Google-Jacking: A Review of Google 2-Factor Authentication
Craig Young
Security B Sides, San Francisco, USA 2013
Look Who's Talking

Talk Overview
• Defining 2-Factor Authentication (2FA)
• Defining 2-Step Verification (2SV)
• diff -Burp 2FA 2SV # Compare & Contrast
• Attacking Application-Specific Passwords
• DEMO: Do androids dream of übertokens?
• TODO: Making 2SV Better
Define: 2-Factor Authentication

man 2SV
• 2SV is Google's 2FA branding
• Phone becomes the 'something you have'
- STEP 1 – Log in with account password
- STEP 2 – Enter code from phone
• Application-Specific Passwords (ASPs)
- Used for 3rd party & legacy support
- 16 lowercase letters
- Limited by application (in theory anyway)
$ diff -Burp 2FA 2SV
Authentication Credentials                 2FA    2SV
Something you have + Something you know     ♦      ♦
Something you know                                 ♦
Something you have                                 ♦
Bottom Line?
2FA enhances security by compromising convenience
2SV enhances security but only when it is convenient
Attacking Application-Specific Passwords
• Are ASPs the Achilles heel of 2SV?
1. ASPs are all powerful
2. ASP revocation is broken
3. ASPs increase the risk of token attacks
4. Google recommends saving ASPs
ASPs Provide Full Account Access
Google attempts to restrict browser-based ASP use:
Android browser auto sign-in bypasses this restriction:
HOWTO: punting the intruder
Recovery Measure Tested                       Result
Revoke application-specific passwords         No effect on logged in intruder
'Sign out all other sessions' from Gmail      No effect on logged in intruder
Revoke 'Android Login Service'                Androids must re-authenticate
Change account password                       Androids must re-authenticate
Recommended Procedure:
STEP 1: Revoke all ASPs
STEP 2: Change account password
STEP 3: Verify account settings
Android Apps Can Generate ASPs
• Pay attention to permissions!
• Apps with root can directly access accounts.db
• ASPs are backdoors by design
There's An App For That
• Privacy advisors don't look at token related permissions
• Far too many apps have the ability to request tokens
Auditing the ASP Auditing
ASPs added and removed in the same activity period are not reported!
Check "Remember Password"

What could go wrong?
• Saving passwords gives attackers an edge
- OS X Keychain can be dumped
• Pidgin (chat) doesn't bother to use crypto
- Most applications provide limited protection
DEMO!
TODO: Ditch ASPs
• Ideal Solution:
- ASPs are no longer part of 2SV
- Use account password + time-based code
• Quick Fix:
- Force authentication when generating ASPs
- Allow users to disable ASP creation
TODO: Fix ASP Revocation
• Ideal Solution:
- Tokens should be revoked along with the ASP
- Requires tokens & ASPs to be related
• Quick Fix:
- Treat ASP removal like a password change
- All sessions are forced to authenticate again
TODO: Make ASPs Application Specific
NO MORE ANDROID LOGIN WITH ASP!
• Explicit ASP Model:
- Specify allowed services for an ASP
- Limits abuse of compromised ASPs
• Implicit ASP Model:
- Restrict the ASP to the 1st application using it
TODO: Lock Down Auto Sign-In
• Require a password to enable auto sign-in
• Don't allow auto sign-in for account settings
• Allow disabling auto sign-in at an account level
TODO: ASP Auditing
• Audit how and when an ASP is used
• 'Access type: Mobile' is too vague
• ASP name in the activity screen would help
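The three TODO slides on ASPs (fix revocation, make ASPs application specific, ASP auditing) and the "Auditing the ASP Auditing" finding describe one design. The model below is an added example of that design, written for this page and not Google's implementation: re-authentication before an ASP is minted, an explicit per-ASP service list, sessions that remember which ASP opened them so revoking the ASP ends them, and an event-based audit log contrasted with the start/end snapshot report that misses an ASP added and removed inside one period. Names (Account, Asp, the event tuples) are hypothetical.

```python
"""Application-specific password (ASP) model with the deck's proposed fixes.
Added example; the class and event names are assumptions, not Google's API."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

ASP_ALPHABET = string.ascii_lowercase   # deck: an ASP is 16 lowercase letters
ASP_LENGTH = 16


def _derive(plaintext, salt):
    # Slow salted hash so a dumped ASP store does not yield usable ASPs.
    return hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 50_000)


@dataclass
class Asp:
    asp_id: str
    name: str
    allowed_services: frozenset
    salt: bytes
    key: bytes
    revoked: bool = False


class Account:
    def __init__(self, user):
        self.user = user
        self.asps = {}       # asp_id -> Asp
        self.sessions = {}   # session_id -> asp_id that opened it
        self.audit = []      # append-only event log: (event, asp_id, detail)

    def create_asp(self, name, allowed_services, reauthenticated):
        # "Force authentication when generating ASPs": no fresh password, no ASP.
        if not reauthenticated:
            raise PermissionError("re-authentication required to create an ASP")
        plaintext = "".join(secrets.choice(ASP_ALPHABET) for _ in range(ASP_LENGTH))
        salt = secrets.token_bytes(16)
        asp_id = secrets.token_hex(4)
        self.asps[asp_id] = Asp(asp_id, name, frozenset(allowed_services),
                                salt, _derive(plaintext, salt))
        self.audit.append(("asp_created", asp_id, name))
        return asp_id, plaintext   # plaintext is shown once and never stored

    def login_with_asp(self, plaintext, service):
        """Explicit ASP model: the ASP only works for the services it was
        created for, so a leaked mail ASP cannot reach account settings."""
        for asp in self.asps.values():
            if asp.revoked:
                continue
            if not hmac.compare_digest(asp.key, _derive(plaintext, asp.salt)):
                continue
            if service not in asp.allowed_services:
                self.audit.append(("asp_denied", asp.asp_id, service))
                return None
            sid = secrets.token_hex(8)
            self.sessions[sid] = asp.asp_id   # the session is tied to its ASP
            self.audit.append(("asp_login", asp.asp_id, service))
            return sid
        self.audit.append(("asp_failed", None, service))
        return None

    def revoke_asp(self, asp_id):
        """Tokens/sessions are revoked along with the ASP, because they are related."""
        self.asps[asp_id].revoked = True
        killed = [sid for sid, a in self.sessions.items() if a == asp_id]
        for sid in killed:
            del self.sessions[sid]
        self.audit.append(("asp_revoked", asp_id, len(killed)))
        return killed

    def active_asp_ids(self):
        return {a.asp_id for a in self.asps.values() if not a.revoked}

    def snapshot_report(self, ids_at_period_start):
        """The flawed approach the deck found: diffing the ASP list at the
        start and end of a period hides an ASP added and removed inside it."""
        now = self.active_asp_ids()
        return sorted(now - ids_at_period_start), sorted(ids_at_period_start - now)

    def event_report(self):
        """Event-based audit with the ASP name, so nothing is lost."""
        return [(e, asp_id, self.asps[asp_id].name)
                for e, asp_id, _ in self.audit if e in ("asp_created", "asp_revoked")]
```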
How to Protect Yourself
1. Android is a logged in browser session
• Use caution when sharing your device
• Consider unlinking your Google account when traveling
• Watch app permissions closely (guard your tokens)
• Use a strong password (Lock screen widgets FTW)
2. Don't save ASPs without encryption
3. Monitor ASPs & change your passwords
[Screenshot: Android 4.2 Lock Screen Dialer Widget]
Concluding Remarks
• 2SV is vulnerable-by-design
• 2SV increases risk from token-based attacks
• Android + 2SV reduces security
• ASPs are a bad idea
- Password + OTP code makes security in 1-step
- Let users decide whether ASPs are allowed
Disclosure Timeline
1. 11/26/12-11/30/12 – Multiple 2SV/ASP issues reported to Google
2. 12/5/12 – Confirmation of reported behavior as known issues
3. 1/11/13 – Google notified of BSides SF CFP submission
4. 2/18/13 – Account Activity Logic Error Reported to Google
5. 2/22/13 – Fix details received (Re-auth requirement implemented)
6. 2/24/13 – BSides presentation
7. 2/25/13 – ASP revocation fix begins to roll out
Questions?
For more information about enterprise risk management or Google 2-step verification:
• Visit nCircle RSA booth 1023
• Check out the nCircle VERT blog: http://vert.ncircle.com
• Follow @craigtweets