Hacking Multifactor Authentication
1st edition

by: Roger A. Grimes

25,99 €

Publisher: Wiley
Format: PDF
Published: 23.09.2020
ISBN/EAN: 9781119672340
Language: English
Number of pages: 576

DRM-protected eBook; to read it you need e.g. Adobe Digital Editions and an Adobe ID.

Description

<p><b>Protect your organization from scandalously easy-to-hack MFA security “solutions”</b></p> <p>Multi-Factor Authentication (MFA) is spreading like wildfire across digital environments. However, hundreds of millions of dollars have been stolen from MFA-protected online accounts. How? Most people who use multifactor authentication (MFA) have been told that it is far less hackable than other types of authentication, or even that it is unhackable. You might be shocked to learn that all MFA solutions are actually <i>easy</i> to hack. That’s right: there is no perfectly safe MFA solution. In fact, most can be hacked at least five different ways. <i>Hacking Multifactor Authentication</i> will show you how MFA works behind the scenes and how poorly linked multi-step authentication steps allow MFA to be hacked and compromised.</p> <p>This book covers over two dozen ways that various MFA solutions can be hacked, including the methods (and defenses) common to all MFA solutions. You’ll learn about the various types of MFA solutions, their strengths and weaknesses, and how to pick the best, most defensible MFA solution for your (or your customers') needs. Finally, this book reveals a simple method for quickly evaluating your existing MFA solutions. If using or developing a secure MFA solution is important to you, you need this book.</p> <ul> <li>Learn how different types of multifactor authentication work behind the scenes</li> <li>See how easy it is to hack MFA security solutions—no matter how secure they seem</li> <li>Identify the strengths and weaknesses in your (or your customers’) existing MFA security and how to mitigate them</li> </ul> <p>Author Roger Grimes is an internationally known security expert whose work on hacking MFA has generated significant buzz in the security world. Read this book to learn what decisions and preparations your organization needs to take to prevent losses from MFA hacking.</p>
<p><b>Introduction xxv</b></p>
<p>Who This Book is For xxvii</p>
<p>What is Covered in This Book? xxvii</p>
<p>MFA is Good xxx</p>
<p>How to Contact Wiley or the Author xxxi</p>
<p><b>Part I Introduction 1</b></p>
<p><b>1 Logon Problems 3</b></p>
<p>It’s Bad Out There 3</p>
<p>The Problem with Passwords 5</p>
<p>Password Basics 9</p>
<p>Identity 9</p>
<p>The Password 10</p>
<p>Password Registration 11</p>
<p>Password Complexity 11</p>
<p>Password Storage 12</p>
<p>Password Authentication 13</p>
<p>Password Policies 15</p>
<p>Passwords Will Be with Us for a While 18</p>
<p>Password Problems and Attacks 18</p>
<p>Password Guessing 19</p>
<p>Password Hash Cracking 23</p>
<p>Password Stealing 27</p>
<p>Passwords in Plain View 28</p>
<p>Just Ask for It 29</p>
<p>Password Hacking Defenses 30</p>
<p>MFA Riding to the Rescue? 31</p>
<p>Summary 32</p>
<p><b>2 Authentication Basics 33</b></p>
<p>Authentication Life Cycle 34</p>
<p>Identity 35</p>
<p>Authentication 46</p>
<p>Authorization 54</p>
<p>Accounting/Auditing 54</p>
<p>Standards 56</p>
<p>Laws of Identity 56</p>
