
Uh, again, I'm Per, the founder of PasswordsCon. Really nice to have so many people in the room. I'm back here. Whenever I do PasswordsCon, and I've been doing this since 2010 in Europe and here in the States, I always look for new talks, new speakers, new content, but I am also very interested in having new perspectives on old stuff, and also repeating old stuff. I don't care if your presentation has been done many times before, because with this audience there is always something new to learn, both for speakers and for the audience. So if you have something that you think could be a great idea for a talk, feel free to reach out to me. I really love helping people trying to come up with good talks, good content, and most probably you are working on or you're studying something that I take a keen interest in and would love to hear more about. So please reach out.

Also, when it comes to passwords, one of the most common pieces of feedback I get from people whenever they attend is that they never had any idea that the topic of passwords, which sounds so incredibly narrow, can actually be so incredibly wide. I've had psychologists at PasswordsCon talking about how your brain works in terms of short-term, mid-term and long-term memory. I've had linguists talk about how languages are constructed and how they work. I've had Joan Daemen, the inventor of AES encryption and the SHA-3 algorithm, explain how that stuff works, and I still have absolutely no clue how that works. I've had the author of hashcat introduce hashcat and how he optimized the SHA-1 function, and lots more content. But now I will introduce Base16 from Twitter, talking about Secrets of the Second Factor, and, you know, not a scary offer, but this is one of those topics that to me is new and that I've been waiting for somebody to submit, and I'm looking forward to this one. So take it away.

[Applause]

All right, thank you. This is Secrets of
the Second Factor. I originally wrote this talk in November 2019, and I'm like, hey, I'm gonna go take it everywhere in 2020, this is going to be a great year for me, and then... stuff. I did do it a couple of times virtually in 2020, at kind of smaller conferences; I did do it at the Diana Initiative. I have updated the content since then, so you're not getting a totally recycled talk here, but you might have seen it before.

I'm gonna level set and give you some expectations. Sometimes when you read an abstract you don't quite get the full idea of what you're about to get into. So first off, this is not about installing it. This is not saying, like, hey, you should really have a two-factor system. I'm kind of already assuming that you've done it already, so it's not going to be about that; there's plenty of other talks that will explain to you why you need a two-factor system. This is gonna be about organizational security. It's not gonna be about your personal security; it's going to be like, are you defending an organization or a large company. And then the last piece, if those two things aren't super interesting to you: it will be about threat modeling and threat hunting, so there might be some tidbits and some techniques that you can pick up there.

Who am I? Kind of already mentioned, I go by Base16 on Twitter, and my day job is a threat hunter and incident response investigator, so that's where a lot of these stories come from. Some of my other stories come from my nights and weekends as a hacker con coordinator. I work on BSides RDU, I work on CackalackyCon, and I work on DEF CON 919. All of that is out in the North Carolina area, really big in the community there. And then I say that I'm the expert only in one room, so I'm the expert at my company, and I always try to go out into a bigger room so I can meet other experts and teach other people, so that we have more than one expert in the room. And then I am a certified Duo administrator, and I just want to call out that there's no commission. I do kind of heavily rely on Duo in this talk as the MFA system. I have dabbled a little bit into Okta and Microsoft and some of the other ones, but not as heavily as Duo, so a lot of my examples are with that system, and I just use it because it's convenient, because that's what I'm able to use on a day-to-day basis.

So a little bit more about what this talk is about. I'm going to very quickly go over MFA 101, like what is it, if you don't know the details of it. I'm going to go over what they tell you, like when you first get an MFA system, or what most of the MFA talks are about, or like what salespeople will tell you. I'm going to get into what they don't tell you, and then we're going to go through hunting, and that's the really great part. And then I'll give you some conclusions and some actions that you can do if you are with a corporation and if you do have an MFA system, like what you can do on Monday, or whenever it is you get back to work, and what you can action.

So just really briefly, MFA 101. For the purpose of this talk, we're talking about it after the password is correct. So you've entered your username and password, and then you're presented with a second factor, or the multi-factor. There are some systems that will allow you to, like, enter a code inline with a password, but that's not in the scope of this. And then for the scope of this we're also dealing with phone calls, SMS messages and phone apps. We're not dealing with sending an email to a user and giving them a code that way. I'm not going to be talking about hardware keys, like YubiKeys, or one-time passwords very much; they do come up, but it's not the bulk of this talk. And then I'm gonna give you a minute to look at this diagram while I take a drink: kind of the basic flow, the first factor, and then doing content checks and things like that.

So diving into what they tell you. For the MFA threat model, most of what they tell you is that it's gonna be for prevention and mitigation. Prevention: getting into an account. This is a nice chart from Google, it's all pretty, about all the different ways that, like, hey, MFA will prevent an account from getting taken over, based on the different factors and things that you can have. And then they also talk about the problems that are mitigated, things like if you have a password policy that isn't great, or you have users that maybe do some malicious compliance. I was at another conference one time and one of the speakers was talking about how they had a policy where you couldn't use the previous 15 passwords, so every time they changed it, they changed it exactly 16 times to put it back to their original password. Malicious compliance. So two-factor might help with that. And then things like phishing and credential harvesters, and I throw some caveats on there: to a certain degree, an MFA system will mitigate those problems.

Now let's dive into some of the things that they don't tell you and some of the things that you might not have heard of before. Problems persist, things like brute force. Brute force is still a thing in an MFA system. You have the brute force against the password, then after you have that, continuously sending pushes, or continuously attempting, like, the six-digit code that would be sent over SMS, in order to try to brute force into an account. You still have things like social engineering: calling somebody up and then, with whatever pretext you have, requesting that code in order to bypass the MFA and get in that way. And then you still have man-in-the-middle and credential harvesting, still like spoofing websites or spoofing permissions, and then some of the credential harvesters now are getting a lot better, where they're actually requesting that second factor code as well and then turning around and using it. And then one of the other problems that a lot of people don't think about is account recovery. So you have a password reset flow; what is now your MFA flow? If your user loses their phone, if they lose their phone number, how do you get them back in? Account recovery, and setting that up.

Another thing is, with more factors you also get more problems. There's a lot of, like, false sense of security, where, hey, we have an MFA system, we should be fine. That lovely chart by Google that I showed earlier said that we're cool, so you kind of get lulled into maybe more sense of security than you should have. It can also be used, if an attacker gets a password dump and they get a whole bunch of passwords, for password validation. So they enter in the password, they get the prompt for the multi-factor, now they see that, hey, that password was correct, and if that password was correct, is the rest of the dump correct? And then they see that screen for the MFA system; they can now go do more recon on that MFA system and try to find bypasses around it, build their pretexts better.

Another thing is application implementation. Passwords have been around a lot longer than MFA, so hopefully your application people know how to tie into those systems and have the code and everything to set that up correctly. Some of the MFA systems are a little bit newer, and if you don't have very specific code to give to your application developers in order to hook into everything the way that they should be, there's always misconfigurations and applications that can kind of bypass or have workarounds in the MFA system, so that they can bypass it that way. And then I bring up the human factor, and you know, humans are bad at passwords; entire conference track dedicated to that. But also it's amazing, what I've seen in my research, how humans are not good with multi-factor. The "oh my gosh, I have to get this code and punch it in, that's so much extra work", that psychological acceptability, where they will do things, maybe not maliciously, but just, like, get their job done and find bypasses and ways around multi-factor.

I'm going to get into some of the configuration threats. When I first started looking into MFA systems and MFA logs, I'm a blue teamer, I asked some red teamers, like, hey, what do you do if you're on an engagement and you find an MFA system is set up? And they were telling me that they love the engagements where they're just very first rolling out a brand new MFA system and they have enrollment after the password is correct. So you've never used MFA before, you enter your username and password, and it prompts you: hey, give me your phone so I can set up MFA for you. If the red teamer has gone out and gotten the password already, they then add their red team phone to that account. Find the person on vacation who hasn't set it up yet, or is a little bit behind; they now have their red team phone on that account and just go all the way through the MFA system. The other thing with that is open self-service device enrollment. This is just allowing your users to add any device to their account, like they can freely add a one-time password device, or they can add another phone, or add another phone number to their account, instead of going through something like IT that can prove it's you. You can also kind of see how that would create problems if you're able to get a push the first time, as a red teamer or an attacker, and then being able to add your attack phone or your red team phone after the fact without having to go through any sort of checks or balances with it.

So one of the other things that they don't tell you about an MFA system is basic baselining things. So we've talked about how you probably have a very explicit password policy that says you have to rotate it, you know, every so many days, you have to have so many special characters, numbers, length and all that. Do you have an explicit, established policy about your MFA system? How are you limiting how many phones they can add, what type of phones they can add? Are you doing BYOD? Can it only be corporate phones? Who's issuing that, and things of that nature. Another thing you want to think about is, like, implicit best practices: best practices for a password, best practices for an MFA system. The other thing that you kind of want to baseline with is your application teams that are going to be helping you set this up, and then your IT team, any sort of tech support that is going to have to go along with a rollout or day-to-day operations of helping users that are running and using the MFA system. And then the other thing that you want to baseline is going out and doing test scenarios in a lab: just running through the MFA system yourself, through any sort of weird scenarios that you can think of, and then taking a look at those logs and establishing those baselines. Take a minute to drink here real quick.
Okay, so is that better? Okay, sorry, I wasn't close enough there. So one of the biggest things that they don't tell you is that there are logs. These systems log quite a bit of information. And then the other thing that they don't tell you is that you want to bring along more data when you go look at these logs. And I love logs, I love getting into it, and why do I? The logs tell me things. I am like the Log Lady: give me all of the logs, upgrade the logs, just bring them all to me, because the logs tell me so much. They've told me lots of things, and now I'm going to tell you what they told me, so that now you can go threat hunt and take a look in your logs.

So I'm going to break all of this down. The first thing that we're going to take a look at is the access device. This gives us some interesting information, like the client OS and the browser that your users are using to log into your system. On some of these systems they will also have an endpoint client, so you can get some additional endpoint details. So here we can see that, you know, they have firewall enabled; hey, they don't have Java, that's great, or Flash, that's also great that they don't have that installed; and they're running Windows Defender and things like that. Some of the stuff that you want to bring along to these logs are things like your asset inventory, because you have an asset inventory; everybody has an asset inventory. Those are hard. You want to bring a list of your approved software: you know, do you allow users to run Firefox, do you allow them to run, like, Brave or other different browsers like that? And then one of the other things, like, add caveats to this: remember that there is agent string spoofing. If they're logging into web apps, they can be spoofing those agent strings, depending on how the system gathers that data. And then you also have browser-based apps, so if you have a user and you're questioning their login, they might not understand what it is they were even logging into, depending on how it displays in these logs.

So the thing that we're going to threat hunt in this is, we're going to take a look at non-issued or approved operating systems. So you're in an all-Windows shop and you start to see Macintosh logins, or you start to see Linux logins; you might want to take a closer look at those. Also taking a look at old or end-of-life OS versions. It was very surprising to me, when I went hunting in my own environment, seeing a lot of Windows 7 computers. I thought we had gotten rid of all of those, but they're still logging in, and like, where are they and what are they doing? And then you want to take a look for, like, restricted software. Here we see Windows Defender, but maybe you have a corporate license from McAfee or another vendor. Why are they running Windows Defender instead of what you rolled out to the whole fleet? So take a look at those.

The next thing we're going to look at is the access device IP address, like where are they logging in from. So, IP address of the accessing device; the location is based on IP address lookups, and then some of the logs will actually give you a DNS lookup or the ASN, so you kind of know what company, like what ISP, they're using to log in. Some of the additional information you want to bring along with that is your known corporate subnets. Are you taking a look at users that are on site or have VPNed into your system and then are going out to the web in order to get their MFA call? Should they be going through that? Should it be split tunneling? You know, where are they allowed to come in through? You want a list of acceptable access locations; depending on your industry or your company, there might be certain locations where you don't want anybody logging in from. And then you might also want to have an employee directory, employee asset inventory (again, yes, you have asset inventory), employee location data, so you can kind of have an idea of where people should be. And then a big caveat here is IP locations can be wrong, and it also varies by config and application. Like I was saying before, VPN, or coming through, like, your corporate network and bouncing out. The IP locations can be wrong. I used to work for an ISP. I was doing a packet capture on a firewall that I knew was in New York City for a customer. They were complaining that one of the partners that they were trying to set up a VPN tunnel with was saying that their IPs were located in Puerto Rico. A packet capture on a New York City firewall; I knew that it wasn't in Puerto Rico, but the IP location service that their third party was using had some stale data in it. They had to go through and, like, use a different service in order to realize, like, hey, the IP locations, they can be wrong. So you want to cross-reference. If you see a scary location, go just double-check it before you start chasing it too hard.

So let's go hunting in this, and what we're going to take a look at is Tor IPs or unapproved VPN IPs. It's amazing how many people will, like, go use a personal VPN, maybe watch some Netflix for a different country or something, and then try to log into your corporate network, totally forgetting that they're in a country that you don't allow. Kind of interesting when you see the Tor nodes trying to connect into your corporate stuff. And then any sort of ASN that you might have on a list. And then here's also where you can use your threat intel IOC IPs and ASNs: if you're getting any sort of threat intel feeds, and if other people have seen malicious activity from IP addresses, go hunt for those IPs, if they're trying to log into your system. And then you can also hunt the IP locations, with just that caveat that I mentioned before: it has a little bit higher rate of false positives or benigns, where just know that you have to do a couple of extra cross-checks there before you go chasing that too far.

The next part here is the application logs. So we're taking a look at the application name and the application ID. The other thing you want to bring along is application inventory. I'm very big on inventory: inventory, micromanagement, endgame of everything. You also want to bring along the application logs. Just because a user was able to log in, you know, first factor, second factor, did the application kick them out, or do they even have permissions to log into that application? You want to have those logs to follow up on that. And then some of the vendors will have integrations with other major vendors and can, like, auto-detect, like, oh, you're using that application. Other times it's your IT, or whoever is configuring your MFA system, labeling those. So, hey, you labeled this application "website", thank you, I know exactly what the user got into there, to follow up on that. You know, or application-level config; I think I mentioned that before, that applications can be configured wrong or they're not actually allowing the user in, so just take a look at those.

What we're going to threat hunt in this data: we're going to be taking a look at absence over time, keeping an eye on reports. How often do people log into certain applications, and has that number started to drop off recently, or dropped off completely? You know, is there an application configuration where maybe it's not hitting the MFA system like it should? And then you also want to do application log follow-up. I've mentioned that before; getting an inventory of application logs and being able to follow up on those is really, really important.

And then the next piece here is going to be the factor that's used: what kind of factor, results of that factor, and the reasons for that factor. So here we see that there's a push that's sending out to an application on your phone, the result was a success, and it's a success because the user approved it. You also want to bring along your first factor logs. If you see a bunch of failures, like you're seeing a brute force, was the password brute forced first, and now they're brute forcing the MFA system? You also want to bring along help desk tickets. A lot of times you'll see weird stuff going on, and then you look up help desk tickets for that user and it's like, hey, they were just having a bad day; they couldn't get their phone to work, they couldn't get the push to work, or whatever. And then just remember defense in depth: success here does not always mean success in the application.

And we're actually going to deep dive a little bit further into these; I have some good examples here. So, brute force. We'll dive into this. We're going to verify this was a benign hit, because if you kind of take a look at this, a little bit interesting: when we break down those five individual hits, the logins appear to have completely random timing; there's no real pattern there. We have a successful login after the failures. We're going to talk to Ivan's manager. And we're taking a look specifically at... we have that asset inventory, so we know that Ivan has a mobile phone, we know Ivan has a work phone, and those approved numbers. Looking at that authentication device, that's kind of weird: he has a 91, which is the country code for India, where 919 is the local area code for RTP. So that's kind of odd that he added a phone number for India there to his account, because we have open self-service adding of devices turned on. So we're gonna talk to his manager, and it turns out, hey, he typoed his desk phone number. He thought he had to press 91 to get out of the system and ended up coding that into his authentication methods. So we're just going to [Music] and then also his mobile phone was on silent, and that's why the push messages were failing and not being answered. So we're going to go in and we're gonna fix that for him and get rid of that phone for him, and that was pretty benign.

The next one here we're gonna investigate a little bit further. Oh, we don't have asset inventory. We have no idea what Faith's phone number should be;
that's very sad we also have no idea where she should be located so are those logins weird or not we have no idea is that phone number weird we have no idea um we see that we have a high count of failed logins so we have 27. let's take a look at those a little bit closer it turns out those login attempts are exactly five minutes apart to the second so that's a bit odd um we do have an asset inventory for the laptop though and we see that faith was issued a mac os at this company we have a windows system logging in so again that's odd so let's go ahead and talk to
faith's manager she's on vacation this is great so we're just going to go ahead and disable face account until she returns and then we're going to reissue her a new password so that the attempts against the second factor are gonna stop disable the account just in case uh she decides to click accept on one of those pushes that keep coming through in that route for us and then we're gonna go ahead and follow up and do further investigation on those login attempts we had a correct password how did that correct password get leaked out and do further investigation on that see if there were any users or anything the next one i'm going to talk about is
suspicious login reporting a lot of people that i've talked to actually didn't know that this was a thing um where you can have users actually report in if they see a suspicious or fraudulent login you get a push you can say hey that was weird i deny that and then i'm reporting that as fraud same thing with a phone call factor calling in you can press one number to accept it and a different number to report it as fraud i love this because it allows users to actively uh report weird things that they see in the environment setting up another detection method for you um this happens with the push or the phone call options can't really do it with an
sms or anything like that and then you have to educate the users they have to know that it exists they have to know that it's there in order for them to be able to push that button and let you know also want to give them some information maybe to your incident response team like after you push the button could you please email us and tell us if you saw anything else weird going on or just how to get in contact with that so we're going to take a look at some uh suspicious login reports some logs here um we're gonna verify benign again here with with ivan uh the first thing that you'll notice is
that his auth device matches his mobile on file and this is pretty much always gonna happen it's going to be the original user's phone that is reporting fraud if you're a red teamer or an attacker why are you reporting the authentication as fraud um probably not going to happen that's a bad attack if it does i'm going to take a look here and the access ip matches the authentication ip so that means that both the phone that we're sending the the push out to is in the same location enough that it's at least going out through the same router getting the same ip address and everything as the access device which could be a laptop or could be a
different device so we're taking a look here a little bit more into ivan himself and his outlook status says that he's traveling that's interesting let's talk to ivan's manager why did he report fraud since he's out we can't really talk to him directly um so it turns out that ivan saw this really cool talk at b-sides las vegas and got all excited about fraud reports and decided to sit around the bar and take some bets and it turns out he was showing off how fast his incident response team will respond to a fraud report so my company is faster than yours so we we're gonna verify that benign and like please don't do that i'm going to take another care
yes yes the ir team gets a percentage of the winnings for responding so quickly um so so this next one we're gonna investigate a little bit more faith is back um and the asset inventory shows again that faith was issued to mac os and we have a windows device logging in um we learned our lesson from the the brute force and now have her phone number on file so we can take a look at that uh it turns out uh we talked to faith's manager uh turns out faith is on vacation again and we're gonna go ahead and disable her her account and wait until she comes back to reissue her password and when we
do further investigation you can see the login attempts are from the same subnet as before we talked to faith about her password and hey what did you do when you changed it she incremented it by one that's a different password so pretty easy to guess again and get back into the system in order to start sending pushes but we taught her how to report fraud this time so instead of getting just hammered she was able to report fraud and get the incident response team on on it right away so the next piece that we're going to take a look at are phones themselves um yeah so phone number or the or the token that you're using um if you're getting a
push and again the ip address is based or yeah the ip address of the authentication device and then it's a location based on an ip lookup service again you want to bring your employee phone book again that inventory mobile device asset inventory if you're issuing cell phones out to users or are you allowing them byod with some level of registration or mobile device management and then you want to have a kind of a basic understanding of phone number country codes and locations and things like that and then the caveat here is bring your own device or open enrollment if you're not keeping track of that at all you're going to have no idea what what's coming in here is normal or not
and then remember that pushes and codes don't require cellular you can get a push over wi-fi and if you're getting authentication codes out of the application itself that doesn't require cellular so you're not gonna get an ip sometimes you might not even get a phone number just that they use the app to do that so we're gonna go uh hunting in the authentication device data and we're going to take a look at a mismatched the access so here in this log we see that the authentication device was located in california but that access device or that laptop that was trying to log in is saying that it was in moscow so we're going to take a look at that one a
little bit more uh the other thing that you want to take a look at is multiples and i'm going to get into that we'll do deep dive into that here with multiple users on one phone number so we're going to dig into these a little bit more here we have uh six users that are all using one phone number and one extension and we're gonna take a look at those users a little bit more those help desk agents they all have the same manager and the same hire date and we're going to go ahead and call that number because that's kind of interesting that they're using an extension and it turns out that it plays a tone
and when we look up that tone it's pressing the number one so the outgoing voicemail message on that extension it goes straight to voicemail and then just plays the number one to accept our mfa so we have six people just automatically accepting mfa uh so we're going to have some emails with a manager and what's going on oh turns out it's a secure building they can't use mobile they can't use any sort of other devices but you know what we're going to issue them some hard tokens so that they aren't just using the same extension and bypassing mfa completely so next one we're going to investigate a little bit more uh we're taking a look at grace's
landline she's named it for us so that's nice we have three people here and they all have three different job titles which is kind of interesting we're going to look into this a little bit more and it turns out that grace is with laptop support and she's doing some shadow i.t to to do her job here um so instead of going about uh calling up trudy or frank she's actually adding her phone to their systems and knowing their their uh passwords so that she can go in and make changes to their account and set up laptops and stuff for them while they aren't there while they're out on lunch she can log in and set up those laptops
turns out the time stamps on those login match the time frames of her support tickets so again having your support ticket system so you can go back and cross-reference that uh and we're going to confirm that there's a password change on all of those users and we're going to remove grace's landline from those other users because that shouldn't be happening and then we're gonna have a conversation with her management and make the support process more secure make sure that they shouldn't be doing things like that um it is kind of nice and you do notice that that people can know in some of these systems people can label their their phone numbers so one of the things that i did when i first
started digging around in the logs was i threw in an easter egg and anybody that that goes in and tries to look at my logs they're going to see that i always log in from a banana phone so good luck looking at that the next example here is one user multiple phones and again i wrote this talk in november 2019 you might remember something that happened in december 2020 where fireeye was able to detect an attacker in their in their system when they noticed a second phone on an employee's mfa um so it was added to that um but if you aren't keeping track of new devices that are being added or you have a history we're going to go into how do
you hunt for that after the fact if you're not getting those alerts in real time. So we're going to dig into this a little bit, and we're going to do this one as benign. We see that we have the mobile inventory and we have her work phone number, and if you take a look at those a little bit closer we do have three phones there, but one of them has been named. So where Ellis previously had an unlabeled cell phone, Ellis got a new iPhone. So cool, congratulations. The MFA system had a code update, so when she added that phone it decided to tag on iPhone for us, to try to be helpful.
So she installed MFA on the new phone, which caused the MFA system to relabel it. So that's benign; all those phones are accounted for. We're gonna investigate this one a little bit more because this is interesting. We see that we have a mobile number and a work number on file for him, and then we have these five other phones, and Bob's login phones don't match the company records. So this is starting to look weird. The logins happen at all hours of the day: he's logging in at 1am, he's logging in at 1pm, he's logging in at just all different hours of the day. We're gonna contact Bob's manager about this and try to see what's going on, and
oh, it turns out he was outsourcing his work to other contractors, and they had his password and added all their phones to his account. Bob's doing the work of five people because he is five people. So now I'm going to kind of get into some gray areas, and beyond the technology. You have restricted areas and SCIFs, and how do you compensate and work around that? The whole thing of, oh, they're going to an extension: have a plan to issue YubiKeys or one-time password tokens, if those are acceptable in those areas. The other thing is contractors. A lot of times contractors are given expectations of employees, but they aren't given the
permissions and abilities to do things that employees are able to do. So make sure that you level set those, so that contractors aren't trying to use credentials of employees in order to just do their job. And then the last one is assistants. What I mean by this is, for the call for papers for this conference, even they understand the concept that people have administrative assistants or people that help them out with different things. There are lots of applications that don't understand this concept. So if you have somebody that has an assistant, how do they log in as that person in order to assist that person with their job? It's amazing how many people don't understand delegation in
applications and are logging into the higher level person that they are assisting. So be on the lookout for that. And then I'm going to get into the actions that you can take back with you: go out and respond to findings. Limit self-enrollment. I've kind of made that clear, where it's like, hey, if you let people add other devices, they will. If you don't explain to them how backups work, you might see things like, oh yeah, I added my spouse's phone to my account because if I lose my phone I can use my spouse's phone. What, is that allowed? Maybe think about limiting self-enrollment. You might want to limit, or just not have, phone call
authentication. It's one of those things where you don't have to unlock the phone. So if somebody loses their laptop and their phone is also in their backpack, they now have access to the second factor with a phone call, without having to do anything else to get into that. If you do have the phone call, you might want to change the default number on that. The group there that was able to play the tone in the voicemail, they knew that it was always going to be the number one to accept that push. Just change that up every so often, so you have to actually listen to the message
in order to push the right number. And then be sure that you fix what you find. You find a lot of weird stuff; just don't let it slide like, oh yeah, this is how it's been done for 10 years, just logging in as other people to do their job. Actually dig in and get through and do that. You want to be sure that you educate your users beyond the password policy. Educate them about reporting fraud, educate them about not adding other phones and things like that. Make sure that they understand to report those suspicious MFA requests and fraud, and let them know that it's okay to
report user requests for sharing credentials. I had a situation where a contractor was being pressured by their management to share their credentials for the company in order to get their paycheck, because the manager, who was part of the contracting company, not part of the company, wanted to log in and basically scrape company data in order to do recruiting and things like that. But make sure that users can report things. Or, you know, hey, this admin's away on vacation, share the password, share the credentials, and stuff like that: make sure that that can be reported and resolved. And then include contractors. I used to be a
contractor, kind of treated like second class citizens at some companies and stuff like that. You just want to be sure that you bring them along on security and make sure that they're following it correctly. And then some of the other MFA takeaways: do not set it and forget it. Go back, read your logs. Always read your logs. All systems: read logs. Search for the unusual: figure out what normal is and then find out what's not normal. Investigate the logs. I'm just going to keep hammering that: I love logs, go out and just read them. Some of my future research that I want to do: I haven't done a whole lot on passwordless but I want to get into that. I want
to do client-based authentication, more about token duplication. I want to take a look and see if people are sharing YubiKeys or tokens and stuff between users; not something I've really gotten into. And then just to thank: thanks to my employer for on-the-job research and training, the other security professionals that shared their stories with me that I kind of mixed into some of these things, co-workers for my logging obsession and investigation and stuff. And then Duo has some pretty good documentation if you want references. I'll leave the slide up for a minute, and that's it, if there are any questions.
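The hunts the speaker walks through above (one phone number enrolled on several accounts, helpdesk staff adding their own landline to other users, one user with a pile of unregistered phones logging in at all hours, and phone-call approvals coming from a shared number) can be run after the fact over an exported MFA log. The script below is an added example written for this transcript; it is not the speaker's tooling and not any vendor's log format. It assumes a constructed CSV-style export with the columns timestamp, user, device_id, phone_number, device_label, factor and result, and a constructed HR/telecom inventory of which numbers each user is supposed to have. The sample log lines and inventory are made up to mirror the talk's scenarios.

```python
"""
After-the-fact hunting in MFA enrollment/authentication logs.

Added example for the transcript above, not the speaker's code.
Assumptions (constructed, not from any real product):
  - the log is a CSV export with the columns in FIELDS below
  - INVENTORY is what HR/telecom says each user's numbers are
"""
from collections import defaultdict
from datetime import datetime

FIELDS = ("timestamp", "user", "device_id", "phone_number",
          "device_label", "factor", "result")

# Constructed sample export (not real data). d3 is Grace's desk landline,
# which also appears on Frank's and Trudy's accounts; Bob has four phones.
MFA_LOG = """\
timestamp,user,device_id,phone_number,device_label,factor,result
2021-03-01T09:02:11,alice,d1,+15555550101,,push,approved
2021-03-01T09:05:42,frank,d3,+15555550200,,phonecall,approved
2021-03-01T09:07:03,trudy,d3,+15555550200,,phonecall,approved
2021-03-01T09:09:55,grace,d3,+15555550200,grace-desk,phonecall,approved
2021-03-01T12:31:20,ellis,d4,+15555550301,iPhone,push,approved
2021-03-01T01:14:09,bob,d5,+15555550400,,push,approved
2021-03-01T03:48:33,bob,d6,+15555550401,,push,approved
2021-03-01T13:02:17,bob,d7,+15555550402,,push,approved
2021-03-01T22:55:01,bob,d8,+15555550403,,push,approved
"""

# Constructed company phone inventory: user -> numbers on record.
INVENTORY = {
    "alice": {"+15555550101"},
    "frank": {"+15555550201"},
    "trudy": {"+15555550202"},
    "grace": {"+15555550200"},
    "ellis": {"+15555550301"},
    "bob": {"+15555550400"},
}


def parse_log(text):
    """Turn the CSV export into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            continue
        ev = dict(zip(FIELDS, parts))
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"])
        events.append(ev)
    return events


def shared_numbers(events):
    """One phone number enrolled on several accounts (the shared-extension case)."""
    users_by_number = defaultdict(set)
    for ev in events:
        users_by_number[ev["phone_number"]].add(ev["user"])
    return {n: u for n, u in users_by_number.items() if len(u) > 1}


def unregistered_numbers(events, inventory):
    """Numbers seen in the MFA log that the inventory does not list for that user."""
    found = {(ev["user"], ev["phone_number"]) for ev in events
             if ev["phone_number"] not in inventory.get(ev["user"], set())}
    return sorted(found)


def device_sprawl(events, max_devices=2):
    """Users with more distinct devices than a reasonable primary + backup."""
    devices = defaultdict(set)
    for ev in events:
        devices[ev["user"]].add(ev["device_id"])
    return {u: sorted(d) for u, d in devices.items() if len(d) > max_devices}


def off_hours(events, start_hour=6, end_hour=22):
    """Approvals outside the working window (the 'logging in at 1am' pattern)."""
    return [(ev["user"], ev["timestamp"].isoformat()) for ev in events
            if not (start_hour <= ev["timestamp"].hour < end_hour)]


def phonecall_on_shared_numbers(events):
    """Phone-call approvals from a number shared across accounts: the voicemail-tone case."""
    shared = shared_numbers(events)
    return sorted({(ev["user"], ev["phone_number"]) for ev in events
                   if ev["factor"] == "phonecall" and ev["phone_number"] in shared})


def hunt(log_text, inventory):
    """Run every hunt and return the findings keyed by hunt name."""
    events = parse_log(log_text)
    return {
        "shared_numbers": shared_numbers(events),
        "unregistered": unregistered_numbers(events, inventory),
        "device_sprawl": device_sprawl(events),
        "off_hours": off_hours(events),
        "phonecall_on_shared": phonecall_on_shared_numbers(events),
    }


if __name__ == "__main__":
    for kind, hits in hunt(MFA_LOG, INVENTORY).items():
        print(kind, hits)
```

Each finding is a lead to cross-reference, not a verdict: the shared landline needs a conversation with the team that owns it, the unregistered numbers need a check against the support-ticket timeline, and the off-hours approvals are only interesting when they line up with devices nobody on the HR record has. The same grouping logic is what a saved search in a SIEM such as Splunk would express.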
[Applause] Even better than I expected, and that means a lot. So really, really good. Questions?
For hunting through your logs and stuff, do you use any automated tools? Is it just kind of whatever the vendors provided for that, or did you write some scripts or something to flag some of these interesting cases that might happen frequently?

Yeah, so I've written and set up plays, like if you have a playbook and stuff, writing up a bunch of Splunk queries, or some queries that will go through and find certain things.
Thanks for a great talk. When the MFA that you have is not for the employees of the organization but for your customers, like financial companies and stuff like that, do you think any of these analyses can be applicable to this situation?

Yeah, I think they could. If you were to have those logs, it might be interesting to see if there are any customers sharing information. I would think maybe with a financial situation there, if there's any sort of fraud going on, like maybe you have one phone on multiple users' accounts, there could be a situation of fraud going on
there with customers.

Thank you. Thanks for your talk. So many of your examples showed that if we weren't using telephone PSTN as a second factor authenticator, these examples just wouldn't exist. Sure, there's a cost associated with issuing a hardware authenticator, but it seems like your time, or you know, the time of the IT people and the risk of loss, would subsume the cost of those authenticators. Why can't we get away from that?

That is a fantastic question. I don't know, like, why are the vendors still producing
those sort of things? And I guess I was supposed to ask you who you are as well.

Yeah, Jim, you need to say who you are.

I am Jim Fenton. I'm a contractor; I work with NIST on user authentication guidelines.

Okay, cool. Yes, please update the guidelines, get rid of phones.
Jim has talked at PasswordsCon before, and he's one of those with his name on the SP 800-63B. Yeah, so, more questions?
What kind of training do we give users to educate them without getting too nitty-gritty, or revealing security flaws in an existing system? How do we make that practical?

Yeah, some of the vendors do have some education, like when you first roll it out, and I think they are getting better at education packages that you can use, like mail campaigns and things like that. Probably just being a little bit transparent without making them too curious.

Yeah, you had several examples in here, some of them crazier than others. What's the sort of craziest thing you've ever found? War stories from reality?

Yeah, some of those were not reality at
all, and then some of them were, and I'm just going to leave that up to the imagination which ones were real and which ones weren't. Protect the innocent, maybe.

I think it's time for me to do one of my stories, which is for real. I've told this one, I've included this in talks before, but there might be new people here as well. And this story is something that I did as a pen tester doing password cracking many years ago, in a galaxy far, far away. And it's also very interesting to see how social and cultural differences play a role when I tell a story. Because, together with a friend of mine, we
did a penetration test and we cracked the passwords of a lot of people. And there's a vista for you here, Susan.

All right, so we had a really lovely... this one, yep, can you hear me? Yeah. We had a really lovely speaker request for all of the staff and volunteers at BSides to be excellent to each other, so that we could be excellent to all the other participants. So with that in mind, it really touched us, and we'd like to present you with something as a result.
Cool.
Thank you, Demon. Yeah.
So, to continue my story: we were able to crack the passwords of approximately 5,000 people. That was easy, Windows, a long time ago. And then we also found a Windows directory where we found pictures of all these people, like headshots being used for physical access cards. And this wasn't part of our assignment, but we had an evening where we were drinking beer, and I can't remember today who came up with the idea, but the idea was pretty simple: do you think men or women have the best passwords? So we had 5,000 pictures and we had 5,000 passwords. We put everything into a database, and then we spent a couple of days,
two guys, analyzing pictures. And we looked at gender, which I should say is fairly easy to identify from pictures. We also identified if the person in the picture was using glasses and used that as a thing we could check for. We also looked at hair color, including no hair, or gray or brown or black, and also facial hair. And when we had done that to 5,000 pictures, we could do queries into the database. And what did we find? Number one: we found that women prefer length.
Some people don't dare laugh, and mainly it is men laughing; there might be a few women as well. But this is about passwords. So we found that women on average had longer passwords than men. We also found that men prefer a wider selection in characters: they used more different letters from the alphabet than special characters, and so on. And in Norway, at least in our culture, it's the thing that, and I'm sorry to say this, blonde women are supposed to be just a little bit more stupid than everybody else. But blonde women didn't have the worst passwords. The worst passwords belonged to males that go into the category of Unix guru, and that is a category we had to create
based on hairstyle and beard style, so you can imagine the rest. They had the absolute worst passwords. And now the end of the joke: the type of person with the best passwords were women with red hair, and that is something I just cannot understand, due to my ex-wife being a redhead. And with that, thank you. Our next talk will be at three o'clock, so be back then. Thank you.