
E-book: Hacking Multifactor Authentication

4.32/5 (24 ratings by Goodreads)
  • Format: PDF+DRM
  • Publication date: 23-Sep-2020
  • Publisher: John Wiley & Sons Inc
  • Language: eng
  • ISBN-13: 9781119672340

DRM restrictions

  • Copying: not allowed
  • Printing: not allowed
  • E-book use:

    Digital Rights Management (DRM)
    The publisher has supplied this book in encrypted form, which means that free software must be installed to unlock and read it. To read this e-book you must create an Adobe ID. More information is available here. The e-book can be downloaded to 6 devices (one user with the same Adobe ID).

    Required software
    To read this e-book on a mobile device (phone or tablet), you must install this free app: PocketBook Reader (iOS / Android)

    To read this e-book on a PC or Mac, you need Adobe Digital Editions (a free program created specifically for e-books. It is not the same as Adobe Reader, which you probably already have on your computer.)

    You cannot read this e-book on an Amazon Kindle.

Protect your organization from scandalously easy-to-hack MFA security “solutions” 

Multi-Factor Authentication (MFA) is spreading like wildfire across digital environments. However, hundreds of millions of dollars have been stolen from MFA-protected online accounts. How? Most people who use multifactor authentication (MFA) have been told that it is far less hackable than other types of authentication, or even that it is unhackable. You might be shocked to learn that all MFA solutions are actually easy to hack. That’s right: there is no perfectly safe MFA solution. In fact, most can be hacked at least five different ways. Hacking Multifactor Authentication will show you how MFA works behind the scenes and how poorly linked multi-step authentication steps allow MFA to be hacked and compromised.

This book covers over two dozen ways that various MFA solutions can be hacked, including the methods (and defenses) common to all MFA solutions. You’ll learn about the various types of MFA solutions, their strengths and weaknesses, and how to pick the best, most defensible MFA solution for your (or your customers') needs. Finally, this book reveals a simple method for quickly evaluating your existing MFA solutions. If using or developing a secure MFA solution is important to you, you need this book.

  • Learn how different types of multifactor authentication work behind the scenes
  • See how easy it is to hack MFA security solutions—no matter how secure they seem
  • Identify the strengths and weaknesses in your (or your customers’) existing MFA security and how to mitigate them
Author Roger Grimes is an internationally known security expert whose work on hacking MFA has generated significant buzz in the security world. Read this book to learn what decisions and preparations your organization needs to take to prevent losses from MFA hacking.
Table of Contents

Introduction (p. xxv)
Who This Book Is For (p. xxvii)
What Is Covered in This Book? (p. xxvii)
MFA Is Good (p. xxx)
How to Contact Wiley or the Author (p. xxxi)

PART I Introduction (p. 1)

1 Logon Problems (p. 3)
  • It's Bad Out There (p. 3)
  • The Problem with Passwords (p. 5)
  • Password Basics (p. 5)
  • Identity (p. 9)
  • The Password (p. 9)
  • Password Registration (p. 11)
  • Password Complexity (p. 11)
  • Password Storage (p. 12)
  • Password Authentication (p. 13)
  • Password Policies (p. 15)
  • Passwords Will Be with Us for a While (p. 18)
  • Password Problems and Attacks (p. 18)
  • Password Guessing (p. 19)
  • Password Hash Cracking (p. 23)
  • Password Stealing (p. 27)
  • Passwords in Plain View (p. 28)
  • Just Ask for It (p. 29)
  • Password Hacking Defenses (p. 30)
  • MFA Riding to the Rescue? (p. 31)
  • Summary (p. 32)

2 Authentication Basics (p. 33)
  • Authentication Life Cycle (p. 34)
  • Identity (p. 35)
  • Authentication (p. 46)
  • Authorization (p. 54)
  • Accounting/Auditing (p. 54)
  • Standards (p. 56)
  • Laws of Identity (p. 56)
  • Authentication Problems in the Real World (p. 57)
  • Summary (p. 58)

