Video in TIB AV-Portal: CRYPTO AND PRIVACY VILLAGE - Two Steps to Owning MFA

Formal Metadata

Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Please welcome our next speakers, Cheri Kelly and Dennis Taggart, on Two Steps to Owning MFA. All right, well, you guys having a good time at DEF CON so far? All right. So this is our first time at DEF CON, like my first time even being here, and I've worked in this space for quite a long time, so it's surprising this is my first time. In fact, the last time I was here in Vegas at a computer conference was Comdex. I don't know, yes, there's a couple, a few people. Oh yeah, I remember the Comdex computer conferences. It was just a little while back. And so I started programming at a really young age, I started hacking things at a young age. That was like high school for me. So once I finished high school I started off with a company that travelled me around to a lot of different computer conferences, but the first time I actually saw some girls at a computer conference was Vegas, and I was really excited, 'cause I came into the conference and there's all these girls at the software booths. I thought, this is fantastic, I'm gonna have women that I can talk to about technology, you know, some role models in this space. So there's a few people smiling because you know where I'm going with this. Thinking this is gonna be great, we're gonna geek out on technology and programming. Now, so most of them were dancers here in Vegas, or models, and they were just hired to pretend that they worked for these software companies so they could draw guys in and pretend that they had women working for them. So we've definitely come a long way since that, right? I see a few girls here, which I'm really excited about. Walking, yeah, so walk the halls here, I see so many women, and these women, we're all excited about technology, we're excited about cryptography and about programming, about biohacking and social engineering, right? This is exciting to us. So it's great to be here. And just a little bit about
myself. So I told you I started off programming at a pretty young age, hacking at a young age. I've worked in software engineering, managed software engineering. For the last six years I've been a manager in Identity and Access Management and security, and that's where I thought, you know, breaking multi-factor authentication sounded like a lot of fun. So hopefully you guys enjoy this topic, because we've had a lot of fun putting this together. And I've asked Dennis to
present with me because, first of all, Dennis is one of the most brilliant pen testers that I know. He also recently won NetWars, which, that's pretty cool. Way to go, Dennis. Need to have some valuable insights into this topic as well, and so we're gonna tag-team. So I'm gonna have Dennis start us off with the first method and then I'm gonna jump in, we're just gonna go back and forth. So hopefully you guys learn a lot.

Thanks, Cheri. So as Cheri asked me, hey Dennis, we're gonna present, we're gonna submit to DEF CON, like, DEF CON, I've never been there, and those people know a lot more than me. But with Cheri, I trust her, and I've been so excited preparing for this presentation. So there's a little about me: I was kind of a liberal arts guy through college, so studied a lot of international relations and political science, so I like analysis. And to pay for that I needed to do some kind of work, so I was in a call center and I got really interested in tech. I love hands-on work, like a small mount diode is really fun. Probably a lot of you went over to the hardware hacking, I don't know what that village is called here, but I saw like the chip removal stations and stuff. It was fun. I've been a pen tester for a couple years. Just, we're
just trying to give an educational presentation here, so just a standard disclaimer: we're not sponsored by anybody or endorsed or anything, and we want everybody to be ethical and use good professional and legal judgment. You know, be smart with what we talk about. So with MFA we're gonna just go over
basically the something-you-have portion. We're not going to talk much about any biometrics or passwords per se, but really focus on something you have, and the real heart of what we want to get at here. It's funny, when you start a presentation, how many opportunities you have to find weird problems with implementations out there. While I was preparing I had to get some receipt from a big health provider out where I live, and so I'm calling the helpdesk: hey, I need this receipt for this medical record. And they authenticate me, you know, with birthday and whatever else. Okay, we're gonna email you this record now with your PHI. Thanks. Hang up with the representative, get an email, and inside of that is this link. So okay, I have to click this link. So I open it and it says this is an encrypted message, do you want to sign in with your Microsoft account, your personal one or your professional Microsoft account? I'm like, you don't have either of those from you, I don't want to authenticate with either of those things. What's another option? Send me a link, send me a code. Okay, click this, and like, where are they gonna send me a code to? To my email, the same email. Just got my code. Like, PHI, super secure, right? And so it just really goes to show that security for the sake of security doesn't really get us so many places. I think that's really the heart of what we're trying to talk about today. do looking as many places good Anyway, it'll get us somewhere. But SMS, TOTP, and talk
about push notification, and finish up with U2F, is kind of our plan for today.
