Thursday 14 September 2017

OWASP AppSec Day - How to Spot a Wolf in Sheep's Clothing


This was a talk on account takeover, by Nick Malcolm, a security consultant at SafeStack. He reminded me a lot of MrMoustache - mostly because he sounds a lot like him. He was a really engaging speaker, I loved listening to him. He framed the whole talk through the story of Little Red Riding Hood - since the wolf figuratively took over her grandmother's account.

What is account takeover?
This is not as simple as it sounds. For most services, it's expected that the owner of the account is the one who knows the credentials and is allowed to access it. For instance, I am the owner of my bank account, and the credentials (my bank card, or a combination of ID) allow me to access it. However, when it comes to technology accounts, that's not enough to define who is supposed to be able to access it. Nick asked for a show of hands who knows someone else's credentials for something. A lot of people raised their hands - people generally know the credentials of accounts other than ones they own. I know my mum's email account and Facebook account credentials. I know MrFodder's phone PIN. MrFodder knows mine. There are tons of legitimate reasons why you'd share credentials with another person - though it's mostly for the sake of convenience.

So what's generally meant by account takeover is when someone who you don't want to have access to your account gains access to your account.

This can happen in a bunch of ways:

  • Remote
    • credential stuffing and password re-use
    • phishing
  • Local
    • malware (e.g. keyloggers)
    • XSS
    • man in the middle
    • remote access scams
    • device theft

Credential stuffing is when attackers take the credentials you've used on one site (typically because that site was hacked), and try that same combination on another site. Even if you think you're being clever, and you use password1 on one site and password2 on another site, they have programs that can automate password variation guessing. 81% of hacking-related breaches leveraged stolen or weak passwords. The Equifax Argentina portal for employees was protected by the super secure username and password combination of admin / admin.

Phishing is when an attacker makes a fake website, e.g. www.bankweb.com instead of www.bank.com, and they copy the look of the real website. They trick people into going to their fake website and then steal those credentials when they try to log in. Usually, they'll redirect you to the real website after recording your details, so you may not even realise.

How to prevent account takeover
2-factor authentication: The security industry is a bit divided over whether SMS is a valid form of 2-factor authentication now that attackers are able to easily port your number over to another SIM, or even clone your number and receive your messages. The recommended form of 2FA is now some sort of key generator - either a physical one like an RSA token, or a software one, where you download an app for your phone. Software ones are becoming quite prominent in gaming - even Steam forces you to have an authenticator attached to your account before you can sell things on the marketplace.

Rate-limiting / throttling: Limit the number of login attempts allowed, or add an exponential login timer once you start getting too many failed attempts. This stops an attacker from just brute forcing your credentials, and helps prevent the case when someone's password 5 years ago was password1, and is now password7. The attacker will be locked out before they can iterate through that many variations.
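The exponential login timer described above, as an added example (not code from the talk or from this post). The class and function names, the three free attempts and the 60-second base delay are assumptions chosen for illustration; the replay runs on a simulated clock.

```python
import time


class LoginThrottle:
    """Per-account failed-login counter with an exponentially growing lockout."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # cap, so the owner is never locked out for good
        self.clock = clock                  # injectable so the timing can be tested
        self._state = {}                    # account -> (failures, locked_until)

    def retry_after(self, account):
        """Seconds left before another attempt on this account is accepted."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record_failure(self, account):
        failures = self._state.get(account, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        delay = 0.0 if over <= 0 else min(self.max_delay, self.base_delay * 2 ** (over - 1))
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)      # a correct login resets the counter


def attempts_within_budget(guesses, real_password, budget_seconds, **throttle_args):
    """Replay guesses against one account on a simulated clock, waiting out each
    lockout. Returns (attempts_made, guessed) once the time budget is spent."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **throttle_args)
    attempts = 0
    for guess in guesses:
        now[0] += throttle.retry_after("victim")
        if now[0] > budget_seconds:
            break
        attempts += 1
        if guess == real_password:
            throttle.record_success("victim")
            return attempts, True
        throttle.record_failure("victim")
    return attempts, False


# Constructed input: the password1 .. password9 variations from the text.
VARIATIONS = [f"password{i}" for i in range(1, 10)]
```

Keying the counter on the account alone lets anyone lock a known user out, and it does nothing against one guess per account spread over many accounts, so deployments usually throttle per source address as well.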

Outsource authentication: Google, Facebook and many other popular free services allow you to integrate with them, and use them as the authentication point for your service. So let them do all the hard work.

IP whitelists: Don't allow access from certain IP addresses / ranges. This one can be a bit tricky. I used to be blocked from Alton Brown's website, as it seems I was in one of their blocked IP ranges. I couldn't even access it to find a contact point to ask to be unblocked. :(

Password policies: Only if they're done right! Too many websites force stupidly complex password rules, which just results in people using some kind of password pattern, or writing down their passwords. Nick recommends just enforcing a minimum password length, and checking the password against a known database of common passwords.

Prevention by early detection.

How to detect account takeover
The pattern of attack seems to be harvesting credentials, and then after a certain period of time, testing them, gaining access, and doing bad stuff - with the last three things happening in a short period of time. (This is one of the benefits of changing your passwords often - even if the site gets breached, by the time your credentials are used, you may have already changed your password.)

What kind of patterns of behaviour do your users have?


For Nick, it's common for him to be using Chrome, in Auckland, between 8am and 6pm. It's abnormal for him to be using Safari in Nigeria at 2am.


Also look at the typical actions your users tend to do. Suddenly downloading all of their emails is a bit unusual - though they could be migrating to another account, so that alone isn't strange.


AuthTables (github.com/magoo/AuthTables) uses a Bloom filter to rate certain actions ("Is this in the set? Possibly in the set? Definitely not in the set?") to try and decide whether an action is normal. You can set up rules for pass / fail. However, a downside is that it trusts on first use - so if you use it in an internet café and it doesn't get flagged, it's forever on the trusted list, and you can't remove it.
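To make the Bloom filter and the trust-on-first-use downside concrete, here is an added example; it is not AuthTables' code or API. LoginHistory, its verdict names and its learning rule are hypothetical, and the IP addresses and device names are constructed.

```python
import hashlib


class BloomFilter:
    """Fixed-size bit array; supports add and membership test, but not removal."""

    def __init__(self, size_bits=1 << 16, hashes=4):
        self.size, self.hashes = size_bits, hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        # k bit positions derived from salted SHA-256 digests of the item
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        # False: definitely never added. True: possibly added (false positives exist).
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


class LoginHistory:
    """Hypothetical checker: has this user been seen from this IP / device before?"""

    def __init__(self):
        self.seen = BloomFilter()

    def check(self, user, ip, device):
        keys = [f"{user}|ip|{ip}", f"{user}|device|{device}"]
        if f"{user}|enrolled" not in self.seen:
            verdict = "first-use"          # nothing to compare against: trusted blindly
        else:
            hits = sum(k in self.seen for k in keys)
            verdict = ("unknown", "partial", "known")[hits]
        if verdict != "unknown":
            # Learn the values just seen (assumed rule). A Bloom filter cannot forget
            # them later: clearing bits would also erase other entries sharing them.
            self.seen.add(f"{user}|enrolled")
            for k in keys:
                self.seen.add(k)
        return verdict
```

If the first login happens on a café PC, that machine is what gets trusted, and the user's own laptop is the one that comes back as unknown afterwards.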

Multi-modal: look at a combination of things, like IP address, location, velocity, touch pressure, swipe movement, typing speed, etc. Google I/O's project Abacus found that multi-modal systems were 10 times more reliable than a fingerprint alone.

There are also a heap of machine learning frameworks coming out to work on these kinds of things. As I mentioned in an earlier post on AI / ML, machine learning can pick up anomalies that we haven't even thought of. The tough issue is having the data to train it up - it's hard to have a labelled dataset of normal vs malicious behaviour. One cool thing he showed us was One Class Support Vector Machine, which doesn't need malicious activity to be trained, it just trains itself on learning what your normal behaviour is, and flags anything too far out of those bounds as malicious.

How do you detect anomalies for new users? Typically this is done through cohorts - grouping people based on certain features, like work department, or geography. You can do this in general, just to reduce the amount of data you need to store.

How to respond to an account takeover
Allow them to login, but alert the user in another way. Google sends you an email if it thinks your account has been accessed in a suspicious way - except I think that's silly, because if someone is in my Gmail account, they can probably delete that email! Google does let you link an account so that they'll get an email about suspicious activity, too.

Allow them to login, but give them another test - this is essentially what 2FA is, but there are also tests such as asking you to also enter your phone number or credit card (they'll usually display the last 4 digits and get you to enter the rest, or something like that).

Distributed alerting - Dropbox released a securitybot for Slack (https://github.com/dropbox/securitybot) that displays alerts in a channel, and requires someone to respond to them.


Get tougher as the actions get riskier. A lot of bank apps will happily let you see your balance without logging in (no thank you, not a feature I need -_-), and will only require you to present credentials when you want to do something like transfer money or look at transactions.
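The behaviour baseline from the detection section and the "get tougher as the actions get riskier" rule can be combined into one decision. This is an added example, not from the talk: the action weights, thresholds, the 5% share cut-off and the login history are all constructed assumptions.

```python
from collections import Counter

# Assumed risk weights for actions named in the post (0 = harmless, 2 = high).
ACTION_RISK = {"view_balance": 0, "view_transactions": 1,
               "transfer_money": 2, "download_all_email": 2}

# Constructed history: Chrome in Auckland during the 8am-6pm hours, plus one one-off.
HISTORY = [{"browser": "Chrome", "location": "Auckland", "hour": h}
           for _ in range(2) for h in range(8, 18)]
HISTORY.append({"browser": "Firefox", "location": "Wellington", "hour": 20})


def build_profile(history, min_share=0.05):
    """Per field, keep the values seen in at least min_share of past logins."""
    profile = {}
    for field in ("browser", "location", "hour"):
        counts = Counter(event[field] for event in history)
        profile[field] = {v for v, n in counts.items() if n / len(history) >= min_share}
    return profile


def anomaly_score(profile, event):
    """Number of fields (0-3) whose value is outside the user's usual set."""
    return sum(event[field] not in usual for field, usual in profile.items())


def decide(profile, event):
    """Combine how unusual the session is with how risky the requested action is."""
    risk = anomaly_score(profile, event) + ACTION_RISK[event["action"]]
    if risk <= 1:
        return "allow"
    if risk == 2:
        return "allow_and_notify"        # tell the owner out of band
    if risk <= 4:
        return "challenge"               # step-up test, e.g. a second factor
    return "challenge_and_alert"         # also raise it with the security team
```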

-----------------

What I got from this talk is to enable 2FA where I can, and how important password managers are. I'll write up a blog post on how to use a password manager later. I need to get through 2 more talks, and my photos are nearly a week old!