3 Types of Authentication (p. 59)
  • Personal Recognition (p. 59)
  • Knowledge-Based Authentication (p. 60)
  • Passwords (p. 60)
  • PINs (p. 62)
  • Solving Puzzles (p. 64)
  • Password Managers (p. 69)
  • Single Sign-Ons and Proxies (p. 71)
  • Cryptography (p. 72)
  • Encryption (p. 73)
  • Public Key Infrastructure (p. 76)
  • Hashing (p. 79)
  • Hardware Tokens (p. 81)
  • One-Time Password Devices (p. 81)
  • Physical Connection Devices (p. 83)
  • Wireless (p. 87)
  • Phone-Based (p. 89)
  • Voice Authentication (p. 89)
  • Phone Apps (p. 89)
  • SMS (p. 92)
  • Biometrics (p. 92)
  • FIDO (p. 93)
  • Federated Identities and APIs (p. 94)
  • OAuth (p. 94)
  • APIs (p. 96)
  • Contextual/Adaptive (p. 96)
  • Less Popular Methods (p. 97)
  • Voiceover Radio (p. 97)
  • Paper-Based (p. 98)
  • Summary (p. 99)

4 Usability vs. Security (p. 101)
  • What Does Usability Mean? (p. 101)
  • We Don't Really Want the Best Security (p. 103)
  • Security Isn't Usually Binary (p. 105)
  • Too Secure (p. 106)
  • Seven-Factor MFA (p. 106)
  • Moving ATM Keypad Numbers (p. 108)
  • Not as Worried as You Think About Hacking (p. 109)
  • Unhackable Fallacy (p. 110)
  • Unbreakable Oracle (p. 113)
  • DJB (p. 113)
  • Unhackable Quantum Cryptography (p. 114)
  • We Are Reactive Sheep (p. 115)
  • Security Theater (p. 116)
  • Security by Obscurity (p. 117)
  • MFA Will Cause Slowdowns (p. 117)
  • MFA Will Cause Downtime (p. 118)
  • No MFA Solution Works Everywhere (p. 118)
  • Summary (p. 119)
PART II Hacking MFA (p. 121)

5 Hacking MFA in General (p. 123)
  • MFA Dependency Components (p. 124)
  • Enrollment (p. 125)
  • User (p. 127)
  • Devices/Hardware (p. 127)
  • Software (p. 128)
  • API (p. 129)
  • Authentication Factors (p. 129)
  • Authentication Secrets Store (p. 129)
  • Cryptography (p. 130)
  • Technology (p. 130)
  • Transmission/Network Channel (p. 131)
  • Namespace (p. 131)
  • Supporting Infrastructure (p. 131)
  • Relying Party (p. 132)
  • Federation/Proxies (p. 132)
  • Alternate Authentication Methods/Recovery (p. 132)
  • Migrations (p. 133)
  • Deprovision (p. 133)
  • MFA Component Conclusion (p. 134)
  • Main Hacking Methods (p. 134)
  • Technical Attacks (p. 134)
  • Human Element (p. 135)
  • Physical (p. 137)
  • Two or More Hacking Methods Used (p. 137)
  • "You Didn't Hack the MFA!" (p. 137)
  • How MFA Vulnerabilities Are Found (p. 138)
  • Threat Modeling (p. 138)
  • Code Review (p. 138)
  • Fuzz Testing (p. 138)
  • Penetration Testing (p. 139)
  • Vulnerability Scanning (p. 139)
  • Human Testing (p. 139)
  • Accidents (p. 140)
  • Summary (p. 140)