So another, just amazing, I was really sad for Reddit. I think it was nice that they were so open with what happened. It's not a roast on them, but what timing: like the week before we present on this, SMS is used, it's bypassed, to get into their information on their users. One of the things they said was, we learned that SMS-based authentication is not as strong as we hoped. So they're urging companies and users to move away from SMS-based to another form of multi-factor authentication. And then I was interested also to find that NIST, even in 2016, referred to SMS as a deprecated form of two-factor, and they ended up kind of softening that back in 2017 to say it's restricted. So basically it's risky, only we wouldn't recommend it, kind of a thing. But interesting, 'cause I feel like I'm seeing most of the places I am on online now finally accepting SMS as a form of MFA, so now we're already needing to kind of move past it. How it's
working: you've got this application that's just working with an SMS broker, so when this user logs in, the app is gonna communicate with some API like Twilio or somebody to say, hey, send a message out over the publicly switched telephone network (PSTN is how NIST refers to it) to the phone, and you'll get this code. It doesn't have to be even any specific algorithm, it could be just a pseudo-random code, they can just dump whatever they want across there. And then you have to, as the user, now type that into the app, and then you get authenticated or not. You have a lot of entry points as an attacker: if you can get on the phone, or before the network, you tap this broker, you know, you have quite a few places.
Bypassing this is becoming, ah, this is becoming a big, I'm seeing this, I don't know if this is selection bias or what, like almost every article I'm seeing. Krebs just published something, like on the 7th of August, a big ring of people stealing SIM cards: calling, pretending to be employees, or working with employees for carriers, and getting SIM cards sent to the attacker, so they plug it into their device and now the target loses, my phone's not working; meanwhile all their two-factor messages are going across to the attacker-controlled device. Now another, there's another one online I've read about, social engineering. So basically this scam involves calling around, calling this mark's number. So you've got their username and password already, now you just need to get their two-factor. So you call him up: hey, is Bob there? No, you've got the wrong number. Oh wait, wait, wait, before you hang up, I fat-fingered you, I was trying to call my mom, I'm getting booked into jail or something, you gotta get my son, just call this number. So he gives some big story, right? Call this number so that my son's not waiting there. And you decide to do it for some reason, because you're a nice person, and what happens is you hang up, you dial this string of numbers he gave you, but all you've done is you've initiated call forwarding, it's something like star seven nine or whatever. Now phone calls coming in are going to this attacker-controlled phone. Where this gets real crazy, I mean, in case that SMS broker goes down there's a lot of sites that'll let you use another, you know, get a phone call or something, because they don't want to DoS you if the SMS third-party broker is down. So as the attacker, if you've got the username, password, and now you've got the phone calls, just: I'd like to get a call instead of a text message, and you've gotten in. Oh, and phishing here, and this is one of
those things where you can kind of feel like phishing doesn't affect me anymore, I've got two-factor enabled here. But really, if an attacker can get a user to put in a username and a password, they can also trick the user to enter in whatever they're getting on their cell phone. So really phishing is a very relevant attack here as well. Here's just an
example of how much it can look real. This could be an attacker-controlled page. We've got this kind of typosquatting-type domain name, and if you're not paying attention as a user you can get says truly easily. And that's really one of the main points that's important here, is just being vigilant with where we're going. I think with this crowd we're probably pretty good about that, but really educating others on, you can't trust what's being presented to you. So I was interested to find that
phishing with SMS has its own name, smishing. I thought it was humorous, I thought it was kind of lonely guys sounding, so I don't know, I just love that meme. And I thought, we've got phishing, smishing; I thought spear phishing could be called sping, probably, and that would be cool. And then if we were to call whaling whale phishing, which would be Biola, you know, that's not correct, but phishing I thought would be cool reference or something. But I just like to call it phishing so I don't confuse myself. Another thing similar to phishing:
