Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Managing Identity Threats May 2010. 2 Where are the threats ? Customer Web/App Server Vulnerabilities: Trojan sniffers Soliciting Email to enter credentials.

Published byErick Norton Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Managing Identity Threats May 2010. 2 Where are the threats ? Customer Web/App Server Vulnerabilities: Trojan sniffers Soliciting Email to enter credentials."— Presentation transcript:

1 1 Managing Identity Threats May 2010

2 2 Where are the threats ? Customer Web/App Server Vulnerabilities: Trojan sniffers Soliciting Email to enter credentials Fake Phishing website Vulnerabilities: Session hijacking Man-in-the-Middle / Man-in-Browser attack Vulnerabilities: Replay attack Offline dictionary attack Password sniffed in transit Vulnerabilities: Masquerading as customer Masquerading as tech support Masquerading as organization Helpdesk Session

3 3 Threats at the Customer (1/5) Attack Objective: Collecting ID & Password of end-user to impersonate as customer Types of attacks Trojan Horse / Virus Keyboard sniffer Soliciting Email (Pharming) Fake Phishing Website

4 4 Threats at the Customer (2/5) Trojan Horse / Virus Keyboard sniffer What happens: Malicious program that capture the end-user’s ID & password while it is entered by the user and send it to the hacker. More complex sniffers may target knowledge-based authentication (KBA) to capture the questions-answer pairs or target visual-based authentication (VBA) to capture visual-pattern+password pairs.

5 5 Threats at the Customer (3/5) Soliciting Email (Pharming) What happens: User receives an email (or message) prompting them to enter their ID & password in some hacker website in order to “win” some prizes, “re-check” their account, etc. Hacker website will collate captured IDs and Passwords and send it to hacker

6 6 Threats at the Customer (4/5) Fake Phishing Website What happens: User is redirected to a fake website through a compromised DNS, or invalid Wireless Gateway, or similar-looking URL (e.g. www.citi6ank.com) Fake website will have a similar look-and-feel to the actual website, and may fool user to entering the ID and password Fake website will collate captured IDs and Passwords and send it to hacker

7 7 Threats at the Customer (5/5) Best Practice: Use 2-factor authentication at login to render the captured ID and passwords and other KBA, VBA information useless in the hands of the hacker. Customer Web/App Server Vulnerabilities: Trojan sniffers Soliciting Email to enter credentials Fake Phishing website Session DS3 Authentication Server SMS Best Practice: Strong 2-factor authentication using tokens or SMS OTP

8 8 Threats in the Session (1/7) Attack Objective: To fool the application server to believe that the incoming connection is a previously validated session Types of attacks Session Hijacking Man-in-the-Middle / Man-in-Browser attacks

9 9 Threats in the Session (2/7) Session Hijacking What happens: Users unknowingly rely on a malicious or compromised gateway to access the application. After the user has logged in, the malicious gateway may transfer the authenticated session to the hacker’s browser

10 10 Threats in the Session (3/7) Man-in-the-Middle / Man-in-Browser attack What happens: The user’s web session is directed via a malicious reverse proxy which masquerades as the application server in real-time, while connecting to the actual server to maintain a valid SSL user session. The proxy will re-enact the exact sequence of inputs from the user to the application, and render the same output back to the user. Such an attack can render 2-factor authentication (using OTP tokens) useless To attack applications using PKI tokens, the malicious reverse proxy is run within the end-user’s PC to gain similar access to the PKI token. This attack is also known as Man-in-Browser attack.

11 11 Threats in the Session (4/7) Man-in-the-Middle / Man-in-Browser attack The Man-in-the-middle is able to defeat 2-factor authentication And potentially compromise the transaction The Man-in-Browser can be carried out similarly to attack PKI tokens User: Alice, Pwd: XXX OTP is 123456 Welcome What’s your OTP ? User: Alice, Pwd: XXX OTP is 123456 Welcome Alice What’s your OTP ? Pay $X to Mr XYZ Pay $X to Mr ABC OK for $X to Mr XYZ OK for $X to Mr ABC Alice MITM Application Server

12 12 Threats in the Session (5/7) Best Practice: In session-based attacks, the hacker may have already bypassed the authentication process. It is therefore important to implement proper security to ensure the integrity of the transaction as well There are 3 areas where security technologies can be applied: Protecting the session Re-validating the transaction through Out-of-band authentication Requiring the user to provide OTP authorization code for non- repudiation

13 13 Threats in the Session (6/7) Best Practice: Protecting the session The IBM ZTIC is a USB-attached device that can verify the integrity of the SSL web session on behalf of the end-user. Hello Please login Alice MITM ZTIC SSL certificate is flagged as invalid by ZTIC

