Security For The People End-User Authentication Security On The Internet. Mark Stanislav

Transcription

1 Security For The People End-User Authentication Security On The Internet Mark Stanislav

2 A Few Notes on Research Methodology Worked backwards by establishing a list of services that provide users with availability of two-factor authentication Provides us with a more security-forward data set to begin with Gathered additional details per service regarding not just 2FA details but also TLS usage, browser headers, and cookie security! Focus on data completeness and accuracy as much as reasonably possible but this is *not* a scientific study! Does not include software packages with two factor

3 Primary Data Points Utilized Two-Factor Authentication Browser Security Features When was it first offered to users? How do users enroll to enable it? What method(s) are available? What do companies even call it? HTTP Strict Transport Security Content Security Policy X-Frame-Options X-XSS-Protection X-Content-Type-Options Transport Security Session Cookie HttpOnly Session Cookie Secure Do they utilize SSL/TLS for logins? What is their SSL Labs score?

4 Two Factor Deployments Per Year Since Google Authenticator s presence in 2011 has likely led to the mass Number of Deployments adoption of TOTP Many services that support TOTP just say they use Authenticator Facebook also enabled 2FA for users in * Year of Deployment Allows SMS + TOTP * Note, data is only through July 2014

5 How Does A User Actually Enroll In Two Factor? 132 Ease of enrollment is crucial for adoption of security controls Number of Services Having to call, fax, or even may be enough for a user to go! this seems like too much effort It s great to see such a high percent of services allowing users to self enroll (94%) Phone Call Mixed Self Enroll Method of Two Factor Enrollment But what about ease of use?

6 Collective Method Availability Across Services Number of Services Offering SMS Call Card Token Yubikey TOTP HOTP Mobile Duo Authy Rublon Method 12 of the 74 services that support TOTP are Bitcoin related 92% of all Bitcoin services offer TOTP, 62% only offer it to use 73% of hardware token-enabled services are financial or gaming

7 Number Of Methods Per Service By Percentage 11% 4% 2% Of services that offer only a single method, 51% provide TOTP and 14% provide SMS! 51% 62% of services that offer two methods pair TOTP with SMS 33%! MailChimp and OneLogin offer five methods for users to leverage Clavid offers six methods!

8 Two Factor Moniker Usage Since FA MFA 2-Step Verification as a moniker seems to be SV Other going away Deployment Year Google Deploys 2SV 2011: 15% 2012: 28% 2013: 21% : 17% 2013 * Other is usually for custom branding of Moniker Usage Per Year the service s feature * Note, data is only through July 2014

9 A Bit Of A Glossary HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections. Content Security Policy (CSP) provides a header that allows websites to declare approved sources of content that browsers should be allowed to load on that page. X-Frame-Options can prevent any framing, prevent framing by external sites, or allow framing only by the specified site. X-XSS-Protection enables the XSS filter built into most web browsers IE8, for instance, already has this on by default. X-Content-Type-Options reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable/dynamic HTML. Secure Cookie makes supported browsers only send cookies with the secure flag when the request is going to a HTTPS page. HttpOnly Cookie mitigates cross-site scripting (XSS) attacks by not allowing supported browsers to access cookies client-side Mostly a copy/paste from Wikipedia and OWASP <3

10 Browser Security Features For Service Logins Total Cookie! Cookie! HSTS CSP X-FRAME X-XSS X-Content Sites Secure HttpOnly All Sectors % 7% 56% 22% 22% 75% 78% Technology 83 40% 10% 49% 20% 20% 73% 78% Financial 36 33% 8% 50% 14% 8% 69% 64% Gaming 12 17% 0% 25% 8% 0% 58% 67% Retail 4 50% 0% 75% 50% 50% 75% 100% Social 6 50% 17% 83% 17% 33% 100% 83% Gaming is far behind versus other sectors for browser security Likely because most users spend little time in the browser Social media organizations have more of a focus on browser security due to the common nature of client-side attacks against users

11 SSL/TLS Implementation for Service Logins of the F ratings were because of the OpenSSL CCS 28 vulnerability (CVE ) Total Occurrences Star Wars: The Old Republic actually supported SSL v2!! 7 Amazingly enough, SSLTrust of all people received a C rating 0 A+ A A- B C F Score 3 for their allowance of both 40- bit and 56-bit cipher suites

12 Browser Security + SSL Security All-Stars 2 of 141 services utilized all of tested browser security features and managed to receive an A+ SSL implementation rating

13 Security Pages Yes, Really :) Many companies dedicate an entire page (or at least a big section of a page) to how they protect you and how you can protect yourself Example #1 and others definitely do not Example #2 Example #3 Seems legit.

