Hacking Multifactor Authentication
Paperback by Roger A Grimes
Language: English

40,15 €*

incl. VAT

Free shipping by post / DHL

Delivery time 1-2 weeks

Description

"A thoughtful demonstration that, like all security technologies, MFA is not a panacea."
- BRUCE SCHNEIER

"Roger provides example after example that there is no silver bullet computer security defense. MFA alone will not protect you against sophisticated adversaries. The real problems behind computer security involve people and making the appropriate risk decisions."
- KEVIN MITNICK

DISCOVER THE STRENGTHS AND WEAKNESSES OF MULTI-FACTOR AUTHENTICATION

So-called "experts" point to multifactor authentication (MFA) as the solution to most hacks and breaches. But, far from being the unhackable, off-the-shelf panacea they're widely touted to be, MFA systems require careful planning and design in order to be properly secured and not fall prey to the dozens of real-world MFA vulnerabilities Roger A. Grimes details in Hacking Multifactor Authentication.

Administrators and users of multifactor authentication systems will learn that all MFA systems can be hacked, most in at least five different ways. Anyone telling you MFA can't be hacked is either trying to sell you something or naïve. Either way, you'll want to avoid their advice.

You'll learn how to mitigate the most common MFA security loopholes to prevent bad actors from accessing your systems. Readers will learn to quickly and comprehensively evaluate their own MFA solutions to assess their vulnerability to the known hacking methods.

This book provides real-world example MFA hacks and the practical strategies to prevent them. Perfect for CISSPs, CIOs, CISOs, and penetration testers, Hacking Multifactor Authentication also belongs on the bookshelves of any information security professional interested in creating or improving their MFA security infrastructure. Learn:

- How MFA works behind the scenes and how to hack it
- The strengths and weaknesses of different MFA types
- How to develop or pick a more secure MFA solution
- How to select the best MFA for your environment out of the hundreds available

About the Author

ROGER A. GRIMES is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor.