really, if you can get somebody to click a link and install the mobile device management software or something, now you're just reviewing this user's messages remotely, because they signed up to be monitored by you. There's an example there: the text coming in, and you can view the target's messages easily. Finally,
how many places do we get SMS messages? You can get them on your laptop, you can get them on web applications, they can be popping up on little alerts on your mobile, on your laptops. And really, if you're at work and you're leaving your desktop unlocked or something, and your coworker has decided they want to get into your account for some reason, they could just look over there and get right in. Another example is there's a lot of providers that actually have a second messaging app that you can install or sign up for, so like Messages Plus or whatever is one, and if you do this you can view all of your mobile messages, you can view all of your messages on the provider's, like Verizon's, website. So basically if you don't have two-factor set up on your carrier account, like to get into verizon.com, but you have this messages app set up, you can just log in and view your messages on the web application, and if an attacker can get in there they can get your two-factor as well. So really, as we know, we're only as strong as the weakest link is, so if we're getting SMS messages to places that are not protected by two-factor auth, it's a potential attack point for an attacker to get in and target us. To prevent this,
really, using something besides SMS is a really good idea if at all possible. Using some form of multi-factor, but using something else if possible. Requesting authorization can be a good way to have this so that the providers don't just so easily let you port your number somewhere else. So if an attacker were to call and say, hey, I'm getting a new phone number, transfer this number over to this one: if the carrier needs to contact you first, it'll make it harder for the attacker to do that. Also, application security must not be neglected here. If you do all this work for two-factor and then once you get in there's some persistent cross-site scripting vulnerability that sends your cookies somewhere else, the attacker doesn't need the SMS or the multi-factor; once there, you're already authenticated. So, training on phishing, training on malware, document strategy for response,
and then handling these unsolicited notifications if they come. So was it really unsolicited, is something you have to ask. Sometimes you might freak yourself out; maybe it'll come a little bit late, or you started doing something else. You know, make sure it really is unsolicited. If you're working for somebody else or protecting somebody else's account: is this person a big target? And changing the password as soon as possible, because if you've verified you're getting unsolicited requests, somebody's got the password out there. Identify all the attacker activity, because what would be really bad is if you go through all the work, you've run the incident, you change the password, and then there's some vulnerability out there, the guy's still getting the account re-compromised. So identifying how the initial compromise is happening also helps, and continue to monitor. Yes? So, how do you deal with the timing for how long the token's good for? It's a great question. So there's a couple of parameters you've got: how long is it valid for, then there's also how many times is it going to be used, because we hope that it's only allowed to be used once. And usually with the SMS one you'd have to have some application logic to really lock that down, because it's not necessarily a time-based one-time password, which we're gonna get a little bit of a talk on here in a little bit. You hope that you're only getting maybe five minutes or something, or less, but you have to leave some lead time for, you know, how long does it take to go through the broker and get through. But great question. I hope if there's more at the end, let us know. But Cheri's going to talk about time-based one-time password, which will speak more to what you're asking, I think. chance let's see at the end well makes your question sure
Sweet, all right. So I'm just gonna add to that too. So it kind of depends on the application, so it could be five minutes or twenty minutes, it's common for an SMS code to live. And typically there's going to be brute-force protection, you would hope. If you're creating an application you're gonna want to have brute-force protections, so you're only allowing maybe a few, three, five times to enter the code, in case, you know, grandma fat-fingers, or whoever fat-fingers that number, and you give them a couple of tries. But usually you want to keep that condensed so people can't just brute-force that, right, and figure out your six-digit code without having the code on the phone. I'll talk to you afterwards, so if you want. Yeah, yeah, in fact if we run out of time, because we do have a lot of material, I'm gonna show you my