6 Access Control Token Tricks (p. 141)
  • Access Token Basics (p. 141)
  • Access Control Token General Hacks (p. 142)
  • Token Reproduction/Guessing (p. 142)
  • Token Theft (p. 145)
  • Reproducing Token Hack Examples (p. 146)
  • Network Session Hijacking Techniques and Examples (p. 149)
  • Firesheep (p. 149)
  • MitM Attacks (p. 150)
  • Access Control Token Attack Defenses (p. 157)
  • Generate Random, Unguessable Session IDs (p. 157)
  • Use Industry-Accepted Cryptography and Key Sizes (p. 158)
  • Developers Should Follow Secure Coding Practices (p. 159)
  • Use Secure Transmission Channels (p. 159)
  • Include Timeout Protections (p. 159)
  • Tie the Token to Specific Devices or Sites (p. 159)
  • Summary (p. 161)

7 Endpoint Attacks (p. 163)
  • Endpoint Attack Risks (p. 163)
  • General Endpoint Attacks (p. 165)
  • Programming Attacks (p. 165)
  • Physical Access Attacks (p. 165)
  • What Can an Endpoint Attacker Do? (p. 166)
  • Specific Endpoint Attack Examples (p. 169)
  • Bancos Trojans (p. 169)
  • Transaction Attacks (p. 171)
  • Mobile Attacks (p. 172)
  • Compromised MFA Keys (p. 173)
  • Endpoint Attack Defenses (p. 174)
  • MFA Developer Defenses (p. 174)
  • End-User Defenses (p. 177)
  • Summary (p. 179)

8 SMS Attacks (p. 181)
  • Introduction to SMS (p. 181)
  • SS7 (p. 184)
  • Biggest SMS Weaknesses (p. 186)
  • Example SMS Attacks (p. 187)
  • SIM Swap Attacks (p. 187)
  • SMS Impersonation (p. 191)
  • SMS Buffer Overflow (p. 194)
  • Cell Phone User Account Hijacking (p. 195)
  • Attacks Against the Underlying Supporting Infrastructure (p. 196)
  • Other SMS-Based Attacks (p. 196)
  • SIM/SMS Attack Method Summary (p. 197)
  • NIST Digital Identity Guidelines Warning (p. 198)
  • Defenses to SMS-Based MFA Attacks (p. 199)
  • Developer Defenses (p. 199)
  • User Defenses (p. 201)
  • Is RCS Here to Save Mobile Messaging? (p. 202)
  • Is SMS-Based MFA Still Better than Passwords? (p. 202)
  • Summary (p. 203)

9 One-Time Password Attacks (p. 205)
  • Introduction to OTP (p. 205)
  • Seed Value-Based OTPs (p. 208)
  • HMAC-Based OTP (p. 209)
  • Event-Based OTP (p. 211)
  • TOTP (p. 212)
  • Example OTP Attacks (p. 217)
  • Phishing OTP Codes (p. 217)
  • Poor OTP Creation (p. 219)
  • OTP Theft, Re-Creation, and Reuse (p. 219)
  • Stolen Seed Database (p. 220)
  • Defenses to OTP Attacks (p. 222)
  • Developer Defenses (p. 222)
  • Use Reliable and Trusted and Tested OTP Algorithms (p. 223)
  • OTP Setup Code Must Expire (p. 223)
  • OTP Result Code Must Expire (p. 223)
  • Prevent OTP Replay (p. 224)
  • Make Sure Your RNG Is NIST-Certified or Quantum (p. 224)
  • Increase Security by Requiring Additional Entry Beyond OTP Code (p. 224)
  • Stop Brute-Forcing Attacks (p. 224)
  • Secure Seed Value Database (p. 225)
  • User Defenses (p. 225)
  • Summary (p. 226)

10 Subject Hijack Attacks (p. 227)
  • Introduction (p. 227)
  • Example Attacks (p. 228)
  • Active Directory and Smartcards (p. 228)
  • Simulated Demo Environment (p. 231)
  • Subject Hijack Demo Attack (p. 234)
  • The Broader Issue (p. 240)
  • Dynamic Access Control Example (p. 240)
  • ADFS MFA Bypass (p. 241)
  • Defenses to Component Attacks (p. 242)
  • Threat Model Dependency Abuse Scenarios (p. 242)
  • Secure Critical Dependencies (p. 242)
  • Educate About Dependency Abuses (p. 243)
  • Prevent One to Many Mappings (p. 244)
  • Monitor Critical Dependencies (p. 244)
  • Summary (p. 244)