<p>Authentication Problems in the Real World 57</p>
<p>Summary 58</p>
<p><b>3 Types of Authentication 59</b></p>
<p>Personal Recognition 59</p>
<p>Knowledge-Based Authentication 60</p>
<p>Passwords 60</p>
<p>PINs 62</p>
<p>Solving Puzzles 64</p>
<p>Password Managers 69</p>
<p>Single Sign-Ons and Proxies 71</p>
<p>Cryptography 72</p>
<p>Encryption 73</p>
<p>Public Key Infrastructure 76</p>
<p>Hashing 79</p>
<p>Hardware Tokens 81</p>
<p>One-Time Password Devices 81</p>
<p>Physical Connection Devices 83</p>
<p>Wireless 87</p>
<p>Phone-Based 89</p>
<p>Voice Authentication 89</p>
<p>Phone Apps 89</p>
<p>SMS 92</p>
<p>Biometrics 92</p>
<p>FIDO 93</p>
<p>Federated Identities and APIs 94</p>
<p>OAuth 94</p>
<p>APIs 96</p>
<p>Contextual/Adaptive 96</p>
<p>Less Popular Methods 97</p>
<p>Voiceover Radio 97</p>
<p>Paper-Based 98</p>
<p>Summary 99</p>
<p><b>4 Usability vs Security 101</b></p>
<p>What Does Usability Mean? 101</p>
<p>We Don’t Really Want the Best Security 103</p>
<p>Security Isn’t Usually Binary 105</p>
<p>Too Secure 106</p>
<p>Seven-Factor MFA 106</p>
<p>Moving ATM Keypad Numbers 108</p>
<p>Not as Worried as You Think About Hacking 109</p>
<p>Unhackable Fallacy 110</p>
<p>Unbreakable Oracle 113</p>
<p>DJB 113</p>
<p>Unhackable Quantum Cryptography 114</p>
<p>We are Reactive Sheep 115</p>
<p>Security Theater 116</p>
<p>Security by Obscurity 117</p>
<p>MFA Will Cause Slowdowns 117</p>
<p>MFA Will Cause Downtime 118</p>
<p>No MFA Solution Works Everywhere 118</p>
<p>Summary 119</p>
<p><b>Part II Hacking MFA 121</b></p>
<p><b>5 Hacking MFA in General 123</b></p>
<p>MFA Dependency Components 124</p>
<p>Enrollment 125</p>
<p>User 127</p>
<p>Devices/Hardware 127</p>
<p>Software 128</p>
<p>API 129</p>
<p>Authentication Factors 129</p>
<p>Authentication Secrets Store 129</p>
<p>Cryptography 130</p>
<p>Technology 130</p>
<p>Transmission/Network Channel 131</p>
<p>Namespace 131</p>
<p>Supporting Infrastructure 131</p>
<p>Relying Party 132</p>
<p>Federation/Proxies 132</p>
<p>Alternate Authentication Methods/Recovery 132</p>
<p>Migrations 133</p>
<p>Deprovision 133</p>
<p>MFA Component Conclusion 134</p>
<p>Main Hacking Methods 134</p>
<p>Technical Attacks 134</p>
<p>Human Element 135</p>
<p>Physical 137</p>
<p>Two or More Hacking Methods Used 137</p>
<p>“You Didn’t Hack the MFA!” 137</p>
<p>How MFA Vulnerabilities are Found 138</p>
<p>Threat Modeling 138</p>
<p>Code Review 138</p>
<p>Fuzz Testing 138</p>
<p>Penetration Testing 139</p>
<p>Vulnerability Scanning 139</p>
<p>Human Testing 139</p>
<p>Accidents 140</p>
<p>Summary 140</p>
<p><b>6 Access Control Token Tricks 141</b></p>
<p>Access Token Basics 141</p>
<p>Access Control Token General Hacks 142</p>
<p>Token Reproduction/Guessing 142</p>
<p>Token Theft 145</p>
<p>Reproducing Token Hack Examples 146</p>
<p>Network Session Hijacking Techniques and Examples 149</p>
<p>Firesheep 149</p>
<p>MitM Attacks 150</p>
<p>Access Control Token Attack Defenses 157</p>
<p>Generate Random, Unguessable Session IDs 157</p>
<p>Use Industry-Accepted Cryptography and Key Sizes 158</p>
<p>Developers Should Follow Secure Coding Practices 159</p>
<p>Use Secure Transmission Channels 159</p>
<p>Include Timeout Protections 159</p>
<p>Tie the Token to Specific Devices or Sites 159</p>
<p>Summary 161</p>
<p><b>7 Endpoint Attacks 163</b></p>
<p>Endpoint Attack Risks 163</p>