Twitter handle, you're welcome to reach out to me, or we can talk afterwards, because yeah, this is a field that I love to talk about. your granny so you know you're good. So the next one we're gonna talk about is TOTP. So this is really similar to the question we just got. So this is a time-based one-time password. So you guys are probably more familiar with this with Google Authenticator, all right? So Google Authenticator, Microsoft Authenticator, Authy, Duo, all those things that you probably use for your company, hopefully your bank and school, right? These things run off of what's called TOTP. So it's a time-based algorithm, so it's a one-time password, and typically it generates every 30 seconds, right? If you looked at your Google Authenticator app you're gonna see every 30 seconds you get a code. You usually have about a minute and a half padding around that too, so it lasts typically about a minute and a half, maybe two minutes, is really the length that that code will last. And this is based off of the OATH standards. The only reason I mention that, it's just kind of nice to know where things come from, but also just because this gets confused a lot
with OAuth 2. So many people who are familiar with identity, if that's your space, OAuth 2 is federation authentication, so that's totally different, and I'm gonna talk a little bit about that later. In fact I'm doing some research right now on breaking OAuth 2, so if anyone's interested in having that discussion I'd love to collaborate with you. So this is based off of the OATH standard, so it's a set algorithm, and it's good to know that because you're going to see that there's some great vulnerabilities in the fact that it's using this common algorithm everywhere. Oh, and just so you know, there's different types: this one's time-based, there's also a counter-based, which is HOTP, and that just means that the one time you use the password it then creates a new one, or it'll give a new code, and it does that every time you use it. So that's HOTP. Okay, so this is
probably what you're used to seeing when you set up Google Authenticator. You're gonna see a QR code, and you're gonna see, if you scanned that, or if you can't scan it, typically you're gonna see something like "can't scan it" or "copy code manually". If you click on that then you're gonna see the shared key, and I'm gonna explain to you why that's important, why we want to know what that shared key is, because that right there, that's like the valuable piece with TOTP. You get that, you're golden, right? So this is usually what you're gonna see. Now what's happening
behind the scenes: so we've got this shared key, and all we do is hash that with the time, and this is looking at the system time or server time. So if you were to take this into a calculator right now you would see that it would be today at 11 o'clock, right? So we take the time of right now and add that with a shared key and then we just get a hash. Okay, and I know when we see algorithms we get a little nervous, but I'm just gonna break this down and it's actually really simple, so you see how this works. All right, so we've got this hash, and now all I do is I look at the last character, or the last four bits, but we're just gonna say the last character, which is f in this case, and the decimal value of f is 15, so I'm gonna offset this by 15. All right, and then you see I have it broken up in pairs, so if I just count that starting with zero you get to 15, that's where 4b is, it's highlighted in red. So we take the next four bytes after we offset it by 15, pull that, and then convert it from hex to decimal, right? And then you mod that by a million, because all you're trying to do is just get six digits. That's typical, usually you only have six digits that you type in. So they mod that by a million, which, all that is is you divide it by a million and you take the remainder, which is six digits in this case, and that's your TOTP code. That is the standard algorithm that's used every single time, and it's nice to know that because if I get your shared key, I mean, you know, for fun I could calculate this myself, or of course I could just use an application to do that. But the important part of this is
the fact that there's a shared key, right? All I have to do is get ahold of that, that's your golden ticket. And the fact that that's available, now I just have to think about, okay, well, where did they store the shared key? Well, it's stored on their phone, because Google Authenticator knows it, so it's going to be stored in the phone's database, the app's database. So if I get full control of their phone I could extract that key and now I can generate my own six-digit code for them. Or if I get ahold of the application, or figure out how to compromise the application, I can also get that shared key. And I'm going to show you just a quick demo here of how you could do that. And nothing like demos when you're being recorded and presenting your first time at DEF CON, right?