11 Fake Authentication Attacks (p. 245)
  • Learning About Fake Authentication Through UAC (p. 245)
  • Example Fake Authentication Attacks (p. 251)
  • Look-Alike Websites (p. 251)
  • Fake Office (p. 252)
  • Logons (p. 252)
  • Using an MFA-Incompatible Service or Protocol (p. 253)
  • Defenses to Fake Authentication Attacks (p. 254)
  • Developer Defenses (p. 254)
  • User Defenses (p. 256)
  • Summary (p. 257)

12 Social Engineering Attacks (p. 259)
  • Introduction (p. 259)
  • Social Engineering Commonalities (p. 261)
  • Unauthenticated Communication (p. 261)
  • Nonphysical (p. 262)
  • Usually Involves Well-Known Brands (p. 263)
  • Often Based on Notable Current Events and Interests (p. 264)
  • Uses Stressors (p. 264)
  • Advanced: Pretexting (p. 265)
  • Third-Party Reliances (p. 266)
  • Example Social Engineering Attacks on MFA (p. 266)
  • Fake Bank Alert (p. 267)
  • Crying Babies (p. 267)
  • Hacking Building Access Cards (p. 268)
  • Defenses to Social Engineering Attacks on MFA (p. 270)
  • Developer Defenses to MFA (p. 270)
  • User Defenses to Social Engineering Attacks (p. 271)
  • Summary (p. 273)

13 Downgrade/Recovery Attacks (p. 275)
  • Introduction (p. 275)
  • Example Downgrade/Recovery Attacks (p. 276)
  • Alternate Email Address Recovery (p. 276)
  • Abusing Master Codes (p. 280)
  • Guessing Personal-Knowledge Questions (p. 281)
  • Defenses to Downgrade/Recovery Attacks (p. 287)
  • Developer Defenses to Downgrade/Recovery Attacks (p. 287)
  • User Defenses to Downgrade/Recovery Attacks (p. 292)
  • Summary (p. 294)

14 Brute-Force Attacks (p. 295)
  • Introduction (p. 295)
  • Birthday Attack Method (p. 296)
  • Brute-Force Attack Methods (p. 297)
  • Example of Brute-Force Attacks (p. 298)
  • OTP Bypass Brute-Force Test (p. 298)
  • Instagram MFA Brute-Force (p. 299)
  • Slack MFA Brute-Force Bypass (p. 299)
  • UAA MFA Brute-Force Bug (p. 300)
  • Grab Android MFA Brute-Force (p. 300)
  • Unlimited Biometric Brute-Forcing (p. 300)
  • Defenses Against Brute-Force Attacks (p. 301)
  • Developer Defenses Against Brute-Force Attacks (p. 301)
  • User Defenses Against Brute-Force Attacks (p. 305)
  • Summary (p. 306)

15 Buggy Software (p. 307)
  • Introduction (p. 307)
  • Common Types of Vulnerabilities (p. 308)
  • Vulnerability Outcomes (p. 316)
  • Examples of Vulnerability Attacks (p. 317)
  • Uber MFA Vulnerability (p. 317)
  • Google Authenticator Vulnerability (p. 318)
  • YubiKey Vulnerability (p. 318)
  • Multiple RSA Vulnerabilities (p. 318)
  • SafeNet Vulnerability (p. 319)
  • Login.gov (p. 319)
  • ROCA Vulnerability (p. 320)
  • Defenses to Vulnerability Attacks (p. 321)
  • Developer Defenses Against Vulnerability Attacks (p. 321)
  • User Defenses Against Vulnerability Attacks (p. 322)
  • Summary (p. 323)

