      ✔
      Auth DB access       Passive/Offline     Crack/SQLI       ✔
      Network              Passive/Offline     Sniff            ✔
      Conversation         Passive/Offline     Phish/Forge      ✘
      Conversation         Active/Online       MITM             ✘
      Endpoint             Active/Online       Trojan/Keylog    ✘
      Endpoint             Real-Time           Sidejack/MITB    ✘
      Transaction          Persistent          Modify           ✘
      Multiple Devices     Coordinated         MITMobile        ✘
  35. OTP TOKEN / CARD
      - Challenges
        - Easily lost
        - Multiple device burden
        - Poor usability
      - Failure modes
        - MITM relay
        - Clonable: RSA breach, Cain & Abel
        - Forgeable (SecurID KDF)?
        - Dictionary attack: OPIE, S/Key
  36. OTP TOKEN / CARD (threat model)
      Span of control      Degree of control   Technique        OTP Token/Card
      App/Server access    Passive/Offline     Guess/reset      ✔
      Auth DB access       Passive/Offline     Crack/SQLI       ✔
      Network              Passive/Offline     Sniff            ✔
      Conversation         Passive/Offline     Phish/Forge      ✔
      Conversation         Active/Online       MITM             ✘
      Endpoint             Active/Online       Trojan/Keylog    ✘
      Endpoint             Real-Time           Sidejack/MITB    ✘
      Transaction          Persistent          Modify           ✘
      Multiple Devices     Coordinated         MITMobile        ✘
  37. CERT / SMARTCARD / STRONG BIOMETRIC
      - Challenges
        - Enrollment/Provisioning
        - Deployment
        - Credential management & Revocation
      - Failures
        - CA compromise (ComodoHacker, 2011)
        - Supply chain breach (EMV readers, 2008)
        - Malware (Sykipot DoD CAC trojan, 2012)
        - Bodily harm! (Big Lebowski, 1998)
  38. CERT / SMARTCARD / STRONG BIOMETRIC (threat model)
      Span of control      Degree of control   Technique        Cert/SCard/Bio
      App/Server access    Passive/Offline     Guess/reset      ✔
      Auth DB access       Passive/Offline     Crack/SQLI       ✔
      Network              Passive/Offline     Sniff            ✔
      Conversation         Passive/Offline     Phish/Forge      ✔
      Conversation         Active/Online       MITM             ✔
      Endpoint             Active/Online       Trojan/Keylog    ✘
      Endpoint             Real-Time           Sidejack/MITB    ✘
      Transaction          Persistent          Modify           ✘
      Multiple Devices     Coordinated         MITMobile        ✘
  39. PHONE CALL / SMS OTP
      - e.g. Modem callback in the 80’s
      - Challenges
        - Online requirement
        - Used for other purposes
        - Platform security
      - Failure modes
        - No cell service, no login
        - Social engineering
        - Smartphone malware
  40. PHONE CALL / SMS OTP (threat model)
      Span of control      Degree of control   Technique        Phone/SMS
      App/Server access    Passive/Offline     Guess/reset      ✔
      Auth DB access       Passive/Offline     Crack/SQLI       ✔
      Network              Passive/Offline     Sniff            ✔
      Conversation         Passive/Offline     Phish/Forge      ✔
      Conversation         Active/Online       MITM             ✔
      Endpoint             Active/Online       Trojan/Keylog    ✔
      Endpoint             Real-Time           Sidejack/MITB    ✘
      Transaction          Persistent          Modify           ✘
      Multiple Devices     Coordinated         MITMobile        ✘
  41. ANOMALY DETECTION
      - Challenges
        - Training
        - Deployment
        - Probabilistic accuracy
      - Failure modes
        - False training leads to false negatives
        - Baseline attacks as normal
        - False positives: Bayesian base rate fallacy
        - False negatives: Authentication fail
  42. ANOMALY DETECTION (threat model)
      Span of control      Degree of control   Technique        Behavior
      App/Server access    Passive/Offline     Guess/reset      ✔
      Auth DB access       Passive/Offline     Crack/SQLI       ✔
      Network              Passive/Offline     Sniff            ✔
      Conversation         Passive/Offline     Phish/Forge      ✔
      Conversation         Active/Online       MITM             ✔
      Endpoint             Active/Online       Trojan/Keylog    ✔
      Endpoint             Real-Time           Sidejack/MITB    ✔
      Transaction          Persistent          Modify           ✘
      Multiple Devices     Coordinated         MITMobile        ✘
  43. TRANSACTION VERIFICATION
      - “Sign what you see” – Gartner
      - User-verified behavioral policy
      - Challenges
        - Online requirement
        - Platform security
      - Failure modes
        - Mobile malware
        - Coercion - but potential for duress signalling
  44. TRANSACTION VERIFICATION (threat model)
      Span of control      Degree of control   Technique        Duo Push
      App/Server access    Passive/Offline     Guess/reset      ✔
      Auth DB access       Passive/Offline     Crack/SQLI       ✔
      Network              Passive/Offline     Sniff            ✔
      Conversation         Passive/Offline     Phish/Forge      ✔
      Conversation         Active/Online       MITM             ✔
      Endpoint             Active/Online       Trojan/Keylog    ✔
      Endpoint             Real-Time           Sidejack/MITB    ✔
      Transaction          Persistent          Modify           ✔
      Multiple Devices     Coordinated         MITMobile        ✘
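Added example, not Duo's code or a description of its protocol: a toy model of why the OTP relay attack on the OTP token slides (35–36) succeeds and why a "sign what you see" approval (slides 43–44) does not relay. The `Server`, `Phone` and scenario functions, the HMAC-SHA256 approval format, the device-key enrollment and the transaction records are all this example's own constructions; the point it demonstrates is the binding of the user's approval to one challenge nonce and to the exact transaction the trusted device displayed.

```python
import hashlib
import hmac
import json
import secrets


def canonical(txn: dict) -> bytes:
    """Deterministic encoding so phone and server MAC identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def approval_mac(key: bytes, nonce: str, txn: dict) -> str:
    # The approval covers the nonce (one challenge) and the transaction
    # (what was displayed), so it can be moved to neither another
    # challenge nor another transaction.  Hypothetical wire format.
    return hmac.new(key, nonce.encode() + b"|" + canonical(txn),
                    hashlib.sha256).hexdigest()


class Server:
    """Relying party (hypothetical). Device keys are enrolled out of band;
    each pending challenge is bound to exactly one transaction and nonce."""

    def __init__(self):
        self.device_keys = {}   # user -> device secret
        self.otp_codes = {}     # user -> currently valid OTP (legacy path)
        self.pending = {}       # nonce -> (user, txn)

    # Legacy path: the OTP is a bearer token. It proves the user held the
    # token, but says nothing about which transaction the user meant.
    def otp_transaction(self, user: str, txn: dict, code: str) -> bool:
        valid = self.otp_codes.pop(user, None)
        return valid is not None and hmac.compare_digest(valid, code)

    # Transaction-verification path.
    def start(self, user: str, txn: dict):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, txn)
        return nonce, txn                      # pushed to the user's phone

    def finish(self, nonce: str, approval) -> bool:
        if approval is None or nonce not in self.pending:
            return False
        user, txn = self.pending.pop(nonce)    # single use: no replay
        expected = approval_mac(self.device_keys[user], nonce, txn)
        return hmac.compare_digest(expected, approval)


class Phone:
    """User's enrolled device. `intent` stands in for the human reading
    the screen: approve only if what is shown is what they meant to do."""

    def __init__(self, key: bytes, intent: dict):
        self.key, self.intent = key, intent

    def on_push(self, nonce: str, shown: dict):
        if shown != self.intent:
            return None                        # user taps Deny
        return approval_mac(self.key, nonce, shown)


# Constructed sample transactions.
INTENDED = {"from": "alice", "to": "landlord", "amount": 100}
ATTACKER = {"from": "alice", "to": "mule-7", "amount": 9000}


def _enrolled():
    key = secrets.token_bytes(32)
    srv = Server()
    srv.device_keys["alice"] = key
    return srv, Phone(key, INTENDED)


def scenario_otp_relay() -> bool:
    """Phishing page collects alice's OTP for INTENDED and submits it
    with ATTACKER's transaction. Two factors, one channel: accepted."""
    srv = Server()
    srv.otp_codes["alice"] = "493821"          # what her token shows now
    captured = "493821"                        # typed into the phishing page
    return srv.otp_transaction("alice", ATTACKER, captured)


def scenario_push_mitm() -> bool:
    """Same relay against transaction verification: the server pushes the
    transaction it was actually asked for, so alice sees 'mule-7'."""
    srv, phone = _enrolled()
    nonce, shown = srv.start("alice", ATTACKER)
    return srv.finish(nonce, phone.on_push(nonce, shown))


def scenario_push_legit() -> bool:
    srv, phone = _enrolled()
    nonce, shown = srv.start("alice", INTENDED)
    return srv.finish(nonce, phone.on_push(nonce, shown))


def scenario_push_forged() -> bool:
    """Attacker without the device key fabricates an approval."""
    srv, _ = _enrolled()
    nonce, _ = srv.start("alice", ATTACKER)
    return srv.finish(nonce, approval_mac(secrets.token_bytes(32), nonce, ATTACKER))


def scenario_push_replay() -> bool:
    """Attacker records a genuine approval and re-submits it against a
    fresh challenge for the identical transaction."""
    srv, phone = _enrolled()
    nonce, shown = srv.start("alice", INTENDED)
    approval = phone.on_push(nonce, shown)
    srv.finish(nonce, approval)                # genuine use succeeds
    nonce2, _ = srv.start("alice", INTENDED)
    return srv.finish(nonce2, approval)        # bound to the old nonce
```

The last table row stays ✘ in this model too: if the phone itself is compromised, `Phone.on_push` is the attacker's code and will approve whatever is pushed, which is why the deck moves on to hardened authenticators and mobile security in depth.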
  45. HARDENED AUTHENTICATOR
      - “Trusted Path” (DoD Orange Book)
      - AuthN → AuthZ
      - IBM Zurich ZTIC
      - Bloomberg B-Unit
      - Chip & PIN
      - Duo Push
  46. MOBILE SECURITY IN DEPTH » xray.io
      - Anti-virus/malware
      - Vulnerability assessment
      - Hardware-assisted security
      - Device compliance & policy
      - Risk-parameterized login
  47. SUMMARY
      - User-targeted, automated malware renders nearly all other security controls impotent
      - Authentication factors can be mapped to risk
      - Users can be empowered against endpoint compromise through a mobile Trusted Path
      - Two-factor must be easy to deploy and use to be relevant