All right, so I created a really simple web application, and this intentionally has lots of vulnerabilities on it, just for demo purposes and for fun, but you know what, it's actually pretty realistic with a lot of sites out there. So we're gonna sign in, and we kind of have this ode to the women of technology going on, so I'm gonna sign in as Ada Lovelace. If you don't know who Ada Lovelace is, you should look it up: 1800s, she helped come up with algorithms that we use today in programming. All right, so
this site, it's pretty awesome because it has 2-step verification, right, or multi-factor authentication on it. So this just makes you feel nice and warm and fuzzy because we know that they
take security seriously. Oops, we get to
So I have a TOTP manager installed online. This is a Windows machine; if you're using a Mac you can use JAuth. So you can install your own desktop TOTP manager as well, which is convenient because in this circumstance I don't have to go to a phone. So I'm just gonna copy Ada's second factor, paste
that in here, right, now I've signed in. It's a really simple app, all it's doing is showing my account settings. Scroll down so you guys can see that a little better. For Ada. And so I brought this up because, obviously, this is a pretty insecure app; usually you're not gonna show your password in plain text right there, right? But some apps will still give you access to that shared key. It may allow you to go into Google Authenticator or Authenticator app or whatever they call it, Duo or whatever, in order to edit your shared key here, add another device. If it lets you do that, all you have to do is, they're signed in, you just come across, access their account settings, and you're able to grab that shared key. Now let's imagine the
that I don't have access to this website, and I'm just gonna do basic hacking 101, right? I'm just gonna put it here detected in so I'm just gonna put in some basic SQL injection, right, "or one equals one", right, old-school. But what's funny about that is that the Verizon data breach report just showed last year that this is still the second most common way that data breaches happen, is through SQL injection. So we put in some SQL injection, it doesn't know who to give us, so it gives us the entire database. Isn't that convenient? And this unfortunately is a vulnerability that's, like I said, pretty common. So since they've stored the shared key right along with the username and the password, I now have the username, I have the password, and I have the shared key, so that I can just now generate my own TOTP. So if we wanted to sign in as Hedy Lamarr, who you should also look up: Hedy was a famous Hollywood actress and, yeah, she
also invented spread-spectrum which is used in Wi-Fi Bluetooth and that's pretty cool so if I wanted to in fact let's go over here oops so if I wanted
to sign in as Hedy all I have to do I could just go through that algorithm myself right do the offset or I can be lazy cuz hackers are typically lazy so I'm just gonna save this here and now we just generated it went through that same algorithm I showed you and it just generated that six digit code this app is there you go what should see you but so now all I have to do go back to here
put in since I have Hedy's password because I got that as well I now sign in put this in here and and
it signs in so if you imagine if this was like the administrator right I got into that database I now just elevated my privileges by logging in now as the administrator of the system so what this teaches us is that application security
is still important no matter what right
if I can get into the database I can get
access to the database where that shared key is stored if I can find some vulnerability on your web application I might be able to get it extract that shared key and still be able to get past that second factor so just because you have multi-factor authentication in place it doesn't mean that your sites can automatically be insecure and if you just look at it I mean here two steps in order to get in I exploit either the user my social engineering is always a great target to tear a great avenue to take I can exploit the application like I just did my SQL injection cross-site scripting CORS trying to find some vulnerability in the application and see if I can get into that database or take advantage of the phone if I can control the phone I can get the shared key from there as well and then obviously get into the target's account so how do we prevent this so first of all you want to make sure you're diligent about application security you can't take application security lightly so you need to make sure you're securing your site so you got to think about the fact that I mean how many if you have multiple apps of your company make sure that all of them are protected that no one's allowing you to get into your identity database and where you store that shared key is important if you're storing it right alongside the username and password right if someone can get your username and password they're gonna be able to get that so you know all the same things that that all the same ways that people can get the access to the database they're gonna just do that same thing and get access to the shared key so you want to make sure that either you store it in a separate location you encrypt it you put monitoring in place you're protecting that you're treating that just like a password because that's what it is and then of course TOTP can also be phished and then you you want to protect against all other vulnerabilities that are out there all
