Security for the People: End-User Authentication Security on the Internet

Despite attackers' continued success at brute-forcing accounts, phishing credentials, and otherwise undermining the online security of consumers, a large portion of the sites and services consumers rely on still don't take authentication security seriously enough.

This presentation will review recent research into the state of end-user-facing authentication security as it relates to strong authentication, transport security, breach history, security transparency, and complementary browser security features. Through analysis of the ways organizations protect consumer authentication and deploy relevant browser security features, we can gain insight into which sites and services are most focused on ensuring consumers have the best chance defending against attackers.

Duo Security

August 12, 2014

Transcript

  1. Security For The People

    End-User Authentication Security On The Internet
    Mark Stanislav
    [email protected]


  2. Security Is A Process, Not A Product.


  3. A Few Notes on Research Methodology
    • Worked “backwards” by establishing a list of services that provide users with availability of two-factor authentication
      • Provides us with a more security-forward data set to begin with
    • Gathered additional details per service regarding not just 2FA details but also TLS usage, browser headers, and cookie security
    • Focus on data completeness and accuracy as much as reasonably possible but this is *not* a scientific study
    • Does not include software packages with two factor

  4. Primary Data Points Utilized
    Two-Factor Authentication
    • When was it first offered to users?
    • How do users enroll to enable it?
    • What method(s) are available?
    • What do companies even call it?
    Browser Security Features
    • HTTP Strict Transport Security
    • Content Security Policy
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Session Cookie Secure
    • Session Cookie HttpOnly
    Transport Security
    • Do they utilize SSL/TLS for logins?
    • What is their SSL Labs score?

  5. Gathering Data Can Be Really, Really Annoying


  6. Two Factor Deployments Per Year Since 2005
    [Bar chart: Number of Deployments by Year of Deployment, 2005 through 2014. Bar values as extracted: 30, 47, 18, 13, 7, 5, 4, 3, 3, 2 (132 total); the pairing of values with years is not recoverable from the transcript.]
    * Note, data is only through June 2014
    • Google Authenticator’s presence in 2011 has likely led to the mass adoption of TOTP
      • Many services that support TOTP just say they use Authenticator
    • Facebook also enabled 2FA for users in 2011
      • Allows SMS + TOTP

  7. How Does A User Actually Enroll In Two Factor?
    [Bar chart: Number of Services by Method of Two Factor Enrollment. Self Enroll: 132; the remaining bars (Phone Call, E-Mail, Mixed) show 4, 3 and 2, in an order not recoverable from the transcript.]
    • Ease of enrollment is crucial for adoption of security controls
    • Having to call, fax, or even e-mail may be enough for a user to go “this seems like too much effort…”
    • It’s great to see such a high percent of services allowing users to self enroll (94%)
      • But what about ease of use?

  8. Collective Method Availability Across Services
    [Bar chart: Number of Services Offering each method (E-Mail, SMS, Call, Card, Token, Yubikey, TOTP, HOTP, Mobile, Duo, Authy, Rublon). Bar values as extracted: 1, 12, 6, 25, 2, 74, 13, 15, 7, 14, 62, 14; TOTP is 74 per the first bullet, the other pairings are not recoverable from the transcript.]
    • 12 of the 74 services that support TOTP are Bitcoin related
    • 92% of all Bitcoin services offer TOTP, 62% only offer it to use
    • 73% of hardware token-enabled services are financial or gaming

  9. Companies Should Point Out Two Factor Availability
    Shown upon first login… nice work, Zoho!


  10. Number Of Methods Per Service By Percentage
    Methods  Share of services
    1        51%
    2        33%
    3        11%
    4        4%
    5+       2%
    • Of services that offer only a single method, 51% provide TOTP and 14% provide SMS
    • 62% of services that offer two methods pair TOTP with SMS
    • MailChimp and OneLogin offer five methods for users to leverage
      • …Clavid offers six methods!

  11. Two Factor Moniker Usage Since 2005
    [Stacked bar chart: Moniker Usage Per Year (2FA, MFA, 2SV, Other) by Deployment Year, 2005 through 2014, with the annotation “Google Deploys 2SV”. Segment values as extracted: 3, 4, 3, 4, 2, 1, 1, 1, 5, 10, 5, 2, 2, 1, 2, 1, 1, 1, 1, 20, 33, 12, 6, 2, 2, 3, 2, 2; their pairing with years and monikers is not recoverable from the transcript.]
    * Note, data is only through July 2014
    • 2-Step Verification as a moniker seems to be going away…
      • 2011: 15%
      • 2012: 28%
      • 2013: 21%
      • 2014: 17%
    • “Other” is usually for custom branding of the service’s feature

  12. Built-In Two Factor Bypass? Recovery Gone Wrong.
    Can’t 2FA? No Problem! Just replace it with more 1-factor :)


  13. A Bit Of A Glossary
    HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.
    Content Security Policy (CSP) provides a header that allows websites to declare approved sources of content that browsers should be allowed to load on that page.
    X-Frame-Options can prevent any framing, prevent framing by external sites, or allow framing only by the specified site.
    X-XSS-Protection enables the XSS filter built into most web browsers — IE8, for instance, already has this on by default.
    X-Content-Type-Options reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable/dynamic HTML.
    ‘Secure’ Cookie makes supported browsers only send cookies with the secure flag when the request is going to a HTTPS page.
    ‘HttpOnly’ Cookie mitigates cross-site scripting (XSS) attacks by not allowing supported browsers to access cookies client-side.
    Mostly a copy/paste from Wikipedia and OWASP <3
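The following Python is an added example, not code from the deck or from Duo Security. It performs the per-service check the research gathered for each glossary item: it parses one raw HTTP/1.x response and reports which of the five headers are present and whether the session cookie carries the Secure and HttpOnly flags. Both responses are constructed inline for illustration, and the session cookie name `sessionid` is an assumption (real services name it differently). One caveat beyond the deck's presence-only methodology is built in: `X-XSS-Protection: 0` turns the filter off, so it is counted as not enabled.

```python
"""Audit a raw HTTP response for the browser-security features in the glossary.

Added example; the responses below are constructed for illustration and the
session cookie name is an assumption, not a value from any real service.
"""
from __future__ import annotations

# Response header names (lowercased) for each tracked feature.
FEATURE_HEADERS = {
    "hsts": "strict-transport-security",
    "csp": "content-security-policy",
    "x_frame_options": "x-frame-options",
    "x_xss_protection": "x-xss-protection",
    "x_content_type_options": "x-content-type-options",
}


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Split an HTTP/1.x response into (lowercased name, value) pairs.

    Repeated headers such as Set-Cookie are kept as separate entries, which
    matters because the session cookie is rarely the only cookie a login sets.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    pairs: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie_value: str) -> tuple[str, set[str]]:
    """Return (cookie name, lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw_response: str, session_cookie: str = "sessionid") -> dict:
    """Report which tracked features a response enables.

    Header features count by presence, as in the deck, with one caveat:
    "X-XSS-Protection: 0" explicitly disables the filter, so it counts as off.
    Cookie flags are None when the named session cookie was not set at all.
    """
    pairs = parse_headers(raw_response)
    present = {name for name, _ in pairs}
    report: dict[str, bool | None] = {
        key: header in present for key, header in FEATURE_HEADERS.items()
    }
    report["session_cookie_secure"] = None
    report["session_cookie_httponly"] = None
    for name, value in pairs:
        if name == "x-xss-protection" and value.startswith("0"):
            report["x_xss_protection"] = False
        if name == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if cname == session_cookie:
                report["session_cookie_secure"] = "secure" in attrs
                report["session_cookie_httponly"] = "httponly" in attrs
    return report


# Constructed responses: one hardened login page, one that sets almost nothing.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: tracking=abc123; Path=/\r\n"
    "Set-Cookie: sessionid=opaque-token; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>login form</html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 0\r\n"
    "Set-Cookie: sessionid=opaque-token; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>login form</html>"
)


if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(response))
```

Run against a real service, the raw response would come from the HTTPS login page itself rather than the inline strings, and the session cookie name has to be taken from that service's login flow before the two cookie columns mean anything.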

  14. Browser Security Features For Service Logins
    Sector       Total Sites  HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly
    All Sectors  141          38%   7%   56%      22%    22%        75%            78%
    Technology   83           40%   10%  49%      20%    20%        73%            78%
    Financial    36           33%   8%   50%      14%    8%         69%            64%
    Gaming       12           17%   0%   25%      8%     0%         58%            67%
    Retail       4            50%   0%   75%      50%    50%        75%            100%
    Social       6            50%   17%  83%      17%    33%        100%           83%
    • Gaming is far behind versus other sectors for browser security
      • Likely because most users spend little time in the browser
    • Social media organizations have more of a focus on browser security due to the common nature of client-side attacks against users

  15. Browser Security All-Stars
    4 of 141 services utilized all of the tested browser security features
    12 more had all of the security features except Content Security Policy


  16. Unexpected Headers During Research
    WordPress.com: x-hacker
      If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
    App.net: heartbleed
      REKEYED: 2014-04-08; see http://heartbleedheader.com
    Directnic: X-Hackers
      We’re hiring! Apply at [email protected], use this header in your subject

  17. SSL/TLS Implementation for Service Logins
    [Bar chart: Total Occurrences by SSL Labs Score (A+, A, A-, B, C, F). Bar values as extracted: 17, 3, 34, 34, 32, 21 (141 total); the pairing of values with grades is not recoverable from the transcript.]
    • 14 of the ‘F’ ratings were because of the OpenSSL CCS vulnerability (CVE-2014-0224)
    • Star Wars: The Old Republic actually supported SSL v2!
    • Amazingly enough, SSLTrust of all people received a ‘C’ rating for their allowance of both 40-bit and 56-bit cipher suites

  18. We Take Security Seriously, Erm…


  19. Browser Security + SSL Security All-Stars
    2 of 141 services utilized all of the tested browser security features
    and managed to receive an ‘A+’ SSL implementation rating


  20. The Weirdest Thing I Saw During Research
    They don’t use SSL at all and do JS crypto for logins


  21. Security Pages — Yes, Really :)
    Many companies dedicate an entire page (or at least a big section of a page) to how they protect you and how you can protect yourself
    …and others definitely do not…
    [Screenshots: Example #1, Example #2, Example #3; caption “Seems legit.”]

  22. Security Pages Across Two Factor-enabled Services
    [Bar chart: Count of services by Security Page. Yes: 90, No: 51.]
    • 15 of 51 sites (29%) that do not have a security page are in the domain registration/DNS space
      • …including GoDaddy, NameCheap, and Hover
    • Some of these pages even have a bug bounty and/or responsible disclosure section which is fantastic for further helping to protect users
      • …including Google, Facebook, and Coinkite
    • These pages show real concern for security and transparency — we could use more!

  23. So What Does This All Mean?
    • Consider the data points we now have:
      • Browser security (HTTP headers and cookie security)
      • Transport security (SSL/TLS implementation)
      • Strong authentication (two factor deployments)
      • Corporate security focus (company security page)
    • What if we could assign a point-scale to those data points and create a composite value of authentication security per service?
      • …and what if you had no idea what the hell you were doing?

  24. Mark’s Authentication Security Scoring Algorithm — Crudely Realized Edition
    MASSACRE

  25. How Do We Get a Composite MASSACRE Score?
    100 point scale… add up values to get a score!
    SSL Implementation
    Score                   Points
    A+, A, A-, B+, B, B-    15
    C+, C, C-, D+, D, D-    10
    F, No SSL/TLS           0
    Browser Security Features
    Feature                         Points
    HTTP Strict Transport Security  10
    Content Security Policy         15
    X-Frame-Options                 10
    X-XSS-Protection                5
    X-Content-Type-Options          5
    Secure Session Cookie           10
    HttpOnly Session Cookie         10
    Security Page
    Exists?  Points
    Yes      5
    Two Factor
    Enabled?  Points
    Yes       15

  26. Professional MASSACRE Scale
    Score   Count
    81-100  15
    61-80   41
    41-60   53
    21-40   27
    0-20    5
    (The transcript separates the four upper counts from their bands; they are paired here in the only order consistent with the deck’s stated median of 55.)
    Keep in mind, everyone “starts” with 15 points

  27. MASSACRE Scoring Outcomes — Best and Worst!
    Best Scores
    Company   Score
    GitHub    100
    Kraken    100
    LastPass  100
    FastMail  95
    Facebook  90
    Worst Scores
    Company   Score
    easyDNS   15
    Frostbox  15
    Sendloop  15
    Fabulous  20
    Pobox     20
    Best Per Sector
    Sector      Company               Score
    Technology  Github, LastPass      100
    Financial   Kraken                100
    Gaming      Elder Scrolls Online  65
    Retail      Etsy                  85
    Social      Facebook              90
    Worst Per Sector
    Sector      Company                                          Score
    Technology  easyDNS, Frostbox, Sendloop                      15
    Financial   WeMineLTC                                        30
    Gaming      Guild Wars 2, Star Wars: Old Republic, Wildstar  35
    Retail      Humble Bundle                                    50
    Social      HootSuite                                        45

  28. Further Parsing MASSACRE Scores
    Group           Mean  Median  Mode
    Overall Values  57    55      55
    Technology      57    55      75
    Financial       57    55      55
    Gaming          47    48      N/A
    Retail          68    68      N/A
    Social          72    73      N/A

  29. How Do Security Features Increase MASSACRE Scores?
    Group           Mean  Median  Mode
    Overall Values  57    55      55
    CSP Enabled     87    93      100
    Security Page?  63    65      55
    HSTS Enabled    75    75      75
    SSL ~(A|B)      60    55      55
    SSL ~(C|D)      40    40      N/A
    SSL ~(F/None)   37    35      N/A

  30. MASSACRE FAQ, #1

  31. MASSACRE FAQ, #2

  32. MASSACRE FAQ, #3

  33. Have A Crappy Algorithm? Make A Crappy Extension!

  34. Breaches Of Service Security (Data Loss, Especially)
    • A breach does not include DDoS attacks, direct phishing against customers, dumb users, etc.
    • 28% of services had a public corporate breach
    • Breached services had an average MASSACRE score of 64 while unbreached had a worse, 54
      • So, moot point. Everyone can get hacked :)
    [Bar chart: Count of services by Corporate Breach. Yes: 39, No: 102.]
    Sector      Total  # Breached  % Breached
    Technology  83     19          23%
    Financial   36     11          31%
    Gaming      12     3           25%
    Retail      4      2           50%
    Social      6      4           67%

  35. Two Factor Deployments After A Breach
    • Of 37 services that had a deployment date and a breach date, 54% already offered some form of two-factor authentication
    • Of the 19 services that added 2FA after a breach, it took an average of 255 days to deploy with a median of 128 days
      • It took Linode, Dropbox, MaxCDN, and Buffer < 1 month to deploy
    • 74% offer TOTP (52% offer it across all services)
    • 63% provide 2+ methods (49% across all services)

  36. SaaS 2FA Service Provider Shoot-Out!
    • Includes 2FA providers with a customer login on their web site
    • Sorry if I missed your company, it was definitely not on purpose!
    • I am assuming these services all require 2FA for logins :)
    Company       HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly  SSL Score  Security Page  MASSACRE
    Authy         ✓     ✗    ✓        ✓      ✓          ✗              ✓                F          ✓              60
    Duo Security  ✓     ✓    ✓        ✗      ✗          ✓              ✓                A+         ✓              90
    LaunchKey     ✓     ✗    ✓        ✓      ✓          ✓              ✓                A+         ✓              85
    MePIN         ✗     ✗    ✗        ✗      ✗          ✗              ✓                B          ✗              40
    Rublon        ✗     ✗    ✗        ✗      ✗          ✓              ✓                A-         ✓              55
    SAASPASS      ✗     ✗    ✗        ✗      ✗          ✓              ✓                A          ✗              50
    TeleSign      ✗     ✗    ✗        ✗      ✗          ✗              ✗                A-         ✗              30
    TextPower     ✗     ✗    ✗        ✗      ✗          ✓              ✗                F          ✗              25
    *phew* glad Duo didn’t lose :P

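As an added example (not the deck's own code nor anything from Duo Security), the following Python implements the point table from the "How Do We Get a Composite MASSACRE Score?" slide and re-derives the shoot-out scores from the rows of the table above, so the arithmetic behind each published score can be checked. It treats every provider as 2FA-enabled, matching the deck's stated assumption, and the band helper follows the five-band "Professional MASSACRE Scale"; the row format and the feature-key names are this example's own.

```python
"""Compute MASSACRE scores from the deck's scoring table.

Added example, not code from the deck. The shoot-out rows below are transcribed
from the slide; every provider is treated as 2FA-enabled, as the deck assumes.
"""
from __future__ import annotations

# Point values per browser security feature, in the slide's column order.
FEATURE_POINTS = {
    "hsts": 10,
    "csp": 15,
    "x_frame_options": 10,
    "x_xss_protection": 5,
    "x_content_type_options": 5,
    "cookie_secure": 10,
    "cookie_httponly": 10,
}
SECURITY_PAGE_POINTS = 5
TWO_FACTOR_POINTS = 15


def ssl_points(grade: str | None) -> int:
    """Map an SSL Labs grade to points: A/B bands 15, C/D bands 10, F or no TLS 0."""
    if not grade:
        return 0
    letter = grade[0].upper()
    if letter in "AB":
        return 15
    if letter in "CD":
        return 10
    return 0


def massacre_score(features: dict[str, bool], ssl_grade: str | None,
                   security_page: bool, two_factor: bool) -> int:
    """Sum the point values; a fully hardened service with 2FA reaches 100."""
    score = sum(points for key, points in FEATURE_POINTS.items() if features.get(key))
    score += ssl_points(ssl_grade)
    if security_page:
        score += SECURITY_PAGE_POINTS
    if two_factor:
        score += TWO_FACTOR_POINTS
    return score


def scale_band(score: int) -> str:
    """Place a score on the deck's five-band scale."""
    for low, high in ((81, 100), (61, 80), (41, 60), (21, 40), (0, 20)):
        if low <= score <= high:
            return f"{low}-{high}"
    raise ValueError(f"score out of range: {score}")


# Rows transcribed from the shoot-out slide: company, seven check marks in the
# order of FEATURE_POINTS, SSL grade, security page mark, published score.
SHOOTOUT_ROWS = [
    "Authy ✓ ✗ ✓ ✓ ✓ ✗ ✓ F ✓ 60",
    "Duo Security ✓ ✓ ✓ ✗ ✗ ✓ ✓ A+ ✓ 90",
    "LaunchKey ✓ ✗ ✓ ✓ ✓ ✓ ✓ A+ ✓ 85",
    "MePIN ✗ ✗ ✗ ✗ ✗ ✗ ✓ B ✗ 40",
    "Rublon ✗ ✗ ✗ ✗ ✗ ✓ ✓ A- ✓ 55",
    "SAASPASS ✗ ✗ ✗ ✗ ✗ ✓ ✓ A ✗ 50",
    "TeleSign ✗ ✗ ✗ ✗ ✗ ✗ ✗ A- ✗ 30",
    "TextPower ✗ ✗ ✗ ✗ ✗ ✓ ✗ F ✗ 25",
]


def parse_row(row: str) -> tuple[str, dict[str, bool], str, bool, int]:
    """Split one slide row into its fields; the company name may contain spaces."""
    tokens = row.split()
    name = " ".join(tokens[:-10])
    marks = tokens[-10:]
    features = {key: mark == "✓" for key, mark in zip(FEATURE_POINTS, marks[:7])}
    return name, features, marks[7], marks[8] == "✓", int(marks[9])


def score_shootout(rows: list[str] = SHOOTOUT_ROWS) -> dict[str, tuple[int, int]]:
    """Recompute each provider's score and pair it with the deck's published one."""
    results = {}
    for row in rows:
        name, features, grade, page, published = parse_row(row)
        results[name] = (massacre_score(features, grade, page, two_factor=True), published)
    return results


if __name__ == "__main__":
    for name, (computed, published) in score_shootout().items():
        print(f"{name:13} computed={computed:3} published={published:3} band={scale_band(computed)}")
```

Every recomputed score matches the published column, which also confirms that the SSL grades A through B earn the same 15 points and that the 15-point 2FA credit is the floor every service in the data set starts from.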

  37. Random Thoughts On Lessons Learned
    • Scouring the Internet to find release dates and documentation for service features is way harder than it should be
    • Authentication security still ultimately comes down to the security of your operations and your codebase
      • Bug in your authentication code? None of this other stuff really matters
    • We need better SSL implementations and more security pages for services!
    [Image caption: “Data research is tiring, let’s just break stuff.”]

  38. Thanks Go Out To…
    • Vikas Kumar and Domenic Rizzolo, two of the amazing interns at Duo Security, for doing a ton of data gathering and organization
    • http://twofactorauth.org for being a hugely helpful resource for trying to aggregate 2FA-enabled sites/services to get started with
    • https://www.ssllabs.com/ssltest/ from Qualys for SSL Scoring
    • Steve Werby did similar research on a grander scale last year — http://www.slideshare.net/stevewerby/crunching-the-top-10000-websites-password-policies-and-controls-presented-by-steve-werby-at-rich-sec-2013

  39. All Done! Questions?
    E-Mail: [email protected]
    Twitter: @markstanislav
    Presentations: speakerdeck.com/mstanislav