14 Security Pages Across Two Factor-enabled Services of 51 sites (29%) that do not have a security page are in the domain registration/dns space 72 including GoDaddy, NameCheap, and Hover 54! Count Some of these pages even have a bug bounty and/or responsible disclosure section which is fantastic for further helping to protect users 18 including Google, Facebook, and Coinkite 0 Yes No! Security Page These pages show real concern for security and transparency we could use more!

15 So What Does This All Mean? Consider the data points we now have: Browser security (HTTP headers and cookie security) Transport security (SSL/TLS implementation) Strong authentication (two factor deployments) Corporate security focus (company security page)! What if we could assign a point-scale to those data points and create a composite value of authentication security per service? and what if you had no idea what the hell you were doing?

16 Mark s Authentication Security Scoring Algorithm Crudely Realized Edition MASSACRE

17 How Do We Get a Composite MASSACRE Score? SSL Implementation Browser Security Features Score Points Feature Points A+, A, A-! B+, B, B- C+, C, C-! D+, D, D- F! No SSL/TLS HTTP Strict Transport Security 10 Content Security Policy 15 X-Frame-Options 10 X-XSS-Protection 5 X-Content-Type-Options 5 Secure Session Cookie 10 Security Page Exists? Points Yes 5 HttpOnly Session Cookie 10 Two Factor Enabled? Points Yes point scale add up values to get a score!

18 Professional MASSACRE Scale Score Count Keep in mind, everyone starts with 15 points

19 MASSACRE Scoring Outcomes Best and Worst! Best Scores Company Score GitHub 100 Kraken 100 LastPass 100 FastMail 95 Facebook 90 Best Per Sector Sector Company Score Technology Github, LastPass 100 Financial Kraken 100 Gaming Elder Scrolls Online 65 Retail Etsy 85 Social Facebook 90 Worst Scores Company Score easydns 15 Frostbox 15 Sendloop 15 Fabulous 20 Pobox 20 Worst Per Sector Sector Company Score Technology easydns, Frostbox, Sendloop 15 Financial WeMineLTC 30 Gaming Guild Wars 2, Star Wars: Old Republic, Wildstar 35 Retail Humble Bundle 50 Social HootSuite 45

20 Further Parsing MASSACRE Scores Overall Values Technology Financial Gaming N/A Retail N/A Social N/A

21 How Do Security Features Increase MASSACRE Scores? Overall Values CSP Enabled Security Page? HSTS Enabled SSL ~(A B) SSL ~(C D) SSL ~(F/None) N/A N/A

22 Breaches Of Service Security (Data Loss, Especially) A breach does not include DDoS attacks, direct phishing against customers, dumb users, etc. 28% of services had a public corporate breach Count 54 Breached services had an average MASSACRE score of 64 while unbreached had a worse, So, moot point. Everyone can get hacked :) Sector Total # Breached % Breached 18 Technology % Financial % 0 Yes No Gaming % Retail % Corporate Breach Social %

23 Two Factor Deployments After A Breach Of 37 services that had a deployment date and a breach data, 54% already offered some form of two-factor authentication! Of the 19 services that added 2FA after a breach, it took an average of 255 days to deploy with a median of 128 days It took Linode, Dropbox, MaxCDN, and Buffer < 1 month to deploy 74% offer TOTP (52% offer it across all services) 63% provide 2+ methods (49% across all services)

24 Thanks Go Out To Vikas Kumar and Domenic Rizzolo, two of the amazing interns at Duo Security for doing a ton of data gathering and organization! for being a hugely helpful resource for trying to aggregate 2FA-enabled sites/services to get started with from Qualys for SSL Scoring Steve Werby did similar research on a grander scale last year top websites-password-policies-and-controls- presented-by-steve-werby-at-rich-sec-2013

25 All Done! Questions? Presentations: speakerdeck.com/mstanislav