Spoofing your Identity
Breaking Self Service Security Mechanisms
IT-SeCX 2016, 04/11/2016
@slashcrypto
~$ id
• David Wind
• Bachelor's degree in IT Security from the University of Applied Sciences St. Pölten
• Currently studying for a Master's in Information Security
• Working for XSEC in Vienna (mainly doing pentesting)
• Privacy enthusiast and bug bounty hunter
“Self Service Security Mechanisms”
© by slashcrypto
Self Service Security Mechanisms
• Password reset
  – Email
  – Voice call, SMS
  – Security question
• 2 Factor Authentication
• ...
Basically everything that can be used to identify you without the need for a human.
Bugs affecting SSSM
Facebook Password Reset PIN Bruteforce
● 6-digit PIN via SMS or Email
● Rate limiting on facebook.com
  – Blocked after 10-12 attempts
● No rate limiting on beta.facebook.com and mbasic.beta.facebook.com
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
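The lesson of this slide is that the attempt limit has to be enforced where the PIN is stored, not per front-end host. The following is an added example (not code from the slides or from Facebook) of a server-side PIN store in which the counter lives next to the PIN, so every front end that calls verify() shares one limit; MAX_ATTEMPTS, PIN_TTL_S and the account names are values chosen for this example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # policy value chosen for this example
PIN_TTL_S = 10 * 60       # a PIN is valid for ten minutes


class ResetPinStore:
    """Server-side state for password-reset PINs, keyed by account.

    The attempt counter is stored together with the PIN, so every front end
    (www, beta, mbasic, ...) that calls verify() shares the same limit; there
    is no host on which the counter is missing."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable for testing
        self._records = {}                 # account -> {"pin", "attempts", "issued_at"}

    def issue(self, account):
        """Create a fresh 6-digit PIN and return it for delivery by SMS/e-mail.

        It replaces any earlier PIN for the account and resets the counter, so
        issue() itself must be rate limited per account as well (not shown)."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._records[account] = {"pin": pin, "attempts": 0, "issued_at": self.clock()}
        return pin

    def verify(self, account, candidate):
        """Check one guess. Returns ok, wrong, locked, expired or no_request."""
        rec = self._records.get(account)
        if rec is None:
            return "no_request"
        if self.clock() - rec["issued_at"] > PIN_TTL_S:
            del self._records[account]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            # Too many guesses: invalidate the PIN even if this guess is right,
            # so the attacker gains nothing from the final attempt.
            del self._records[account]
            return "locked"
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if hmac.compare_digest(rec["pin"].encode(), candidate.encode()):
            del self._records[account]     # single use
            return "ok"
        return "wrong"
```

With 10^6 possible PINs and no limit, an attacker needs at most a million requests; with a shared limit of five attempts per issued PIN the success probability per reset request drops to 5 in a million, which is why the counter must not be something a different hostname can sidestep.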
Ebay Password Reset Vulnerability
● Attacker initiates password reset
● Ebay leaks “secret” token to attacker
What could possibly go wrong?!
http://yasserali.com/how-i-could-change-your-ebay-password/
Sequence diagram (participants: Alice, Ebay, Mallory):
1. Forgot password
2. Username/Email
3. Password reset link
4. Alice clicks link
5. Mallory intercepts request and saves “secret” token
6. Mallory changes password
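The flow above fails because the reset secret reaches a party other than the account owner. As an added example (not code from the slides or from Ebay), here is a reset flow in which the token is generated server-side, stored only as a hash, delivered only to the registered address, consumed on first use and bounded by a lifetime; the initiator's response carries nothing that authorises the reset. The user store, the send_mail callback, the example.test URL and TOKEN_TTL_S are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_S = 30 * 60    # a reset link is valid for thirty minutes (example value)


def hash_password(password, salt=None):
    """PBKDF2 with a random salt; returns 'salt$hash' for storage."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 200_000)
    return f"{salt}${digest.hex()}"


class PasswordResetService:
    """Password reset where the secret token is only ever sent to the account's
    registered e-mail address. Whoever initiated the reset (Alice or Mallory)
    gets the same generic response and nothing else."""

    def __init__(self, users, send_mail, clock=time.time):
        self.users = users            # email -> {"password_hash": ...}
        self.send_mail = send_mail    # callable(to_address, body): constructed mail hook
        self.clock = clock
        self._pending = {}            # sha256(token) -> (email, issued_at)

    def request_reset(self, email):
        # Identical response whether or not the account exists, so the
        # endpoint neither leaks the token nor enumerates accounts.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()   # store the hash only
            self._pending[key] = (email, self.clock())
            self.send_mail(email, f"https://example.test/reset?token={token}")
        return {"status": "if the account exists, an e-mail has been sent"}

    def complete_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)   # single use: consumed on first attempt
        if entry is None:
            return False
        email, issued_at = entry
        if self.clock() - issued_at > TOKEN_TTL_S:
            return False
        self.users[email]["password_hash"] = hash_password(new_password)
        return True
```

Because only the hash of the token is stored, a read of the pending table (logs, a database dump) does not yield usable reset links, and because the token is popped before validation, a second submission of the same link fails regardless of timing.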
What about Spoofing?
E-Mail Spoofing
sendEmail -f "[email protected]" -t [email protected] -u "Noten" -s mail.XXX.XXX -o tls=yes -xu [email protected] \
  -o message-header="From: Haag Johann <[email protected]>" -o reply-to="Haag Johann <[email protected]>" \
  -o message-file=email_haag.html -a noten.pdf
● The sender of an e-mail can be easily spoofed
  – Check the Sender Policy Framework (SPF) entry!
● Often used for spam – normally no impact on SSSM
Caller ID Spoofing
VOIP
VOIP (Business)
● Business phone services mostly use VOIP to manage calls
● Own phone service within the business
  – An open source Private Branch Exchange (PBX) (e.g. Asterisk) can be used
  – Direct inward dialing (DID) assigns every VOIP phone an individual phone number within a PBX
● VOIP made access to the phone network cheap and available for everyone
[Diagram: a business PBX with Phone1, Phone2 and Phone3 behind it, assigned the DID numbers 01555888-1, 01555888-2 and 01555888-3; the PBX connects under 01555888-0 to the PSTN, on whose side other phones (Phone1, PhoneX) are reached.]
[Diagram: the same PBX, but the number presented towards the PSTN for one call is now 01555777-7, a number outside the business's own 01555888-x range, while the internal phones still hold 01555888-1 to 01555888-3.]
There is one Problem ...
https://shubs.io/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/
Exploit Flow
● Enter phone number of the victim
● Request voice call
  – At the same time, call the victim so that the automated call gets redirected to the Voicemail
● Spoof Caller ID to access the victim's mailbox
● Profit
Another Password Reset Vulnerability
Reporting Timeline
● 26/09/2016 – Initial report
● 28/09/2016 – Response (won't fix)
● 28/09/2016 – Provided additional context due to the criticality of the issue
● 04/10/2016 – Accepted the issue – rolling out a fix
● 04/11/2016 – FIXED
What about Austrian Mobile Network Operators?
Voicemail Issues in Austria - TESTED
● A1 – Not vulnerable
  – Bob
  – Yess
● DREI – Not vulnerable
● T-Mobile – Vulnerable
  – Telering
  – HOT
  – S-Budget
T-Mobile Austria GmbH
Network operator | Provider | Brand
● T-Mobile Austria GmbH | ATK Telekom und Service GmbH | Allianz SIM
● T-Mobile Austria GmbH | AVIDO Telekommunikationsmanagement GmbH | Avido
● T-Mobile Austria GmbH | DIALOG telekom GmbH & Co KG | dialog
● T-Mobile Austria GmbH | HoT Telekom und Service GmbH | HoT
● T-Mobile Austria GmbH | LTK Telekom und Service GmbH | LIWEST Mobil
● T-Mobile Austria GmbH | Mundio Limited | Delight mobile
● T-Mobile Austria GmbH | Mundio Mobile Austria Limited | Vectone
● T-Mobile Austria GmbH | Russmedia IT GmbH | VOLmobile
● T-Mobile Austria GmbH | Tele2 Telecommunication GmbH | Tele2 Mobile
● T-Mobile Austria GmbH | T-Mobile Austria GmbH | T-Mobile
● T-Mobile Austria GmbH | T-Mobile Austria GmbH | tele.ring
● T-Mobile Austria GmbH | T-Mobile Austria GmbH | s-budget
Austrian mobile network operators - Q4 2015 (market share)
[Pie chart: A1 40.50%, T-Mobile 28.00%, Hutchison 27.90%, Others 3.60%]
~3.5 million users affected
Source: https://www.rtr.at/de/inf/KBericht2015/K-Bericht_2015.pdf
Possible Mitigations
● Set a Voicemail password
● Add user interaction before redirecting to Voicemail
  – “Press # if you want to hear the security code”
● Configure a long welcome message
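The second mitigation is the one a service that delivers codes by voice call controls itself. As an added example (not code from the slides or from any of the providers named), here is a small model of such a call: the code is read out only after the callee presses the acknowledgement key within a short window, so a call that is answered by a voicemail greeting, which never presses anything, hears a prompt and nothing else. The event model ("answered", "dtmf:<key>", "hangup"), ACK_WINDOW_S and MAX_DELIVERIES are constructed for this example.

```python
import secrets

ACK_KEY = "#"            # key the callee must press before the code is spoken
ACK_WINDOW_S = 15.0      # seconds allowed for that key press after the call is answered
MAX_DELIVERIES = 3       # how often one code may be delivered by voice at all


class VoiceCodeDelivery:
    """Delivers a security code over an automated voice call, but only after
    the answering party has pressed ACK_KEY. A mailbox that picks up the call
    receives the prompt in its recording and never the digits."""

    def __init__(self, code=None):
        self.code = code or f"{secrets.randbelow(10**6):06d}"
        self.deliveries = 0

    def prompt(self):
        return (f"This is an automated security call. Press {ACK_KEY} "
                "if you requested a security code.")

    def run_call(self, events):
        """Drive one call from a list of (seconds_since_dial, event) tuples.

        Events are a constructed model of the telephony side: "answered",
        "dtmf:<key>" and "hangup". Returns (outcome, spoken_lines)."""
        if self.deliveries >= MAX_DELIVERIES:
            return "refused", []
        spoken = []
        answered_at = None
        for t, event in events:
            if event == "answered":
                answered_at = t
                spoken.append(self.prompt())
            elif event == "hangup":
                break
            elif event.startswith("dtmf:") and answered_at is not None:
                on_time = t - answered_at <= ACK_WINDOW_S
                if event == f"dtmf:{ACK_KEY}" and on_time:
                    self.deliveries += 1
                    spoken.append(f"Your code is {' '.join(self.code)}.")
                    return "delivered", spoken
                # any other key, or a late key press, does not release the code
        spoken.append("No confirmation received. Goodbye.")
        return "not_delivered", spoken


def code_was_spoken(spoken, code):
    """Audit helper for a call transcript: True if the digits were read out."""
    return any(" ".join(code) in line for line in spoken)
```

With this gate in place the length of the victim's welcome message (the third mitigation) no longer decides whether the code lands in the recording, and the delivery cap bounds how often a code can be re-requested by voice for one attempt.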
Conclusion
● Mobile network security is poor (nothing new)
  – The Voicemail issue is still widespread
● Automated voice calls are a security risk regarding SSSM
● You should be aware that it is not too hard to spoof your identity
Q&A
@slashcrypto
slashcrypto.org for the slides