Security For The People

End-User Authentication Security On The Internet
Mark Stanislav
mstanislav@duosecurity.com
Despite the continued success by attackers to brute-force accounts, phish credentials, and otherwise impact the online security of consumers, a large portion of the sites and services consumers utilize still don't take authentication security seriously enough.

This presentation will review recent research into the state of end-user-facing authentication security as it relates to strong authentication, transport security, breach history, security transparency, and complementary browser security features. Through analysis of the ways organizations protect consumer authentication and deploy relevant browser security features, we can gain insight into which sites and services are most focused on ensuring consumers have the best chance defending against attackers.

1. Security For The People: End-User Authentication Security On The Internet
Mark Stanislav, mstanislav@duosecurity.com

2. Security Is A Process, Not A Product.

3. A Few Notes on Research Methodology
• Worked "backwards" by establishing a list of services that offer their users two-factor authentication; this gives a more security-forward data set to begin with
• Gathered additional details per service covering not just 2FA but also TLS usage, browser headers, and cookie security
• Focused on data completeness and accuracy as much as reasonably possible, but this is *not* a scientific study
• Does not include software packages that ship with two factor

4. Primary Data Points Utilized
Two-Factor Authentication: When was it first offered to users? How do users enroll to enable it? What method(s) are available? What do companies even call it?
Transport Security: Do they use SSL/TLS for logins? What is their SSL Labs score?
Browser Security Features: HTTP Strict Transport Security, Content Security Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, session cookie Secure flag, session cookie HttpOnly flag
5. Gathering Data Can Be Really, Really Annoying

6. Two Factor Deployments Per Year Since 2005
Chart: number of deployments by year of deployment, 2005 through 2014 (data is only through June 2014)
• Google Authenticator's presence in 2011 has likely led to the mass adoption of TOTP
• Many services that support TOTP just say they use Authenticator
• Facebook also enabled 2FA for users in 2011, allowing SMS + TOTP

7. How Does A User Actually Enroll In Two Factor?
Chart: number of services by enrollment method (phone call, e-mail, mixed, self enroll); 132 of the 141 services let users self enroll, the remaining nine require a phone call, an e-mail, or a mix
• Ease of enrollment is crucial for adoption of security controls
• Having to call, fax, or even e-mail may be enough for a user to decide "this seems like too much effort…"
• It's great to see such a high percentage of services allowing users to self enroll (94%)
• But what about ease of use?

8. Collective Method Availability Across Services
Chart: number of services offering each method (e-mail, SMS, call, card, token, YubiKey, TOTP, HOTP, mobile, Duo, Authy, Rublon); TOTP leads with 74 services
• 12 of the 74 services that support TOTP are Bitcoin related
• 92% of all Bitcoin services offer TOTP, and 62% offer it as their only method
• 73% of hardware token-enabled services are financial or gaming

9. Companies Should Point Out Two Factor Availability
Shown upon first login… nice work, Zoho!

10. Number Of Methods Per Service By Percentage
Chart: 1 method 51%, 2 methods 33%, 3 methods 11%, 4 methods 4%, 5+ methods 2%
• Of services that offer only a single method, 51% provide TOTP and 14% provide SMS
• 62% of services that offer two methods pair TOTP with SMS
• MailChimp and OneLogin offer five methods for users to leverage
• …Clavid offers six methods!

11. Two Factor Moniker Usage Since 2005
Chart: moniker usage (2FA, MFA, 2SV, Other) per deployment year, 2005 through 2014 (data is only through July 2014), with a marker where Google deploys 2SV
• "2-Step Verification" as a moniker seems to be going away: 2011: 15%, 2012: 28%, 2013: 21%, 2014: 17%
• "Other" is usually custom branding of the service's feature

12. Built-In Two Factor Bypass? Recovery Gone Wrong.
Can't 2FA? No problem! Just replace it with more single-factor :)
13. A Bit Of A Glossary (mostly a copy/paste from Wikipedia and OWASP <3)
• HTTP Strict Transport Security (HSTS): a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.
• Content Security Policy (CSP): a header that lets a website declare the approved sources of content that browsers should be allowed to load on that page.
• X-Frame-Options: can prevent any framing, prevent framing by external sites, or allow framing only by a specified site.
• X-XSS-Protection: enables the XSS filter built into most web browsers; IE8, for instance, already has it on by default.
• X-Content-Type-Options: reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML.
• 'Secure' cookie flag: supported browsers send a cookie carrying the Secure flag only when the request is going to an HTTPS page.
• 'HttpOnly' cookie flag: mitigates cross-site scripting (XSS) by preventing client-side script in supported browsers from reading the cookie.
14. Browser Security Features For Service Logins
Sector        Total Sites   HSTS   CSP   X-Frame   X-XSS   X-Content   Cookie Secure   Cookie HttpOnly
All Sectors   141           38%    7%    56%       22%     22%         75%             78%
Technology    83            40%    10%   49%       20%     20%         73%             78%
Financial     36            33%    8%    50%       14%     8%          69%             64%
Gaming        12            17%    0%    25%       8%      0%          58%             67%
Retail        4             50%    0%    75%       50%     50%         75%             100%
Social        6             50%    17%   83%       17%     33%         100%            83%
• Gaming is far behind the other sectors for browser security, likely because most users spend little time in the browser
• Social media organizations focus more on browser security because client-side attacks against their users are so common

15. Browser Security All-Stars
4 of 141 services utilized all of the tested browser security features; 12 more had all of them except Content Security Policy

16. Unexpected Headers During Research
• WordPress.com, x-hacker: "If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header."
• App.net, heartbleed: "REKEYED: 2014-04-08; see http://heartbleedheader.com"
• Directnic, X-Hackers: "We're hiring! Apply at hr@dnc.io, use this header in your subject"

17. SSL/TLS Implementation for Service Logins
Chart: total occurrences of each SSL Labs grade (A+, A, A-, B, C, F) across the 141 services
• 14 of the 'F' ratings were because of the OpenSSL CCS injection vulnerability (CVE-2014-0224)
• Star Wars: The Old Republic actually supported SSL v2!
• Amazingly enough, SSLTrust of all people received a 'C' rating for allowing both 40-bit and 56-bit cipher suites

18. We Take Security Seriously, Erm…

19. Browser Security + SSL Security All-Stars
2 of 141 services utilized all of the tested browser security features and also received an 'A+' SSL implementation rating

20. The Weirdest Thing I Saw During Research
They don't use SSL at all and do JS crypto for logins

21. Security Pages — Yes, Really :)
Many companies dedicate an entire page (or at least a big section of a page) to how they protect you and how you can protect yourself… and others definitely do not ("Seems legit."). Screenshots: Example #1, Example #2, Example #3.

22. Security Pages Across Two Factor-enabled Services
Chart: security page present: Yes 90, No 51
• 15 of the 51 sites (29%) that do not have a security page are in the domain registration/DNS space, including GoDaddy, NameCheap, and Hover
• Some of these pages even have a bug bounty and/or responsible disclosure section, which is fantastic for further helping to protect users; Google, Facebook, and Coinkite are examples
• These pages show real concern for security and transparency; we could use more!

23. So What Does This All Mean?
• Consider the data points we now have:
  • Browser security (HTTP headers and cookie security)
  • Transport security (SSL/TLS implementation)
  • Strong authentication (two factor deployments)
  • Corporate security focus (company security page)
• What if we could assign a point scale to those data points and create a composite value of authentication security per service?
• …and what if you had no idea what the hell you were doing?

24. Mark's Authentication Security Scoring Algorithm, Crudely Realized Edition: MASSACRE

25. How Do We Get a Composite MASSACRE Score?
100 point scale… add up the values to get a score!
SSL Implementation
  A+, A, A-, B+, B, B-: 15 points
  C+, C, C-, D+, D, D-: 10 points
  F, or no SSL/TLS at all: 0 points
Two Factor Enabled? Yes: 15 points
Security Page Exists? Yes: 5 points
Browser Security Features
  HTTP Strict Transport Security: 10
  Content Security Policy: 15
  X-Frame-Options: 10
  X-XSS-Protection: 5
  X-Content-Type-Options: 5
  Secure Session Cookie: 10
  HttpOnly Session Cookie: 10
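Putting the glossary on slide 13 and the point table on slide 25 together: the Python below is an added example written for this page, not the presentation's own scoring script or the browser extension mentioned later. It parses a raw login-page response, decides which of the seven browser features are actually set (checking the named session cookie for Secure and HttpOnly), then adds the SSL Labs grade, two-factor and security-page points. The two responses are constructed to match the Duo Security and TeleSign rows of the shoot-out table on slide 36, and the session cookie name "sid" is an assumption; neither is captured traffic.

```python
# Added example (not the presentation's or Duo's code): score a login page
# response with the MASSACRE point table.  The two responses at the bottom are
# constructed for this example, not captured traffic.

# Point values exactly as on the "How Do We Get a Composite MASSACRE Score?" slide.
HEADER_POINTS = {
    "strict-transport-security": 10,
    "content-security-policy": 15,
    "x-frame-options": 10,
    "x-xss-protection": 5,
    "x-content-type-options": 5,
}
SECURE_COOKIE_POINTS = 10
HTTPONLY_COOKIE_POINTS = 10
TWO_FACTOR_POINTS = 15
SECURITY_PAGE_POINTS = 5


def ssl_points(grade):
    """SSL Labs grade -> points: A/B tiers 15, C/D tiers 10, F or no TLS 0."""
    letter = grade.strip().upper()[:1]
    if letter in ("A", "B"):
        return 15
    if letter in ("C", "D"):
        return 10
    return 0  # "F", "" (no SSL/TLS at all), or anything unexpected


def parse_response(raw):
    """Split raw HTTP/1.x response text into (status_line, [(name_lower, value), ...]).

    Header names are case-insensitive, so they are lower-cased here; repeated
    headers such as several Set-Cookie lines are all kept.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def browser_features(headers, session_cookie):
    """Map each of the seven tested browser features to True/False.

    Presence is what the research measured, with two sanity checks any scanner
    should apply: "X-XSS-Protection: 0" *disables* the filter, and
    Content-Security-Policy-Report-Only enforces nothing (it is a different
    header name, so it is simply not matched).  Only the named session cookie
    is inspected for the Secure and HttpOnly flags.
    """
    found = dict.fromkeys(HEADER_POINTS, False)
    found["secure-cookie"] = False
    found["httponly-cookie"] = False
    for name, value in headers:
        if name == "x-xss-protection":
            found[name] = value.split(";", 1)[0].strip() != "0"
        elif name in HEADER_POINTS:
            found[name] = True
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            if cookie_name == session_cookie:
                attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
                found["secure-cookie"] = "secure" in attrs
                found["httponly-cookie"] = "httponly" in attrs
    return found


def massacre_score(features, ssl_grade, two_factor, security_page):
    """Add up the point table; every 2FA-enabled service 'starts' with 15."""
    score = sum(pts for name, pts in HEADER_POINTS.items() if features[name])
    if features["secure-cookie"]:
        score += SECURE_COOKIE_POINTS
    if features["httponly-cookie"]:
        score += HTTPONLY_COOKIE_POINTS
    score += ssl_points(ssl_grade)
    if two_factor:
        score += TWO_FACTOR_POINTS
    if security_page:
        score += SECURITY_PAGE_POINTS
    return score


def score_login(raw_response, session_cookie, ssl_grade, two_factor, security_page):
    """Full pipeline: raw response text -> feature flags -> MASSACRE score (0-100)."""
    _, headers = parse_response(raw_response)
    features = browser_features(headers, session_cookie)
    return massacre_score(features, ssl_grade, two_factor, security_page)


# Constructed responses (not real captures); "sid" is an assumed session cookie name.
# Profile matching the Duo Security row of the shoot-out table.
DUO_LIKE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: sid=0123456789abcdef; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)
# Profile matching the TeleSign row: no security headers, unflagged session cookie.
BARE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=0123456789abcdef; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print("Duo-like profile, A+, security page:", score_login(DUO_LIKE, "sid", "A+", True, True))  # 90
    print("Bare profile, A-, no security page:", score_login(BARE, "sid", "A-", True, False))      # 30
```

Run as a script it reproduces the 90 and 30 from the shoot-out table. The two refinements in browser_features go slightly beyond the slide's presence test: a literal "X-XSS-Protection: 0" and a report-only CSP both show up as a header but protect nobody, so a scanner that only greps header names will over-credit them. The HSTS header is likewise only honored by browsers when it arrives over HTTPS, which is why the SSL Labs grade and the header should be read together rather than as independent points.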
26. Professional MASSACRE Scale
Score range and number of services: 81-100: 15; 61-80: 41; 41-60: 53; 21-40: 27; 0-20: 5
Keep in mind, everyone "starts" with 15 points, since every service in the data set offers two factor

27. MASSACRE Scoring Outcomes — Best and Worst!
Best scores: GitHub 100, Kraken 100, LastPass 100, FastMail 95, Facebook 90
Worst scores: easyDNS 15, Frostbox 15, Sendloop 15, Fabulous 20, Pobox 20
Best per sector: Technology: GitHub, LastPass 100; Financial: Kraken 100; Gaming: Elder Scrolls Online 65; Retail: Etsy 85; Social: Facebook 90
Worst per sector: Technology: easyDNS, Frostbox, Sendloop 15; Financial: WeMineLTC 30; Gaming: Guild Wars 2, Star Wars: The Old Republic, Wildstar 35; Retail: Humble Bundle 50; Social: HootSuite 45

28. Further Parsing MASSACRE Scores (mean / median / mode)
Overall values: 57 / 55 / 55
Technology: 57 / 55 / 75
Financial: 57 / 55 / 55
Gaming: 47 / 48 / N/A
Retail: 68 / 68 / N/A
Social: 72 / 73 / N/A

29. How Do Security Features Increase MASSACRE Scores? (mean / median / mode)
Overall values: 57 / 55 / 55
CSP enabled: 87 / 93 / 100
HSTS enabled: 75 / 75 / 75
Security page present: 63 / 65 / 55
SSL grade A or B: 60 / 55 / 55
SSL grade C or D: 40 / 40 / N/A
SSL grade F or no SSL/TLS: 37 / 35 / N/A

30. MASSACRE FAQ, #1

31. MASSACRE FAQ, #2

32. MASSACRE FAQ, #3

33. Have A Crappy Algorithm? Make A Crappy Extension!

34. Breaches Of Service Security (Data Loss, Especially)
• A breach does not include DDoS attacks, direct phishing against customers, dumb users, etc.
• 28% of services had a public corporate breach
• Breached services had an average MASSACRE score of 64, while unbreached services had a worse 54
• So, moot point. Everyone can get hacked :)
Chart: corporate breach: Yes 39, No 102
Sector       Total   # Breached   % Breached
Technology   83      19           23%
Financial    36      11           31%
Gaming       12      3            25%
Retail       4       2            50%
Social       6       4            67%

35. Two Factor Deployments After A Breach
• Of the 37 services that had both a deployment date and a breach date, 54% already offered some form of two-factor authentication
• Of the 19 services that added 2FA after a breach, it took an average of 255 days to deploy, with a median of 128 days
• It took Linode, Dropbox, MaxCDN, and Buffer less than 1 month to deploy
• 74% offer TOTP (52% offer it across all services)
• 63% provide 2+ methods (49% across all services)
36. SaaS 2FA Service Provider Shoot-Out!
• Includes 2FA providers with a customer login on their web site
• Sorry if I missed your company, it was definitely not on purpose!
• I am assuming these services all require 2FA for logins :)
Company        HSTS   CSP   X-Frame   X-XSS   X-Content   Cookie Secure   Cookie HttpOnly   SSL Score   Security Page   MASSACRE
Authy          ✓      ✗     ✓         ✓       ✓           ✗               ✓                 F           ✓               60
Duo Security   ✓      ✓     ✓         ✗       ✗           ✓               ✓                 A+          ✓               90
LaunchKey      ✓      ✗     ✓         ✓       ✓           ✓               ✓                 A+          ✓               85
MePIN          ✗      ✗     ✗         ✗       ✗           ✗               ✓                 B           ✗               40
Rublon         ✗      ✗     ✗         ✗       ✗           ✓               ✓                 A-          ✓               55
SAASPASS       ✗      ✗     ✗         ✗       ✗           ✓               ✓                 A           ✗               50
TeleSign       ✗      ✗     ✗         ✗       ✗           ✗               ✗                 A-          ✗               30
TextPower      ✗      ✗     ✗         ✗       ✗           ✓               ✗                 F           ✗               25
*phew* glad Duo didn't lose :P
37. Random Thoughts On Lessons Learned
• Scouring the Internet to find release dates and documentation for service features is way harder than it should be
• Authentication security still ultimately comes down to the security of your operations and your codebase
• Bug in your authentication code? None of this other stuff really matters
• We need better SSL implementations and more security pages for services!
Data research is tiring, let's just break stuff.

38. Thanks Go Out To…
• Vikas Kumar and Domenic Rizzolo, two of the amazing interns at Duo Security, for doing a ton of data gathering and organization
• http://twofactorauth.org for being a hugely helpful resource for aggregating 2FA-enabled sites/services to get started with
• https://www.ssllabs.com/ssltest/ from Qualys for SSL scoring
• Steve Werby did similar research on a grander scale last year: http://www.slideshare.net/stevewerby/crunching-the-top-10000-websites-password-policies-and-controls-presented-by-steve-werby-at-rich-sec-2013

39. All Done! Questions?
E-Mail: mstanislav@duosecurity.com
Twitter: @markstanislav
Presentations: speakerdeck.com/mstanislav