Table of Contents

Introduction xxv

Who This Book is For xxvii

What is Covered in This Book? xxvii

MFA is Good xxx

How to Contact Wiley or the Author xxxi

Part I Introduction 1

1 Logon Problems 3

It's Bad Out There 3

The Problem with Passwords 5

Password Basics 9

Identity 9

The Password 10

Password Registration 11

Password Complexity 11

Password Storage 12

Password Authentication 13

Password Policies 15

Passwords Will Be with Us for a While 18

Password Problems and Attacks 18

Password Guessing 19

Password Hash Cracking 23

Password Stealing 27

Passwords in Plain View 28

Just Ask for It 29

Password Hacking Defenses 30

MFA Riding to the Rescue? 31

Summary 32

2 Authentication Basics 33

Authentication Life Cycle 34

Identity 35

Authentication 46

Authorization 54

Accounting/Auditing 54

Standards 56

Laws of Identity 56

Authentication Problems in the Real World 57

Summary 58

3 Types of Authentication 59

Personal Recognition 59

Knowledge-Based Authentication 60

Passwords 60

PINS 62

Solving Puzzles 64

Password Managers 69

Single Sign-Ons and Proxies 71

Cryptography 72

Encryption 73

Public Key Infrastructure 76

Hashing 79

Hardware Tokens 81

One-Time Password Devices 81

Physical Connection Devices 83

Wireless 87

Phone-Based 89

Voice Authentication 89

Phone Apps 89

SMS 92

Biometrics 92

FIDO 93

Federated Identities and APIs 94

OAuth 94

APIs 96

Contextual/Adaptive 96

Less Popular Methods 97

Voiceover Radio 97

Paper-Based 98

Summary 99

4 Usability vs Security 101

What Does Usability Mean? 101

We Don't Really Want the Best Security 103

Security Isn't Usually Binary 105

Too Secure 106

Seven-Factor MFA 106

Moving ATM Keypad Numbers 108

Not as Worried as You Think About Hacking 109

Unhackable Fallacy 110

Unbreakable Oracle 113

DJB 113

Unhackable Quantum Cryptography 114

We are Reactive Sheep 115

Security Theater 116

Security by Obscurity 117

MFA Will Cause Slowdowns 117

MFA Will Cause Downtime 118

No MFA Solution Works Everywhere 118

Summary 119

Part II Hacking MFA 121

5 Hacking MFA in General 123

MFA Dependency Components 124

Enrollment 125

User 127

Devices/Hardware 127

Software 128

API 129

Authentication Factors 129

Authentication Secrets Store 129

Cryptography 130

Technology 130

Transmission/Network Channel 131

Namespace 131

Supporting Infrastructure 131

Relying Party 132

Federation/Proxies 132

Alternate Authentication Methods/Recovery 132

Migrations 133

Deprovision 133

MFA Component Conclusion 134

Main Hacking Methods 134

Technical Attacks 134

Human Element 135

Physical 137

Two or More Hacking Methods Used 137

"You Didn't Hack the MFA!" 137

How MFA Vulnerabilities are Found 138

Threat Modeling 138

Code Review 138

Fuzz Testing 138

Penetration Testing 139

Vulnerability Scanning 139

Human Testing 139

Accidents 140

Summary 140

6 Access Control Token Tricks 141

Access Token Basics 141

Access Control Token General Hacks 142

Token Reproduction/Guessing 142

Token Theft 145

Reproducing Token Hack Examples 146

Network Session Hijacking Techniques and Examples 149

Firesheep 149

MitM Attacks 150

Access Control Token Attack Defenses 157

Generate Random, Unguessable Session IDs 157

Use Industry-Accepted Cryptography and Key Sizes 158

Developers Should Follow Secure Coding Practices 159

Use Secure Transmission Channels 159

Include Timeout Protections 159

Tie the Token to Specific Devices or Sites 159

Summary 161

7 Endpoint Attacks 163

Endpoint Attack Risks 163

General Endpoint Attacks 165

Programming Attacks 165

Physical Access Attacks 165

What Can an Endpoint Attacker Do? 166

Specific Endpoint Attack Examples 169

Bancos Trojans 169

Transaction Attacks 171

Mobile Attacks 172

Compromised MFA Keys 173

Endpoint Attack Defenses 174

MFA Developer Defenses 174

End-User Defenses 177

Summary 179

8 SMS Attacks 181

Introduction to SMS 181

SS7 184

Biggest SMS Weaknesses 186

Example SMS Attacks 187

SIM Swap Attacks 187

SMS Impersonation 191

SMS Buffer Overflow 194

Cell Phone User Account Hijacking 195

Attacks Against the Underlying Supporting Infrastructure 196

Other SMS-Based Attacks 196

SIM/SMS Attack Method Summary 197

NIST Digital Identity Guidelines Warning 198

Defenses to SMS-Based MFA Attacks 199

Developer Defenses 199

User Defenses 201

Is RCS Here to Save Mobile Messaging? 202

Is SMS-Based MFA Still Better than Passwords? 202

Summary 203

9 One-Time Password Attacks 205

Introduction to OTP 205

Seed Value-Based OTPs 208

HMAC-Based OTP 209

Event-Based OTP 211

TOTP 212

Example OTP Attacks 217

Phishing OTP Codes 217

Poor OTP Creation 219

OTP Theft, Re-Creation, and Reuse 219

Stolen Seed Database 220

Defenses to OTP Attacks 222

Developer Defenses 222

Use Reliable and Trusted and Tested OTP Algorithms 223

OTP Setup Code Must Expire 223

OTP Result Code Must Expire 223

Prevent OTP Replay 224

Make Sure Your RNG is NIST-Certified or Quantum 224

Increase Security by Requiring Additional Entry Beyond OTP Code 224

Stop Brute-Forcing Attacks 224

Secure Seed Value Database 225

User Defenses 225

Summary 226

10 Subject Hijack Attacks 227

Introduction 227

Example Attacks 228

Active Directory and Smartcards 228

Simulated Demo Environment 231

Subject Hijack Demo Attack 234

The Broader Issue 240

Dynamic Access Control Example 240

ADFS MFA Bypass 241

Defenses to Component Attacks 242

Threat Model Dependency Abuse Scenarios 242

Secure Critical Dependencies 242

Educate About Dependency Abuses 243

Prevent One to Many Mappings 244

Monitor Critical Dependencies 244

Summary 244

11 Fake Authentication Attacks 245

Learning About Fake Authentication Through UAC 245

Example Fake Authentication Attacks 251

Look-Alike Websites 251

Fake Office 365 Logons 252

Using an MFA-Incompatible Service or Protocol 253

Defenses to Fake Authentication Attacks 254

Developer Defenses 254

User Defenses 256

Summary 257

12 Social Engineering Attacks 259

Introduction 259

Social Engineering Commonalities 261

Unauthenticated Communication 261

Nonphysical 262

Usually Involves Well-Known Brands 263

Often Based on Notable Current Events and Interests 264

Uses Stressors 264

Advanced: Pretexting 265

Third-Party Reliances 266

Example Social Engineering Attacks on MFA 266

Fake Bank Alert 267

Crying Babies 267

Hacking Building Access Cards 268

Defenses to Social Engineering Attacks on MFA 270

Developer Defenses to MFA 270

User Defenses to Social Engineering Attacks 271

Summary 273

13 Downgrade/Recovery Attacks 275

Introduction 275

Example Downgrade/Recovery Attacks 276

Alternate Email Address Recovery 276

Abusing Master Codes 280

Guessing Personal-Knowledge Questions 281

Defenses to Downgrade/Recovery Attacks 287

Developer Defenses to Downgrade/Recovery Attacks 287

User Defenses to Downgrade/Recovery Attacks 292

Summary 294

14 Brute-Force Attacks 295

Introduction 295

Birthday Attack Method 296

Brute-Force Attack Methods 297

Example of Brute-Force Attacks 298

OTP Bypass Brute-Force Test 298

Instagram MFA Brute-Force 299

Slack MFA Brute-Force Bypass 299

UAA MFA Brute-Force Bug 300

Grab Android MFA Brute-Force 300

Unlimited Biometric Brute-Forcing 300

Defenses Against Brute-Force Attacks 301

Developer Defenses Against Brute-Force Attacks 301

User Defenses Against Brute-Force Attacks 305

Summary 306

15 Buggy Software 307

Introduction 307

Common Types of Vulnerabilities 308

Vulnerability Outcomes 316

Examples of Vulnerability Attacks 317

Uber MFA Vulnerability 317

Google Authenticator Vulnerability 318

YubiKey Vulnerability 318

Multiple RSA Vulnerabilities 318

SafeNet Vulnerability 319

Login.gov 319

ROCA Vulnerability 320

Defenses to Vulnerability Attacks 321

Developer Defenses Against Vulnerability Attacks 321

User Defenses Against Vulnerability Attacks 322

Summary 323

16 Attacks Against Biometrics 325

Introduction 325

Biometrics 326

Common Biometric Authentication Factors 327

How Biometrics Work 337

Problems with...

Details
Year of publication: 2020
Subject area: Data communication, networks & mailboxes
Genre: Imports, Computer science
Section: Natural sciences & technology
Medium: Paperback
Contents: 576 pages
ISBN-13: 9781119650799
ISBN-10: 1119650798
Language: English
Binding: Paperback / softcover
Author: Grimes, Roger A
Manufacturer: Wiley
Responsible person for the EU: Wiley-VCH GmbH, Boschstr. 12, D-69469 Weinheim, amartine@wiley-vch.de
Dimensions: 232 x 186 x 29 mm
By: Roger A Grimes
Publication date: 27.10.2020
Weight: 0,938 kg
Item ID: 117497897