right so the next thing we're gonna jump into is push notification and then we'll dive into U2F security keys Thanks so as y'all notice when Sherry she used that one-time password and you saw that bar kind of getting close to where it was gonna reset I was like oh no it's not gonna work but Sherry taught me something I think you'd all think this is interesting too I mean there's usually a pad of 30 seconds or so on either side on either side so just one of those things to keep in mind that they gotta have account for you know network lag x server times whatever problems in between it so that's why that code still worked even though if we had looked at the screen right before she'd answer that would have been another code there and I just think that's cool so so push notifications there's an example do you want to sign in yes no kind of thing how does it work what's cool is you're kind of getting
away from the PSTN side of things that we were talking about earlier that can you've got this potential trust issue where you're riding over a network and you've got all these other pieces in between that you don't know if you trust so much well here we still obviously are talking communicating over a network but you basically when you log in the application instead of talking to an SMS broker is gonna talk to some service provider talking Google or Apple a lot of times most popular and you're sent there the application is going to include an application I mean a device token and the query because after the service provider who's going to also forward that along but using the device token looking up the device sending it to the actual user's device when you respond it goes back to the same channels and the response based on that allows access into the application what's what's really unique here and important to remember so this device token is the same across we got it on the application you got it on this service provider and you've got it on the device so how are we gonna bypass
that well getting access to try to change that token it's really what you want to do in a few if you can find as an attacker if you know what your device token is and you can impose that target user's device then the messages destined for them are going to come to your device so ways to do that I mean Sherry gave that great example with you know SQL injection if you can get in and through that kind of weakness and inject your device token over other users then that's that will get you what you're trying to do also if you can just log into the database potentially bad passwords if you've got some maybe indirect object references or insecure direct object references and some API this is totally out there or maybe as you're logged in you can make a change to instead of just updating your account maybe you can change another user's account through some parameter tampering or something and update also the device token those are all some examples we'll
give let's let's kind of show what that would look like right so go back to that same application
same user here log in as Ada and we're
gonna try to change we'll change Hedy's device token to Ada's so we'll get the messages destined for Hedy
too much trackpad sorry okay so here we
got familiar screen we're gonna look at our push notification option safe though
for this user wait
let's view device token for we try to change it huh okay so here's the device token you can see here we've got 64 characters so it's a little longer it's mostly random but at the end we've got a little homage to DEF CON let's remember that too because this is too long remember all of these things but we're gonna change Hedy's to be this key this device token so let's update how are we
gonna do it I can't mess with this let's look at the URL there's some parameter
tampering potential right here sorry that's small and I can't make that
bigger right now what the ID says one two three eight four ada let's just change that to one two three nine because that's what you see we've got
Hedy's so now we've got this this this QR code here this is the kind of thing we've just got an end point where if you usually these things just when you scan them all it's doing is sending whatever information's needed to update that token so you know we sat here scan this and what would happen here let's go look at
hers we've got the same state now we have Ada's token in place of where Hedy's was and that would be a really bad but I believe you two have right nobody has that but no they do and that really that really exists out there where these values they're not totally obvious maybe what they're used for to maybe the user but if you can if an attacker can get a control get control of them it's end game for the security of that MFA token let's go to the next slide here let's go to the presentation to
so defending against that just like with Sheree was saying application security is really important here as well it kind of goes back to that first example we talked about to where I got that email that hey it's an encrypted document pH is so encrypted and send me a token to my email you know and I just walked through the MFA it all comes down to implementation that wasn't the provider's fault that's just the way it was implemented and same thing if you if you go through all this work to set up MFA you've got this pool I know SMS is maybe not as secure so I'm gonna do push notifications on my app but then you've got some roundabout way of just walking in it the whole thing falls apart so phishing and social engineering here as well if you can get the user to click YES on your bad site you can capture these tokens as well understanding how to respond to unsolicited push notifications everything's always worse when the world's on fire and you don't is my account compromised you're bound to make more mistakes that way for example trying to get some kind of downgrade attack to happen if let's say the user is seeing a lot of push notifications coming across and they're just sick of it and they just go and log in and turn off push notifications that would be a really dumb thing to do that could totally happen they're sick they're bothered the work is interrupted they need to get back to work so I'm done with this broken technology that doesn't work right having a strategy proud of respond to prevent silly things like that from defeating the multi-factor us social engineering calling up if if some if an attacker were to call up to the helpdesk and okay I lost my I don't know I don't have my phone I mean you just got to do something else about this I can't get in can you turn off my factor for the day if the attacker can successfully imitate the user and get them to just turn it off for maybe even just eight hours just the workday that's a huge window um session
