The document provides an overview of multi-factor authentication (MFA) implementation best practices and common mistakes. It discusses both the benefits of MFA in providing an extra layer of security beyond passwords, as well as potential downsides such as false security if not implemented properly. Examples are given of poor implementations, including not enforcing MFA, allowing insecure methods like SMS, and design flaws. Ideal implementations encourage the use of hardware security keys and push notifications with centralized administration and user training. Bypasses of MFA like man-in-the-middle attacks are also mentioned. The document concludes with a demonstration of using AI to assist with social engineering and phishing attacks.
CI-ISSA '23 - Bad Multi-Factor
1. Curtis Brazzell | CISSP
Managing Security Consultant @ GuidePoint Security
(My thoughts do not reflect.. blah blah.. Thanks Brad, for the pizza!! )
2. About Me
Local to This Community! (Brownsburg, IN)
Passionate about security since the 90’s
Former DBA/Sys Admin (4-6 years)
Security Consulting for 12+ years
SOC/IR Lead
DFIR Lead (Malware Analysis)
AppSec/Pentesting/Physical/Wireless/Architecture/Social Engineering
Currently an MSC for GuidePoint Security on the AppSec (Tactical) Team
Researcher/Blogger/”Author”
Presenting at BSides Fort Wayne on New Phishing Techniques!
3. Agenda
The Good, the Bad, and the Ugly Side of MFA
Examples of Poor Implementation (so many examples)
Nap
Even More Examples
Ideal Implementations (and their weaknesses)
Summary
Phishing Chat GPT PoC Demo
4. The “Good” Side of MFA
Extra layer of protection (something you “have” or “are”)
Helps supplement password security (weak/reused/breached credentials)
One of the strongest preventative measures against account takeover
5. The “Bad” Side of MFA
Insecure mediums (SMS, still better than none)
Mobile authentication on mobile platforms (Mixing “know” and “have”)
Lost/stolen hardware and recovery
User opt-in (“We support it”)
6. The “Ugly” Side of MFA
Bad user experience (Balancing user convenience with security)
False sense of security
Not a silver bullet
User awareness training (locations/IPs, real-time prompts, alternative methods)
Twitter charging extra for MFA
Poor implementations
7. Examples of Poor Implementation (BMF)
Implemented, But Not Enforced
Sometimes there are friendly reminders
Can jump into an account with only a password
Supporting and enforcing are not the same
Leaves security to the user (opt-in)
User preference of convenience over security
Don’t leave enrollment a choice for critical apps
If you do this, train your users and make MFA simple
Importance of protecting users (data exposure, increased attack surface, etc)
8. Examples of Poor Implementation (cont.)
Less-Secure Methods Accepted
Recovery codes unsecured on filesystems
PINs/Tokens users type
9. Examples of Poor Implementation (cont.)
More PhishAPI (Real-time Phishing Framework)
MFA Requirements
Gamified
10. Examples of Poor Implementation (cont.)
Less-Secure Methods Accepted
Even if SUPPORTED and not the default, it’s still a problem! (path of least resistance)
Use hardware tokens or push as the default?
Forms can be set to only prompt for tokens!
11. Examples of Poor Implementation (cont.)
Less-Secure Methods Accepted
SMS Interception (“SMS ain’t no country I ever heard of!”)
Seriously though, why’s this a problem?
No end-to-end encryption
SIM Swapping / Cloning / SE attacks
12. Examples of Poor Implementation (cont.)
Open Enrollment
Enforced, but at the user’s leisure or next login
Beat user to self-enrollment on attacker-owned device
Simply logged in as user and approved as they would
Sessions can be too long, won’t apply until next auth cycle if already logged in when applied.
Huge security gap (20% of captured creds were not enrolled yet. Customer was blindsided.)
13. Examples of Poor Implementation (cont.)
Infinite or Overly Long Enrollment Period
Increased risk when combined with Open Enrollment
Can’t assume users will access it within a reasonable timeline (PTO, lack of need in roles, VPN, etc)
14. Examples of Poor Implementation (cont.)
Infinite Re-Enrollment (Link Doesn’t Expire After First Use)
Enroll again as attacker
Stale enrollment links in email can be exposed in logs or discovered by attackers
Not really an issue with most current MFA solutions
15. Nap
Anyone awake?
Survey room. If no one is awake grab pizza and quietly slip out. Otherwise, continue.
16. Examples of Poor Implementation Use
Users Accepting Attacker’s Push Requests
Timing is everything! (don’t assume)
Always review IP/Location information! (not all MFA solutions provide this)
Annoyance factor / alert fatigue
Confusion (lack of training, IT must need something, background process, location with travel or VPN, etc)
Shockingly effective 🙈
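Detection logic for the push-fatigue scenario on this slide, added here as an example and not part of the original deck: it walks constructed push-notification events (the log format, `SAMPLE_LOG`, `KNOWN_IPS` and the event names are assumptions, not any real MFA product’s schema) and flags an approval that followed a burst of prompts or came from an IP the user does not normally authenticate from.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from any real MFA product): timestamp user event source_ip
SAMPLE_LOG = """\
2023-05-01T08:02:10Z alice push_sent 203.0.113.7
2023-05-01T08:02:45Z alice push_denied 203.0.113.7
2023-05-01T08:03:12Z alice push_sent 203.0.113.7
2023-05-01T08:03:50Z alice push_timeout 203.0.113.7
2023-05-01T08:04:20Z alice push_sent 203.0.113.7
2023-05-01T08:04:55Z alice push_approved 203.0.113.7
2023-05-01T09:15:00Z bob push_sent 198.51.100.20
2023-05-01T09:15:20Z bob push_approved 198.51.100.20
"""

# Constructed baseline of IPs each user normally authenticates from
KNOWN_IPS = {"alice": {"198.51.100.5"}, "bob": {"198.51.100.20"}}


def parse_line(line):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), user, event, ip


def find_suspicious_approvals(log_text, known_ips, window=timedelta(minutes=10), min_prompts=3):
    """Flag a push approval that followed a burst of prompts or came from an unfamiliar IP."""
    recent_prompts = defaultdict(deque)   # user -> push_sent timestamps still inside the window
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, ip = parse_line(raw)
        q = recent_prompts[user]
        while q and ts - q[0] > window:    # slide the window forward
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        elif event == "push_approved":
            reasons = []
            if len(q) >= min_prompts:      # user finally approved after repeated prompts
                reasons.append(f"{len(q)} prompts within {window}")
            if ip not in known_ips.get(user, set()):
                reasons.append(f"approved from unfamiliar IP {ip}")
            if reasons:
                alerts.append((user, ts.isoformat(), "; ".join(reasons)))
    return alerts
```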
17. Examples of Poor Implementation (cont.)
MFA is Disabled After Email Change or Password Reset
If enrollment is optional or not continuously enforced, it can lead to a gap of protection
Shouldn’t be performed automatically but as a centralized admin control (help desk ticket, etc)
18. Examples of Poor Implementation (cont.)
Logic Flaws (Homebrew Bad Design)
Ignoring or canceling MFA prompt still creates session (recent example)
“Forgot PIN” functionality reset with just a username and password (recent example)
PINs in mobile apps might be bypassed by hiding a view (recent example) – Hooking in Objection
Biometrics don’t tie to a specific user of the device (recent example)
Reset instructions go to email instead of phone number
19. Examples of Poor Implementation (cont.)
Insufficient Anti-Automation
Low entropy (last 4 SSN, phone, DoB, etc)
No rate-limiting server-side
No lockout policy
Brute Forcing until valid value is determined
20. Examples of Poor Implementation (cont.)
Security Questions
Security questions by themselves are NOT MFA (just something else you “know”)
Should NOT be Boolean values, years, or other short values (I’ve seen DoB & Last 4 SSN combos)
Should NOT be easily enumerated with wordlists (teacher’s first name, etc)
Should NOT be easily researched (OSINT, Google phone # example!)
Okay if used as an additional piece of user verification (usual login activity, etc)
21. Examples of Poor Implementation (cont.)
Security Questions (Google example)
Wrong way for Google to do it (Something you know)
A better way of handling it (Something you have)
22. Examples of Poor Implementation (cont.)
MFA Code Reusability
Say the code has high entropy and the server is rate-limiting with account lockouts…
Is the code invalidated after use?
Can I get a token as an attacker and apply it to a victim account?
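A server-side code verifier that answers the questions on this slide and the anti-automation slide (19) together, added here as an example and not code from the original deck: the code is bound to the account it was issued for, invalidated on first use, expires, and failed attempts trigger a server-side lockout. `OtpVerifier`, the constants and the injectable clock are assumptions for illustration, not any vendor’s API.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_ATTEMPTS = 5         # failed verifications before the account is locked
LOCKOUT_SECONDS = 900    # how long a locked account rejects every code
CODE_TTL_SECONDS = 300   # a code is only valid for 5 minutes after issue

@dataclass
class PendingCode:
    code: str
    issued_at: float
    used: bool = False   # set on first success so the code cannot be replayed

@dataclass
class Account:
    pending: Optional[PendingCode] = None   # at most one live code per account
    failures: int = 0
    locked_until: float = 0.0

class OtpVerifier:
    # Hypothetical server-side verifier; the clock is injectable for testing.
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.accounts: Dict[str, Account] = {}

    def issue(self, username: str) -> str:
        acct = self.accounts.setdefault(username, Account())
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not DoB/last-4-SSN style values
        acct.pending = PendingCode(code=code, issued_at=self.now())  # bound to this account
        return code

    def verify(self, username: str, submitted: str) -> bool:
        acct = self.accounts.setdefault(username, Account())
        now = self.now()
        if now < acct.locked_until:
            return False   # locked out: reject without consulting the code at all
        pending = acct.pending
        ok = (pending is not None and not pending.used
              and now - pending.issued_at <= CODE_TTL_SECONDS
              and hmac.compare_digest(pending.code, submitted))
        if ok:
            pending.used = True   # single use: resubmitting the same code fails
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:   # server-side lockout, independent of the client
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return False
```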
23. Ideal Implementations
Still not a silver bullet!
My recommendation for best hardening practices?
Forced enrollment for all (when possible)
Short, one-click enrollment period (no first-time login)
Use U2F hardware proximity devices only (BLE, USB, NFC, etc - no tokens/pins/or hardware with tokens)
If implemented properly, some biometric auth is great!
If you can’t use U2F, use mobile push notifications
Central administration
Trusted SSO/MFA Providers (Okta, MS, Duo, OAuth, Auth0, etc)
Employee Training (prompts, backup methods, etc)
Mobile Device Management (for mobile MFA)
Alert on and monitor unsuccessful attempts
Bypass techniques STILL exist:
Machine-in-the-Middle (MitM) Session Hijacking (stealing tokens post-authentication)
Transparent/Reverse Proxies (Attacker’s fake login makes requests on behalf of users to facilitate login)
Assets not protected by MFA (internal, etc) – Don’t give up on password security!
26. Summary
MFA is a GOOD thing overall (don’t discourage SMS to the point devs or execs only use creds)
If done properly, it will greatly reduce successful account takeover attacks (SE, credential stuffing, brute forcing, cracking, etc)
If done perfectly, users are still exposed to some risk. Training is essential!
Phishing (and vishing) attacks are increasingly sophisticated (Deepfakes, AI, etc)