SlideShare a Scribd company logo

Google-Jacking: A Review of Google 2-Factor Authentication

nCircle - a Tripwire Company
nCircle - a Tripwire Company

nCircle's Craig Young presented his research on the Google 2-step verification system at BSides San Francisco 2013. More information: http://community.ncircle.com/t5/VERT-Security-Research-Blog/Google-Jacking-A-Review-of-Google-s-2-Step-Verification-BSides/ba-p/7876

TechnologyBusiness
1 of 24
Download to read offline
A Review of Google 2-Factor Authentication Google-Jacking CraigYoung Security B Sides San Francisco, USA 2013
Look Who’sTalking
• Defining 2-Factor Authentication (2FA) • Defining 2-Step Verification (2SV) • diff -Burp 2FA 2SV # Compare & Contrast • Attacking Application-Specific Passwords • DEMO: Do androids dream of übertokens? • TODO: Making 2SV Better Talk Overview
Define: 2-Factor Authentication
• 2SV is Google’s 2FA branding • Phone becomes the ‘something you have’ - STEP 1 – Login to with account password - STEP 2 – Enter code from phone • Application-Specific Passwords (ASPs) - Used for 3rd party & legacy support - 16 lowercase letters - Limited by application (in theory anyway) man 2SV
Authentication Credentials 2FA 2SV Something you have + Something you know ♦ ♦ Something you know ♦ Something you have ♦ $ diff –Burp 2FA 2SV Bottom Line? 2FA enhances security by compromising convenience 2SV enhances security but only when it is convenient
• Are ASPs the Achilles heal of 2SV? 1. ASPs are all powerful 2. ASP revocation is broken 3. ASPs increase the risk of token attacks 4. Google recommends saving ASPs Attacking Application-Specific Passwords
Google attempts to restrict browser-based ASP use: Android browser auto sign-in bypasses this restriction: ASPs Provide Full Account Access
HOWTO: punting the intruder Recovery MeasureTested Result Revoke application-specific passwords No effect on logged in intruder ‘Sign out all other sessions’ from Gmail No effect on logged in intruder Revoke ‘Android Login Service’ Androids must re-authenticate Change account password Androids must re-authenticate Recommended Procedure: STEP 1 : Revoke allASPs STEP 2: Change account password STEP 3:Verify account settings
• Pay attention to permissions! • Apps with root can directly access acounts.db • ASPs are backdoors by design AndroidApps Can Generate ASPs
• Privacy advisors don’t look at token related permissions • Far too many apps have the ability to request tokens There’s An App ForThat
Auditing the ASP Auditing ASPs added and removed in the same activity period are not reported!
Check “Remember Password”
• Saving passwords gives attackers an edge - OS X Keychain can be dumped • Pidgin (chat) doesn’t bother to use crypto - Most applications provide limited protection What could go wrong?
DEMO!
• Ideal Solution: - ASPs are no longer part of 2SV - Use account password + time-based code • Quick Fix: - Force authentication when generating ASPs - Allow users to disable ASP creation TODO: Ditch ASPs
• Ideal Solution: - Tokens should be revoked along with the ASP - Requires tokens & ASPs to be related • Quick Fix: - Treat ASP removal like a password change - All sessions are forced to authenticate again TODO: Fix ASP Revocation
NO MORE ANDROID LOGIN WITH ASP! • Explicit ASP Model: - Specify allowed services for an ASP - Limits abuse of compromised ASPs • Implicit ASP Model: - Restrict the ASP to the 1st application using it TODO: Make ASPs Application Specific
• Require a password to enable auto sign-in • Don’t allow auto sign-in for account settings • Allow disabling auto sign-in at an account level TODO: Lock Down Auto Sign-In
• Audit how and when an ASP is used • ‘Access type: Mobile’ is too vague • ASP name in the activity screen would help TODO: ASP Auditing
1. Android is a logged in browser session • Use caution when sharing your device • Consider unlinking your Google account when traveling • Watch app permissions closely (guard your tokens) • Use a strong password (Lock screen widgets FTW) 2. Don’t save ASPs without encryption 3. Monitor ASPs & change your passwords How to ProtectYourself Android 4.2 Lock Screen DialerWidget
Concluding Remarks • 2SV is vulnerable-by-design • 2SV increases risk from token-based attacks • Android + 2SV reduces security • ASPs are a bad idea - Password + OTP code makes security in 1-step - Let users decide whether ASPs are allowed
1. 11/26/12-11/30/12 - Multiple 2SV/ASP issues reported to Google 2. 12/5/12 – Confirmation of reported behavior as known issues 3. 1/11/13 – Google notified of BSides SF CFP submission 4. 2/18/13 – Account Activity Logic Error Reported to Google 5. 2/22/13 – Fix details received (Re-auth requirement implemented) 6. 2/24/13 – BSides presentation 7. 2/25/13 – ASP revocation fix begins to roll out DisclosureTimeline
For more information about enterprise risk management or Google 2-step verification: • Visit nCircle RSA booth 1023 • Check out the nCircleVERT blog: http://vert.ncircle.com • Follow @craigtweets Questions?