<p>General Endpoint Attacks 165</p>
<p>Programming Attacks 165</p>
<p>Physical Access Attacks 165</p>
<p>What Can an Endpoint Attacker Do? 166</p>
<p>Specific Endpoint Attack Examples 169</p>
<p>Bancos Trojans 169</p>
<p>Transaction Attacks 171</p>
<p>Mobile Attacks 172</p>
<p>Compromised MFA Keys 173</p>
<p>Endpoint Attack Defenses 174</p>
<p>MFA Developer Defenses 174</p>
<p>End-User Defenses 177</p>
<p>Summary 179</p>
<p><b>8 SMS Attacks 181</b></p>
<p>Introduction to SMS 181</p>
<p>SS7 184</p>
<p>Biggest SMS Weaknesses 186</p>
<p>Example SMS Attacks 187</p>
<p>SIM Swap Attacks 187</p>
<p>SMS Impersonation 191</p>
<p>SMS Buffer Overflow 194</p>
<p>Cell Phone User Account Hijacking 195</p>
<p>Attacks Against the Underlying Supporting Infrastructure 196</p>
<p>Other SMS-Based Attacks 196</p>
<p>SIM/SMS Attack Method Summary 197</p>
<p>NIST Digital Identity Guidelines Warning 198</p>
<p>Defenses to SMS-Based MFA Attacks 199</p>
<p>Developer Defenses 199</p>
<p>User Defenses 201</p>
<p>Is RCS Here to Save Mobile Messaging? 202</p>
<p>Is SMS-Based MFA Still Better than Passwords? 202</p>
<p>Summary 203</p>
<p><b>9 One-Time Password Attacks 205</b></p>
<p>Introduction to OTP 205</p>
<p>Seed Value-Based OTPs 208</p>
<p>HMAC-Based OTP 209</p>
<p>Event-Based OTP 211</p>
<p>TOTP 212</p>
<p>Example OTP Attacks 217</p>
<p>Phishing OTP Codes 217</p>
<p>Poor OTP Creation 219</p>
<p>OTP Theft, Re-Creation, and Reuse 219</p>
<p>Stolen Seed Database 220</p>
<p>Defenses to OTP Attacks 222</p>
<p>Developer Defenses 222</p>
<p>Use Reliable and Trusted and Tested OTP Algorithms 223</p>
<p>OTP Setup Code Must Expire 223</p>
<p>OTP Result Code Must Expire 223</p>
<p>Prevent OTP Replay 224</p>
<p>Make Sure Your RNG is NIST-Certified or Quantum 224</p>
<p>Increase Security by Requiring Additional Entry Beyond OTP Code 224</p>
<p>Stop Brute-Forcing Attacks 224</p>
<p>Secure Seed Value Database 225</p>
<p>User Defenses 225</p>
<p>Summary 226</p>
<p><b>10 Subject Hijack Attacks 227</b></p>
<p>Introduction 227</p>
<p>Example Attacks 228</p>
<p>Active Directory and Smartcards 228</p>
<p>Simulated Demo Environment 231</p>
<p>Subject Hijack Demo Attack 234</p>
<p>The Broader Issue 240</p>
<p>Dynamic Access Control Example 240</p>
<p>ADFS MFA Bypass 241</p>
<p>Defenses to Component Attacks 242</p>
<p>Threat Model Dependency Abuse Scenarios 242</p>
<p>Secure Critical Dependencies 242</p>
<p>Educate About Dependency Abuses 243</p>
<p>Prevent One to Many Mappings 244</p>
<p>Monitor Critical Dependencies 244</p>
<p>Summary 244</p>
<p><b>11 Fake Authentication Attacks 245</b></p>
<p>Learning About Fake Authentication Through UAC 245</p>
<p>Example Fake Authentication Attacks 251</p>
<p>Look-Alike Websites 251</p>
<p>Fake Office 365 Logons 252</p>
<p>Using an MFA-Incompatible Service or Protocol 253</p>
<p>Defenses to Fake Authentication Attacks 254</p>
<p>Developer Defenses 254</p>
<p>User Defenses 256</p>
<p>Summary 257</p>
<p><b>12 Social Engineering Attacks 259</b></p>
<p>Introduction 259</p>
<p>Social Engineering Commonalities 261</p>
<p>Unauthenticated Communication 261</p>
<p>Nonphysical 262</p>
<p>Usually Involves Well-Known Brands 263</p>
<p>Often Based on Notable Current Events and Interests 264</p>
<p>Uses Stressors 264</p>
<p>Advanced: Pretexting 265</p>
<p>Third-Party Reliances 266</p>
