www.owasp.org

The Inmates Are Running the Asylum
Why Some Multi-Factor Authentication Technology is Irresponsible

Clare Nelson, CISSP
clare.nelson@owasp.org
@Safe_SaaS
October 22, 2015
Austin, TX
Clare Nelson, CISSP
Independent: not an analyst, not with a vendor

•  Scar tissue
   –  Encrypted TCP/IP variants for NSA
   –  Product Management at DEC (HP), EMC2
   –  Director Global Alliances at Dell, Novell (IAM)
   –  VP Business Development, MetaIntelli (Mobile Security)
   –  CEO ClearMark, MFA Technology and Architecture
•  2001 CEO ClearMark Consulting
•  2014 Co-founder C1ph3r_Qu33ns
•  2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
•  Talks: OWASP AppSec USA, HackFormers, BSides, LASCON; clients including Fortune 500 financial services, Identity Management
•  B.S. Mathematics
Scope

•  External customers, consumers
   –  Not internal employees, no hardware tokens
   –  IoT preview
•  No authentication protocols
   –  OAuth, OpenID, UMA, SCIM, SAML
•  United States
   –  EU regulations
      o  France: legal constraints for biometrics
         §  Need authorization from National Commission for Informatics and Liberty (CNIL) [1]
   –  India: e-commerce Snapdeal, Reserve Bank of India
      o  Move from two-factor to single-factor authentication for transactions less than Rs. 3,000 [2]

[1] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdf
[2] Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
NIST Definition [1]

Origin of definition?
•  NIST: might be Gene Spafford, or "ancient lore" [2]
   –  @TheRealSpaf, "Nope — that's even older than me!" [3]
   –  1970s? NSA? Academia?

[1] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[2] Source: February 26, 2015 email response from a NIST SP 800-63-2 author
[3] Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
How can one write a guide based on a definition of unknown, ancient origin?

How can you implement MFA without a current, coherent definition?

Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker-Legion_of_Honor-Lincoln_Park-San_Francisco.jpg
NIST versus New Definitions

Multi-Factor Authentication (MFA) Factors:
•  Knowledge
•  Possession
   –  Mobile device identification
•  Inherence
   –  Biometrics: Physical or Behavioral
•  Location
   –  Geolocation
   –  Geofencing
   –  Geovelocity
•  Time [1]

NIST: Device identification, time, and geo-location could be used to challenge an identity; but "they are not considered authentication factors" [2]

[1] Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
[2] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Authentication in an Internet Banking Environment

•  OUT: Simple device identification
•  IN: Complex device identification, "digital fingerprinting" using PC configuration, IP address, geo-location, other factors
   –  Implement time of day restrictions for funds transfers
   –  Consider keystroke dynamics, biometric-based responses [1]

"…virtually every authentication technique can be compromised"

[1] Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
Why 200+ MFA Vendors?

Authentication has been the Holy Grail since the early days of the Web. [1]

The iPhone of Authentication has yet to be invented. [2]

[1] Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
[2] Source: Clare Nelson, February 2015.
Suboptimal Choices
Authentication Factors/Technology

1.  Biometrics, 2D fingerprint
2.  Short Message Service (SMS)
    –  One-Time Password (OTP)
3.  Quick Response (QR) codes
4.  JavaScript (behavioral biometrics)
5.  Overreliance on GPS, insufficient geolocation data
6.  Weak, arcane, account recovery
7.  Assumption mobile devices are secure
8.  Encryption (without disclaimers)
    –  Quantum computing may break RSA or ECC by 2030 [1]
       •  Update on NSA's $80M Penetrating Hard Targets project [2]
    –  Encryption backdoors, is it NSA-free and NIST-free cryptography?
    –  No mysterious constants or "magic numbers" of unknown provenance [3]

[1] Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
[2] Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
[3] Source: https://www.grc.com/sqrl/sqrl.htm
Irrational Exuberance of Biometric Adoption

Juniper Research:
•  By 2019, 770 million apps that use biometric authentication will be downloaded annually
   -  Up from 6 million in 2015
•  Fingerprint authentication will account for an overwhelming majority
   -  Driven by increase of fingerprint scanners in smartphones [1]

Samsung Pay

[1] Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
Apple Touch ID: Cat Demo [1]

[1] Source: https://www.youtube.com/watch?v=q3ymzRYXezI
[Photo slide]
[1] Source: http://www.dw.de/image/0,,18154223_303,00.jpg
2D Fingerprint Hacks

•  Starbug, aka Jan Krissler
•  2014: Cloned fingerprint of German Defense Minister, Ursula von der Leyen
   –  From photographs [1,2]
•  2013: Hacked Apple's Touch ID on iPhone 5S ~24 hours after release in Germany
   –  Won IsTouchIDHackedYet.com competition [3]
•  2006: Published research on hacking fingerprint recognition systems [4]

[1] Source: https://www.youtube.com/watch?v=vVivA0eoNGM
[2] Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
[3] Source: http://istouchidhackedyet.com
[4] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Starbug Faking Touch ID

[1] Source: http://istouchidhackedyet.com
Android: Remote Fingerprint Theft at Scale [1]

"…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a 'large scale.'" [2]

[Diagram: Android fingerprint architecture layers: Hardware, User Space, Kernel Space]

[1] Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
[2] Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/
Krissler versus Riccio

"Don't use fingerprint recognition systems for security relevant applications!" [1]
   –  Jan Krissler (Starbug)

"Fingerprints are one of the best passwords in the world." [2]
   –  Dan Riccio, SVP, Apple

[1] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
[2] Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-ni-believed-legendary-fight-3181991
Behavioral Biometrics [1]

Issues
•  Requires JavaScript
•  Learning curve
•  Privacy, constant monitoring
•  Injury to hand
•  "Highly intoxicated"

[1] Source: http://www.behaviosec.com
Behavioral Biometrics: Invisible Challenge

•  Analyze hundreds of bio-behavioral, cognitive and physiological parameters
   –  Invisible challenge
   –  No user interaction for step-up authentication
   –  How you find missing cursor [1]

[1] Source: http://www.biocatch.com
Biometrics: In Use, Proposed

•  Fingerprints 2D, 3D via ultrasonic waves
•  Palms, its prints and/or the whole hand (feet?)
•  Signature
•  Keystroke, art of typing, mouse, touch pad
•  Voice
•  Iris, retina, features of eye movements
•  Face, head – its shape, specific movements
•  Ears, lip prints
•  Gait, Odor, DNA
•  ECG (Bionym's Nymi wristband, smartphone, laptop, car, home security)
•  EEG [1]
•  Methods: Pills, Tattoos
•  Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air [2]

[1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
[2] Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html
"Thought Auth" [1]

EEG Biosensor
•  MindWave™ headset [2]
•  Measures brainwave signals
•  EEG monitor
•  International Conference on Financial Cryptography and Data Security [3]

[1] Source: Clare Nelson, March 2015
[2] Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
[3] Source: http://www.technewsworld.com/story/77762.html
3D Fingerprint [1]

No matter how advanced the biometric is, the same basic threat model persists.

[1] Source: http://sonavation.com/technology/
How do you stump an MFA vendor?
Ask for a threat model.

Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html
"… biometrics cannot, and absolutely must not, be used to authenticate an identity" [1]
   –  Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical

"Fingerprints are Usernames, Not Passwords"

[1] Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
@drfuture on Biometrics

Hidden Risks
•  Biometric reliability and the perception of it
•  Lack of discussion of the consequences of errors
•  Biometric data's irreversibility and the implications
•  Our biometrics can be grabbed without our consent
•  Our behavior can rat us out – sometimes incorrectly
•  Giving our biometric and behavioral data may be (de facto) mandatory
•  Biometric data thieves and aggregators [1]

[Diagram: accuracy of a biometric system, error rates plotted against the decision threshold]

[1] Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
Diagram Source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
What Will Cause Biometric Backlash?

1.  Difficult to reset, revoke
2.  Exist in public domain, and elsewhere (56M+ fingerprints stolen in 2015 OPM breach [1])
3.  May undermine privacy, make identity theft more likely [2]
4.  Persist in government and private databases, accreting information whether we like it or not [3]
5.  Hygiene (e.g., Bank of America hand geometry scanner for safe deposit box room entry)
6.  User acceptance or preference varies by geography, demographic

[1] Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
[2] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdf
[3] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
SMS OTP Attacks

•  Intel's Dmitrienko, et al
   -  Circumvented SMS OTP of 4 large banks [1]
•  Northeastern University and Technische Universität Berlin
   -  "SMS OTP systems cannot be considered secure anymore" [2]
•  SMS OTP threat model
   -  Physical access to phone
   -  SIM swap attack
   -  Wireless interception
   -  Mobile phone trojans [3]

[1] Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
[2,3] Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
SMS OTP Attack: Banking Example

•  Operation Emmental
•  Defeated 2FA
   -  2014, discovered by Trend Micro [1]
   -  European, Japanese banks
   -  Online banking
      1.  Customer enters username, password
      2.  Token sent to mobile device (SMS OTP)
      3.  Customer enters token (OTP)
   -  Attackers scraped SMS OTPs off customers' Android phones [2,3]

[1] Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
[2] Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
[3] Source: https://www.youtube.com/watch?v=gchKFumYHWc
SMS OTP Attacks

Banking trojans deploy mobile malware, allow attackers to steal SMS OTP [1]

[1] Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
Diagram Source: https://devcentral.f5.com/articles/malware-analysis-report-cridex-cross-device-online-banking-trojan
QR Code Risks [1]

Example: two-factor authentication
•  User captures QR code with mobile device
•  User enters PIN code to log on, or validate transaction [2]

QR code redirects user to URL
•  Even if the URL is displayed, not everyone reads
•  Could link to a malicious website

[1] Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
[2] Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
Geolocation

•  Are latitude and longitude sufficient?
•  Digital Authentication Technologies: Contextual Location Fingerprint™ [1]
   –  Not based on geo-location
•  Issues in buildings
•  Error rates
•  GPS spoofing [2]
•  Cellphone power meter can be turned into a GPS [3]
•  PowerSpy: Android phone's geolocation by tracking its power use over time
   –  Unlike GPS or Wi-Fi location tracking, available to any installed app without user's permission [4]

[1] Source: http://www.dathq.com/OurStrategy.aspx
[2] Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea
[3] Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract
[4] Source: http://www.wired.com/2015/02/powerspy-phone-tracking/
Account recovery is the Achilles heel of 2FA [1]
   –  Eric Sachs, Product Management Director, Identity at Google

[1] Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
Account Recovery [1]

[1] Source: https://support.google.com/accounts/answer/1187538?hl=en
What's Wrong with Mobile Device as Authentication Device?

MetaIntelli research: sample of 38,000 mobile apps, 67% had M3

Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/
MFA Double Standard [1]

Consumers
•  Facial and voice for mobile login [2]

Employees
•  Symantec VIP [3]

[1] Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
[2] Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
[3] Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
Perfect Storm

•  Crowded market
   –  200+ MFA vendors
   –  ~$1.8B market [1]
•  Apple, VISA, Samsung
   –  2D fingerprint authentication is cool, secure
•  Breaches
•  Legislation
•  FIDO Alliance

[1] Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market
FIDO Alliance

•  Fast ID Online (FIDO) Alliance
•  Proponent of interoperability
   –  Universal 2nd Factor (U2F)
   –  Universal Authentication Framework (UAF)
•  Triumph of marketing over technology
•  Store secrets on device (Android phone), versus hardened server
•  Network-resident versus device-resident biometrics
   –  FIDO advocates device-resident
•  Problems, especially with voice [1]

[1] Source: January 2015, "Network vs Device Resident Biometrics," ValidSoft
"Legacy thinking subverts the security of a well-constructed system" [1]
   –  David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money [2]

[1] Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
[2] Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
Internet of Things (IoT) [1]

[1] Source: http://www.slideshare.net/IoTBruce/iot-meets-big-data-the-opportunities-and-challenges-by-syed-hoda-of-parstream
OWASP IoT Top 10 [1]

A1: Insecure Web Interface
A2: Insufficient Authentication, Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concern
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insecure Security Configurability
A9: Insecure Software / Firmware
A10: Poor Physical Security

[1] Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014
IoT Predictions
Creative Cryptography, Uneven Protocol Adoptions

•  Enhanced Privacy ID (EPID®)
   –  "Implementing Intel EPID offers IoT designers …proven security options" [1]
•  PKI: instead of one-to-one mapping public and private key pairs, uses one-to-many mapping of public to private keys
•  Autobahn to dirt road
   –  E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
   –  Different implementation constraints
   –  "Security of these … mechanisms is highly dependent on the ability of the programmers creating it." [2]

[1] Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more-secure-iot-applications-300130062.html
[2] Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015
Consider Risk-Based Authentication
(aka Context-Based Authentication, Adaptive Authentication)

•  Device registration and fingerprinting
•  Source IP reputation data
•  Identity store lookup
•  Geo-location, geo-fencing, geo-velocity
•  Behavioral analysis [1]
•  Analytics, machine learning, continuous authentication [2]

Layer multiple contextual factors. Build a risk profile.

[1] Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
[2] Source: Clare Nelson, August 2015
What You Can Do (1 of 2)

•  Request threat models from MFA vendors
•  Beware
   –  2D fingerprints
   –  Already-hacked biometrics
   –  QR codes
   –  SMS OTP
   –  JavaScript requirements
   –  Overreliance on geolocation
   –  Weak account recovery
   –  Lack of mobile device risk analysis
   –  Encryption with backdoors

Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/
What You Can Do (2 of 2)

•  Do not be swayed by latest InfoSec fashion trends
   –  Apple Touch ID
      •  Integration with VISA
      •  Samsung Pay
   –  FIDO Alliance
•  Rethink MFA definition
   –  Beware of odd interpretations
•  Authentication as a continuous process
   –  Not just login and transactions
   –  Cross-channel risk
•  Depending on risk and use case, chain or combine
   –  MFA + (location, time, device ID) + context-based analytics

Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/
Questions?

Clare Nelson, CISSP
clare.nelson@owasp.org
@Safe_SaaS
October 22, 2015
Austin, TX
Additional References (1 of 3)

•  Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
•  Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
•  IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
•  Six technologies that are taking on the password. — UN/HACKABLE — Medium
•  Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
•  Nelson, Clare, Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
Additional References (2 of 3)

•  Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
•  Pagliery, Jose; OPM's hack's unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
•  Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
•  White, Conor; CTO Daon, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
•  Gioria, Sébastien, OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
Additional References (3 of 3)

•  Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
•  Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/ (September 2015)
•  Perrot, Didier; There's No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
"A rose by any other name would smell as sweet" [1]

•  Adaptive authentication
•  Multi-modal authentication
•  Continuous authentication
•  2FA, TFA, Two-factor authentication
•  Multi-factor authentication
•  Strong authentication
   –  United States: Many interpretations, depends on context
   –  European Central Bank (ECB): strong authentication, or strong customer authentication, set of specific recommendations [2]
•  Apple: Two-step authentication
•  Multi-step authentication
•  SecureAuth: Adaptive, risk-based, context-based authentication
•  IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication
   –  Traditional authentication: authenticate at beginning of session
   –  Dynamic authentication: users may be asked to authenticate at "various points during a session, for various reasons" [3]
•  Step-up authentication
•  Re-Authentication
•  Out-of-Band Authentication

[1] Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html
[2] Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
[3] Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
Advice for Startups

•  For startup internal employees:
   –  www.gluu.org, 100% open source and open standards
   –  Many offer free service for a small team
      •  Apersona free up to 5 users: http://www.apersona.com/#!pricing/c1c8c
      •  Duo free up to 10 users: https://www.duosecurity.com/
•  Build authentication into your products
   –  Originally cars did not have seat belts. In the future, authentication will be designed in.


LASCON 2015

  • 1. www.owasp.org The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technology is Irresponsible
Clare Nelson, CISSP, clare.nelson@owasp.org, @Safe_SaaS, October 22, 2015, Austin, TX
  • 2. Clare Nelson, CISSP
Independent: not an analyst, not with a vendor
• Scar tissue
– Encrypted TCP/IP variants for NSA
– Product Management at DEC (HP), EMC2
– Director Global Alliances at Dell, Novell (IAM)
– VP Business Development, MetaIntelli (Mobile Security)
– CEO ClearMark, MFA Technology and Architecture
• 2001 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: OWASP AppSec USA, HackFormers, BSides, LASCON; clients including Fortune 500 financial services, Identity Management
• B.S. Mathematics
  • 3. Scope
• External customers, consumers
– Not internal employees, no hardware tokens
– IoT preview
• No authentication protocols
– OAuth, OpenID, UMA, SCIM, SAML
• United States
– EU regulations
o France: legal constraints for biometrics
§ Need authorization from National Commission for Informatics and Liberty (CNIL)1
– India: e-commerce Snapdeal, Reserve Bank of India
o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002
1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
2Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
  • 4. NIST Definition1
Origin of definition?
• NIST: might be Gene Spafford, or “ancient lore”2
– @TheRealSpaf, “Nope — that's even older than me!”3
– 1970s? NSA? Academia?
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
2Source: February 26, 2015 email response from a NIST SP 800-63-2 author
3Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
  • 5. How can one write a guide based on a definition of unknown, ancient origin? How can you implement MFA without a current, coherent definition?
Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker-Legion_of_Honor-Lincoln_Park-San_Francisco.jpg
  • 6. NIST versus New Definitions
Multi-Factor Authentication (MFA) Factors:
• Knowledge
• Possession
– Mobile device identification
• Inherence
– Biometrics: Physical or Behavioral
• Location
– Geolocation
– Geofencing
– Geovelocity
• Time1
NIST: Device identification, time, and geo-location could be used to challenge an identity; but “they are not considered authentication factors”2
1Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
2Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
  • 7. Authentication in an Internet Banking Environment
• OUT: Simple device identification
• IN: Complex device identification, “digital fingerprinting” using PC configuration, IP address, geo-location, other factors
– Implement time of day restrictions for funds transfers
– Consider keystroke dynamics, biometric-based responses1
“…virtually every authentication technique can be compromised”
1Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
  • 8. Why 200+ MFA Vendors?
Authentication has been the Holy Grail since the early days of the Web.1
The iPhone of Authentication has yet to be invented.2
1Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
2Source: Clare Nelson, February 2015.
  • 9. Suboptimal Choices
Authentication Factors/Technology
1. Biometrics, 2D fingerprint
2. Short Message Service (SMS)
– One-Time Password (OTP)
3. Quick Response (QR) codes
4. JavaScript (behavioral biometrics)
5. Overreliance on GPS, insufficient geolocation data
6. Weak, arcane, account recovery
7. Assumption mobile devices are secure
8. Encryption (without disclaimers)
– Quantum computing may break RSA or ECC by 20301
• Update on NSA’s $80M Penetrating Hard Targets project2
– Encryption backdoors, is it NSA-free and NIST-free cryptography?
– No mysterious constants or “magic numbers” of unknown provenance3
1Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
2Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
3Source: https://www.grc.com/sqrl/sqrl.htm
  • 10. Irrational Exuberance of Biometric Adoption
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
- Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
- Driven by increase of fingerprint scanners in smartphones1
Samsung Pay
1Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
  • 13. 2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula Von der Leyen
– From photographs1,2
• 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany
– Won IsTouchIDHackedYet.com competition3
• 2006: Published research on hacking fingerprint recognition systems4
1Source: https://www.youtube.com/watch?v=vVivA0eoNGM
2Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
3Source: http://istouchidhackedyet.com
4Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
  • 14. Starbug Faking Touch ID
1Source: http://istouchidhackedyet.com
  • 15. Android: Remote Fingerprint Theft at Scale1
“…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”2
Diagram labels: Hardware, User Space, Kernel Space
1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
2Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/
  • 16. Krissler versus Riccio
“Don't use fingerprint recognition systems for security relevant applications!”1 – Jan Krissler (Starbug)
“Fingerprints are one of the best passwords in the world.”2 – Dan Riccio, SVP, Apple
1Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
2Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-ni-believed-legendary-fight-3181991
  • 17. Behavioral Biometrics
Issues
• Requires JavaScript
• Learning curve
• Privacy, constant monitoring
• Injury to hand
• “Highly intoxicated”
1Source: http://www.behaviosec.com
  • 18. Behavioral Biometrics: Invisible Challenge
• Analyze hundreds of bio-behavioral, cognitive and physiological parameters
– Invisible challenge
– No user interaction for step-up authentication
– How you find missing cursor1
1Source: http://www.biocatch.com
  • 19. Biometrics: In Use, Proposed
• Fingerprints 2D, 3D via ultrasonic waves
• Palms, its prints and/or the whole hand (feet?)
• Signature
• Keystroke, art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head – its shape, specific movements
• Ears, lip prints
• Gait, Odor, DNA
• ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home security)
• EEG1
• Methods: Pills, Tattoos
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html
  • 20. “Thought Auth”1
EEG Biosensor
• MindWave™ headset2
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security3
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
3Source: http://www.technewsworld.com/story/77762.html
  • 21. 3D Fingerprint1
No matter how advanced the biometric is, the same basic threat model persists.
1Source: http://sonavation.com/technology/
  • 22. How do you stump an MFA vendor? Ask for a threat model.
Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html
  • 23. “Fingerprints are Usernames, Not Passwords”
“… biometrics cannot, and absolutely must not, be used to authenticate an identity”1 – Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
1Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
  • 24. @drfuture on Biometrics
Hidden Risks
• Biometric reliability and the perception of it
• Lack of discussion of the consequences of errors
• Biometric data’s irreversibility and the implications
• Our biometrics can be grabbed without our consent
• Our behavior can rat us out – sometimes incorrectly
• Giving our biometric and behavioral data may be (de facto) mandatory
• Biometric data thieves and aggregators1
Diagram (accuracy versus threshold), source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
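The "reliability" and "consequences of errors" points on this slide come down to one dial: the matcher's decision threshold, which trades false accepts against false rejects. The block below is an added illustration of that trade-off, not code from the talk, the Black Hat paper or any biometric matcher; the genuine and impostor similarity scores are constructed sample data standing in for what a real matcher emits when comparing a live sample with an enrolled template.

```python
"""False accept / false reject rates of a biometric matcher versus its decision threshold.

Added illustration; not code from the talk or any matcher. GENUINE_SCORES and
IMPOSTOR_SCORES are constructed sample data on a 0..100 similarity scale
(higher = closer to the enrolled template).
"""
from typing import List, Sequence, Tuple

GENUINE_SCORES: List[int] = [88, 91, 79, 95, 83, 70, 89, 92, 77, 85, 90, 81, 94, 86, 73]
IMPOSTOR_SCORES: List[int] = [35, 52, 41, 60, 28, 47, 72, 38, 55, 44, 66, 31, 49, 58, 76]
DEFAULT_THRESHOLDS = range(0, 101)


def far(impostor: Sequence[int], threshold: int) -> float:
    """False Accept Rate: share of impostor attempts the matcher accepts at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[int], threshold: int) -> float:
    """False Reject Rate: share of legitimate attempts the matcher rejects at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_table(genuine: Sequence[int], impostor: Sequence[int],
                thresholds=DEFAULT_THRESHOLDS) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold; raising it lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine: Sequence[int], impostor: Sequence[int],
                          thresholds=DEFAULT_THRESHOLDS) -> Tuple[int, float, float]:
    """Threshold where FAR and FRR are closest: the equal error rate (EER) operating point."""
    return min(error_table(genuine, impostor, thresholds), key=lambda row: abs(row[1] - row[2]))


def expected_false_accepts(far_rate: float, impostor_attempts: int) -> float:
    """What an error rate means at scale: impostor attempts that would be waved through."""
    return far_rate * impostor_attempts


if __name__ == "__main__":
    for t, fa, fr in error_table(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 91, 5)):
        print(f"threshold {t:3d}  FAR {fa:.3f}  FRR {fr:.3f}")
    t, fa, fr = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER near threshold {t}: FAR {fa:.3f}, FRR {fr:.3f}")
    # Constructed volume: 150,000 impostor attempts a year against this matcher.
    print(f"expected false accepts per year: {expected_false_accepts(fa, 150_000):.0f}")
```

The useful habit when a vendor quotes a single accuracy figure is to ask at which threshold it was measured and what the other error rate was at that same point; `error_table` makes both visible, and `expected_false_accepts` turns a small-looking percentage into a count of wrongly accepted attempts for a given volume.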
  • 25. What Will Cause Biometric Backlash?
1. Difficult to reset, revoke
2. Exist in public domain, and elsewhere (56M+ fingerprints stolen in 2015 OPM breach1)
3. May undermine privacy, make identity theft more likely2
4. Persist in government and private databases, accreting information whether we like it or not3
5. Hygiene (e.g., Bank of America hand geometry scanner for safe deposit box room entry)
6. User acceptance or preference varies by geography, demographic
1Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
2Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
3Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
  • 26. SMS OTP Attacks
• Intel’s Dmitrienko, et al
- Circumvented SMS OTP of 4 large banks1
• Northeastern University and Technische Universität Berlin
- “SMS OTP systems cannot be considered secure anymore”2
• SMS OTP threat model
- Physical access to phone
- SIM swap attack
- Wireless interception
- Mobile phone trojans3
1Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
2,3Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
  • 27. SMS OTP Attack: Banking Example
• Operation Emmental
• Defeated 2FA
- 2014, discovered by Trend Micro1
- European, Japanese banks
- Online banking
1. Customer enters username, password
2. Token sent to mobile device (SMS OTP)
3. Customer enters token (OTP)
- Attackers scraped SMS OTPs off customers’ Android phones2,3
1Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
2Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
3Source: https://www.youtube.com/watch?v=gchKFumYHWc
  • 28. SMS OTP Attacks
Banking trojans deploy mobile malware, allow attackers to steal SMS OTP1
1Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
Diagram Source: https://devcentral.f5.com/articles/malware-analysis-report-cridex-cross-device-online-banking-trojan
  • 29. QR Code Risks1
Example: two-factor authentication
• User captures QR code with mobile device
• User enters PIN code to log on, or validate transaction2
QR code redirects user to URL
• Even if the URL is displayed, not everyone reads
• Could link to a malicious website
1Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
2Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
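Since the slide's point is that users do not read the URL a QR code carries, the app that scans it should do the reading for them. The check below is an added example, not code from the talk or from any QR-based authentication product; the allowlisted host `login.bank.example` and the sample payloads are constructed.

```python
"""Check the URL embedded in a scanned QR code before the app follows it.

Added example; not code from the talk or any QR/2FA product. ALLOWED_HOSTS
and the payloads in the demo are constructed assumptions.
"""
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"login.bank.example"}   # assumption: the only host the app may be sent to


def check_qr_url(payload: str) -> Tuple[bool, str]:
    """Return (accept, reason). Accept only https URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port   # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, f"scheme '{parts.scheme or '<none>'}' is not https"
    if "@" in parts.netloc:
        # user:password@host form: the text before '@' is not the host, however much it looks like one
        return False, "authority contains userinfo"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host '{host or '<none>'}' is not allowlisted"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed payloads: one legitimate login URL and several that should be refused.
    for sample in (
        "https://login.bank.example/otp?txn=8812",
        "http://login.bank.example/otp",
        "https://login.bank.example@evil.example/",
        "https://login.bank.example.evil.example/",
        "https://login.bank.example:8443/",
        "tel:+15125551212",
    ):
        print(f"{sample!r:50} -> {check_qr_url(sample)}")
```

Two design choices matter here: the host must match an allowlist exactly (a suffix match would accept `login.bank.example.evil.example`), and any userinfo in the authority is refused outright rather than parsed, because the part before `@` is exactly what a casual reader takes for the host.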
  • 30. Geolocation
• Are latitude and longitude sufficient?
• Digital Authentication Technologies: Contextual Location Fingerprint™1
– Not based on geo-location
• Issues in buildings
• Error rates
• GPS spoofing2
• Cellphone power meter can be turned into a GPS3
• PowerSpy: Android phone’s geolocation by tracking its power use over time
– Unlike GPS or Wi-Fi location tracking, available to any installed app without user’s permission4
1Source: http://www.dathq.com/OurStrategy.aspx
2Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea
3Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract
4Source: http://www.wired.com/2015/02/powerspy-phone-tracking/
  • 31. Account recovery is the Achilles heel of 2FA – Eric Sachs, Product Management Director, Identity at Google1
1Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
  • 32. Account Recovery1
1Source: https://support.google.com/accounts/answer/1187538?hl=en
  • 33. What’s Wrong with Mobile Device as Authentication Device?
MetaIntelli research: sample of 38,000 mobile apps, 67% had M3
Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/
  • 34. MFA Double Standard1
Consumers
• Facial and voice for mobile login2
Employees
• Symantec VIP3
1Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
2Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
3Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
  • 35. Perfect Storm
• Crowded market
– 200+ MFA vendors
– ~$1.8B market1
• Apple, VISA, Samsung
– 2D fingerprint authentication is cool, secure
• Breaches
• Legislation
• FIDO Alliance
1Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market
  • 36. FIDO Alliance
• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
– Universal 2nd Factor (U2F)
– Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Store secrets on device (Android phone), versus hardened server
• Network-resident versus device-resident biometrics
– FIDO advocates device-resident
• Problems, especially with voice1
1Source: January 2015, “Network vs Device Resident Biometrics,” ValidSoft
  • 37. “Legacy thinking subverts the security of a well-constructed system”1 – David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money2
1Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
2Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
  • 39. OWASP IoT Top 10
A1: Insecure Web Interface
A2: Insufficient Authentication, Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concern
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insecure Security Configurability
A9: Insecure Software / Firmware
A10: Poor Physical Security
1Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014
  • 40. IoT Predictions
Creative Cryptography, Uneven Protocol Adoptions
• Enhanced Privacy ID (EPID®)
– "Implementing Intel EPID offers IoT designers …proven security options”1
• PKI: instead of one-to-one mapping public and private key pairs, uses one-to-many mapping of public to private keys
• Autobahn to dirt road
– E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
– Different implementation constraints
– “Security of these … mechanisms is highly dependent on the ability of the programmers creating it.”2
1Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more-secure-iot-applications-300130062.html
2Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015
  • 41. Consider Risk-Based Authentication (aka Context-Based Authentication, Adaptive Authentication)
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location, geo-fencing, geo-velocity
• Behavioral analysis1
• Analytics, machine learning, continuous authentication2
Layer multiple contextual factors. Build a risk profile.
1Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
2Source: Clare Nelson, August 2015
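"Layer multiple contextual factors, build a risk profile" is a scoring problem, and the geo-velocity factor from slides 6 and 30 is the one that needs real arithmetic. The block below is an added worked example of that layering; it is not the talk's code and not any vendor's product. The factor weights, the 900 km/h travel-speed ceiling, the usual-hours window, the bad-IP list and the sample logins are constructed assumptions chosen for illustration.

```python
"""Risk-based (context-based, adaptive) authentication scoring.

Added example; not code from the talk or any vendor. Weights, thresholds,
the usual-hours window and the sample logins are constructed assumptions.
"""
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed
STEP_UP_SCORE = 30                # assumption: total at which a further factor is demanded
DENY_SCORE = 60                   # assumption: total at which the attempt is refused


@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str      # registered-device / fingerprint identifier
    source_ip: str
    lat: float          # geolocation of the source, in degrees
    lon: float
    ts: int             # Unix time, seconds


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_event: Optional[LoginEvent] = None
    usual_hours_utc: Tuple[int, int] = (7, 23)   # assumption: [start, end) hour window


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_velocity_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to get from the previous login to this one."""
    hours = max(cur.ts - prev.ts, 1) / 3600.0   # clamp: near-simultaneous events must not divide by zero
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def score_login(event: LoginEvent, profile: UserProfile, bad_ips: Set[str]) -> Dict[str, int]:
    """Each contextual factor that fired, with its weight; an empty dict means nothing unusual."""
    reasons: Dict[str, int] = {}
    if event.device_id not in profile.known_devices:
        reasons["unknown_device"] = 30
    if event.source_ip in bad_ips:
        reasons["bad_ip_reputation"] = 40
    if profile.last_event is not None:
        if geo_velocity_kmh(profile.last_event, event) > MAX_PLAUSIBLE_SPEED_KMH:
            reasons["impossible_travel"] = 50
    hour = datetime.fromtimestamp(event.ts, tz=timezone.utc).hour
    start, end = profile.usual_hours_utc
    if not (start <= hour < end):
        reasons["unusual_hour"] = 10
    return reasons


def decide(reasons: Dict[str, int]) -> str:
    """Map the summed risk score to an action: allow, step_up (ask for another factor) or deny."""
    total = sum(reasons.values())
    if total >= DENY_SCORE:
        return "deny"
    if total >= STEP_UP_SCORE:
        return "step_up"
    return "allow"


def evaluate(event: LoginEvent, profile: UserProfile, bad_ips: Set[str]) -> Tuple[str, Dict[str, int]]:
    reasons = score_login(event, profile, bad_ips)
    return decide(reasons), reasons


if __name__ == "__main__":
    # Constructed sample: a login from Austin, then one "from London" an hour later on an unregistered device.
    t0 = 1445500000
    austin = LoginEvent("alice", "dev-A", "203.0.113.10", 30.2672, -97.7431, t0)
    london = LoginEvent("alice", "dev-B", "198.51.100.7", 51.5074, -0.1278, t0 + 3600)
    profile = UserProfile(known_devices={"dev-A"}, last_event=austin)
    print(evaluate(london, profile, bad_ips={"198.51.100.7"}))
```

The decision keeps the reasons alongside the verdict so that a step-up prompt or a denial can be logged and reviewed by factor, which is what lets the weights be tuned against real false-positive rates instead of guessed once. After a successful `allow` or completed step-up, the caller would add the device to `known_devices` and store the event as `last_event` so the next geo-velocity check has a baseline.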
  • 42. What You Can Do (1 of 2)
• Request threat models from MFA vendors
• Beware
– 2D fingerprints
– Already-hacked biometrics
– QR codes
– SMS OTP
– JavaScript requirements
– Overreliance on geolocation
– Weak account recovery
– Lack of mobile device risk analysis
– Encryption with backdoors
Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/
  • 43. What You Can Do (2 of 2)
• Do not be swayed by latest InfoSec fashion trends
– Apple Touch ID
• Integration with VISA
• Samsung Pay
– FIDO Alliance
• Rethink MFA definition
– Beware of odd interpretations
• Authentication as a continuous process
– Not just login and transactions
– Cross-channel risk
• Depending on risk and use case, chain or combine
– MFA + (location, time, device ID) + context-based analytics
Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/
  • 44. Questions?
Clare Nelson, CISSP, clare.nelson@owasp.org, @Safe_SaaS, October 22, 2015, Austin, TX
  • 45. Questions?
Clare Nelson, CISSP
@Safe_SaaS
clare.nelson@owasp.org
  • 46. Additional References (1 of 3)
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare, Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
  • 47. Additional References (2 of 3)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor; CTO Daon, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien, OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
  • 48. Additional References (3 of 3)
• Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
  • 49. "A rose by any other name would smell as sweet”1
• Adaptive authentication
• Multi-modal authentication
• Continuous authentication
• 2FA, TFA, Two-factor authentication
• Multi-factor authentication
• Strong authentication
– United States: Many interpretations, depends on context
– European Central Bank (ECB): strong authentication, or strong customer authentication, set of specific recommendations2
• Apple: Two-step authentication
• Multi-step authentication
• SecureAuth: Adaptive, risk-based, context-based authentication
• IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication
– Traditional authentication: authenticate at beginning of session
– Dynamic authentication: users may be asked to authenticate at “various points during a session, for various reasons”3
• Step-up authentication
• Re-Authentication
• Out-of-Band Authentications
1Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html
2Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
3Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
  • 50. Advice for Startups
• For startup internal employees:
– www.gluu.org, 100% open source and open standards
– Many offer free service for a small team
• Apersona free up to 5 users: http://www.apersona.com/#!pricing/c1c8c
• Duo free up to 10 users: https://www.duosecurity.com/
• Build authentication into your products
– Originally cars did not have seat belts. In the future, authentication will be designed in.