
Security For The People: End-User Authentication Security on the Internet by Mark Stanislav


DESCRIPTION

Despite the continued success by attackers to brute-force accounts, phish credentials, and otherwise impact the online security of consumers, a large portion of the sites and services consumers utilize still don't take authentication security seriously enough. This presentation will review recent research into the state of end-user-facing authentication security as it relates to strong authentication, transport security, breach history, security transparency, and complementary browser security features. Through analysis of the ways organizations protect consumer authentication and deploy relevant browser security features, we can gain insight into which sites and services are most focused on ensuring consumers have the best chance defending against attackers.

Mark Stanislav, Duo Security

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup and corporate environments, primarily focused on Linux architecture, information security, and web application development. He has presented at over 70 events internationally including RSA, ShmooCon, SOURCE Boston, and THOTCON. His security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Mark holds a B.S. in Networking & IT Administration and an M.S. in Information Assurance, both from Eastern Michigan University. Mark is currently writing a book titled, "Two-Factor Authentication" (published by IT Governance).


Page 1: Security For The People: End-User Authentication Security on the Internet by Mark Stanislav

Security For The People: End-User Authentication Security On The Internet

Mark Stanislav [email protected]

Page 2

Security Is A Process, Not A Product.

Page 3

A Few Notes on Research Methodology

•Worked “backwards” by establishing a list of services that provide users with availability of two-factor authentication

•Provides us with a more security-forward data set to begin with

•Gathered additional details per service regarding not just 2FA details but also TLS usage, browser headers, and cookie security

•Focus on data completeness and accuracy as much as reasonably possible but this is *not* a scientific study

•Does not include software packages with two factor

Page 4

Primary Data Points Utilized

Two-Factor Authentication
When was it first offered to users?
How do users enroll to enable it?
What method(s) are available?
What do companies even call it?

Browser Security Features
HTTP Strict Transport Security
Content Security Policy
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Session Cookie HttpOnly
Session Cookie Secure

Transport Security
Do they utilize SSL/TLS for logins?
What is their SSL Labs score?

Page 5

Gathering Data Can Be Really, Really Annoying

Page 6

Two Factor Deployments Per Year Since 2005

[Bar chart: Number of Deployments (0 to 45) by Year of Deployment, 2005 through 2014]

* Note, data is only through June 2014

•Google Authenticator’s presence in 2011 has likely led to the mass adoption of TOTP

•Many services that support TOTP just say they use Authenticator

•Facebook also enabled 2FA for users in 2011

•Allows SMS + TOTP

Page 7

How Does A User Actually Enroll In Two Factor?

[Bar chart: Number of Services by Method of Two Factor Enrollment: Phone Call, E-Mail, Mixed, Self Enroll]

•Ease of enrollment is crucial for adoption of security controls

•Having to call, fax, or even e-mail may be enough for a user to go “this seems like too much effort…”

•It’s great to see such a high percent of services allowing users to self enroll (94%)

Page 8

Collective Method Availability Across Services

[Bar chart: Number of Services Offering each Method: E-Mail, SMS, Call, Card, Token, Yubikey, TOTP, HOTP, Mobile, Duo, Authy, Rublon]

•12 of the 74 services that support TOTP are Bitcoin related

•92% of all Bitcoin services offer TOTP, 62% only offer it to use

•73% of hardware token-enabled services are financial or gaming

Page 9

Companies Should Point Out Two Factor Availability

Shown upon first login… nice work, Zoho!

Page 10

Number Of Methods Per Service By Percentage

[Pie chart; legend: 1, 2, 3, 4, 5+ methods; slice labels: 51%, 33%, 11%, 4%, 2%]

•Of services that offer only a single method, 51% provide TOTP and 14% provide SMS

•62% of services that offer two methods pair TOTP with SMS

•MailChimp and OneLogin offer five methods for users to leverage

Page 11

Two Factor Moniker Usage Since 2005

[Bar chart: Moniker Usage Per Year (0 to 47) by Deployment Year, 2005 through 2014; series: 2FA, MFA, 2SV, Other; annotation: Google Deploys 2SV]

* Note, data is only through July 2014

•2-Step Verification as a moniker seems to be going away…

•2011: 15%

•2012: 28%

•2013: 21%

•2014: 17%

•“Other” is usually for custom branding of the service’s feature

Page 12

Built-In Two Factor Bypass? Recovery Gone Wrong.

Can’t 2FA? No Problem! Just replace it with more 1-factor :)

Page 13

A Bit Of A Glossary

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

Content Security Policy (CSP) provides a header that allows websites to declare approved sources of content that browsers should be allowed to load on that page.

X-Frame-Options can prevent any framing, prevent framing by external sites, or allow framing only by the specified site.

X-XSS-Protection enables the XSS filter built into most web browsers — IE8, for instance, already has this on by default.

X-Content-Type-Options reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable/dynamic HTML.

‘Secure’ Cookie makes supported browsers only send cookies with the secure flag when the request is going to a HTTPS page.

‘HttpOnly’ Cookie mitigates cross-site scripting (XSS) attacks by not allowing supported browsers to access cookies client-side.

Mostly a copy/paste from Wikipedia and OWASP <3
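Added example, not code from the deck: a small Python checker that reads a raw HTTP response and reports which of the features in this glossary are present, including whether the login session cookie carries the Secure and HttpOnly flags. The sample response and the cookie name `sessionid` are constructed for the example.

```python
from typing import Dict, List, Tuple

# Response headers the research looked for (HTTP header names are case-insensitive).
HEADER_FEATURES = {
    "hsts": "strict-transport-security",
    "csp": "content-security-policy",
    "x_frame": "x-frame-options",
    "x_xss": "x-xss-protection",
    "x_content": "x-content-type-options",
}

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response into lower-cased (name, value) pairs; Set-Cookie may repeat."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_flags(set_cookie: str) -> Tuple[str, bool, bool]:
    """Return (cookie name, Secure flag set, HttpOnly flag set) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, "secure" in attrs, "httponly" in attrs

def check_features(raw: str, session_cookie: str) -> Dict[str, bool]:
    """Map each tested feature to True/False; only the named session cookie's flags count."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    result = {key: hdr in present for key, hdr in HEADER_FEATURES.items()}
    result["cookie_secure"] = result["cookie_httponly"] = False
    for name, value in headers:
        if name == "set-cookie":
            cname, secure, httponly = cookie_flags(value)
            if cname == session_cookie:  # other cookies (e.g. tracking) are ignored
                result["cookie_secure"], result["cookie_httponly"] = secure, httponly
    return result

# Constructed sample (not a real service): HSTS and X-Frame-Options present,
# session cookie HttpOnly but not Secure, no CSP/X-XSS/X-Content-Type-Options.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: tracking=abc123; Path=/\r\n"
    "Set-Cookie: sessionid=deadbeef; Path=/; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for feature, found in check_features(SAMPLE_RESPONSE, "sessionid").items():
        print(f"{feature:16} {'present' if found else 'missing'}")
```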

Page 14

Browser Security Features For Service Logins

Sector        Total Sites  HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly
All Sectors   141          38%   7%   56%      22%    22%        75%            78%
Technology    83           40%   10%  49%      20%    20%        73%            78%
Financial     36           33%   8%   50%      14%    8%         69%            64%
Gaming        12           17%   0%   25%      8%     0%         58%            67%
Retail        4            50%   0%   75%      50%    50%        75%            100%
Social        6            50%   17%  83%      17%    33%        100%           83%

•Gaming is far behind versus other sectors for browser security

•Likely because most users spend little time in the browser

•Social media organizations have more of a focus on browser security due to the common nature of client-side attacks against

Page 15

Browser Security All-Stars

4 of 141 services utilized all of tested browser security features

12 more had all security features except Content Security Policy

Page 16

Unexpected Headers During Research

WordPress.com, x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

App.net, heartbleed: REKEYED: 2014-04-08; see http://heartbleedheader.com

Directnic, X-Hackers: We’re hiring! Apply at [email protected], use this header in your subject

Page 17

SSL/TLS Implementation for Service Logins

[Bar chart: Total Occurrences (0 to 35) by SSL Labs Score: A+, A, A-, B, C, F]

•14 of the ‘F’ ratings were because of the OpenSSL CCS vulnerability (CVE-2014-0224)

•Star Wars: The Old Republic actually supported SSL v2!

•Amazingly enough, SSLTrust of all people received a ‘C’ rating for their allowance of both 40-bit and 56-bit cipher suites

Page 18

We Take Security Seriously, Erm…

Page 19

Browser Security + SSL Security All-Stars

2 of 141 services utilized all of tested browser security features and managed to receive an ‘A+’ SSL implementation rating

Page 20

The Weirdest Thing I Saw During Research

They don’t use SSL at all and do JS crypto for logins

Page 21

Security Pages — Yes, Really :)

Many companies dedicate an entire page (or at least a big section of a page) to how they protect you and how you can protect yourself

…and others definitely do not…

Seems legit.

Example #1

Example #2

Example #3

Page 22

Security Pages Across Two Factor-enabled Services

[Bar chart: Count by Security Page: Yes 90, No 51]

•15 of 51 sites (29%) that do not have a security page are in the domain registration/DNS space

•…including GoDaddy, NameCheap, and Hover

•Some of these pages even have a bug bounty and/or responsible disclosure section which is fantastic for further helping to protect users

•…including Google, Facebook, and Coinkite

•These pages show real concern for security

Page 23

So What Does This All Mean?

•Consider the data points we now have:

•Browser security (HTTP headers and cookie security)

•Transport security (SSL/TLS implementation)

•Strong authentication (two factor deployments)

•Corporate security focus (company security page)

•What if we could assign a point-scale to those data points and create a composite value of authentication security per service?

•…and what if you had no idea what the hell you were doing?

Page 24

Mark’s Authentication Security Scoring Algorithm — Crudely Realized Edition

MASSACRE

Page 25

How Do We Get a Composite MASSACRE Score?

SSL Implementation
Score                 Points
A+, A, A-, B+, B, B-  15
C+, C, C-, D+, D, D-  10
F, No SSL/TLS         0

Security Page
Exists?  Points
Yes      5

Browser Security Features
Feature                         Points
HTTP Strict Transport Security  10
Content Security Policy         15
X-Frame-Options                 10
X-XSS-Protection                5
X-Content-Type-Options          5
Secure Session Cookie           10
HttpOnly Session Cookie         10

Two Factor
Enabled?  Points
Yes       15

100 point scale… add up values to get a score!

Page 26

Professional MASSACRE Scale

Score   Count
81-100  15
61-80   41
41-60   53
21-40   27
0-20    5

Keep in mind, everyone “starts” with 15 points
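The scoring table and the scale above, implemented as an added Python example (not code from the deck); the rows it scores are copied from the SaaS 2FA shoot-out slide later in the deck, so the computed values can be checked against that slide's MASSACRE column.

```python
from typing import Dict, Optional

# Point values exactly as on the "How Do We Get a Composite MASSACRE Score?" slide.
FEATURE_POINTS = {
    "hsts": 10, "csp": 15, "x_frame": 10, "x_xss": 5,
    "x_content": 5, "cookie_secure": 10, "cookie_httponly": 10,
}
# A+/A/A-/B+/B/B- earn 15, C+/C/C-/D+/D/D- earn 10, F or no TLS earns 0.
SSL_POINTS = {g: 15 for g in ("A+", "A", "A-", "B+", "B", "B-")}
SSL_POINTS.update({g: 10 for g in ("C+", "C", "C-", "D+", "D", "D-")})
SSL_POINTS.update({"F": 0, None: 0})
SECURITY_PAGE_POINTS = 5
TWO_FACTOR_POINTS = 15  # every service in the study has 2FA, hence "starts" at 15

def massacre_score(features: Dict[str, bool], ssl_grade: Optional[str],
                   security_page: bool, two_factor: bool = True) -> int:
    """Add up the point values; the maximum is 100."""
    score = sum(pts for key, pts in FEATURE_POINTS.items() if features.get(key))
    score += SSL_POINTS[ssl_grade]
    score += SECURITY_PAGE_POINTS if security_page else 0
    score += TWO_FACTOR_POINTS if two_factor else 0
    return score

def scale_bucket(score: int) -> str:
    """Map a score onto the Professional MASSACRE Scale bands."""
    for lo, hi in ((81, 100), (61, 80), (41, 60), (21, 40), (0, 20)):
        if lo <= score <= hi:
            return f"{lo}-{hi}"
    raise ValueError(f"score out of range: {score}")

FLAG_ORDER = list(FEATURE_POINTS)  # same order as the shoot-out table columns

# Rows copied from the deck's SaaS 2FA shoot-out slide: flags for HSTS, CSP,
# X-Frame, X-XSS, X-Content, Cookie Secure, Cookie HttpOnly ("1" = present),
# then the SSL Labs grade and whether a security page exists.
SHOOTOUT = {
    "Authy":        ("1011101", "F",  True),
    "Duo Security": ("1110011", "A+", True),
    "LaunchKey":    ("1011111", "A+", True),
    "MePIN":        ("0000001", "B",  False),
    "Rublon":       ("0000011", "A-", True),
    "SAASPASS":     ("0000011", "A",  False),
    "TeleSign":     ("0000000", "A-", False),
    "TextPower":    ("0000010", "F",  False),
}

def score_row(flags: str, ssl_grade: Optional[str], security_page: bool) -> int:
    features = {key: flag == "1" for key, flag in zip(FLAG_ORDER, flags)}
    return massacre_score(features, ssl_grade, security_page)

def shootout_scores() -> Dict[str, int]:
    """Recompute the MASSACRE column of the shoot-out table."""
    return {name: score_row(*row) for name, row in SHOOTOUT.items()}

if __name__ == "__main__":
    for name, score in shootout_scores().items():
        print(f"{name:13} {score:3}  ({scale_bucket(score)})")
```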

Page 27

MASSACRE Scoring Outcomes — Best and Worst!

Best Scores
Company   Score
GitHub    100
Kraken    100
LastPass  100
FastMail  95
Facebook  90

Worst Scores
Company   Score
easyDNS   15
Frostbox  15
Sendloop  15
Fabulous  20
Pobox     20

Best Per Sector
Sector      Company               Score
Technology  Github, LastPass      100
Financial   Kraken                100
Gaming      Elder Scrolls Online  65
Retail      Etsy                  85
Social      Facebook              90

Worst Per Sector
Sector      Company                                          Score
Technology  easyDNS, Frostbox, Sendloop                      15
Financial   WeMineLTC                                        30
Gaming      Guild Wars 2, Star Wars: Old Republic, Wildstar  35
Retail      Humble Bundle                                    50
Social      HootSuite                                        45

Page 28

Further Parsing MASSACRE Scores

Group           Mean  Median  Mode
Overall Values  57    55      55
Technology      57    55      75
Financial       57    55      55
Gaming          47    48      N/A
Retail          68    68      N/A
Social          72    73      N/A

Page 29

How Do Security Features Increase MASSACRE Scores?

Group           Mean  Median  Mode
Overall Values  57    55      55
CSP Enabled     87    93      100
Security Page?  63    65      55
HSTS Enabled    75    75      75
SSL ~(A|B)      60    55      55
SSL ~(C|D)      40    40      N/A
SSL ~(F/None)   37    35      N/A

Page 30

MASSACRE FAQ, #1

Page 31

MASSACRE FAQ, #2

Page 32

MASSACRE FAQ, #3

Page 33

Have A Crappy Algorithm? Make A Crappy Extension!

Page 34

Breaches Of Service Security (Data Loss, Especially)

•A breach does not include DDoS attacks, direct phishing against customers, dumb users, etc.

•28% of services had a public corporate breach

•Breached services had an average MASSACRE score of 64 while unbreached had a worse, 54

•So, moot point. Everyone can get hacked :)

[Bar chart: Count by Corporate Breach: Yes 39, No 102]

Sector      Total  # Breached  % Breached
Technology  83     19          23%
Financial   36     11          31%
Gaming      12     3           25%
Retail      4      2           50%
Social      6      4           67%

Page 35

Two Factor Deployments After A Breach

•Of 37 services that had a deployment date and a breach date, 54% already offered some form of two-factor authentication

•Of the 19 services that added 2FA after a breach, it took an average of 255 days to deploy with a median of 128 days

•It took Linode, Dropbox, MaxCDN, and Buffer < 1 month to deploy

•74% offer TOTP (52% offer it across all services)

Page 36

SaaS 2FA Service Provider Shoot-Out!

•Includes 2FA providers with a customer login on their web site

•Sorry if I missed your company, it was definitely not on purpose!

Company       HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly  SSL Score  Security Page  MASSACRE
Authy         ✓     ✗    ✓        ✓      ✓          ✗              ✓                F          ✓              60
Duo Security  ✓     ✓    ✓        ✗      ✗          ✓              ✓                A+         ✓              90
LaunchKey     ✓     ✗    ✓        ✓      ✓          ✓              ✓                A+         ✓              85
MePIN         ✗     ✗    ✗        ✗      ✗          ✗              ✓                B          ✗              40
Rublon        ✗     ✗    ✗        ✗      ✗          ✓              ✓                A-         ✓              55
SAASPASS      ✗     ✗    ✗        ✗      ✗          ✓              ✓                A          ✗              50
TeleSign      ✗     ✗    ✗        ✗      ✗          ✗              ✗                A-         ✗              30
TextPower     ✗     ✗    ✗        ✗      ✗          ✓              ✗                F          ✗              25

*phew* glad Duo didn’t lose :P

Page 37

Random Thoughts On Lessons Learned

•Scouring the Internet to find release dates and documentation for service features is way harder than it should be

•Authentication security still ultimately comes down to the security of your operations and your codebase

•Bug in your authentication code? None of this other stuff really matters

Data research is tiring, let’s just break stuff.

Page 38

Thanks Go Out To…

•Vikas Kumar and Domenic Rizzolo, two of the amazing interns at Duo Security for doing a ton of data gathering and organization

•http://twofactorauth.org for being a hugely helpful resource for trying to aggregate 2FA-enabled sites/services to get started with

•https://www.ssllabs.com/ssltest/ from Qualys for SSL Scoring

•Steve Werby did similar research on a grander scale last year — http://www.slideshare.net/stevewerby/crunching-the-

Page 39

All Done! Questions?

E-Mail: [email protected]

Twitter: @markstanislav

Presentations: speakerdeck.com/mstanislav