Recommended

Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android AapplicationsRoshan Thomas
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
Mobile_app_security
Mobile_app_securityMobile_app_security
Mobile_app_securityHassan El Hadary
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
You installed what Thierry Sans
You installed what Thierry SansYou installed what Thierry Sans
You installed what Thierry SansOWASP-Qatar Chapter
 
Save Time & Be More Creative With Content Ideas
Save Time & Be More Creative With Content IdeasSave Time & Be More Creative With Content Ideas
Save Time & Be More Creative With Content IdeasAlice Seba
 
ESAPI
ESAPIESAPI
ESAPIn|u - The Open Security Community
 

Recommended

Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android AapplicationsRoshan Thomas
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
Mobile_app_security
Mobile_app_securityMobile_app_security
Mobile_app_securityHassan El Hadary
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
You installed what Thierry Sans
You installed what Thierry SansYou installed what Thierry Sans
You installed what Thierry SansOWASP-Qatar Chapter
 
Save Time & Be More Creative With Content Ideas
Save Time & Be More Creative With Content IdeasSave Time & Be More Creative With Content Ideas
Save Time & Be More Creative With Content IdeasAlice Seba
 
ESAPI
ESAPIESAPI
ESAPIn|u - The Open Security Community
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 
Intro to IronWASP
Intro to IronWASPIntro to IronWASP
Intro to IronWASPn|u - The Open Security Community
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelineskarthz
 
Enough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornEnough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornSafeDK
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshopAbhinav Sejpal
 
Learnings from Hybrid App Testing Jijesh Mohan
Learnings from Hybrid App Testing Jijesh MohanLearnings from Hybrid App Testing Jijesh Mohan
Learnings from Hybrid App Testing Jijesh MohanvodQA
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...owaspindia
 
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile Day
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile DayPro Mobile web Apps with Phonegap 3.X - Adobe Mobile Day
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile Daybersoriano
 
Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Ivo Jansch
 
GoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinGoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinIMMUNIO
 
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)Davide Cioccia
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile appskunwaratul hax0r
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Building mobile back ends with windows azure mobile services
Building mobile back ends with windows azure mobile servicesBuilding mobile back ends with windows azure mobile services
Building mobile back ends with windows azure mobile servicesAidan Casey
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
128-ch4.pptx
128-ch4.pptx128-ch4.pptx
128-ch4.pptxSankalpKabra
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Cloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsCloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsVMware Tanzu
 

More Related Content

What's hot

State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelineskarthz
 
Enough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornEnough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornSafeDK
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshopAbhinav Sejpal
 
Learnings from Hybrid App Testing Jijesh Mohan
Learnings from Hybrid App Testing Jijesh MohanLearnings from Hybrid App Testing Jijesh Mohan
Learnings from Hybrid App Testing Jijesh MohanvodQA
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...owaspindia
 
