An in-depth look at Facebook's easy-to-use internal multi-factor authentication deployment. We will discuss our motivations, how our solution works, technical and security trade-offs, deployment problems, and outstanding issues.
Bio Chad Greene:
A security manager at Facebook, Chad Greene focuses on security engineering, intrusion detection and incident response at scale. Protecting user data for over 1 billion active users of the social network, his teams are responsible for building creative security solutions that balance rapid growth and innovation with a strong security posture. Prior to Facebook, for more than seven years Chad worked at eBay, where he worked on solving product security and security operations challenges. Chad holds a Bachelor's degree in Management Information Systems from The University of Notre Dame.
11. Goal: Protect against remote attackers
• Disrupt Lateral Movement phase
• Ensure local user is at keyboard
• Limit origin of illegitimate SSH access
Non-goal: Protect against local attackers
Why 2Fac for SSH?
Tuesday, October 1, 13
27. • Add details about what the user is doing
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
sshd[27587]: User child is on pid 27589
sshd[27589]: Exec Request for user twt with command uname -a
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
sshd[8540]: User child is on pid 8548
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
sshd[8548]: Shell Request for user twt
sshd[8548]: Received disconnect from ::1: 11: disconnected by user
Improving SSH Logs: First Attempt
28. • Add details about what the user is doing
• Problem: requires multiple log lines with different PIDs for analysis
Improving SSH Logs: First Attempt
29. • Add sessionization data to SSH logs
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
Sessionizing SSH Logs