<p>Example Social Engineering Attacks on MFA 266</p>
<p>Fake Bank Alert 267</p>
<p>Crying Babies 267</p>
<p>Hacking Building Access Cards 268</p>
<p>Defenses to Social Engineering Attacks on MFA 270</p>
<p>Developer Defenses to MFA 270</p>
<p>User Defenses to Social Engineering Attacks 271</p>
<p>Summary 273</p>
<p><b>13 Downgrade/Recovery Attacks 275</b></p>
<p>Introduction 275</p>
<p>Example Downgrade/Recovery Attacks 276</p>
<p>Alternate Email Address Recovery 276</p>
<p>Abusing Master Codes 280</p>
<p>Guessing Personal-Knowledge Questions 281</p>
<p>Defenses to Downgrade/Recovery Attacks 287</p>
<p>Developer Defenses to Downgrade/Recovery Attacks 287</p>
<p>User Defenses to Downgrade/Recovery Attacks 292</p>
<p>Summary 294</p>
<p><b>14 Brute-Force Attacks 295</b></p>
<p>Introduction 295</p>
<p>Birthday Attack Method 296</p>
<p>Brute-Force Attack Methods 297</p>
<p>Example of Brute-Force Attacks 298</p>
<p>OTP Bypass Brute-Force Test 298</p>
<p>Instagram MFA Brute-Force 299</p>
<p>Slack MFA Brute-Force Bypass 299</p>
<p>UAA MFA Brute-Force Bug 300</p>
<p>Grab Android MFA Brute-Force 300</p>
<p>Unlimited Biometric Brute-Forcing 300</p>
<p>Defenses Against Brute-Force Attacks 301</p>
<p>Developer Defenses Against Brute-Force Attacks 301</p>
<p>User Defenses Against Brute-Force Attacks 305</p>
<p>Summary 306</p>
<p><b>15 Buggy Software 307</b></p>
<p>Introduction 307</p>
<p>Common Types of Vulnerabilities 308</p>
<p>Vulnerability Outcomes 316</p>
<p>Examples of Vulnerability Attacks 317</p>
<p>Uber MFA Vulnerability 317</p>
<p>Google Authenticator Vulnerability 318</p>
<p>YubiKey Vulnerability 318</p>
<p>Multiple RSA Vulnerabilities 318</p>
<p>SafeNet Vulnerability 319</p>
<p>Login.gov 319</p>
<p>ROCA Vulnerability 320</p>
<p>Defenses to Vulnerability Attacks 321</p>
<p>Developer Defenses Against Vulnerability Attacks 321</p>
<p>User Defenses Against Vulnerability Attacks 322</p>
<p>Summary 323</p>
<p><b>16 Attacks Against Biometrics 325</b></p>
<p>Introduction 325</p>
<p>Biometrics 326</p>
<p>Common Biometric Authentication Factors 327</p>
<p>How Biometrics Work 337</p>
<p>Problems with Biometric Authentication 339</p>
<p>High False Error Rates 340</p>
<p>Privacy Issues 344</p>
<p>Disease Transmission 345</p>
<p>Example Biometric Attacks 345</p>
<p>Fingerprint Attacks 345</p>
<p>Hand Vein Attack 348</p>
<p>Eye Biometric Spoof Attacks 348</p>
<p>Facial Recognition Attacks 349</p>
<p>Defenses Against Biometric Attacks 352</p>
<p>Developer Defenses Against Biometric Attacks 352</p>
<p>User/Admin Defenses Against Biometric Attacks 354</p>
<p>Summary 355</p>
<p><b>17 Physical Attacks 357</b></p>
<p>Introduction 357</p>
<p>Types of Physical Attacks 357</p>
<p>Example Physical Attacks 362</p>
<p>Smartcard Side-Channel Attack 362</p>
<p>Electron Microscope Attack 364</p>
<p>Cold-Boot Attacks 365</p>
<p>Snooping On RFID-Enabled Credit Cards 367</p>
<p>EMV Credit Card Tricks 370</p>
<p>Defenses Against Physical Attacks 370</p>
<p>Developer Defenses Against Physical Attacks 371</p>
<p>User Defenses Against Physical Attacks 372</p>
<p>Summary 375</p>
<p><b>18 DNS Hijacking 377</b></p>
<p>Introduction 377</p>
<p>DNS 378</p>
<p>DNS Record Types 382</p>
<p>Common DNS Hacks 382</p>
<p>Example Namespace Hijacking Attacks 388</p>
<p>DNS Hijacking Attacks 388</p>
<p>MX Record Hijacks 388</p>
<p>Dangling CDN Hijack 389</p>
<p>Registrar Takeover 390</p>
<p>DNS Character Set Tricks 390</p>
<p>ASN.1 Tricks 392</p>
<p>BGP Hijacks 392</p>
<p>Defenses Against Namespace Hijacking Attacks 393</p>
<p>Developer Defenses 394</p>
<p>User Defenses 395</p>
<p>Summary 397</p>
<p><b>19 API Abuses 399</b></p>
<p>Introduction 399</p>
<p>Common Authentication Standards and Protocols Involving APIs 402</p>
<p>Other Common API Standards and Components 411</p>
<p>Examples of API Abuse 414</p>
<p>Compromised API Keys 414</p>
<p>Bypassing PayPal 2FA Using an API 415</p>
<p>Auth0 MFA Bypass 416</p>
<p>Authy API Format Injection 417</p>
<p>Duo API As-Designed MFA Bypass 417</p>
<p>Microsoft OAuth Attack 419</p>
<p>Sign In with Apple MFA Bypass 419</p>
<p>Token TOTP BLOB Future Attack 420</p>
<p>Defenses Against API Abuses 420</p>
<p>Developer Defenses Against API Abuses 420</p>
<p>User Defenses Against API Abuses 422</p>
<p>Summary 423</p>
<p><b>20 Miscellaneous MFA Hacks 425</b></p>
<p>Amazon Mystery Device MFA Bypass 425</p>
<p>Obtaining Old Phone Numbers 426</p>
<p>Auto-Logon MFA Bypass 427</p>
<p>Password Reset MFA Bypass 427</p>
<p>Hidden Cameras 427</p>
<p>Keyboard Acoustic Eavesdropping 428</p>
<p>Password Hints 428</p>
<p>HP MFA DoS 429</p>
<p>Trojan TOTP 429</p>
<p>Hackers Turn MFA to Defeat You 430</p>
<p>Summary 430</p>
<p><b>21 Test: Can You Spot the Vulnerabilities? 431</b></p>
<p>Threat Modeling MFA Solutions 431</p>
<p>Document and Diagram the Components 432</p>
<p>Brainstorm Potential Attacks 432</p>
<p>Estimate Risk and Potential Losses 434</p>
<p>Create and Test Mitigations 436</p>
<p>Do Security Reviews 436</p>
<p>Introducing the Bloomberg MFA Device 436</p>
<p>Bloomberg, L.P. and the Bloomberg Terminal 437</p>
<p>New User B-Unit Registration and Use 438</p>
<p>Threat-Modeling the Bloomberg MFA Device 439</p>
<p>Threat-Modeling the B-Unit in a General Example 440</p>
<p>Specific Possible Attacks 441</p>
<p>Multi-Factor Authentication Security Assessment Tool 450</p>
<p>Summary 451</p>
<p><b>Part III Looking Forward 453</b></p>
<p><b>22 Designing a Secure Solution 455</b></p>
<p>Introduction 455</p>
<p>Exercise: Secure Remote Online Electronic Voting 457</p>
<p>Use Case Scenario 457</p>
<p>Threat Modeling 458</p>
<p>SDL Design 460</p>
<p>Physical Design and Defenses 461</p>
<p>Cryptography 462</p>
<p>Provisioning/Registration 463</p>
<p>Authentication and Operations 464</p>
<p>Verifiable/Auditable Vote 466</p>
<p>Communications 467</p>
<p>Backend Blockchain Ledger 467</p>
<p>Migration and Deprovisioning 470</p>
<p>API 470</p>
<p>Operational Training 470</p>
<p>Security Awareness Training 470</p>
<p>Miscellaneous 471</p>
<p>Summary 471</p>
<p><b>23 Selecting the Right MFA Solution 473</b></p>
<p>Introduction 473</p>
<p>The Process for Selecting the Right MFA Solution 476</p>
<p>Create a Project Team 477</p>
<p>Create a Project Plan 478</p>
<p>Educate 479</p>
<p>Determine What Needs to Be Protected 479</p>
<p>Choose Required and Desired Features 480</p>
<p>Research/Select Vendor Solutions 488</p>
<p>Conduct a Pilot Project 490</p>
<p>Select a Winner 491</p>
<p>Deploy to Production 491</p>
<p>Summary 491</p>
<p><b>24 The Future of Authentication 493</b></p>
<p>Cyber Crime is Here to Stay 493</p>
<p>Future Attacks 494</p>
<p>Increasingly Sophisticated Automation 495</p>
<p>Increased Nation-State Attacks 496</p>
<p>Cloud-Based Threats 497</p>
<p>Automated Attacks Against MFA 497</p>
<p>What is Likely Staying 498</p>
<p>Passwords 498</p>
<p>Proactive Alerts 498</p>
<p>Preregistration of Sites and Devices 499</p>
<p>Phones as MFA Devices 500</p>
<p>Wireless 501</p>
<p>Changing/Morphing Standards 501</p>
<p>The Future 501</p>
<p>Zero Trust 502</p>
<p>Continuous, Adaptive, Risk-Based 503</p>
<p>Quantum-Resistant Cryptography 506</p>
<p>Interesting Newer Authentication Ideas 506</p>
<p>Summary 507</p>
<p><b>25 Takeaway Lessons 509</b></p>
<p>Broader Lessons 509</p>
<p>MFA Works 509</p>
<p>MFA is Not Unhackable 510</p>
<p>Education is Key 510</p>
<p>Security Isn’t Everything 511</p>
<p>Every MFA Solution Has Trade-Offs 511</p>
<p>Authentication Does Not Exist in a Vacuum 512</p>
<p>There is No Single Best MFA Solution for Everyone 515</p>
<p>There are Better MFA Solutions 515</p>
<p>MFA Defensive Recap 516</p>
<p>Developer Defense Summary 516</p>
<p>User Defense Summary 518</p>
<p>Appendix: List of MFA Vendors 521</p>
<p>Index 527</p>
<p><b>ROGER A. GRIMES</b> is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor.</p>
<p><i><b>"A thoughtful demonstration that, like all security technologies, MFA is not a panacea."</b></i><br/> <b>—BRUCE SCHNEIER</b></p>
<p><i><b>"Roger provides example after example that there is no silver bullet computer security defense. MFA alone will not protect you against sophisticated adversaries. The real problems behind computer security involve people and making the appropriate risk decisions."</b></i><br/> <b>—KEVIN MITNICK</b></p>
<p><b>DISCOVER THE STRENGTHS AND WEAKNESSES OF MULTI-FACTOR AUTHENTICATION</b></p>
<p>So-called "experts" point to multifactor authentication (MFA) as the solution to most hacks and breaches. But, far from being the unhackable, off-the-shelf panacea they're widely touted to be, MFA systems require careful planning and design in order to be properly secured and not fall prey to the dozens of real-world MFA vulnerabilities Roger A. Grimes details in <i>Hacking Multifactor Authentication</i>.</p>
<p>Administrators and users of multifactor authentication systems will learn that all MFA systems can be hacked, most in at least five different ways. Anyone telling you MFA can't be hacked is either trying to sell you something or naïve. Either way, you'll want to avoid their advice.</p>
<p>You'll learn how to mitigate the most common MFA security loopholes to prevent bad actors from accessing your systems. Readers will learn to quickly and comprehensively evaluate their own MFA solutions to assess their vulnerability to the known hacking methods.</p>
<p>This book provides real-world example MFA hacks and the practical strategies to prevent them. Perfect for CISSPs, CIOs, CISOs, and penetration testers, <i>Hacking Multifactor Authentication</i> also belongs on the bookshelves of any information security professional interested in creating or improving their MFA security infrastructure.</p>
<p>Learn:</p> <ul> <li><b>How MFA works behind the scenes and how to hack it</b></li> <li><b>The strengths and weaknesses of different MFA types</b></li> <li><b>How to develop or pick a more secure MFA solution</b></li> <li><b>How to select the best MFA for your environment out of the hundreds available</b></li> </ul>
