Apr 13, 2017
Almost everyone uses some kind of Multi-factor or "2 Factor Authentication". Our guest this week (who goes by "Matt", @infosec_meme) wanted to discuss some gotchas with 2FA and MFA: the issues that come from over-reliance on 2FA, including from people who believe it's the best thing ever. We finish by discussing other methods of 2FA that don't just require a PIN from a mobile device or token.
We also discuss its use with concepts like "BeyondCorp", Google's take on the "Software Defined Perimeter" we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3).
This is a great discussion for people looking to implement 2FA at their organization, or who need ammunition when their boss thinks that all security is solved by using Google Auth.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-013-Multi-factor_auth_gotchas_with_Matt.mp3
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
Show Notes:

What does MFA try to solve?
  - Credential theft
  - Phishing

MFA / bad things happening with that:
  - Phishing / 2FA / solutions?
  - Internal training: is this actually working?
    - Australia Post didn't think so: https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987

Counterpoints:
  - It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )
  - C: I don't like running some silly app on my phone
  - C: I also don't like running around with a physical token
  - C: Embedding a Yubico nano in my USB slot leaves me with one USB port left
    - Also doesn't solve the case where someone just steals that token

Does any of it matter?
  - BeyondCorp / "Let's make the machine's state part of the credential"
    https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf
  - Is there some way we (not Google) can make it so a credential is worthless?

Solutions:
  - Duo / "There's an app on my phone and it has context about what wants to do something right now"
    - Probably a step in the right direction
    - Kind of like some Australian banks, which SMS you before transferring $X to account Y
  - Okta (grab links to spec)
    - META // Does this actually solve it?
  - OAuth (grab links to spec)
    - Attacking OAuth: https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
    - META // It's not MFA, but it makes the cost of an unrelated compromise significantly lower
    - META // Engineering things toward short-lived secrets is a better idea
  - I think one of the better ideas being put out was by Google in 2014, the 'BeyondCorp' project (https://research.google.com/pubs/pub43231.html), simply put:
    Obviously this is a massive undertaking and would require a massive overhaul of everything, but it did look like Google were able to pull it off in the end (https://research.google.com/pubs/pub44860.html).
  - Tavis is banging on LastPass again… https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/
  - Duo Security // BeyondCorp: https://duo.com/blog/beyondcorp-for-the-rest-of-us (more info on BeyondCorp)
  - Misc // Hey, Google wrote a paper on U2F a while back: http://fc16.ifca.ai/preproceedings/25_Lang.pdf
  - Touched on briefly / "Secure Boot Stack and Machine Identity" at Google: servers which need to boot up into a given state (sounds like UEFI, except with a 'Google-designed security chip')
    https://cloud.google.com/security/security-design/resources/google_infrastructure_whitepaper_fa.pdf
  - META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing
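Added example (not from the show or its guest): a small Python simulation of the "Phishing / 2FA / solutions?" gotcha and of the origin binding that the U2F paper linked above relies on. It assumes HMAC over a per-registration key as a stand-in for U2F's per-origin ECDSA signature and uses a constructed relying-party origin; the TOTP part follows RFC 6238, so the same six-digit code is accepted no matter which page the user typed it into, while a relayed origin-bound assertion is rejected.

```python
import hashlib
import hmac
import os
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the 'PIN from a mobile device' kind of second factor."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The server only sees six digits; nothing ties them to the site the user typed them into.
    return hmac.compare_digest(submitted, totp(secret, unix_time))

# Origin-bound challenge/response in the style of U2F. Assumption/simplification: an HMAC
# with a per-registration key stands in for the per-origin ECDSA signature; the property
# shown (the browser, not the user, supplies the origin) is the same.
RP_ORIGIN = "https://accounts.example.com"  # constructed sample origin of the real site

def authenticator_sign(reg_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    # The signed client data includes the origin the browser actually loaded.
    client_data = browser_origin.encode() + b"|" + challenge
    return hmac.new(reg_key, client_data, hashlib.sha256).digest()

def rp_verify(reg_key: bytes, challenge: bytes, signature: bytes) -> bool:
    # The relying party only accepts assertions made over its own origin.
    expected = authenticator_sign(reg_key, challenge, RP_ORIGIN)
    return hmac.compare_digest(expected, signature)

def relayed_totp_is_accepted(secret: bytes, unix_time: int) -> bool:
    # Victim types the current code into a look-alike page, which forwards it unchanged.
    code_typed_on_fake_page = totp(secret, unix_time)
    return totp_login(secret, code_typed_on_fake_page, unix_time)  # True: the relay works

def relayed_u2f_is_accepted(reg_key: bytes, fake_origin: str = "https://accounts-example.com.test") -> bool:
    challenge = os.urandom(32)  # the real site's challenge, forwarded by the look-alike page
    sig = authenticator_sign(reg_key, challenge, fake_origin)  # browser reports the fake origin
    return rp_verify(reg_key, challenge, sig)  # False: origin mismatch, the relay fails

def legitimate_u2f_is_accepted(reg_key: bytes) -> bool:
    challenge = os.urandom(32)
    return rp_verify(reg_key, challenge, authenticator_sign(reg_key, challenge, RP_ORIGIN))
```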