16 Attacks Against Biometrics (p. 325)
  • Introduction (p. 325)
  • Biometrics (p. 326)
  • Common Biometric Authentication Factors (p. 327)
  • How Biometrics Work (p. 337)
  • Problems with Biometric Authentication (p. 339)
  • High False Error Rates (p. 340)
  • Privacy Issues (p. 344)
  • Disease Transmission (p. 345)
  • Example Biometric Attacks (p. 345)
  • Fingerprint Attacks (p. 345)
  • Hand Vein Attack (p. 348)
  • Eye Biometric Spoof Attacks (p. 348)
  • Facial Recognition Attacks (p. 349)
  • Defenses Against Biometric Attacks (p. 352)
  • Developer Defenses Against Biometric Attacks (p. 352)
  • User/Admin Defenses Against Biometric Attacks (p. 354)
  • Summary (p. 355)

17 Physical Attacks (p. 357)
  • Introduction (p. 357)
  • Types of Physical Attacks (p. 357)
  • Example Physical Attacks (p. 362)
  • Smartcard Side-Channel Attack (p. 362)
  • Electron Microscope Attack (p. 364)
  • Cold-Boot Attacks (p. 365)
  • Snooping On RFID-Enabled Credit Cards (p. 367)
  • EMV Credit Card Tricks (p. 370)
  • Defenses Against Physical Attacks (p. 370)
  • Developer Defenses Against Physical Attacks (p. 371)
  • User Defenses Against Physical Attacks (p. 372)
  • Summary (p. 375)

18 DNS Hijacking (p. 377)
  • Introduction (p. 377)
  • DNS (p. 378)
  • DNS Record Types (p. 382)
  • Common DNS Hacks (p. 382)
  • Example Namespace Hijacking Attacks (p. 388)
  • DNS Hijacking Attacks (p. 388)
  • MX Record Hijacks (p. 388)
  • Dangling CDN Hijack (p. 389)
  • Registrar Takeover (p. 390)
  • DNS Character Set Tricks (p. 390)
  • ASN.1 Tricks (p. 392)
  • BGP Hijacks (p. 392)
  • Defenses Against Namespace Hijacking Attacks (p. 393)
  • Developer Defenses (p. 394)
  • User Defenses (p. 395)
  • Summary (p. 397)

19 API Abuses (p. 399)
  • Introduction (p. 399)
  • Common Authentication Standards and Protocols Involving APIs (p. 402)
  • Other Common API Standards and Components (p. 411)
  • Examples of API Abuse (p. 414)
  • Compromised API Keys (p. 414)
  • Bypassing PayPal 2FA Using an API (p. 415)
  • Auth0 MFA Bypass (p. 416)
  • Authy API Format Injection (p. 417)
  • Duo API As-Designed MFA Bypass (p. 417)
  • Microsoft OAuth Attack (p. 419)
  • Sign In with Apple MFA Bypass (p. 419)
  • Token TOTP BLOB Future Attack (p. 420)
  • Defenses Against API Abuses (p. 420)
  • Developer Defenses Against API Abuses (p. 420)
  • User Defenses Against API Abuses (p. 422)
  • Summary (p. 423)

20 Miscellaneous MFA Hacks (p. 425)
  • Amazon Mystery Device MFA Bypass (p. 425)
  • Obtaining Old Phone Numbers (p. 426)
  • Auto-Logon MFA Bypass (p. 427)
  • Password Reset MFA Bypass (p. 427)
  • Hidden Cameras (p. 427)
  • Keyboard Acoustic Eavesdropping (p. 428)
  • Password Hints (p. 428)
  • HP MFA DoS (p. 429)
  • Trojan TOTP (p. 429)
  • Hackers Turn MFA to Defeat You (p. 430)
  • Summary (p. 430)