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile Day
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile DayPro Mobile web Apps with Phonegap 3.X - Adobe Mobile Day
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile Daybersoriano
 
Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Ivo Jansch
 
GoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinGoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinIMMUNIO
 

What's hot (11)

State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
 
Intro to IronWASP
Intro to IronWASPIntro to IronWASP
Intro to IronWASP
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
Enough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is BornEnough with the Mobile SDK Mess: A New Technology Is Born
Enough with the Mobile SDK Mess: A New Technology Is Born
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshop
 
Learnings from Hybrid App Testing Jijesh Mohan
Learnings from Hybrid App Testing Jijesh MohanLearnings from Hybrid App Testing Jijesh Mohan
Learnings from Hybrid App Testing Jijesh Mohan
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...
 
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile Day
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile DayPro Mobile web Apps with Phonegap 3.X - Adobe Mobile Day
Pro Mobile web Apps with Phonegap 3.X - Adobe Mobile Day
 
Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)Building an SSO platform in php (Zendcon 2010)
Building an SSO platform in php (Zendcon 2010)
 
GoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinGoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from within
 

Similar to Google-Jacking: A Review of Google 2-Factor Authentication

BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)Davide Cioccia
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Building mobile back ends with windows azure mobile services
Building mobile back ends with windows azure mobile servicesBuilding mobile back ends with windows azure mobile services
Building mobile back ends with windows azure mobile servicesAidan Casey
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsJorge Orchilles
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Cloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsCloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsVMware Tanzu
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 
A Walk through SSO
A Walk through SSOA Walk through SSO
A Walk through SSOWSO2
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 

Similar to Google-Jacking: A Review of Google 2-Factor Authentication (20)

BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Building mobile back ends with windows azure mobile services
Building mobile back ends with windows azure mobile servicesBuilding mobile back ends with windows azure mobile services
Building mobile back ends with windows azure mobile services
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
128-ch4.pptx
128-ch4.pptx128-ch4.pptx
128-ch4.pptx
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Cloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsCloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For Operations
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
Sql securitytesting
Sql securitytestingSql securitytesting
Sql securitytesting
 
Sso walk-through
Sso walk-throughSso walk-through
Sso walk-through
 
A Walk through SSO
A Walk through SSOA Walk through SSO
A Walk through SSO
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 

More from nCircle - a Tripwire Company

2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey nCircle - a Tripwire Company
 
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionApplying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionnCircle - a Tripwire Company
 

More from nCircle - a Tripwire Company (9)

Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics Bootcamp
 
Password War Games Webinar
Password War Games Webinar Password War Games Webinar
Password War Games Webinar
 
Continuous Monitoring 2.0
Continuous Monitoring 2.0Continuous Monitoring 2.0
Continuous Monitoring 2.0
 
2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey
 
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionApplying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
 
Compliance what does security have to do with it
Compliance what does security have to do with it Compliance what does security have to do with it
Compliance what does security have to do with it
 
Security on a budget
Security on a budget Security on a budget
Security on a budget
 
nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt
 
Real world security webinar (v2012-05-30)
Real world security webinar (v2012-05-30)Real world security webinar (v2012-05-30)
Real world security webinar (v2012-05-30)
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

Google-Jacking: A Review of Google 2-Factor Authentication

  • 1. A Review of Google 2-Factor Authentication Google-Jacking CraigYoung Security B Sides San Francisco, USA 2013
  • 3. • Defining 2-Factor Authentication (2FA) • Defining 2-Step Verification (2SV) • diff -Burp 2FA 2SV # Compare & Contrast • Attacking Application-Specific Passwords • DEMO: Do androids dream of übertokens? • TODO: Making 2SV Better Talk Overview
  • 5. • 2SV is Google’s 2FA branding • Phone becomes the ‘something you have’ - STEP 1 – Login to with account password - STEP 2 – Enter code from phone • Application-Specific Passwords (ASPs) - Used for 3rd party & legacy support - 16 lowercase letters - Limited by application (in theory anyway) man 2SV
  • 6. Authentication Credentials 2FA 2SV Something you have + Something you know ♦ ♦ Something you know ♦ Something you have ♦ $ diff –Burp 2FA 2SV Bottom Line? 2FA enhances security by compromising convenience 2SV enhances security but only when it is convenient
  • 7. • Are ASPs the Achilles heal of 2SV? 1. ASPs are all powerful 2. ASP revocation is broken 3. ASPs increase the risk of token attacks 4. Google recommends saving ASPs Attacking Application-Specific Passwords
  • 8. Google attempts to restrict browser-based ASP use: Android browser auto sign-in bypasses this restriction: ASPs Provide Full Account Access
  • 9. HOWTO: punting the intruder Recovery MeasureTested Result Revoke application-specific passwords No effect on logged in intruder ‘Sign out all other sessions’ from Gmail No effect on logged in intruder Revoke ‘Android Login Service’ Androids must re-authenticate Change account password Androids must re-authenticate Recommended Procedure: STEP 1 : Revoke allASPs STEP 2: Change account password STEP 3:Verify account settings
  • 10. • Pay attention to permissions! • Apps with root can directly access acounts.db • ASPs are backdoors by design AndroidApps Can Generate ASPs
  • 11. • Privacy advisors don’t look at token related permissions • Far too many apps have the ability to request tokens There’s An App ForThat
  • 12. Auditing the ASP Auditing ASPs added and removed in the same activity period are not reported!
  • 14. • Saving passwords gives attackers an edge - OS X Keychain can be dumped • Pidgin (chat) doesn’t bother to use crypto - Most applications provide limited protection What could go wrong?
  • 15. DEMO!
  • 16. • Ideal Solution: - ASPs are no longer part of 2SV - Use account password + time-based code • Quick Fix: - Force authentication when generating ASPs - Allow users to disable ASP creation TODO: Ditch ASPs
  • 17. • Ideal Solution: - Tokens should be revoked along with the ASP - Requires tokens & ASPs to be related • Quick Fix: - Treat ASP removal like a password change - All sessions are forced to authenticate again TODO: Fix ASP Revocation
  • 18. NO MORE ANDROID LOGIN WITH ASP! • Explicit ASP Model: - Specify allowed services for an ASP - Limits abuse of compromised ASPs • Implicit ASP Model: - Restrict the ASP to the 1st application using it TODO: Make ASPs Application Specific
  • 19. • Require a password to enable auto sign-in • Don’t allow auto sign-in for account settings • Allow disabling auto sign-in at an account level TODO: Lock Down Auto Sign-In
  • 20. • Audit how and when an ASP is used • ‘Access type: Mobile’ is too vague • ASP name in the activity screen would help TODO: ASP Auditing
  • 21. 1. Android is a logged in browser session • Use caution when sharing your device • Consider unlinking your Google account when traveling • Watch app permissions closely (guard your tokens) • Use a strong password (Lock screen widgets FTW) 2. Don’t save ASPs without encryption 3. Monitor ASPs & change your passwords How to ProtectYourself Android 4.2 Lock Screen DialerWidget
  • 22. Concluding Remarks • 2SV is vulnerable-by-design • 2SV increases risk from token-based attacks • Android + 2SV reduces security • ASPs are a bad idea - Password + OTP code makes security in 1-step - Let users decide whether ASPs are allowed
  • 23. 1. 11/26/12-11/30/12 - Multiple 2SV/ASP issues reported to Google 2. 12/5/12 – Confirmation of reported behavior as known issues 3. 1/11/13 – Google notified of BSides SF CFP submission 4. 2/18/13 – Account Activity Logic Error Reported to Google 5. 2/22/13 – Fix details received (Re-auth requirement implemented) 6. 2/24/13 – BSides presentation 7. 2/25/13 – ASP revocation fix begins to roll out DisclosureTimeline
  • 24. For more information about enterprise risk management or Google 2-step verification: • Visit nCircle RSA booth 1023 • Check out the nCircleVERT blog: http://vert.ncircle.com • Follow @craigtweets Questions?