Authentication attacks.

In this lesson, we are going to talk about authentication attacks and what you can do to prevent them. We're going to talk about things like spoofing, man-in-the-middle, password spraying, credential stuffing, and broken authentication, as well as several others.

Now, when we talk about spoofing, this is a software-based attack where the goal is to assume the identity of a user, a process, an address, or other unique identifier. Spoofing is used a lot to try to bypass authentication and be able to present yourself as if you're somebody else.

Now, one of the things attackers love to try is the man-in-the-middle attack. A man-in-the-middle attack, or MitM, is an attack where the attacker sits between two communicating hosts and transparently captures, monitors, and relays the communications between those hosts. We've talked about a man-in-the-middle before, but essentially, if you're on a wireless network, somebody could be sniffing the air, capturing those packets, and then being a man-in-the-middle. They can capture what's being said. Now, they put themselves directly in the middle of the communication: you might be connecting to them, and they would be connecting to the server, and they're listening to everything you say. They can capture it, monitor it, and relay it right on, or they could even modify it if they wanted to.

Now, a variation on this is what's known as a man-in-the-browser, or MitB. This is an attack that intercepts the API calls between the browser process and its DLLs. And so, if you're attacking the network, between two clients or between a client and a server, you're a man-in-the-middle. If you're using the browser to do it, you're a man-in-the-browser.

Now, one of the things that people love to try to do is break passwords, because if they can get your password, they can own your system, right? Well, let's talk about the way passwords work for a moment. This will be a quick review from Security+. Now, when you take a password and you go to store it, do you store it in the database as the word "password"? No, you actually hash it first. So, it's going to be an MD5 hash or a SHA1 hash or a SHA256 hash, and it's going to be stored in that database as that hash. So, nobody knows what that actual password is. Not even the system administrator, in theory. Now, this means that that password cannot be recovered, because you can't go from the hash back to the original. So, when the user chooses that password, we're going to make sure we hash it using that cryptographic function any time we store it to our database. This will help protect our users inside of our web applications.

Now, even though we do that, a lot of people are still going to try to guess your password. There are a lot of different ways that they try to do this, and one of the most common is what's known as an online password attack. This involves somebody simply trying to guess what your password is and entering it directly into the service. Think about it this way: I want to log in to Facebook as if I was you. I know your username because it's tied to your email. So, I type in your email address and I start typing in passwords and hitting login. Each time I do that, I'm doing an online password attack. I'm guessing passwords over and over and over again until I get in. Now, this is the idea of how you can do an online password attack.

Now, how can you, as an analyst, identify that that's what's going on? Well, you can look at the logs. If you look at your audit logs, you should see something that looks like this. Here, somebody was trying to log in as Jason. They tried at 19:12 using the word p@$$w0rd. Then they tried at 19:13 using p@$$1234. Then they tried at 19:14, puppy123; 19:15, cupcake@#; 19:16, admin; 19:17, admin123. And so, this is an example of what you see when somebody is trying to do an online password attack. They're basically going in and logging in as if they were you, just like you would, except they're using the wrong password because they don't know yours yet. This can be useful if you know the person, and if you're an attacker who has some knowledge about that person and can try to guess something that they might be thinking. But otherwise, it's a pretty inefficient way of doing it.

Now, to prevent this type of attack from happening, there are really a couple of things you can do. You can restrict the number or the rate of login attempts to prevent these online password attacks. So, you can lock the account after three incorrect attempts, where they have to reset their password or contact security. That would be one way to do it. Or you could say you can only log in three times; if you get it wrong, you have to wait 20 minutes and then it would reset again. That's limiting the rate of it. And so, these are different ways that you can do this.

Now, another way that people would try to break into your password is by doing password spraying. This is a brute-force type of attack in which multiple user accounts are tested with a dictionary of common passwords. So, here's an example of this, going from 19:12 to 19:17 again. Notice the first two attempts were against Jason. They tried p@$$w0rd and p@$$123. The second two attempts were against Tim, using, again, p@$$w0rd and p@$$123. The third attempt was against Tamera: p@$$w0rd and p@$$123. Notice the difference here. We have groupings of the same passwords, which are common words from a dictionary, being tried over and over again against different accounts. This makes it password spraying instead of an online password attack.

Now, the last one we're going to talk about here is credential stuffing. Credential stuffing is another type of brute-force attack. In this one, they're going to take stolen user account names and passwords and test them against multiple websites. So, let's say there was a news story that there was a new data breach, and Facebook got hacked, and now all of Facebook's usernames and passwords are known. So, everybody knows what the usernames are, which are emails, and the passwords. Now, Facebook is going to make everybody go in and change their passwords, right? So, you're not going to be able to get back into Facebook, but they could take that username and password and try it on Gmail or Yahoo or MSN or some other website. And by going across different websites, you can try doing this credential stuffing because, you know, it was a valid username and password on one system, so it may be on others, because people tend to reuse their usernames and passwords. So, how do you prevent credential stuffing? Well, credential stuffing can be prevented by not reusing passwords across these different websites.

Now, the next thing we want to talk about is broken authentication. Broken authentication is a software vulnerability where the authentication mechanisms allow the attacker to gain entry. Essentially, the coders did a really bad job. Now, when this happens, you can have bad things happen, like displaying clear-text credentials, using weak session tokens, or permitting brute-force login requests. Now, what causes these types of things? Well, weak password credentials, for one. Let's say you built a system and you said all passwords will be four digits long. That's a pretty weak system. There's only a thousand variations. So, people could brute-force their way in.

Another thing that would happen is if you had weak password reset methods. So, you're going to use something like knowledge factors that are tied to things that people could easily look up. What is your birthday? Where were you born? What state are you registered to vote in? These are all weak things, because most of this information is stuff you can find online about people. So, we wouldn't want to use those types of things.

Next, you have credential exposure. Credential exposure is when the app actually exposes the credentials or the authentication tokens to somebody who's in the middle, so if we have a man-in-the-middle. Now, this is really bad, because a lot of applications will hard-code credentials into the application, or they're not using encryption, so they're sending things across the network in plain text, or they're using weak encryption. And so, because of using weak encryption, it can be cracked. These are all things that can lead to this credential exposure.

And then, finally, we have session hijacking. This is when the application is vulnerable to session hijacking because maybe you're using session keys that just aren't really strong and they're really easy to guess. And so, that's an easy way for people to guess that session, jump into it, hijack it, and then get the information they want.
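As an added example (not part of the lecture), here is how an analyst could encode the two log patterns described above, many guesses against one account versus the same few guesses spread across many accounts, together with the lecture's lockout and 20-minute rate-limit rule. The "HH:MM LOGIN_FAILED user=<name>" log format, the thresholds and the sample lines are constructed assumptions, not from any real product.

```python
"""Classify a burst of failed logins as an online password attack (many guesses
against one account) or password spraying (a few guesses against many accounts),
and apply the lecture's lockout rule. Log format and thresholds are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit-log lines in an assumed "HH:MM LOGIN_FAILED user=<name>" format.
# Only the account and time are logged; real systems should never log the password tried.
ONLINE_ATTACK_LOG = [f"19:1{m} LOGIN_FAILED user=jason" for m in range(2, 8)]  # 19:12..19:17
SPRAY_LOG = [
    "19:12 LOGIN_FAILED user=jason", "19:13 LOGIN_FAILED user=jason",
    "19:14 LOGIN_FAILED user=tim", "19:15 LOGIN_FAILED user=tim",
    "19:16 LOGIN_FAILED user=tamera", "19:17 LOGIN_FAILED user=tamera",
]

LOCKOUT_THRESHOLD = 3           # lecture: lock after three incorrect attempts
WINDOW = timedelta(minutes=20)  # lecture: wait 20 minutes before the counter resets

def parse(lines):
    """Return (time, user) pairs for every LOGIN_FAILED line; other lines are ignored."""
    events = []
    for line in lines:
        stamp, status, field = line.split()
        if status == "LOGIN_FAILED":
            events.append((datetime.strptime(stamp, "%H:%M"), field.split("=", 1)[1]))
    return events

def classify(lines):
    """Label the failures inside one WINDOW from the first event."""
    events = parse(lines)
    if not events:
        return "normal"
    start = min(t for t, _ in events)
    per_user = Counter(u for t, u in events if t - start <= WINDOW)
    # One account hammered past the lockout threshold: a single-target online attack.
    if any(n >= LOCKOUT_THRESHOLD for n in per_user.values()):
        return "online_password_attack"
    # Many accounts, each kept under the threshold, is the spraying signature.
    if len(per_user) >= 3 and sum(per_user.values()) >= LOCKOUT_THRESHOLD:
        return "password_spraying"
    return "normal"

def login_allowed(lines, user, now_hhmm):
    """Rate limit: deny while the user has >= LOCKOUT_THRESHOLD failures in the last WINDOW."""
    now = datetime.strptime(now_hhmm, "%H:%M")
    recent = [u for t, u in parse(lines) if u == user and timedelta(0) <= now - t <= WINDOW]
    return len(recent) < LOCKOUT_THRESHOLD
```

The spraying branch fires precisely because each account stays under the per-account lockout, which is why a per-user counter alone never sees it.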