hijacking still very much applicable here as well once the session has been once you've got that session ID all the two-factor multi all that stuff is done so that means this session senior protected that's pretty good on this one Oh accidental approval no you talk about for a second so statistically if this could go in system more social engineering to so you could just as an attacker just login hopefully the attacker knew especially if you're a big corporation you don't want to blow maybe your app suck or something if you're a pen tester but hopefully you knew if they had MFA on or not but even if you did it and the pop-up goes up and user clicks yes without really kind of thinking maybe just muscle memory or something that could get you in it can be that simple or more social engineering instead of going against the helpdesk going against the user themselves hey we're gonna we're testing out some functionality we had some complaints so will you just click one of the buttons when it comes up you're gonna get a notification there are studies out there statistically the user will select yes more than no and so that sounds dumb but that's true and you can that it can be that simple so all of this work all this architectural design all this engineering can all be foiled by kind of one silly thing so it's important to consider when we're implementing oh one more thing I thought one other thing arbitrary code on the target devices so you're getting you've got this push notification popping up if the attacker can control what's gonna be sent in the message to the user you can try to run maybe cross-site you can try to run JavaScript or something in that target user device and depending on the device you might have you might have some success there and depending on how much validation is going on client-side and what's you're actually able to submit through the user device and with that I think that rounds out push pretty
well finale all right so we're gonna end on U2F security keys and this one is definitely my favorite there's a lot of incredible controls here for we're going to show you still some ways to get around this and one thing that as Dennis was mentioned the arbitrary code with push notification that's intriguing to me because you think that push if you gain control of that you could send whatever messages whatever code whatever anything you wanted to to someone's phone if you owned that application that's sending those messages that's just kind of interesting to think about but alright so U2F security keys the way this works so a security key if you haven't used one it's kind of like a thumb drive goes into your USB or USB C port you just type in your password press the button and then it logs you in and security keys especially while there's many different types of security keys first of all so there's some that do just like Google Authenticator does generates just a code you can get past that in the same ways you can get past Google Authenticator or similar you could still phish but with U2F it has additional controls that are in place so just know that not all security keys are the same so U2F was created by the FIDO Alliance and they you know multiple organizations mostly Yubico and quite a few other impressive organizations came together to try and make authentication stronger so what they came up with you
know has so many controls and as Dennis mentioned that it was just recently in the news about their data breach Reddit is now looking at using that they've mentioned using security keys I don't know if they are yet but this is if I were to talk to them I would tell them to make sure they're using U2F security keys don't use Google Authenticator or one of the other options I just go straight here and that's what Google is using today Google has advertised that this is their way to get past phishing is using U2F security keys so some of the
benefits and the reason why there's some great controls here it uses public private key on the initial handshake so it's gonna pass a key first of all and then it's also gonna pass origin ID and I'll dive into that a little bit more that helps you avoid phishing and it's also going to use token binding which we'll dive into as well because that's kind of that's pretty exciting and interesting you can't write security key it's write-blocked so like a phone a phone I can get control of this right you're you're browsing the internet with your phone so there's multiple ways to get control of someone's phone but a security key you can't write to it so I can't get remote access to your security key I also they use a nonce thing as a counter so I can do a replay attack on it if I get the messages it's transferring across I can't use it more than it can only be used once all right so I can't replay if I grab a message and it requires human interaction so that means for QA testing it's kind of a pain because you have to have a human actually push the button but for hackers it's even more of a pain because you can't automate that all right so some really cool things that