21 Test: Can You Spot the Vulnerabilities? (p. 431)
  • Threat Modeling MFA Solutions (p. 431)
  • Document and Diagram the Components (p. 432)
  • Brainstorm Potential Attacks (p. 432)
  • Estimate Risk and Potential Losses (p. 434)
  • Create and Test Mitigations (p. 436)
  • Do Security Reviews (p. 436)
  • Introducing the Bloomberg MFA Device (p. 436)
  • Bloomberg, L.P. and the Bloomberg Terminal (p. 437)
  • New User B-Unit Registration and Use (p. 438)
  • Threat-Modeling the Bloomberg MFA Device (p. 439)
  • Threat-Modeling the B-Unit in a General Example (p. 440)
  • Specific Possible Attacks (p. 441)
  • Multi-Factor Authentication Security Assessment Tool (p. 450)
  • Summary (p. 451)
PART III Looking Forward (p. 453)

22 Designing a Secure Solution (p. 455)
  • Introduction (p. 455)
  • Exercise: Secure Remote Online Electronic Voting (p. 457)
  • Use Case Scenario (p. 457)
  • Threat Modeling (p. 458)
  • SDL Design (p. 460)
  • Physical Design and Defenses (p. 461)
  • Cryptography (p. 462)
  • Provisioning/Registration (p. 463)
  • Authentication and Operations (p. 464)
  • Verifiable/Auditable Vote (p. 466)
  • Communications (p. 467)
  • Backend Blockchain Ledger (p. 467)
  • Migration and Deprovisioning (p. 470)
  • API (p. 470)
  • Operational Training (p. 470)
  • Security Awareness Training (p. 470)
  • Miscellaneous (p. 471)
  • Summary (p. 471)

23 Selecting the Right MFA Solution (p. 473)
  • Introduction (p. 473)
  • The Process for Selecting the Right MFA Solution (p. 476)
  • Create a Project Team (p. 477)
  • Create a Project Plan (p. 478)
  • Educate (p. 479)
  • Determine What Needs to Be Protected (p. 479)
  • Choose Required and Desired Features (p. 480)
  • Research/Select Vendor Solutions (p. 488)
  • Conduct a Pilot Project (p. 490)
  • Select a Winner (p. 491)
  • Deploy to Production (p. 491)
  • Summary (p. 491)

24 The Future of Authentication (p. 493)
  • Cyber Crime Is Here to Stay (p. 493)
  • Future Attacks (p. 494)
  • Increasing Sophisticated Automation (p. 495)
  • Increased Nation-State Attacks (p. 496)
  • Cloud-Based Threats (p. 497)
  • Automated Attacks Against MFA (p. 497)
  • What Is Likely Staying (p. 498)
  • Passwords (p. 498)
  • Proactive Alerts (p. 498)
  • Preregistration of Sites and Devices (p. 499)
  • Phones as MFA Devices (p. 500)
  • Wireless (p. 501)
  • Changing/Morphing Standards (p. 501)
  • The Future (p. 501)
  • Zero Trust (p. 502)
  • Continuous, Adaptive, Risk-Based (p. 503)
  • Quantum-Resistant Cryptography (p. 506)
  • Interesting Newer Authentication Ideas (p. 506)
  • Summary (p. 507)

25 Takeaway Lessons (p. 509)
  • Broader Lessons (p. 509)
  • MFA Works (p. 509)
  • MFA Is Not Unhackable (p. 510)
  • Education Is Key (p. 510)
  • Security Isn't Everything (p. 511)
  • Every MFA Solution Has Trade-Offs (p. 511)
  • Authentication Does Not Exist in a Vacuum (p. 512)
  • There Is No Single Best MFA Solution for Everyone (p. 515)
  • There Are Better MFA Solutions (p. 515)
  • MFA Defensive Recap (p. 516)
  • Developer Defense Summary (p. 516)
  • User Defense Summary (p. 518)

Appendix: List of MFA Vendors (p. 521)
Index (p. 527)

ROGER A. GRIMES is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor.