System Administration Access Control PDF

Document Details

Uploaded by FelicitousAgate9912

ESTG - Escola Superior de Tecnologia e Gestão

2024

Patrício Domingues

Tags

system administration access control cybersecurity computer science

Summary

This document is a presentation on System Administration Access Control. It covers various topics, such as user education, phishing, social engineering and malware.

Full Transcript

Administração de Segura de Sistemas Informáticos (ASSI)
System Administration Access Control
Patrício Domingues, ESTG/IPLeiria, 2024
(c) Patricio Domingues

User Education

Phishing, keyloggers
– Scientific article: K. Thomas et al., "Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials", 24th ACM Conference on Computer and Communications Security, 2017. https://research.google.com/pubs/pub46437.html
  – 250,000 valid login names per week
  – 12 million credentials stolen via phishing
  – Only 3.1% of hijacked accounts were using two-factor authentication
– EDUCATE USERS

Users as targets…
– Regular users are targets of attacks
  – Phishing
  – Ransomware
– Attackers often use social engineering to gain access
  – Human beings are prone to trust…
– [Figure: phishing attempts caught by the GMAIL spam filter]

Phishing 101
– Phishing: attacks that trick people into revealing personal information (usernames/passwords/…)
  – Phishing scams used to be emails from "princes" asking for money via wire transfer…
  – Today's attacks are often very targeted (spear-phishing)
    – They may even seem to come from someone we know…
    – Hard to spot even for trained/educated users

Need to educate users (#1)
– Users need to be educated, not solely trained
  – Train + test…
  – Knowledge that is learnt but not applied is quickly forgotten… (2017 Verizon Data Breach Report)

Need to educate users (#2)
– Organizations should have strict rules forbidding dangerous behaviors
  – No use of unknown USB pens ("road apples")
    – Examples: selling cheap (spyware-infected) USB pens near the targeted facilities; a "lost" CD with "Vacation photos" written on it; a USB pen found by "chance"
    – Usual technique in pen testing: http://www.zdnet.com/article/criminals-push-malware-by-losing-usb-sticks-in-parking-lots/

Need to educate users (#3)
– Positive reinforcement: let users feel that…
  – It is not the end of the world to fall victim to an attack (phishing, ransomware, etc.)…
  – Punishing/shaming will only make users hide future potential problems
– Whenever something abnormal is spotted, users should have enough confidence to alert IT personnel
  – Better to report a false positive than to let a true problem go
  – Reporting an abnormality should be part of the Incident Response procedure
  – Reward users who report problems/suspicions

Need to educate users (#4)
– USB thumb drives
  – «In 2008, according to "Dark Territory," a history of cyberwar by Fred Kaplan, Russian hackers accomplished a feat that Pentagon officials considered almost impossible: breaching a classified network that wasn't even connected to the public Internet. Apparently, Russian spies had supplied cheap thumb drives, stocked with viruses, to retail kiosks near NATO headquarters in Kabul, betting, correctly, that a U.S. serviceman or woman would buy one and insert it into a secure computer.» https://www.newyorker.com/magazine/2017/03/06/trump-putin-and-the-new-cold-war

(some) phishing internet domains for "Microsoft"
– [Figure: list of phishing domains]

Smishing and quishing (social engineering attacks)

Smishing (#1)
– Smishing: phishing attack that uses text messages (SMS) to deceive people into sharing personal or financial information
  – Combination of the words "SMS" and "phishing"
– SMS has a 98% open rate, significantly higher than email marketing (20%)
– 60% of people open and read text messages within 1-5 minutes of receiving them
– Users are 4.5 times more likely to respond to a text than to an email

Smishing (#2)
– Smishing: SMS + phishing
  – "The Smishing Triad network sends up to 100,000 scam texts per day globally."
  – Example: "The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered."
  – "In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers"
  – "More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains."
  – https://www.wired.com/story/usps-scam-text-smishing-triad/

Quishing (#1)
– Quishing (QR codes): type of phishing attack that uses QR codes to deceive victims into visiting malicious websites or downloading harmful content
  – Instead of clicking a malicious link in an email, users are tricked into scanning a QR code that redirects them to a fraudulent site

Quishing (#2) and (#3)
– Quishing example: "Scanning Danger: Unmasking the Threats of Quishing" (trellix.com) [figures]

Is that email really from the boss? CASE-STUDY: BUSINESS EMAIL COMPROMISE (BEC)

Business Email Compromise (#1)
– BEC: scam specific individuals with emails ordering them to send money to a given place
  – Targets individuals who pay bills in companies, governments, etc.
  – The scammer can pose as a reliable source, e.g., the boss, a vendor, etc.
  – Example: the boss is in a foreign country and his/her credit card has been cancelled; he/she urgently needs money. A vendor/supplier asks for the payment of an invoice.
– The emails ask the target to:
  – Pay an invoice
  – Wire money
  – Buy gift cards
– The demand appears to be legitimate
  – Often, they create a sense of urgency: the person needs to act right now to avoid consequences for the organization/employees

Business Email Compromise (#2)
– Business Email Compromise (BEC) remains the most common and most costly threat facing customers
  – 2020: fifth year in which these schemes held the top position in the annual FBI Internet Crime Complaint Center (IC3) report
  – 2016: $360 million; 2020: $1.8 billion
  – Losses per victim: $96,372
  – Source: 2020 FBI report

Business Email Compromise (#3)
– Types of BEC frauds
  – CEO directing the CFO to wire money to someone (email, "fake voice")
  – Vendors or suppliers asking that invoice payments be changed to a different bank account
  – Lawyers redirecting proceeds from sales of real estate into a new account
  – Employer appealing to the recipient to buy gift cards on their behalf
  – https://www.bbb.org/globalassets/local-bbbs/council-113/media/bbb-explosion-of-bec-scams.pdf
– Evaldas Rimasauskas registered a company in Latvia with the same name as Quanta Computer, a Taiwan-based electronics manufacturing giant. Knowing that Facebook and Google used Quanta's technology in their data centers, Rimasauskas sent emails to the firms claiming to come from Quanta with forged invoices and fraudulent contracts. https://tinyurl.com/y4xwb8uj

BEC and deepfake audio
– Deepfake Audio Scores $35M in Corporate Heist
  – A combination of business email compromise and deepfake audio led a branch manager to transfer millions to scammers.
  – A group of fraudsters made off with $35 million after using forged email messages and deepfake audio to convince an employee of a United Arab Emirates company that a director requested the money as part of an acquisition of another organization.
  – The attack targeted a branch manager with emails that appeared to be from the director and a US-based lawyer, who the emails designated as coordinator of the acquisition. This attack uses synthetic audio created using machine-learning algorithms, known as neural networks, to mimic the voice of a person known to the targeted employee.
  – Yet the technical requirements are no longer a hurdle for anyone who wants to create deepfakes. Maor estimates it takes less than five minutes of sampled audio to create a convincing synthesized voice, but other estimates put the necessary raw audio at two to three hours of samples. Lesser quality synthesis takes a lot less time. For many business executives, attackers can pull the necessary audio from the Internet.
  – https://www.darkreading.com/attacks-breaches/deepfake-audio-scores-35-million-in-corporate-heist

Interesting read
– "SilverTerrier – Nigerian Business Email Compromise": https://unit42.paloaltonetworks.com/silverterrier-nigerian-business-email-compromise/

CASE-STUDY: PASSWORDS

Common passwords
– Which is the most common password? 123456

Case-study "passwords"
– Passwords
  – Used almost everywhere as authentication mechanism
  – Based on "something you know": single-factor authentication
  – Nowadays, 2-factor authentication is recommended
  – For many years, password guidelines were broken
    – NIST, 2003: "Passwords should be forcibly changed periodically", every 90 days

Case-study "passwords" (#1)
– Passwords
  – Used almost everywhere as authentication mechanism
  – Based on "something you know": single-factor authentication (https://twitter.com/proppersonnel/status/733196528811151361)
  – Data breaches have revealed many, many passwords
– 10 most common passwords of 2021: 123456, 123456789, qwerty, password, 1234567, 12345678, 12345, Iloveyou, 111111, 123123

Case-study "passwords" (#2)
– Humans are not good at selecting strong passwords…
– Good password: random with high entropy
  – But… it's difficult to remember…
  – Example (32 chars): 2ab919e8d28bcbc74be0598358c2183f

Remember…
– IHG hack: "They accessed the FTSE 100 firm (…) thanks to an easily found and weak password, Qwerty1234"

Password / xkcd
– https://xkcd.com/936/

Case-study "passwords" (#3)
– NIST, 2003 password guidelines (Bill Burr, NIST 800-63B)
  – Force users to periodically (e.g., every 90 days) change their passwords, and force the new password to be different from the old one
  – Force users to have long passwords with mixed cases (e.g., wOr342TA-Hdf12)
– Note
  – At the time, there was practically no data on passwords of real users; guidelines were based on "common sense"
  – Nowadays, due to the many password data breaches, there are huge lists with real passwords

haveibeenpwned.com
– Password breach? Site to test whether an email address has been found in a data breach: https://haveibeenpwned.com
– DO NOT reuse passwords across websites/email accounts, etc.

haveibeenpwned.com/passwords
– Service of haveibeenpwned.com: number of times a given input was detected as a password in data breaches. https://haveibeenpwned.com/Passwords

ENTROPY

Entropy of a password (#1)
– Robustness is measured through entropy
  – "This password has n bits of entropy"
  – To guess an n-bit entropy password, one needs on average 2^(n-1) attempts, and at most 2^n attempts
– How to compute the entropy?
  E = log2(R^L) = L * log2(R)
  where:
  – R: size of the pool of unique characters from which we build the password
  – L: password length, i.e., the number of characters in the password
  – Entropy grows with the log2 of R (diversity) and linearly with L
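A worked implementation of E = L * log2(R), added here as an example (not the lecture's pastebin script), which also covers the per-byte file entropy measure the later slides describe. The helper names are my own; R is computed the way the lecture's examples do (distinct characters in the password), with an optional full-charset view that models the pool a brute-force mask would search.

```python
"""Password entropy E = L * log2(R) and per-byte file entropy (added example).

Assumptions (not from the slides): the helper names below are my own; the
lecture computes R as the number of distinct characters in the password, and
the per-byte measure is the Shannon entropy that tools such as `ent` report.
"""
from __future__ import annotations

import math
import random
from collections import Counter
from typing import Optional


def password_entropy_bits(password: str, pool_size: Optional[int] = None) -> float:
    """E = L * log2(R).

    With pool_size=None, R is the number of distinct characters actually used,
    which is how the lecture's examples (123456 -> R=6) are computed. Pass an
    explicit pool_size to model the attacker's view (the whole charset).
    """
    if not password:
        return 0.0
    r = pool_size if pool_size is not None else len(set(password))
    return len(password) * math.log2(r)


def charset_pool_size(password: str) -> int:
    """R as the sum of the character classes present (hashcat-style sizes:
    ?l=26, ?u=26, ?d=10, ?s=33). This is the pool a brute-force mask would use."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return pool


def guesses_needed(bits: float) -> tuple[int, int]:
    """(average, worst case) guesses for an n-bit password: 2^(n-1) and 2^n."""
    n = math.ceil(bits)
    return 2 ** (n - 1), 2 ** n


def shannon_entropy_per_byte(data: bytes) -> float:
    """Entropy in bits per byte, H = -sum(p_i * log2(p_i)) over byte values.
    Ranges from 0.0 (one repeated byte) to 8.0 (all 256 values equally likely)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    for pw in ("123456", "288fc59a22c99621d8dba83650de964b"):
        e_used = password_entropy_bits(pw)
        e_pool = password_entropy_bits(pw, charset_pool_size(pw))
        print(f"{pw}: {e_used:.2f} bits (distinct chars), "
              f"{e_pool:.2f} bits (full charset), "
              f"worst case {guesses_needed(e_used)[1]:,} guesses")

    # Constructed sample inputs: structured text vs. pseudo-random bytes
    # (the random bytes stand in for a compressed or encrypted file).
    text = b"the quick brown fox jumps over the lazy dog " * 100
    noise = random.Random(1).randbytes(4096)
    print(f"text : {shannon_entropy_per_byte(text):.2f} bits/byte")
    print(f"noise: {shannon_entropy_per_byte(noise):.2f} bits/byte")
```

The two entropy figures for the hex password differ because an attacker does not know that only 15 of the 16 hex digits were used; the full-charset figure is the one a brute-force estimate should use.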
Entropy of a password (#2)
– E = log2(R^L) = L * log2(R)
– Examples
  – 123456: R=6, L=6, E = 6 * log2(6) = 15.51 bits ≈ 16 bits
  – 288fc59a22c99621d8dba83650de964b: R=15, L=32, E = 32 * log2(15) = 125 bits

Entropy of a password (#3)
– Simple Python 3 script to compute entropy: https://pastebin.com/d3NvGTU8

Entropy of a file (#1)
– There are several definitions of entropy
  – Entropy per byte
    – A high value (e.g., 7.9 bits/byte) means that the file is practically unstructured (high entropy/randomness) and thus will not compress significantly: compressed files and encrypted files have high entropy
    – A low value (e.g., 4.5 bits/byte) means that the file has high redundancy/structure and will compress significantly: e.g., a text file
– Tools that compute the entropy of a file
  – Linux: ent (needs to be installed)
  – Windows: Detect It Easy (GUI application)

Entropy of a file (#2)
– ent (@Linux) [figure]
– Detect It Easy (@Windows): NTInfo |.:NTInfo:. (horsicq.github.io) [figure]

Time for a random brute-force attack
– Worst case
– Test with 12 RTX 4090 / bcrypt [table]
– bcrypt is a good algorithm, although Argon2 and scrypt are more robust
– Long passwords are safer

NIST SP 800-63-4
– Password rules by NIST, 2024
  – Passwords should have at least 8 characters, and ideally 15 or more characters, up to 64 characters
  – ASCII and Unicode should be permitted in passwords
  – Rules should NOT require periodic password changes
    – Users do not invest in a strong password if the password is solely valid for 60 to 90 days…
    – Obviously, if there is evidence of a data breach/credential stuffing, passwords need to be changed
– +info: https://pages.nist.gov/800-63-4/sp800-63b.html

7 steps to password perfection
1. Use a password manager (this avoids password reuse): KeePass, Bitwarden, 1Password, LastPass, …
2. Go long: long passwords are more secure (15 characters or more)
3. Keep special characters separated: don't put all special characters at the beginning or at the end
4. Don't periodically change your password: this makes remembering passwords more difficult
5. Single-serve only: don't use the same password on different sites
6. Don't trust the browser!
7. Add two factors whenever possible
– https://www.wired.com/story/7-steps-to-password-perfection/

Password reuse?
– "Credential stuffing": tries to take advantage of password reuse

Passwords and users
– Educate users
  – "Don't leave written passwords where they can be seen"
    – This is also valid for other documents: CLEAN DESK
  – "Don't share passwords with anyone"
    – If someone asks a user for his/her password, the user should report it as soon as possible to the IT team
    – Some companies might have a (legitimate) password-sharing policy among a set of colleagues

Passwords on photos… (#1)
– 2017.07: the "Hawaii Emergency Management Agency" leader gave an interview
  – A photo of him was taken capturing a post-it with the word "password" and what appears to be a password…
– Sanitize your environment!
Passwords on photos (#2)
– Greek Alternate Minister of Public Order and Citizen Protection
  – Official photo from the website
  – user: ypourgos (Greek word for minister)
  – pass: 123456

Passwords on videos…
– [Figure]

The same goes for physical keys
– https://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/
– CAD files of the TSA master key: https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys
– https://www.tiktok.com/@thatpropertyguy/video/6941801344059591941

Passwords publicly available (#1)
– Some authentication credentials are left publicly available by mistake
– These credentials can be found through Google queries ("Google Dorks")
  – Google Hacking Database: https://www.exploit-db.com/google-hacking-database

Passwords publicly available (#2)
– Saving passwords in publicly accessible web pages
– Finding these was as easy as typing into Google things like:
  – inurl:https://trello.com AND intext:ssh AND intext:password
  – inurl:https://trello.com AND intext:@gmail.com AND intext:password
– Source: https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724

Can we guess the entry code?
– [Figure: keypad with worn keys #2 #3 #5 #0]
– Source: https://twitter.com/thorsheim/status/269381568022339584

4-digit PIN
– [Figure]

Leaked passwords…
– Danger of leaked passwords
– Bitcoin address: 1JsACYBoRCYkz7DSgyKurMyibbmHwcHbPd
  – 2021.10.09: 4257.210 BTC are worth $230,811,433.47

Password managers (#1)
– We have so many passwords… How can we (securely) manage passwords?
– Password managers
  – Online (cloud-based)
    – LastPass (www.lastpass.com), …
    – See: https://www.pcmag.com/article2/0,2817,2407168,00.asp#
  – Local
    – KeePass (www.keepass.info) and derivatives

Password managers (#2)
– Cloud-based (online)
  – Passwords are kept online, at the remote site
  – The user only needs to know the master password
  – Can be configured to automatically fill authentication forms (login + password)
    – Avoids falling for "fake similar URLs": mail.google.com vs. mail.g0ogle.com
– Local
  – Passwords are (securely) kept locally
  – Vulnerable to copy-paste hijacking
  – Can be further protected with a key file or a hardware device

Copy-paste hijacking
– What's copy-paste hijacking?
  – Malware that intercepts copy-paste operations
  – It can change the content when pasting is done
  – http://bit.ly/2yzT6Z8 (13 BTC in June 2017 = 36,000 US dollars)

Keepass
– Open source (GPL v2 or later)
– Available for Windows, Linux, Android, iOS
– Passwords are kept in a local database, encrypted with the AES/Rijndael and Twofish algorithms
– The master key can be: a password; a key file; password + key file
– The application supports plugins

Google Password Manager
– Available for any Google account: https://passwords.google.com/
– It has the following functionalities
  – Save passwords (Chrome, Android)
  – Auto sign-in
  – Export passwords
  – On-device encryption

Contingency plan for passwords
– Organizations need to have a contingency plan regarding passwords
  – What if an employee disappears while he/she is working on an important project?
– Example: financial company "Cantor Fitzgerald"
  – Policy: each employee had to share his/her password with four nearby colleagues
  – But… the company headquarters were in the Twin Towers, destroyed on September 11, 2001
  – The company had to resort to brute-force, social engineering and Microsoft to restore access

Cantor Fitzgerald company
– "Not long after the planes struck the twin towers, killing 658 of his co-workers/friends, one of the first things on Lutnick's mind was passwords. This may seem callous, but it was not."
– "Lutnick, who had taken the morning off to escort his son, Kyle, to his first day of kindergarten, was in shock. The biggest threat to that survival became apparent almost immediately: No one knew the passwords for hundreds of accounts and files that were needed to get back online in time for the reopening of the bond markets."
– "Cantor Fitzgerald did have extensive contingency plans in place, including a requirement that all employees tell their work passwords to four nearby colleagues. But now a large majority of the firm's 960 New York employees were dead."
– Source: "The secret life of passwords" (http://nyti.ms/2xd0PuI) [book]

Default passwords
– Many devices have default access credentials: "default passwords"
  – Routers, switches, printers, many IoT devices, etc.
– It is important to change or deactivate default access credentials
– Example: TP-Link-defaults, a Python script for trying default passwords for some TP-Link hotspots: https://www.kitploit.com/2018/07/tp-link-defaults-python-script-for.html
– Always check new equipment for possible default credentials
– Periodically check equipment for possible default access credentials
– https://www.bbc.com/news/technology-45757528
– https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

Shoulder surfing
– Shoulder surfing: technique to obtain information such as personal identification numbers (PINs), passwords, etc. by looking over the victim's shoulder
  – Watching keystrokes on a device, or sensitive information being spoken and heard
  – Example: Edward Snowden
– Prevention
  – Password manager
  – Two-factor authentication
  – Blanket of security (extreme)

CASE-STUDY: SECURITY QUESTION

Case-study: security question (#1)
– Security questions: avoid them
  – Answers can be publicly available
– Famous case: Sarah Palin / 2008
  – Candidate for vice president in the USA presidential election
  – Email account at Yahoo was hacked through "password recovery"
    – Needed data: birthdate, ZIP code and "where has she met her spouse" (Google search)
    – The hacker was caught
    – He posted a screenshot on 4chan [figure: screenshot of the hack dumped to 4chan]
    – Sentenced to one year in prison

Case-study: security question (#2)
– What to do if a security question is mandatory?
  – Answer with a random string…
  – Keepass generates random strings (for password usage). Example: dc087c651b1cf8dd4605da8ee07c0f4f
  – Save the random string (e.g., in Keepass)

Case-study: security question (#3)
– Equifax
  – Another (smaller) data breach, from March 9, 2016
  – Equifax revealed that attackers "gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees' pins".
  – Equifax was unable to identify how much fraudulent access occurred, since the logins looked legitimate to its system
– Security questions are dangerous

Lab sheet 10 (Ficha 10): keepass + entropy

SMS, SS7 FLAWS AND SIM-JACKING

Out-of-band devices and SMS
– OOB devices and SMS
  – "If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number"
    – SMS are vulnerable to hijacking (e.g., the individual uses a VoIP service, or the SIM has been hijacked)
  – "Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change"
  – "OOB [Out of band verification] using SMS is deprecated"
– Design flaws in SS7 (Signalling System Number 7) allow an attacker to divert SMS containing a one-time passcode (OTP) to their own devices
  – Attacks on Gmail, Twitter, Facebook, …

SS7 and its flaws
– SS7 is broken (SS7 = CCSS#7 in the US)
  – SS7: set of protocols allowing phone networks to exchange the data needed for…
    – passing calls and text messages between each other
    – ensuring correct billing
    – allowing users on one network to roam on another (roaming)
  – SS7 was created in 1975. Telecom companies trusted each other and saw no need for security…
  – Mainly used in 2G and 3G (4G uses the Diameter protocol, but authentication and access control features are optional)
– Any attacker that interconnects with the SS7 network (e.g., spy agency, fake phone company, …) can send commands to a subscriber's home network falsely indicating that the user is roaming
  – This allows tracking the target's location and intercepting phone calls and SMS, including two-factor authentication codes…

SIM-jacking (#1)
– SIM-jacking: taking control of someone else's phone number
  – By controlling the phone number, the hacker can
    – redirect password resets to his/her own phone
    – bypass SMS-based two-factor authentication
– How is it done?
  – Deceiving the phone carrier
  – Bribing employees of the phone carrier
  – Bugs in the phone carrier's web operation
– How to protect?
  – 2FA based on TOTP
  – Passkeys
– Real cases:
  – https://bit.ly/2PAgePb
  – https://bit.ly/2JwskVE

SIM-jacking (#2)
– «Harris has been charged with hacking, identity theft, and grand larceny, according to a statement of facts provided by the authorities to Motherboard. Harris is accused of stealing $14 million in cryptocurrency from Crowd Machine, a blockchain startup. On September 21, Harris allegedly hacked the company's CEO and stole his private keys, which allowed him to access Crowd Machine wallets and steal the cryptocurrency.»
– «Harris is just the last in a growing list of arrests. At the end of July, REACT arrested 20-year-old Joel Ortiz, accusing him of having stolen millions on cryptocurrency. Then Florida authorities arrested a 25-year-old. Finally, before Harris, California cops nabbed 19-year-old Xzavyer Narvaez, who used stolen bitcoin to buy luxury cars.»
– +info: https://motherboard.vice.com/en_us/article/7x3may/cops-arrest-sim-swapper-14-million-cryptocurrency

Vishing and StingRay
– SMS as a second factor
  – A phone number can be maliciously redirected
    – "Vishing": voice phishing. Ex: https://www.youtube.com/watch?v=lc7scxvKQOo
  – The cellular network can be hijacked
    – StingRay: fake cell towers
      – Intercept phone calls
      – Downgrade communications to 2G or 3G to decipher calls

TWO-FACTOR AUTHENTICATION (2FA)

Two-factor authentication
– The list of bad practices:
  – Use of unsupported (or end-of-life) software
  – Use of known/fixed/default passwords and credentials
  – Use of single-factor authentication for remote or administrative access to systems

Case-study: Google 2FA (#1)
– Two-factor authentication (2FA): regular password + second factor
– The second factor can be:
  – SMS
  – Voice call
  – Google Authenticator (app)
    – Google Authenticator/Microsoft/… setup and usage [figure]

Case-study: Google 2FA (#2)
– What happens if the 2FA device is lost/broken, etc.?
  – The system provides for "backup codes"
  – Users should keep the backup codes in a safe and secure place

TOTP protocol
– Time-based One-Time Password (TOTP)
  – Algorithm to compute a one-time password (RFC 6238)
  – Uses: a shared secret (secret key) and the current time
  – To circumvent out-of-sync clocks, time increments in N-second intervals; N is typically 30 seconds
  – TOTP is built on a Hash-based Message Authentication Code (HMAC)
  – The secret key needs to be shared between server and user when TOTP is set up
  – http://bit.ly/2zCJZGA

TOTP key generator
– Online TOTP key generator: http://www.xanxys.net/totp/
– KeePassXC: password manager with TOTP: https://keepassxc.org/

2FA is not bulletproof…
– Phishing attempts for 2FA codes: "DO NOT SHARE THIS CODE!" (warning)
– There are services for 2FA bypass through phishing and/or 2FA fatigue
  – Example: "Three men have pleaded guilty to running OTP.Agency, an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K"
  – "OTP.Agency promised to help deliver OTPs for over 30 online services, including Apple Pay, for weekly subscriptions that ranged between £30, for the basic plan and £380 for the elite one."
  – Source: https://www.bleepingcomputer.com/news/legal/admins-of-mfa-bypass-service-plead-guilty-to-fraud/

PASSKEY

Passkey (#1)
– Passkey: type of user verification method to digitally authenticate a user
  – Based on the FIDO2 standards
  – FIDO2 is a set of standards that aims to provide strong and passwordless authentication methods
    – WebAuthn: client API, manages public key credentials
    – CTAP (Client to Authenticator Protocols): authenticator API (CTAP1 & CTAP2)
– With a passkey, a user authenticates him/herself with a device (e.g., smartphone, security key, computer) which needs to be physically close to the user
  – The user must unlock the device
– It relies on private/public keys
  – The private key is kept in the authentication device (smartphone, computer, etc.)
  – The public key is kept at the site which requires authentication (e.g., Google account, etc.)
– It is domain specific: google.com, github.com, …

PassKey analogy
– Imagine a pair of a digital key and a digital keyhole
  – The user's device holds the key
  – The website holds the keyhole
– There is no need to remember complex passwords (or have them in a password manager) or to wait for 2FA codes
– Loophole: it can introduce a point of failure if the smartphone is stolen/accessed

Login with PassKey
– Example (Windows): https://www.passkeys.io/

Passkey (#2)
– [Figure: WebAuthn and CTAP1/CTAP2]

Passkey (#3)
– Steps of passkey
  – Registration: the user sets up a passkey on the device
  – This passkey is stored securely on the user's device
  – When a user is asked to sign in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key)
  – The app or website can use this mechanism instead of the traditional (and insecure) username and password
– Authentication
  – The user is prompted to provide his/her passkey
  – The device uses the passkey along with other cryptographic methods to generate an authentication response
  – The passkey is never transmitted over the network

Passkey (#4)
– Authentication with a passkey
  1. The server sends a single-use challenge
  2. The authenticator device signs the challenge with the private key
  3. The server uses the public key to check that the signature is from the authenticator device
– How does it work across devices?
  – The user at the computer wants to access his/her Google account using the smartphone to authenticate ("authenticator")
  – This can be done with a passkey. The Google account generates a QR code; the QR code holds a FIDO challenge
  – The user scans the QR code and is asked to provide the unlock code to the smartphone (PIN, fingerprint, FaceID, etc.)
  – The smartphone communicates via Bluetooth with the computer (requires Bluetooth on the smartphone and on the computer)
  – The user is authenticated

Passkey (#5)
– Google made "PassKey" the default authentication method for GMAIL and YouTube in October 2023
– Others have enabled PassKey as well: Amazon, GitHub, WhatsApp, …

Passkeys (#6) – github.com
– Signing in to github.com with a passkey: authentication at the smartphone (locking pattern, fingerprint, etc.) [figure]

Windows 11 – passkey artifacts
– There are two main digital forensic artifacts in Windows 11 linked to passkeys
  – LOG: Microsoft-Windows-WebAuthN%4Operational.evtx
    – Several event IDs save meaningful data for digital forensics
  – Registry: Computer\HKEY_USERS\S-1-5-20\Software\Microsoft\Cryptography\FIDO\%SID%\LinkedDevices
    – It keeps the model name of smartphones linked to passkey authentication
– Two main passkey operations: registration and authentication

Windows 11 – passkey artifacts (#2)
– LOG events: main events for registration [figure]

Windows 11 – passkey artifacts (#2)
– LOG events: main events for authentication [figure]
– Domingues, P., Frade, M., & Negrao, M. (2024). Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. In Proceedings of the 19th International Conference on Availability, Reliability and Security. Association for Computing Machinery.
92 Passkeys List of sites that support passkey – https://passkeys.directory Simple demonstration – https://passkeys-demo.appspot.com/ – See: https://www.youtube.com/watch?v=ywQ8bFla-L8 (c) Patricio Domingues 93 Ficha 11 (2FA, PassKey) FICHA LABORATORIAL 94 STORING PASSWORDS (c) Patricio Domingues 95 Safely storing users’ credentials (#1)  Lots and lots of data breaches revealing passwords  Very hard (€€) to avoid data breaches – Not “if”, but “when” the organization will be breached…  How can we avoid leakage of our users’ passwords? Protect credentials >> (c) Patricio Domingues 96 Brute-force attack Brute-force attack – Try to guess the password with multiple attempts – Hash(attempt_password) Is it equal to the password representation? How sysadmin can harden If so, bingo! hackers’ life? Else, try new attempt – Use strong hashing Approaches algorithms – Lookup/Rainbow tables Argon2, PBKDF2… – Dictionaries – Use “salting” Hash(password+num_salt) (c) Patricio Domingues 97 Rainbow tables Can be bought – Hard drive with the tables https://www.osforensics.com/tools/rainbow-tables/index.html 98 Safely storing users’ credentials (#2)  Passwords SHALL NEVER be stored in clear text – MD5 is not much better…  Use protected form (one-way functions) to store credentials – Generate a unique (random) salt upon creation of each stored credential (not just per user or system wide) – Per credential salt…  Prevent two identical passwords from having the same protected form  Invalidates “lookup tables” and “rainbow tables” (c) Patricio Domingues 99 Safely storing users’ credentials (#3) Protected form shall use a one-way function – Select one of the following (sorted by preference) one-way function  Argon2  PBKDF2  scrypt  brcypt – All of them are “key stretching”  They have a counter that can be tuned (“iteration count”)  Functions execute very slowly – Goal is to make brute-force attacks worthless (c) Patricio Domingues 100 RockYou databreach (2009) RockYou RockYou’s 
RockYou
– Company that developed applications for social networks
– 2009: data breach exposing their database: 32 million *plaintext* passwords leaked…
– The company did not notify users of the breach…
RockYou’s dataset
– Available in Kali Linux: /usr/share/wordlists/rockyou.txt.gz
– Also available online: http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
– Around 14,340,000 passwords from 32,603,000 accounts

Case study: LastPass (2022)
LastPass data breach and key stretching
– August 2022: disclosure of a data breach by LastPass
 “LastPass suffers major data breach”
 “No customer data accessed; some parts of source code stolen”
– November 2022, update: “Hackers have certain elements of customers’ information” (data vault)
– December 2022, update: “Data accessed by hackers was used to trick a company employee to hand over keys to some customer credentials”
LastPass uses the PBKDF2 algorithm to protect users’ login credentials
– PBKDF2 is a key stretching algorithm
– For some (initial) users, LastPass was using 500 iterations for PBKDF2
– The recommendation is to use 300 000 iterations
– More iterations slow down brute-force attacks

CRACKING PASSWORDS

Tools to crack passwords
 hashcat
 Software for brute-force of passwords
 Dictionary attack, patterns, etc.
 Supports over 100 different types of algorithms
 Office, Oracle, Unix, ...
 Supports multithreading
 Runs on all cores of the CPUs
 Optimized version for GPUs
 cudaHashcat for NVIDIA
 oclHashcat for AMD
 Site: http://hashcat.net/oclhashcat/
 Dictionaries: https://wiki.skullsecurity.org/Passwords/
 Source code: https://github.com/hashcat/hashcat
Example >>

Hashcat 101
Basic usage: four parameters
Argument #1
– -m / --hash-type
 Num=0 for MD5, 1=SHA1, …
Argument #2
– -a / --attack-mode
 -a 0: dictionary or word list
 -a 3: brute-force
Argument #3
– Filename with hashes to crack
Argument #4
– Dictionary or mask
– Mask ?l?l?l = three lowercase letters
Mask charsets:
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz [a-z]
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
d | 0123456789 [0-9]
h | 0123456789abcdef [0-9a-f]
H | 0123456789ABCDEF [0-9A-F]
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

Example: -m 0 (MD5), -a 3 (brute-force), password with 7 symbols
hashcat -m 0 -a 3 -o results.txt FileWithHashesToCrack ?a?a?a?a?a?a?a

Which hash is it?
hashid
– Python script that aims to guess the type of a given hash
– Example
– Hashcat also allows hash identification: option --identify
Recovering the password
hashcat -a0 -m1800 hash.txt rockyou.txt --force
– Password is: hunter2

Attack on credentials
 Hackers have gained access to the authentication database…
– If passwords are in plain text
 It’s game over
– If passwords are hashed without salt or with a system-wide salt…
 Dictionary (brute-force) attack, lookup attack
– If passwords are hashed with per-credential salt
 Dictionary (brute-force) attack
– If passwords are hashed with salt + slow one-way function
 Dictionary (brute-force) attack is painfully slow
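The storage ladder on the “Attack on credentials” slide, together with the key-stretching point from the LastPass case study, as an added Python example that is not part of the slides: it counts how many hash computations a dictionary attack needs against unsalted MD5 versus per-credential-salted PBKDF2 (Python’s hashlib), and how the iteration count multiplies that cost. The wordlist and the three accounts are constructed for the demo.

```python
# Added example, not from the slides: the storage options of the "Attack on
# credentials" slide measured as attacker work. Wordlist and accounts are constructed.
import hashlib, hmac, os

WORDLIST = ["123456", "password", "hunter2", "iloveyou", "qwerty"]  # constructed

def md5_unsalted(password, salt=b""):
    """Fast hash, no salt or one system-wide salt: what the slides say NOT to do."""
    return hashlib.md5(salt + password.encode()).digest()

def pbkdf2_store(password, iterations):
    """Protected form the slides recommend: random per-credential salt + key stretching."""
    salt = os.urandom(16)  # unique per stored credential, not per user or system-wide
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def pbkdf2_verify(password, record):
    """Recompute with the stored salt/iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def crack_unsalted(stored):
    """One lookup table (hash -> word) serves every account: cost = len(WORDLIST)."""
    table = {md5_unsalted(w): w for w in WORDLIST}
    return {user: table.get(h) for user, h in stored.items()}, len(table)

def crack_salted(stored):
    """Per-credential salt: every word re-hashed per account, each guess costing `iterations` rounds."""
    found, work = {}, 0
    for user, rec in stored.items():
        for w in WORDLIST:
            work += 1
            if pbkdf2_verify(w, rec):
                found[user] = w
    return found, work

def demo(iterations=500):  # 500 was LastPass's old count; 300 000 is the recommended one
    users = {"ana": "hunter2", "bob": "hunter2", "cris": "qwerty"}  # constructed accounts
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: pbkdf2_store(p, iterations) for u, p in users.items()}
    cracked_u, work_u = crack_unsalted(unsalted)
    cracked_s, work_s = crack_salted(salted)
    return {"same_hash_unsalted": unsalted["ana"] == unsalted["bob"],  # True: reuse is visible
            "same_hash_salted": salted["ana"]["hash"] == salted["bob"]["hash"],  # False
            "cracked_unsalted": cracked_u, "hashes_unsalted": work_u,
            "cracked_salted": cracked_s, "hashes_salted": work_s,
            "pbkdf2_rounds_salted": work_s * iterations}

if __name__ == "__main__":
    print(demo())
```

Raising `iterations` from 500 to 300 000 leaves the number of guesses unchanged but multiplies the attacker’s PBKDF2 rounds per guess by 600, which is the whole point of key stretching.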
Be careful with illegal software!
Source: http://bit.ly/2h8mMbI
“…trojanised illegal Microsoft Office key generator…”

Spies spying spies spying spies…
 “Israeli intelligence looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.”
 “What gave the Russian hacking such global reach was its improvised search tool — antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide.”
 “The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.”
 “The Wall Street Journal reported last week that Russian hackers had stolen classified N.S.A. materials from a contractor using the Kaspersky software on his home computer.”
Source: http://nyti.ms/2xVz09Z

More about passwords
 “Password Storage Cheat Sheet”, OWASP (http://bit.ly/1gVO8Xa)
 “Cryptographic Storage Cheat Sheet”, OWASP (http://bit.ly/2p0le4S)
 “Password security: past, present, future”, Openwall, 2012 (http://bit.ly/2ztxSvc)
 Sarah Pearman et al., “Let's Go in for a Closer Look: Observing Passwords in Their Natural Habitat”, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
 Briland Hitaj, Paolo Gasti, Giuseppe Ateniese, Fernando Perez-Cruz, “PassGAN: A Deep Learning Approach for Password Guessing”

Bibliography
 Lee Brotherston, Amanda Berlin (2016). Defensive Security Handbook: Best Practices for Securing Infrastructure. O'Reilly Media.
– “User Education” (Chapter 5)
– “Password Management and Multifactor Authentication” (Chapter 13)
