
Julien Richard - What the F* is Phishing Resistant MFA Anyways

BSides St. John's, 34:14, published 2025-05
About this talk
BSides 2023
Transcript [en]

We got more prizes. Don't worry about it. All right. So pleased to introduce our next speaker, Mr. Julien... Richard, your last name? Julien Richard.

I've been called much worse. You got the... Yep. Okay, perfect. Mic's working. Hi, thank you for staying here and coming to my talk. I guess I used a title called "beyond locking key authentication and evolving cyber lines", sounds very, you know, but instead I kind of subtitled it "What the F* is Phishing Resistant MFA Anyways". So what I want everybody to take away from this presentation is really to talk about the challenges to traditional MFA solutions and why we should transition to phishing resistant MFA. We'll go into the challenges of those traditional MFA and then we'll go through what phishing resistant MFA is and how it works. We'll get a bit technical, so bear with me. The first little part of this is not going to be that technical, but don't worry, we'll get into it.

First of all, who am I? Julien, I'm from New Brunswick. Flew here last night, late. And I've got over 25 years' experience in the IT field. My background is in pentesting, but lately I work as a director at Lastwall. We do a phishing resistant MFA solution, of course. So that's why I've become very well-versed in this technology. I'm not here to sell anything, so don't worry. So as director over there I run the security program, run the security team, make sure that we're following all the things we should do, because we're in a heavily regulated environment. I've got my own little consulting firm, but I'm also the founder of the Atlantic Cyber Security Collective that's up there. I will sell this: if you go to that website, join the Discord server. There's a ton of people in there that are awesome cyber security folks, all like-minded. No fees, no vendors, you're not going to get harassed there. If you want to join the Discord server, it's a lot of fun. Board member at the ISC2 Atlantic chapter. I'm an advisory board member at the Canadian Cyber Security Network. And to sum it all up, I'm just passionate about cyber security and talking about it to anyone and everyone who will listen to me. And believe me, I will talk your ears off about cyber security.

All right. So, the agenda today. First of all, we're running a little bit late, so this MFA primer section, I might be running through it pretty quickly. I assume that the crowd that we have here really understands what MFA is, but I'll still run through those slides. Just skip the rest of it, we'll get to it.

Anyways, multi-factor authentication. One thing I want to say is that if you understand this really quickly, this is the time to look at your phone, just answer your emails, whatever. But I do have puppy pictures for people that like, you know... I really do have puppy pictures. That's my puppy. One thing I just want to do is define what MFA is. So if we talk about authentication, let's start at the end, right? Authentication is part of the access control system. And the access control system is not just authentication. There's other parts. First part being identification, right? And we'll get into this. This is an important part of our phishing resistant MFA. Even though it's not really in the flow, we have to consider identification. So identification is just your username, your user ID: who are you? We could all use the same password in the system. We would have access to all the right information. We've probably been in those systems before and they're not very secure. Star of the show is authentication. We're confirming who we are. We've identified ourselves. I'm, well, you'll see later, Harry Port Scanner, right? And we use the password to say that that is really who we are. And then the last part is authorization. Even though you're authenticated to a system, it doesn't mean that you can do anything on that system. It doesn't mean you can access that box. It doesn't mean you can access that shared file. You really need to have authorization too. But at the end of all of this, we really want to talk about authentication. More puppy pictures. Sorry, I got really excited and got really loud here.

So what is a factor? Can somebody tell me what I mean by factors? Anybody? Oh, lots of participation today. So in the context of multi-factor authentication, we're talking about a category of verification methods: something you know, something you have, something you are, right? We've all seen this. Something you know is a password, it's a PIN, it's all kinds of stuff. Something you have can be your phone, your authenticator app on your phone. You're not going to remember those six digits that keep going, right? So you need to have your phone to be able to put in that second factor. And then something you are. Something you are is not often used in traditional MFA, mostly because, and I know a lot of you are going to say, "Yeah, I use Face ID all the time. I use my fingerprint." Yep. It's not traditional MFA in a sense, because that Face ID or that fingerprint is really unlocking a certificate on your phone. It really is the next generation of MFA. Something that we use "something you are" for would be in physical security. Scan your card, put your hand down, and then you go, right? But we're talking about multi. Multi means more than one. I mean, I don't have a slide for multi, of course, but you need more than one. If I tell you, give me your password and then give me the answer to your security question, that's not multi-factor. It's multi-step. It's one factor. It's two of something you know. So it's important to understand it isn't MFA without the MF, right?

Okay. Let's talk about the challenges of each factor. And I'll run through this really quickly. Something you know: the sticky notes, right? People write down their passwords, they put it under their keyboards, people find them. Breaches. Passwords are in breaches. If you got your password hijacked for Twitter, it's probably the same one you use for Facebook, for most people, unfortunately. Social engineering and phishing. Brute force attacks, if you just try over and over again. Key logging: somebody puts something on your computer that catches all the keys that you type. Eventually, they're going to find a password. Shoulder surfing: people behind you looking at you. Attacker in the middle. Something you have: you can get your device stolen, right? If anybody remembers those RSA keys that keep going, there's probably still people using them, but people can steal those. SIM swapping is an important one: people pretending to be you, stealing your phone number so that when the SMS goes to your phone, all of a sudden it goes to their phone and not yours. Social engineering, phishing, malware, cloning, physical security, little Flipper device. My hotel card is on this. Attacker in the middle again. Something you are: spoofing. They can't spoof you, but, I mean, maybe, but they can spoof your fingerprint, right? We've all seen those James Bond movies. Pretty far-fetched, but hey. Breaches. This is an important one. Just because you're scanning your fingerprint, what gets sent over the wire is a digital representation of your fingerprint. So if the other side has a database of all these digital representations of fingerprints, you can intercept that and take the digital representation of mine and then send the one for the person I'm trying to impersonate. Very interesting. Replay attacks. They kind of work with all of these, right? Just intercept the request and you replay it later. Social engineering and phishing. Again, they can get you to do stuff. Quality attacks. Remember the iPhone when it first came out with Face ID? People were sleeping and you could unlock people's phones because they weren't checking if the eyes were open, right? And deepfakes. I'll talk about a breach later on where this is not really multi-factor, but I know a lot of banks in the US will use your voice recognition as a factor to authenticate you, to make sure who you are. Deepfake is great, right? It's fun. And again, attacker in the middle. Notice something here. Defense in depth is great: if the sticky note factor is there, then you go to the next one, it's not going to work. But notice how social engineering, phishing and attacker in the middle is on every one of those. That's not defense in depth.

That's being vulnerable to the same attack on those three factors. Right? Trying to talk not too fast. I'm going to take my pointer here just to go through a flow. Let's go through a quick flow of what an access control system looks like when you're authenticating. Bob and Alice are traditional characters whenever we try to do something in IT security. So Bob here is trying to log into an app. The app says give me your login and password. You give the login and password and then they go like, yeah, I trust you, but I'm a bit paranoid, so I'm going to ask you for more. Choose a second authentication method. Choose a push notification. You get the push notification, you hit the push notification and you go through. You're logged in. So, username and password, it's pretty easy, right? You find a breach, you take the username and password, you put it in, you get logged in. But what do you do as an attacker when you have this push, this second factor, right? Well, we solved that. Us attackers send an email to the victim. Somebody's going to click. You click the email, goes to a phishing website, steal the credentials, you log in. That's pretty simple. But in a meddler-in-the-middle or attacker-in-the-middle situation, what you do is you seriously intercept the stuff you present. We saw a couple of presentations today and I was pretty happy to see that, because they were showing this already, where it looks just like the AWS login form, just like it. But if you look at the domain name, it's different. What's happening is that you're putting in your credential, you're forwarding, and let's say that I'm in the middle here. I'm the attacker, right? I actually forward those credentials over to the target web server. Target web server goes, "Hey, that's a good username and password. How about you send me your 2FA code?" Through another channel, they actually send the 2FA code to the user. I don't answer it. I actually send it back to the victim. The victim enters the 2FA code, sends it back over, I send it back over to the target web server. And it is very important to understand, in today's world, or in the HTTP world since the beginning (I shouldn't say today), that there's no concept of session in a web server. I'm probably saying something that a lot of you understand, but still, there's no concept of session in the HTTP protocol. If you didn't have a way to say, "Hey, I'm already logged in," every time you click on something you would have to put in your username and password, and that would not be fun. So we've solved this by using a session token that we give and then you present every time that you send a request. So if you have that session token, it's just like you're logged in, right? You don't have to have the username and password. So if I steal that session token, it means that I can just go on the website and act just like the user. And once I'm there, I can add more authentication methods. I can add more users. I can change my password. I can do all kinds of these things. Right? So in this case, we're stealing the session cookie now. You're gonna say, "Hey, I don't really get it." Well, I'm going to show you. Right? Here's a great little tool called Evilginx, which is a reverse proxy phishing framework that bypasses traditional MFA. So what I'm doing here, I've set this all up. I created my own DNS server. I've created my own DNS entry, and this thing actually gives me the certificates, the TLS certificates. It does everything. So let's see how it works. I hope this is going to play. Oh, no. It's because I have my pointer. There you go.

All right. So this is the GitHub repo where you can get this. This is all free. Anybody can do it. So I'm going to start up. I don't have enough rights, so of course I'm going to have to sudo, and do a bit of housekeeping here so it doesn't really pollute the terminal. And I'm going to show you the phishlets that I've used. There's an Amazon template. I enabled the Amazon template. I created a lure, which takes the template, puts it in its own directory, gives me a URL. I go to that URL, or I try to phish the user with that URL. And we'll see. So right now I'm in that web server. It's out in the cloud somewhere. And I'm going to go back to my own machine on a browser and visit this site. Again, you may not trust me, so I'm just going to show you first that I am not logged into AWS. You're going to see some alt-tabbing stuff. It's virtual, so I thought I could alt-tab here and stuff's just going to show up. So this is the actual Amazon site. You can see I was not logged in. I take that site. You're going to love this, because my domain that I own is called finalreport.zip. Here's the final report. Log into your... I don't know why you would log into your AWS account to get the final report, but hey. finalreport.zip. You can see same site, exact same look as the Amazon site. Here's my alt-tabbing stuff. It was pretty late, so bear with me. Username, like I said, it's called harryportscanner, and I'm going to put in my password. And in this case, it's going to ask me for my multi-factor authentication. If you look at the domain name, it's still finalreport.zip. It's still my attacker machine that's in the middle. Forgot to open up my phone, so I'm unlocking. Forgot my password. There you go. Finally. Come on, Julien. Got it in. Submitted. In a perfect world... and this was not a perfect world. In a perfect world, this would forward you, log you in, get you to Amazon. They changed something while I was building this and it actually doesn't bring me in. But as you can see now, I'm on the actual Amazon website. And the user would probably just go, "Hey, I'm not logged in. I'll try again." And it's going to work. It's going to log them in. But let's see what happens on my little attacker machine here. Well, you know what? I'm logged in. I got the username. I got the password. I got the session token. Yes, the password is "Dumbledore sucks". And I'm going to show the sessions and grab the cookie. This is my session token. Gave my session token. Go back to Amazon. First, I save it as a JSON file.

If only I could type, we could go faster. Come on. Jeez. All right, saved it. I just used an add-on to add some cookies, Cookie Editor. I'm going to import my JSON file and go back to Amazon services, and I will, because I have the right session token. Remember, I don't have to put in my username every time. Boom. I'm logged in as Mr. Harry Port Scanner. And it logs me in. And attackers are doing this, they're 100% doing this. People are going to click on links. You can intercept these things. So how do we make it so that we can't intercept this? How do we make their jobs harder? They started with just passwords. Now they're doing MFA. They're going to figure out a way at some point. And when I say they, I mean attackers or, you know, red teamers. They're going to figure out a way to bypass phishing resistant MFA, but right now it's making their job really hard.

So what is phishing resistant MFA? Well, we've got an ingredients list, right? There's certain... I don't like the word components, but I'm French, so whatever. We need strong binding between the authenticator and the user identity. Right now, if you use a username, you can use the username wherever you want. You can use the, sorry, not the username but the password, you can use it anywhere you want. In this case, you are tying the authenticator, so, you know, your YubiKey, you're tying it to a specific website and you're tying it to only you. So if I use the private key that's on here for Amazon and I try to log into Google, it's not going to work. I need to also register this at Google. We're trying to eliminate shared secrets. Passwords, as you can see, are easily interceptable. And we only want to respond to trusted parties. And we're going to use some pretty cool technology to do this. So that trusted party, that finalreport.zip, was not a trusted party. We only want to talk to Amazon. And user intent is a huge one. We've all heard of push fatigue, right? MFA fatigue. I mean, you're sitting at dinner and you just keep getting pushes, keep getting pushes, keep getting pushes, and after a while, like, yeah, yeah, whatever. And then the attacker gets your machine, right? You never intended to log into this site. With phishing resistant MFA, it's not going to work unless you want to log in. Nobody can send you any of these requests. And what kind of technologies? Public-private cryptography. I'm not going to get too deep into this, but we have to remember that we get a private key that we hold to ourselves and a public key that we give to everybody else. Anything that I encrypt with my private key can only be decrypted with my public key, which proves that I'm the one that encrypted it, because nobody else has that private key. And then if you encrypt something with the public key, I'm the only one that can decrypt it, because nobody else has my private key. So it's asymmetric cryptography. We leverage that a lot in here. Relying party, this is more of a definition. Relying party in this world is a server. And then we need to define what the client, the user and the authenticator is. The user is me. The client is my browser, because we're going to be talking about the WebAuthn version of phishing resistant MFA. So the user is me, the client is my browser or the application or whatever, and the authenticator is the YubiKey, which is a roaming authenticator. And then if you can use Windows Hello, you can use Face ID or whatever else, that's called the... it's going away from my mind for whatever reason. But anyways, platform authenticator.

All right, let's try to get this fairly quick. I spoke earlier around identification, right? And this is something that's extremely important. That registration phase, that first phase where I say I want an account on this site, that's identification. So if it's an open public library or something, it's okay, they're just going to accept it. If it's a financial institution or something that's heavily regulated or whatnot, they might want to do out-of-band identification. I know at my company we get people to come in, we give them the YubiKey, we watch them touch the YubiKey to register it. So we know 100% that it's them. So the registration is not part of authentication. It really is part of identification. So you need to understand that when you register, that might be the place that you could get attacked. But let's just go ahead and say that I want to register. I send my username. The web server, or the relying party, sends a challenge back with my username, the challenge, which is a long string of characters or nonce or whatever else, and information about the relying party, its domain name, all these things, right? When I get it through my browser right here and I see the challenge, how do I make sure that it's actually coming from the web server? Well, it's pretty easy these days, because they said it's for outlook.com. The browser looks at the HTTPS certificate and they go like, "Oh yeah, it really is outlook.com." That's how you make the link between the relying party ID in the packet and ensuring that it's actually them: because it's coming from that website with the right certificate. So in other words, it doesn't work with HTTP. It just doesn't. I get that through my browser, goes to my authenticator. User intent, attestation: I need to touch the key so that, yes, I really want this. And that's an important part, because I need this with me and I need to touch it, I need to use Face ID, I need to use my fingerprint on my computer. That's an important part. As soon as I do that, my key generates a new key pair, public-private, keeps the private key, signs the challenge that I got from the web server with my private key and sends a whole bunch of information over. Web server receives it. If they can decrypt it with the public key that's part of that public-private key pair, and it's the same challenge, they go like, oh yeah, it's really you. Awesome. I'm registered. Does that make sense? It's a weird flow, but... All right.

So how do I authenticate? Now I have my private key. They have my public key. How do I authenticate? Well, I start with a username and they send me a challenge with my credential ID, because I could have this, I could have my Face ID, I could have a bunch of different things, and it'll only work with one of those. So if I have three different devices, two or three different YubiKeys registered with this web server, I need to understand which one to use. So it's going to send me an ID. When I get it, same thing. Credential ID, challenge, relying party ID. I check with the HTTPS certificate. I look it up, because the browser bar is over there, so that's why the certificate is there, right? So grab the certificate and make sure it matches the relying party ID that they sent. Go in my YubiKey, touch it again, I really do want to log in, grab that challenge, sign it with my private key, send it over, and they'll say, "Hey, that's really you," because you're the only one that has that private key, which is important, right? And we'll look at this a bit later on when I talk about attacks, because Google and Apple are doing something kind of funky with the private key. I'll spoil it. They're storing it in the cloud, which isn't protected with phishing resistant MFA. So if you can phish their iCloud account, grab the private key, then you can sign in, sign with anything you want, which is bizarre.

All right, more demo. Oh, pointer. Sorry. All right, I'm going to try to do the same thing, but I registered this exact YubiKey. I'm going to put it in my pocket because I don't want anybody to steal it now. Oh, and this too, because I don't want you in my hotel room. Port Scanner. This is Amazon. Touch my YubiKey. Boom. I'm logged in. Just to show that my YubiKey actually worked. Just going to log out, clear all my cookies, do everything I need to do. Speaking of, there's cookies here if anybody's hungry. I'm going to go back to my phishing site, my finalreport.zip site that I own. Do a little bit of things here. Get the URL. Oh, no. I want to show you that I don't have any saved session, which I didn't do before, but trust me. There's my URL. I'm going to go over. Oh, yeah. If you ever wonder why "Dumbledore sucks" when you do a Google search, well, there it was, because I didn't copy the link correctly. Something "10 reasons why Dumbledore sucks". Go. Now you know my password. All right. As you can see, this is finalreport.zip. I touch my sign-in key. Nothing. Because it looks at the HTTPS request and it goes, "You're not amazon.com. It's not going to work." But see here, the password is there. So I did intercept the password. Cool.

So now that I've convinced everybody to go to phishing resistant MFA, what are the roadblocks to get there? Well, technology doesn't support it. Got this old AS/400 thing that, yeah, if you think that that's going to support phishing resistant MFA, it's not going to. But hey, you know what? Enable it in Office 365. Enable it in your Google. Enable it where you can, right? It's better than nothing. Too much too soon, people. It crashes, nobody can log in and everything else. We've solved this problem multiple times before in this industry. Start with your IT crew. Start with your system admins. Figure out what the bugs are. Use your lessons learned. And then when you start implementing it for more people, you know what can go wrong and how to fix it. There's perceived user friction. It's actually easier. It's actually a lot easier to touch a key than to remember 20,000 passwords. And that's something that's going to be very important: talk to your executives, right? Your senior leaders. If the messaging comes from the top, like anything else, again, we solved this. I don't have to tell you this. IT staff training. Well, if you're not training your staff, I mean, what's the old joke? What if I train my staff and they go? They go like, "Yeah, but what if we don't train them and they stay?" Right. And cost. Well, I was a part of an incident response where the company was losing a million dollars a day, and the reason it got popped was because the IT admin had put a file called password.jpeg on his desktop and thought that if I take a photo of the password, they're not going to find it. But he called it password.jpeg and it was the password to the password manager. A million dollars a day. Rolling out YubiKeys is not going to cost you a million dollars a day. It's going to cost you, but not a million dollars a day.

So, why should I? Well, the Canadian Centre for Cyber Security, in one of their documents where they're talking about attacks, advanced persistent threat, they say multi-factor authentication, where feasible, implement it. The Office of Management and Budget in the US, they're basically saying this is a binding presidential order, which means that all the agencies need to do this, and they say for agencies' staff, contractors and partners, phishing resistant MFA is required. And that's a binding presidential order. We will be forced to do this. The European Union Agency for Cybersecurity says if possible avoid using SMS and voice calls and consider deploying phishing resistant tokens. Who else? CISA, the Cybersecurity and Infrastructure Security Agency, and the "no such name" agency: given the prevalence of phishing as an attack vector, phishing resistance should be a key consideration. I can keep going. NIST, the National Institute of Standards and Technology. This is important. SP 863, which talks about identity and access management. It's under comments right now. They're taking comments from the public. So if you want to go in, read what people are saying and you want to chime in and have your words being read by NIST, it's a good place to go right now. They have a call for comments on this document. National Cyber Security Centre in the UK: highly privileged access needs to involve phishing resistant MFA. Everybody's saying that you need this, and we're going to get regulated. When you get my slides, all the links are there. Right before this talk I got a... this is a joint advisory from CISA and a bunch of other agencies, part of StopRansomware, the Snatch crew. Actions to take: enabling and enforcing phishing resistant multi-factor authentication. We're going to be forced to do this. Source.

All right, case studies. How many times have you talked about MGM today? We don't have to talk about it again. Well, phishing kit is a kit just like I showed you. The only difference is that people can pay $300 a month and have full-on help desk support to run this thing. And they're saying that in the 10 months, security researchers discovered that this was used to set up 850 phishing domains that targeted credentials for more than 56,000 Microsoft 365 accounts. And they compromised 8,000 of them using non-phishing-resistant, traditional MFA. This was mostly business email compromise. So you compromise the email of the marketing person at your company and you go, "Hey, we're just onboarding a new vendor. Can you start sending $10,000 a month into this account?" And it's coming from marketing@acme.com, right? So it's actually coming from your own company. Kroll. This is a fun one. Krebs on Security. So these guys basically do bankruptcy. They help companies go through bankruptcy, and they help a lot of cryptocurrency companies, including FTX. A ton of money got stolen from these people. So Krebs on Security said Kroll said it was informed that somebody targeted a T-Mobile phone number belonging to a Kroll employee in a highly sophisticated SIM swapping attack. Then it goes on to say, Krebs on Security chronicled SIM swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. Very sophisticated. They were able to do this 100 times in six months. Twilio got popped. This was, I believe, yeah, they were using Okta. They stole credentials belonging to nearly 10,000 individuals. We're not doing well, guys. Many more. Meatpacking JBS, that was a phish, stole stuff. Dropbox, CircleCI was a fake login page. CircleCI, DoorDash, Activision, United Nations, Reddit was somebody who was able to compromise an employee account using SMS two-factor. And my favorite one is Retool. 27 cloud customers, not cloud accounts, like actual customers. 27 cloud customers were compromised. The way that they did this was they phished an employee's credentials, personal credentials, and like I said earlier, the private passkey that you use to sign the challenge that's being sent over the wire was stored in the cloud. You know, we have TPMs. The YubiKey has a little thing where it never leaves the device, right? If we put it in the cloud, it leaves the device, and that's a problem. All right, I'm getting depressed. We're not doing good.

Key takeaways. Okay, am I at risk? Listen, traditional MFA is not perfect. Way better than nothing at all. What I would advise is, if you already have SMS and you have TOTP and you have all these things already in your environment, it's very important to start looking at what accounts are important and try to start rolling out MFA. If you don't have MFA at all, let's skip these ones. Let's just go straight to phishing resistant. There's no reason. And I think this presentation should have shown you why. My favorite cyber security personality is the Grugq. I forget where he's from. Thaddeus Grugq. Anyways, if you Google "the Grugq quotes", there's a full GitHub repo full of them. "Don't attribute the exploit so it can adequately be explained by password theft" and "effective phishing is more important than zero day." He's got some more funny ones, but they're usually not very okay for a place where respectable people are. He's pretty funny. Thank you. Any questions? Socials are there. Please connect. I didn't know what the Bluesky logo is. Turns out there's no logo. So I put in a sky. So I rushed through that trying to gain some more time. Any questions? Good crew. [Applause]
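The WebAuthn login flow the talk walks through (challenge, browser checks the origin against the relying party ID, authenticator signs only after a touch, server verifies challenge and signature), written out as an added example that is not the speaker's code or any vendor's. It is a compact Go model of the three parties; the hostnames `accounts.example` and `final-report.example`, the username and the simplified authenticator data (rpIdHash plus a flags byte only) are constructed assumptions. It shows why the reverse-proxy approach from the Evilginx demo gets no usable assertion and why a captured assertion cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData is assembled by the browser; Origin is the page actually visited, not a value the server (or a proxy) sends.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion: the signed client data, authenticator data (rpIdHash || flags, the minimal real fields) and the signature.
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }
// Authenticator models a roaming key: one private key per rpId, and the private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// sign needs a credential for this rpId plus proof of user presence (the touch); it signs
// SHA-256(authData || SHA-256(clientDataJSON)) with ECDSA P-256, WebAuthn's ES256 algorithm.
func (a Authenticator) sign(rpID string, cdJSON []byte, touched bool) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok || !touched {
		return nil, errors.New("authenticator: no credential for this rpId, or the user did not touch")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte with the UP (user present) bit set
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cdJSON, AuthData: authData, Signature: sig}, nil
}

// BrowserGetAssertion is the client step: HTTPS only, and the requested rpId must be the origin's host
// or a parent domain of it, so a look-alike proxy host never obtains a signature for the real rpId.
func BrowserGetAssertion(a Authenticator, origin, rpID, challenge string, touched bool) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host == origin || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return nil, fmt.Errorf("browser: %q is not an https origin under rpId %q", origin, rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return a.sign(rpID, cd, touched)
}

// RelyingParty is the server side; it stores public keys only.
type RelyingParty struct {
	ID, Origin string
	pubs       map[string]*ecdsa.PublicKey
}

// Verify checks ceremony type, challenge freshness, origin, rpIdHash, the UP flag and the signature.
func (rp *RelyingParty) Verify(user, challenge string, as *Assertion) error {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != rp.Origin {
		return fmt.Errorf("rp: rejected %s (want challenge %q at %q)", as.ClientDataJSON, challenge, rp.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	pub, ok := rp.pubs[user]
	if !ok || len(as.AuthData) != 33 || string(as.AuthData[:32]) != string(rpHash[:]) || as.AuthData[32]&1 == 0 || !ecdsa.VerifyASN1(pub, msg[:], as.Signature) {
		return errors.New("rp: unknown user, rpIdHash mismatch, user presence not asserted, or bad signature")
	}
	return nil
}

// Scenario replays the talk with constructed hostnames: a real login, the same user lured to a proxy that
// relays the real rpId from another origin, and a captured assertion replayed against a later challenge.
func Scenario() (legit, phished, replay error) {
	rp := &RelyingParty{ID: "accounts.example", Origin: "https://accounts.example", pubs: map[string]*ecdsa.PublicKey{}}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration, simplified: the key pair is born on the key
	if err != nil {
		return err, nil, nil
	}
	auth := Authenticator{rp.ID: priv}
	rp.pubs["harryportscanner"] = &priv.PublicKey // only the public half ever reaches the server
	as, err := BrowserGetAssertion(auth, rp.Origin, rp.ID, "challenge-0001", true)
	if err != nil {
		return err, nil, nil
	}
	legit = rp.Verify("harryportscanner", "challenge-0001", as)
	_, phished = BrowserGetAssertion(auth, "https://final-report.example", rp.ID, "challenge-0002", true)
	replay = rp.Verify("harryportscanner", "challenge-0003", as) // the RP has moved on to a fresh challenge
	return legit, phished, replay
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `<nil>` for the legitimate login and two errors: the browser refuses to sign for `accounts.example` while sitting on the proxy's origin, and the relying party rejects the stale challenge.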