U2F offers so origin bound oh this just shows kind of that process the initial setup so you're gonna see and this is good to know because there's always a message or some data that's gonna be stored on both sides right so the security key is gonna store that public private key the origin ID the TLS channel ID or token binding you're also gonna have that same thing stored on the application so if you can get access to that right swap out your message with someone else's then you can just use your security key so know that there's some storage that takes place really similar to push notification you still could take advantage of this we'd have to get access to the identity provider database all right so just a little bit
more about origin binding so this binds against the domain name and so like with phishing I'm gonna pretend you know Google right you may not notice you think you're on the real site but with origin bound it's gonna look at the URI so it's not gonna allow me to phish the the web application
token binding now this is a little more complex but how token binding works so this is at the TLS layer so at the transport layer so three TLS you're doing a handshake right that takes place and TLS if you just picture like a tunnel right or straw right so that whole tunnel is protected but you don't know if it's going from point A to point B if someone got in the middle of that and interacted with that message you actually with TLS it doesn't protect you against that but TLS token binding does and this is something you're going to hear about this more and more with a lot of different technologies because it does allow us to protect against man in the middle and session hijacking now if you used but you'd have to use token binding to protect your access token or your ID token if you're using OpenID Connect if you protect protect those tokens with token binding then you would be able to protect against session hijacking now the interesting thing here right so there's all these complexities that go with token binding which is really really cool but it's also complex and it's fairly new still so there's a lot of servers so web servers network systems that may not be able to support this yet so if you look at the U2F specs you're gonna see that this is listed as optional so token binding even though it's super cool and it protects against man-in-the-middle and protects against session hijacking it's optional which means that not all companies have probably taken advantage of this yet so you have to have a web server Apache does support it but there's some web servers that don't so you'd have to have a web server that supports token binding in order to be able to use it you'd have to use this throughout your network right if you think about and all the hops that are taking place if not using token binding at one spot then that area is still going to be vulnerable to man-in-the-middle attacks so there's still even though I mean we hear about this and it sounds
super cool there's still ways around it and if they're not using you know token binding with all their access or refresh tokens with OAuth 2 or OpenID Connect then you still would probably be able to use well you would be able to use session hijacking so if I was a pen tester of a large organization and we just announced the real switch over to U2F security keys this is one thing I'd want to test to see okay yeah it advertises it can do this but is our company actually doing this because this is an architecture change you actually have to think about the architecture throughout your network in order to make sure you've implemented this correctly and so even though it's awesome right it opens you up some system vulnerabilities right
there all right well I'm gonna try and speed through the rest of this but you know so know that U2F is still not totally foolproof obviously physical attack would be probably your easiest method right just get access to the security key and then now you just get the password like you always did before and you can get in you can manipulate the database like we talked about switch out the message it's usually a JSON message you can switch that out with your own and you can get in social engineer the support team try a backup method that security key is so small it's easy to leave at home or to lose they've set up a backup method like SMS which would obviously be a lot easier to get past so as we were looking to this
we kind of kind of reminded us of that comic I think you guys probably seen this before you know how can we get past this complex encryption system kind of same thing with security key and how can we get past U2F we could create phishing you know crying create some type of expensive solution or I could buy a $5 wrench hit somebody on the head and ask him to give me their security key right and that's probably your easiest solution there's just get access to the security key social engineer the support team that's probably the simplest way to get past it but then there's also still some vulnerabilities
all right to protect we want to protect the authentication database make sure that someone can't get access to that if I was able to do a SQL injection still on the database and do an update I might be able to just swap out my security key message with yours and now I'm using my security key and nobody you know patch monitor all of your systems obviously protect against malware so all
the basics so end result you know is multi-factor a silver bullet it's gonna protect you against everything no I mean obviously it's an incredible layer you know security is all about complexities and we want to have as much complexity as we can to deter people from getting into our systems to add more controls that people have to get past but with those complexities there's always gonna be some vulnerabilities that people can get get by and hopefully we're able to show you some of those vulnerabilities I know we're running out of time so I apologize we don't get a chance to ask any questions but Dennis that'll be on the hall you can talk to us or feel free to send us a message on Twitter I'm pretty easy to find you Cherie Callie and Dennis feel free to add us and ask us any questions and we'd love to collaborate so thank you very much