14 14 Threats in the Session (7/7) Best Practice: Protecting the transaction Use Out-of-band authentication to verify the transaction and use a OTP authorization code for non-repudiation …. Welcome Alice Pay $X to Mr XYZ …. Welcome Alice Pay $X to Mr ABC Please Confirm Transaction ID:9999 to Pay $X to Mr XYZ Auth Code: 123456 SMS Transaction is sent to user in SMS via OOB channel, and modification is detected by user MITM DS3 Authentication server

15 15 Threats at the Server (1/6) Attack Objective: Rogue administrator has elevated rights to the system, and will abuse the rights to get the end- user credentials Types of attacks Replay attacks Offline dictionary attacks Password sniffed in transit

16 16 Threats at the Server (2/6) Replay Attack What happens: Rogue administrator turns on verbose logs in the web server. All users’ login credentials are captured in the web server logs. The administrator copies the login credentials from the logs (even if they were already hashed at the browser) and does a replay of the web session to gain access as the user.

17 17 Threats at the Server (3/6) Offline Dictionary Attack What happens: Rogue administrator gains access to the password database in the system. The administrator copies the database to an external machine, and runs a brute-force attempt to find the users’ passwords against the password records.

18 18 Threats at the Server (4/6) Password sniffed in transit What happens: Similar to the replay attack, but carried out by the network administrator Rogue network administrator turns on sniffing in the intranet. All users’ login credentials being transferred from the web server to the application server are captured in the sniffer logs. The administrator copies the login credentials from the logs (even if they were already hashed at the browser) and does a replay of the web session to gain access as the user.

19 19 Threats at the Server (5/6) Best Practice: The security risk posed by a rogue administrator is even higher than any phishing website. It is important that administrators should be prevented from even gaining access to the users’ ID and password login credentials. There are 3 areas where security technologies can be applied: Use end-to-end encryption of passwords from browser to authentication server Store passwords in a hash+encrypted manner Implement 2-factor authentication for end-user logins

20 20 Threats at the Server (6/6) Best Practice: Customer Web/App Server Vulnerabilities: Replay attack Offline dictionary attack Password sniffed in transit Session Best Practice: End-to-end encryption of passwords Password storage in hash- encrypted mode 2-factor authentication at login UserID Pwd ****** abc Login 1. In addition to SSL session encryption, Password is RSA encrypted with session nonce using Javascript or Java Applet for end-to-end encryption 3. Passwords remain RSA encrypted at web- server logs 2. Encrypted password with session nonce protects against replay attacks DS3 Authentication Server 4. Passwords are stored hash+encrypted in DS3 Authentication Server. DS3 Server will RSA decrypt the password, check the session nonce before verifying the password.

21 21 Social Engineering Threats (1/5) Attack Objective: To fool victim to carry out certain functions or reveal certain information Types of attacks Masquerading as customer Masquerading as technical support Masquerading as organization

22 22 Masquerading as customer What happens: Hacker is doing brute force attack on customer account and has locked the account. Hacker will try to convince Helpdesk to unlock the account Social Engineering Threats (2/5)

23 23 Masquerading as technical support What happens: Hacker pretends to return call from tech support company to convince administrator to reveal information about the system, and even the administrator password Social Engineering Threats (3/5)

24 24 Masquerading as organization What happens: Hacker may pose as the organization to convince the user to reveal the password; or Hacker may pose as the organization to obtain answers from user on personal questions in order to gain access to the password reset function. Social Engineering Threats (4/5)

25 25 Best Practice: Besides enforcing strong authentication for end-user logins, administrative or privileged accounts for internal systems should also be protected with 2-factor authentication. Change or re-set password self-service screens should require the 2 nd -factor credential as part of the change/reset password process. Social Engineering Threats (5/5) PAM_RADIUS UNIX UserID, Password + OTP OK Verify Administrator DS3 Authentication Server Windows GINA VPN RADIUS Authentication

26 26 Addressing the threats Customer Web/App Server Vulnerabilities: Trojan sniffers Soliciting Email to enter credentials Fake Phishing website Vulnerabilities: Session hijacking Man-in-the-Middle / Man-in-Browser attack Vulnerabilities: Replay attack Offline dictionary attack Password sniffed in transit Vulnerabilities: Masquerading as customer Masquerading as tech support Masquerading as organization Helpdesk Session Best Practice: Strong 2-factor authentication using tokens or SMS OTP Best Practice: Verify the session Use OOB to re-validate the transaction User to provide OTP auth-code for non-repudiation Best Practice: End-to-end encryption of passwords Password storage in hash- encrypted mode 2-factor authentication at login Best Practice: Require strong authentication for internal administrative accounts Require strong authentication for change / reset password

27 27 Questions ? Thank you. For enquiries, please contact: Data Security Systems Solutions Pte Ltd Website: http://www.ds3global.com info@ds3global.com

Download ppt "1 Managing Identity Threats May 2010. 2 Where are the threats ? Customer Web/App Server Vulnerabilities: Trojan sniffers Soliciting Email to enter credentials."

Similar presentations

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Similar presentations

Ads by Google