Alright folks, let's get started. Happy Thursday. I feel like there's less of you, but yeah. You scared us off. I mean, if you've made it this far, like, I would possibly be scared, like. I'm not, I'm not, I'm not scared. We definitely, I think we have about 30 or 40 students drop at the beginning of the course, so be serious. We started with, I think, 130, I want to say, and we have about 100 now still enrolled. The honest class is worse. I do know that. And it's all about, well, it's fine. I think when I taught 340, it had a 30 or 40% either withdraw, like a withdrawal-fail rate. So either 30 or 40% of the students either withdraw from the class or fail, so that was fun. 340. 340, yeah. It's a hard class. Is that compilers, 340? Yeah, that's compilers. Yeah, wait till the end. No, I think it would bother you, right? Oh, alright, and see, so you're a part of that. Alright, cool. Okay, so a brief note before we get started. A week from now, on November 1st, we will have a really awesome guest lecturer, Andy Kirkland, who is basically in charge of security for Starbucks, the corporation. He'll be here, he'll be talking a bit about kind of his background, how he got here, and kind of what it's like to try to secure a very large corporation. I think they're a Fortune 200. That not only has stores all around the US, but all around the world as well. So that'll be super exciting. So show up, A, and then B, he's going to leave a lot of time for questions and answers. So if you have questions about how to get into the industry from somebody who's high up in a company doing security and defense and that kind of stuff, perfect time for all of that. Is that for your job? Talk to him, you know. Maybe if you impress him in class, he'll just hire you on the spot. And no promises, though. No promises. They actually do have a... Starbucks does have a corporate office in, I guess, technically in Scottsdale, that's SkySong. 
They have about 30 or 40 people over there, including a security team. So yeah, lots of cool stuff. So that's what's coming up. Right now, we're going to talk about password reuse. So this is something we discussed a little bit on Tuesday. What's the basic idea here behind password reuse? It's bad, but what is it? Everything is bad, basically, of what we talked about in this class. Using the same password across multiple services. This is really what we're trying to talk about here. We talked about this. We talked about password strategies: are they all equally secure? Do you use the... We talked about different strategies. Some people have algorithmic generation strategies where they would have an algorithm to generate a unique password per site. Some people have different varying levels of security in terms of passwords that they use. So, when you think about will your passwords be leaked or will your password hashes be leaked? The answer is almost certainly yes. At least one of your passwords will at some point be leaked. In 2013, 3.5 billion user accounts from Yahoo were leaked. It's a lot of user accounts, right? How many of those are active? That is a good question. I'd say low, but... Does anybody have a Yahoo account? So, good question. Think about it that way. If you haven't used your Yahoo account in two years, should you still be worried about this? Maybe. Maybe, why? If you use your password on other sites, if your Yahoo account password is the same as your Gmail password, which you use all the time, and why is... So, why would something like a Yahoo account or a Gmail account, why would that be, would you say that's more high value than any other random account? Yeah? You use emails to restore your passwords for most of your services. Right. Yeah, so once someone gets access to your email, they can go to almost any site that you have access to, say they forgot their password. 
They'll email them a password reset link to your email, which they now control. They'll click on it and change your password to something else that you have no idea about. They can also get in there and set up filters. So, even if you still have access to your account, you don't know that there's somebody in there intercepting all of your emails, unless you look very, very closely. So, this is why account compromises of, really, to me, I think about things like Yahoo, Gmail, whatever your email provider is, that's really like the cornerstone of your online identity. So, you need to really make sure, if you're not doing anything, I would enable two-factor authentication on Gmail or your email provider, and create a random, unique password for that, just for your email. That's some of the best advice I think I can give. In 2016, a little more recently, 412 million accounts and passwords were stolen from Adult FriendFinder. Good. What is that? Good question. So, this was a... This was a giant... I think they were like a conglomerate. They owned many different websites. One of them, I think, was AshleyMadison.com. I think it was the most famous one. It's basically, for those that don't know, it's a site that people go to sign up to basically commit adultery. I'll give you a test. So, what do you think came out of this breach? A lot of divorce. There's actually stories of that because these databases are open, and people made websites that indexed this database so you could easily search for who's in this database. So, yeah, all it takes is one search for an email address to find out if your significant other is in this database. What else? So, yeah, it's a similar type of password reuse thing. They can try to break passwords and then see which ones are used across other sites. Not very many people, a group of people. Blackmail is something. Yeah, so blackmail, actually, there are significant cases of blackmail arising from this. 
So, a malicious person would figure out your email address, find out that you were in this database, email you saying, hey, I know you were using AshleyMadison.com. I will tell your significant other unless you pay me a certain amount of bitcoins. And this was actually a very common scam that happened. A lot of people lost money from that. Another interesting one was the Adobe breach in 2013. There were 152 million passwords. And eBay, even in 2014, had 140 million passwords and user accounts. And this is just like a snapshot. So, yes, please. What's this time when the password is stolen? Are they encrypted? So, they dump the database? It depends. Usually it's a database dump. So, it all depends on the exact data. These are usernames or email addresses along with, if they're doing it right, salted, hashed passwords with a good hash function. As we'll see, that's usually not the case of what they do. So, looking into the Adobe breach a little bit more. There is a blog article at the bottom that you can go to to learn more about where they actually dug into this breach and what happened. So, this is a snapshot of the data that they stole. So, they had... So, these are the fields that they were able to steal. They were able to steal the user ID, the username, their email address. We'll call it password data right now. We can maybe see from the equal signs that it's probably highly likely base64 encoded. So we can decode that to figure out what it actually is. And then, the fifth field, so, what's a password hint? If you enter the wrong password it will prompt you and say, hey, this is what you said was your password hint. Does anybody use that? I know Windows does that. Do they extend it? I think so. I don't know. Yeah, so, what do you think this person's password is? User ID 4464. The password hint is QWERTY123. Sorry, the password hint is "try QWERTY123". QWERTY123. It's probably QWERTY123. That would be the immediate thing I would try. 
So, this is why actually having some of this stuff, the password hint, can actually be just as damaging as storing the password itself in plain text. Because if this hint is clear enough, or maybe they'll just put the password here. This is kind of funny. This is like a nice face, dash regular. So, maybe they're reminding themselves of which password it is. Luckily, not everyone has that. Dash, question mark, question mark, question mark. So, those are smart things. But then maybe that tells you the size of the password hint. So, looking at the password data, when you look at it, so you base64 decode it, you get these values in hex. And you'll notice that all of these are kind of the same chunk, like the same modulo, some similar size. What does this tell you about how these are being stored? So, all we actually have is this data dump. We don't have any other information about this system. So, let's think about this. Does it look like a hash? Random alphanumeric. It could be like encrypted or it could be a hash. Well, why could it be a hash? It's the same size. But these are two different sizes. And these are two different sizes. And these three are different sizes. So, what's one of the properties of a hash function? Same size. Same size output, right? So, SHA-256 outputs a 256-bit hash. So, unless they're doing something very weird where different user accounts are encrypted with different hashes or different hash functions of different sizes, we can probably safely say that this is not hashed, because otherwise they would all be constant and be the same. But we can maybe ask, well, it looks kind of like gibberish. So, and maybe we can look at QWERTY123 and compare that and say, okay, that's probably not... it's not just a stored version of QWERTY123. Maybe they are using some kind of encryption. So, you can do this. You can do a count and see how many of the password data lengths were 8, 16, 24, 32. So, these are all multiples of 8. 
So, this would maybe say, we've looked at encryption functions and they operate on what? Positions. What's like a DES or AES? Key? Blocks of data. Blocks of data, right? And it outputs ciphertext in blocks, which is very similar to kind of what this looks like, right? It's outputting blocks of data. So, one thing you could interestingly look at is, okay, how unique are each of these outputs? These blocks of data. And you can see that in 1.6% of the passwords there was this value in the first block of data. Doesn't this look like sort of the same problem about the next thing you showed us, that similar passwords will have similar encryptions? Yeah, so this would probably tell us, so they're all encrypting. Maybe we don't know the key in this case, but they're all encrypting to the same value. If they have like one hint for like a password you could probably like find a password and then go from there. Yeah, or I would probably say that this is probably a password. That would be my guess. It's the most frequently occurring hash in this system. And... Oh, there we go. So, these are different pieces of data. So this is data, a graph generated when Gawker had all of their passwords leaked, and I believe it was in plain text. So they were going to look at user accounts and see that the most used password was actually 1, 2, 3, 4, 5, 6. And the second most used password was "password". And then the super secure password of 1 through 8, because that's 8 characters long, you must be more secure. An interesting one is "lifehack". Whatever's red here, the red colors here. Isn't it one of, like, Gawker Media's? It was one of Gawker's websites, right? So they were using their password of the website itself. So looking at this, you would probably not think that "lifehack" would be the fourth most likely password in the Adobe breach, because that doesn't make sense, right? There's a semantic connection there between that password and the data set itself. 
So what you can start doing here is, just like we were talking about, combining this password data with the password hints. Because here you have what, 1.6% of all those million, what is it, 140 million? With 1%, what's a million, you have a million user accounts with the same hash. So you look for them and you see, does anybody have a password hint that makes sense? And you can say, well, yeah: "numbers one, two, three, four, five, six", "equals equals one, two, three, four, five, six". That's a very good password hint, I think. French, yes: one, two, three, four, five, six. So you use all these, and so you can say now you've broken a million, what, 1.6 million people's passwords on the Adobe site, and then you also have, correspondingly, not just their username on Adobe but also their email address. So then for this second most common one here, this 8fd was 0.45%, which is 1 through 8: 1 through 5, 6, 7, 8, and you can see that it actually matches up pretty well. Number three is "password": "the password is password", "password rhymes with...". After all, things you can guess. This person was super clever with QWERTY, is putting spaces in between the letters, so maybe the password hint is looking to make sure that the password hint is not exactly the same as the password itself, but clearly you can still embed that information in here. Six ones: one, two, three, four, five, six. And so by using this they can, even without knowing the encryption algorithm (this is something we talked about, you could maybe use encryption, use an encryption key), but even without that, because they're not using any salts or anything like this, they're still able to break it. And the additional data that doesn't help is the password hint. Any questions on this? 
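The reasoning just described on the Adobe dump (ciphertext lengths that are all multiples of 8, a first block that repeats across 1.6% of users, hints that give away the password for a whole cluster), as an added worked example that is not part of the lecture or of the Sophos write-up it refers to. Everything here is constructed: the users, emails, hints and row format, and the stand-in "ECB" function used only to generate the dump. The real site's cipher is not known from a dump alone, and the analysis functions read only the leaked rows, never the key.

```python
import base64
import hashlib
from collections import Counter, defaultdict

BLOCK = 8  # block size suggested by the length histogram (all multiples of 8)

# --- Constructed stand-in for the breached site's storage ------------------
# The real cipher cannot be recovered from a dump alone, so this toy "ECB"
# only reproduces the two properties the analysis relies on: no salt, and
# each 8-byte block transformed independently under one server-wide key.
SERVER_KEY = b"constructed-server-key"  # never present in the leaked rows


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def toy_ecb_encrypt(password: str) -> str:
    """Equal plaintext blocks give equal ciphertext blocks and the output has
    the padded plaintext's length. Returns base64 text, as seen in the dump."""
    padded = pkcs7_pad(password.encode())
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    ct = b"".join(hashlib.sha256(SERVER_KEY + b).digest()[:BLOCK] for b in blocks)
    return base64.b64encode(ct).decode()


# Constructed users: (uid, username, email, password, hint).
_USERS = [
    ("1", "alice", "alice@example.com", "123456", "numbers 1-6"),
    ("2", "bob", "bob@example.com", "123456", ""),
    ("3", "carol", "carol@example.com", "123456", "un deux trois..."),
    ("4", "dave", "dave@example.com", "password", "the usual"),
    ("5", "erin", "erin@example.com", "qwerty123", "try qwerty123"),
    ("6", "frank", "frank@example.com", "12345678", "1 through 8"),
    ("7", "grace", "grace@example.com", "12345678extra", ""),
    ("8", "heidi", "heidi@example.com", "Tr0ub4dor&3", ""),
]

# The dump as the attacker receives it: pipe-separated rows, no key.
SAMPLE_DUMP = "\n".join(
    "|".join([uid, user, email, toy_ecb_encrypt(pw), hint])
    for uid, user, email, pw, hint in _USERS
)


# --- Analysis: reads only the leaked rows ---------------------------------

def parse_dump(text: str) -> list:
    rows = []
    for line in text.splitlines():
        uid, user, email, pwdata, hint = line.split("|")
        rows.append({"uid": uid, "user": user, "email": email,
                     "ct": base64.b64decode(pwdata), "hint": hint})
    return rows


def length_histogram(rows) -> Counter:
    """A hash gives one fixed length; a block cipher gives multiples of the block."""
    return Counter(len(r["ct"]) for r in rows)


def looks_block_encrypted(rows, block: int = BLOCK) -> bool:
    lengths = {len(r["ct"]) for r in rows}
    return len(lengths) > 1 and all(n % block == 0 for n in lengths)


def first_block_clusters(rows, block: int = BLOCK) -> dict:
    """Same first ciphertext block => same first `block` password bytes."""
    clusters = defaultdict(list)
    for r in rows:
        clusters[r["ct"][:block]].append(r)
    return dict(clusters)


def hints_for(cluster) -> list:
    return [r["hint"] for r in cluster if r["hint"]]


def same_password_as(rows, hinted: dict) -> list:
    """No salt + deterministic encryption: byte-identical password data means
    an identical password, so one readable hint breaks every such account."""
    return sorted(r["email"] for r in rows if r["ct"] == hinted["ct"])


def analyze(text: str = SAMPLE_DUMP) -> dict:
    rows = parse_dump(text)
    clusters = first_block_clusters(rows)
    top_block, top_cluster = max(clusters.items(), key=lambda kv: len(kv[1]))
    hinted = next(r for r in top_cluster if r["hint"])
    return {
        "lengths": length_histogram(rows),
        "block_encrypted": looks_block_encrypted(rows),
        "top_first_block": top_block.hex(),
        "top_cluster_size": len(top_cluster),
        "top_cluster_hints": hints_for(top_cluster),
        "broken_with_one_guess": same_password_as(rows, hinted),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Two details worth noticing when running it: frank ("12345678") and grace ("12345678extra") share a first block but not the whole ciphertext, so a first-block match only tells you the first eight characters, while the three "123456" users have byte-identical password data and fall together as soon as one of them wrote a readable hint. A per-user salt, or a proper password hash, would have removed both signals.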
This is, for this, a graph from Gawker Media, so you can see it doesn't map one to one here with these most frequently used passwords. You have to use your intuition. You actually don't have to use your intuition if you have these password hints, and once you've broken one of these password hints, it tells you... now everyone has this same encrypted output, which would tell you which ones are the same. So doing this quickly, summing this up, this is about three or four percent of that data. It's about four million passwords that you now have, that you can then try, those usernames and passwords, on other accounts.

Would encrypting the email account also provide any protection against this? I don't know, what do you guys think? Not encrypting it, but maybe hashing it? So as a business, would you want to hash their email addresses? No. Why? You can't send them emails. You can't notify them of sales. You can't even... I guess you could do a password reset. So you could hash the passwords, probably; if you're doing this encryption thing, you would probably do that. In this case it would be nicer, because now you don't... because we don't have the encryption key, we can't go backwards. But that isn't to say that the people who stole this didn't have the encryption key. All we have is the leak of this database, and so we don't know what other information they have that they didn't give to us. They could very easily have the key that unlocks all of these things and just decided not to release it, but release everything else. I wouldn't say that's out of the realm of possibility, so I would still consider it as part of my threat model. Yeah, this is crazy. This happens all the time. It's actually super sad.

So, password managers. So this is what we talked about a little bit. So the basic idea is some other program that keeps track of your passwords on various websites or applications and generates random passwords for websites. And so what do we think about this? As a group, what do you think? We'll go in the back and 
work our way forward. Yeah, you need to use hard-to-get passwords. Okay, good, because it forces people to use random, difficult-to-get passwords. We still have the same vulnerability that someone gets more passwords. In what sense? If they get your master long passwords. So I guess it puts it up more to the individual how much they want to secure their own master password. So you still have... well, it's kind of a different threat model in some sense. What will happen in a good password manager is all your passwords are actually encrypted with your master password. So you have this master password that then unlocks your passwords, and so the idea is, if anybody... well, somebody, to get access to your passwords, would have to steal maybe your database and then guess your master password. So there is kind of a "once you get that one password you get them all", but they have to then steal that password database, either from your local machine or from that website, rather than basically any password on the web or password database on the web. Yeah, that's good. Bad, why? Right, right. So it could give you a false sense of security if you're using something that's not actually that much different than storing all your passwords in a plain text file on your system. There still are some benefits you do get, you know, there's still some benefits, but yeah, that's definitely a... there's definitely trust here in the operators of these password manager systems. What else? Any other thoughts? Yeah, that's a good point, right? So you now, especially if it's running locally, now you as a user have to worry about, how do I back up those passwords? Is this file encrypted, like we were just talking about, in a proper way that it will be difficult for somebody to brute force it? So you actually have maintenance problems if it's just something on your laptop, because then if you lose all your passwords then you have to deal with that problem of, crap, I need to reset a password on every site that I use. Right. And other thoughts? So it really, I 
think, comes down to who do you trust. So this goes back to the point over there: do you actually trust the people making this application? There are a lot of options here: LastPass, 1Password, KeePass. For me personally, so, A, I would usually not use a free password manager, for similar reasons, especially a service like LastPass. It's like, I want to pay them money so that they can secure my passwords, right? They're storing an encrypted copy of my passwords. It helps that a lot of these companies... LastPass in particular is the one I'm more familiar with, that's not to say the other ones aren't... are very open in how their systems work. So they even tell you, LastPass says, we don't even store, I mean, we don't store your passwords, we store an encrypted blob that you then download, basically, down to your machine, and then it decrypts it with your master password. So even if somebody were to break into LastPass, if they just stole the data, all they would get is those encrypted blobs that are as strong as your passwords. You have other things to think about there. You know, do you trust them not to be storing and stealing your master password as you put it in? How do you know that they're not doing that? You can analyze the source code, you can analyze the binary, but at the end of the day it's really about trust. So for me personally, it's a step above using the built-in functionalities of your browser, especially now. I will say the best thing, if anybody uses an iPhone, the iOS 12 integration with third-party password managers and the other apps has completely changed, like... so it's really great. You go to an app and you get a bar at the bottom that says, oh, LastPass has an account for this app, do you want me to type it in?

Another thing that password managers are good at defending against are phishing attacks. What are phishing attacks? Yeah, so if I want to steal your Facebook account, I'll send you a link to Facebook with three O's, and I'll have registered that domain. So you go to the 
site, you think it's facebook.com, it looks exactly like facebook.com, you put in your username and password, and when you click submit, it actually... I steal that password and then I redirect you to the real Facebook, so you don't even know what happened. So password managers can be very good defenses against that, because they use the URL to map your passwords to the website, so they would actually not fill in your Facebook username and password on that page, because it's not actually facebook.com. Now on the flip side, there have been people who found vulnerabilities in some of these applications where a website can trick the password manager to auto-fill in the username and password for a certain site. As with most things, you can have vulnerabilities, so you kind of have to, again, trust and hope that things get better. It's definitely better than having, like, one password that you use everywhere. And as a practical matter, I think I was talking about this in some of the office hours, as a practical matter I think it's easy to get started using one of these things just to collect what passwords you currently have, then over time, as you generate new sites, you can change your important ones to kind of random passwords. I like it. I don't know my ASU password. I don't know my bank ones. I know... and my Gmail I know. So, like, very important ones, I have memorized those passwords, but everything else is all random. I have no idea what it is. Cool.

What would you do as a user if LastPass just completely stopped their service? If they stopped? I don't know, try and throw more money at them, raise money. I would probably move to... I've heard good things about both 1Password and KeePass, so I would probably investigate those to see which ones of those work well. I know, like, Apple Safari and on the Mac have password generation functions. The key thing for me is being synced across all devices; that's the killer feature, I think. So I guess now I'm mostly in the iOS or the Apple world, so that would 
be something I would be comfortable doing. If the service goes down, if the service goes down, like, for a long period of time or just a short period of time? That's what I was getting at. But because I have LastPass and I'm like, what if I forget my master password? If you forget your master password, you're screwed. So you should definitely, like, I would write... I think, if I remember correctly, you can get recovery codes. So I believe, like, in a safe in my house I have my 20 recovery codes or whatever in that safe. You can also put your master password there too. So I think that's totally reasonable, of, like, taking additional steps to prevent yourself from getting locked out of your account. But at the end of the day, right, if you forget your password... I mean, if LastPass goes down, you can't log into a website; if it's not your email, you can just reset that through your email, right? So you're not completely locked out. The other nice thing is, I mean, LastPass in particular works offline on your phone, so it has a local copy of your data, so you could still use it even if the LastPass servers go down. Then it's your question, or five variations of your question. So the problem I have with LastPass is, like, say I'm in a Linux terminal and I'm pulling from GitHub or something, I'd have to, like, remember that password because I can't, like, use LastPass. You should be using SSH keys. That's your face. You should use GitHub with SSH keys so you never have to type in passwords into a terminal. That's step one. Step two, the general case is, yes, that can be a pain in the butt. You have to, like, go... I mean, I go to LastPass, copy the password to the clipboard and then paste it wherever I need it, if I need it somewhere else like a terminal. But yes, then my next thing would be to try to limit the number of times I have to do that, because that's crazy. Yeah, I've heard that some sites allow you to sign in using your Google password, so basically you use one account, one password, to log into... Yeah, so that's... or Facebook, or 
yeah, that... I actually don't think we'll talk about that, but technology-wise, that's called OAuth. So the basic idea is that party is delegating to some other person to authenticate you, and then they send a token back saying, yes, this person is authenticated, here's their information, and usually there's some... a different token so that you can query their services to find out more information about the person. That's a super interesting thing. So if you think about a business, if you're owning a business or a website, do you want your customers to have accounts with you or with Facebook or Google? I don't know. It's tough, because on one hand it's, like, it's great for the user; they don't have to remember the password, they can just do that. You're basically linking Google accounts with accounts from your website, possibly. Sometimes they don't even do that, or sometimes they'll auto-create a new account based on data from Google. But yeah, it becomes tricky. It's like, whose customer are you, right? It's like, if one day Google decides to shut that off, then now you have all these people who can't access their accounts on your site. It's a similar problem that we've seen many times with... oh man, I'm probably going to date myself, so I'm trying to figure out what example I should do. FarmVille, okay, at least you know what that is. So there's a whole series of companies that made games that ran on Facebook's platform, like FarmVille and all these other crazy games. I can't remember the name of the company. Zynga, there we go, who was founded on this, who got, like, multiple millions of dollars of investments, and their business basically blew up because Facebook... like, they were already a Facebook application, the platform they were developing for, and so over time people realized, hey, these apps are basically spam and clickbait things, so our users don't like that, so we're going to turn down the alerts and the sharing capabilities of your apps. And then that dried up all of the, like, revenue sources for these companies, so 
their entire business depended on this other company, and they realized, hey, we don't really like that, so we're going to basically shut that off, and now your whole business is gone. But it's also... the shift to mobile was another thing. People are terrified. Anybody develop iOS apps? How's the App Store submission process? Pain? Why is it a pain? Yeah, so Apple and the App Store have a series of rules that you must follow to develop an app. Every time you submit an app or an update, they will test it and check it against these rules manually, and if they determine that it violates those rules, they say, no thanks, you keep the app, we will not submit it. So there are ways around that on both... they will definitely check both apps, but there are ways to get around that. The ultimate lever that Apple has, of course, is there's a blacklist on your phone, and they can add your app's name to the blacklist and it wipes it on every Apple device that they have, which is great for protecting it from malware. It's a different thing if your entire business model depends on getting money from Apple and Apple's customers. It's businessy things to think about. Yeah, I actually talked to someone who had made the company OpenFeint, which was, like, basically the leaderboard system that a lot of mobile gaming apps were using. Apple tried to buy them, they said no, and then Apple was like, we're going to make Game Center. So just talking to him about how they had to reposition the company and everything to not go under, and they ended up being successful. It happens all the time, right? It's like, join us or we'll crush you. So yeah, you have to deal with that. Cool. That was a crazy tangent, but fun.

Okay, so we talked about password recovery. So what are the different ways that you can get access back into your account? We talked about one of them, email. How do those actually work? Why is it a randomized token? Yeah, because if somebody can guess that token then they can reset your account, right? If I can guess the token, 
I can click reset on anybody's email, guess the token and go to the password reset page. So you say, I want to reset my password, it auto-generates some token, it'll store that in the database, usually send me the email, and then later, when you click through... What are other ways? Do you have your hand up? What do you think? I was going to say text message. Text message. Can you actually... can you reset the password through text message? I actually don't know. So usually those are what I consider more into, like... those are usually second-factor authentications, where they're saying, hey, I don't recognize this computer, I haven't seen it before, let's make sure it's you, and so give me that passcode. Interesting, okay, cool. What sites do that? Do you mind sharing your... what? One? Okay, interesting. LastPass can do that. There are other hands for other ways. Yeah, what about... Okay, except for email, we talked about email, SMS. What other ways? Oh, they email it to you, your password. Yeah, they can, rather than send you a link to reset it, they just tell you, here's your password. What is that telling you about their database system? Some plain text. It's either in plain text or it's encrypted like the Adobe thing, so they can easily decrypt it, right? In both ways... excuse me, in both cases you should be wary of that site and not use a high-value password. They may reset your password for you, right, and generate a new password for you, instead of an email. Security questions. So they may let you do it. So what are security questions? Yeah, so another type of thing of what you know. So when you created the account you would say things like, I don't know, what was your favorite sports team growing up, what's your father's middle name. I don't know, what are some other ones? Mother's maiden name. Mother's maiden name, maybe. Name of your first pet. Yeah. What's the problem with those? You post those online. Yeah, you post those online all the time, right? So if I looked at all of your Twitter and Facebook activity, could I guess the values of those 
things? Could I figure out the street that you grew up on based on your Facebook or Twitter history? So yeah, those are all things... they're of what you know, but the other way to think about it is, it's something that you know, but is it something that other people can easily guess about you? Cool. What other ways? You call them. You ever do that before? Well, I've had to do this with my bank a couple times. It's, like, an old account you haven't used in multiple years, you try, like, three different passwords, it locks you out completely, and it says if you want to reset this password, call us. And so you have to call them and authenticate to them over the phone by giving information about yourself, you know who you are, those kind of things. Yeah, I think Google maybe does this; it'll sometimes ask for, like, previous passwords that you've used on this account. Interesting. I have not heard of that, but that's interesting. So doing previous passwords, so that would actually be something clever that an attacker would be unlikely to be able to guess unless they already have that information. Yeah, Facebook has you pick your friends out of a sort of pictures. Yes, I like that one. That's a cool one. So yeah, picking, identifying just based on pictures which ones are your friends. So it would be something that somebody who doesn't know you would maybe not be able to do. So we talk about this, we talk about security of your inbox, and your email is an incredibly important part.

Two-factor authentication. Okay, cool. So we've been kind of talking about this a while now; we'll more formally talk about this. So when we think about two-factor, does two-factor mean your password and your security messages, or your security... what do we call those? Security questions? Why not? You're shaking your head, you must have an answer. Well, I just... I don't know why not, but I just know that two-factor is checking, like, two things that, like, you have. So, like, you have your original password, right, and then, like, it sends you a link to your 
phone. Yeah, so what is that? Yeah, those are both things that you know, so it has to be something you know. So it goes all the way back to when we talked about the beginning of authentication: you want two different types of authentication mechanisms, something you know or something you have. So in that case the text message says, do you have the ability to receive text messages from this phone number that you told us about earlier? It could be... now Google is doing less of that and more pop-ups on apps, so the app will pop up something saying, do you want to authenticate? Is there a factor about the type of authentication, or the channel or band that authentication is done over? You want to explain more? Yeah, sure. So, like, the security question is done over the internet on my website, I enter my password over the internet on the website, but when I verify that I have an authentication number, that was communicated through the phone channel and not directly over the internet. Likewise, some companies send you a postcard having your answer, so it was verified through the physical mail channel, as opposed to that same reminder communication that was coming in. Yes, I think... I think they're very closely related; I wouldn't say they're exactly the same thing. So the difference would be, if you're communicating the same piece of information across different channels, it's not, I would say, it's not two-factor authentication. So for instance, if they're saying, send us your password and then your phone number and enter your password, it's like, that's not really two factors, even though you're using two different communication mechanisms. In all those cases I think it's more about, by receiving that information through this channel, it proves that you own that thing. So getting a text message means that you could receive text messages from that phone number. It is difficult to spoof and to be able to intercept other people's phone numbers. And then, like, a physical piece of mail means that you can get 
mail, like you have the ability to get mail from that address. It doesn't necessarily mean that you live there; it could be that you're stealing that mail or whatever, but at least that's what it's saying, rather than the specific communication mechanism. There was a third example you had, but I don't remember what it was. Yeah, if you have a question... yeah, please. If you want to transfer funds between one account and another account, you put in all of the bank account information for the first account, and then it says, okay, we made this tiny transaction of a certain number of cents that we took out of that account; go to that account and tell us what that was, because if you can view that balance, that means you can transfer money out of there anyway, which means we're fine with taking that money out of that account. It's actually kind of crazy, because the only piece of information you need to transfer money out of somebody's account is all the information that's on a check that you can get from that person. So this is what tries to defend against that. There's a funny story I heard about, but I don't quite know if this is true, where basically there was a bank that did this but would leave the money, like it would deposit money into the account when they would do this and not take it back. So they would create, like, thousands of fake accounts, each depositing, like, you know, five cents into this account to get, like, free money, and they automated this and scripted this across a large number of banks to just get a bunch of free money out of this, like, five cents at a time. I would not recommend this; it's not a good way to make money. Cool. So yeah, this all goes back really to the authentication categories. The exact factors you're asking for really kind of depend on what your threat model is, right? So most websites don't require, as we talked about a bit, a blood sample, right? Like, mail them a blood sample every time you use the app, where
there's no blood test kit that you can plug into your phone to verify who you are. Anybody use Google Authenticator apps? What is that? What, do you want to explain? I'm listening, I'm pulling up my app. I'm pulling up my app, I'm listening, I'm just checking my phone in the middle of class. Yeah, so this is my Google Authenticator. I can show you: I've got a number of sites on here, Google, Dropbox, last class, GitHub, and apparently another poll, the ASU Google one. So why am I okay showing you these passwords? Yeah, so every... I think it's like 30 seconds or something, so each passcode is only valid for 30 seconds. The way it works is actually super cool, interesting, like crypto, where basically, to set it up, you scan a QR code on the website that shares some private secret that both the server and you have, and then over time they can keep generating random numbers such that if you know any single random number or random code, you can't predict the next one, but if you have the secret you can predict the whole thing up to whatever point in time that you generate. So yeah, super cool. So in order for you to use this within 30 seconds, you would have to know this and my password, right? So you have to know my password for Google or Dropbox, which I already told you are random things, and then you only have 30 seconds for getting that code too. So this way, even if you steal my password somehow, you still need this Google Authenticator app with the secret code. That's sort of interesting. So yeah, you can use social proof to get onto a website. So actually Gmail used to be like this when it first started; it used to be invite only, and to get a Gmail account in, like, 2003-2004 it was like a huge deal. So yeah, it spread, like, organically. That would be like a "who you know," but I wouldn't necessarily say it's like a... yeah, it's kind of tricky. So yeah, it's like social-based authentication, I would say. So anybody work for ASU or have worked for ASU? What happens when you try to log onto My ASU? Yeah, so they're
forcing everyone to use two-factor authentication. There's an app called Duo, so basically when I try to log into My ASU, a request pops up on my phone that I approve from the phone. You obviously have to set that up beforehand, but the basic idea is the same: proving that I know the password to my ASU account and I have possession of this phone. So you need two of those things in order to log in as me, not just one. Any questions on two-factor? I highly recommend it. It can be a pain in the butt sometimes, but I don't know, the way I think of it is like: you can get locked out of your apartment by leaving your keys in your house, so that's a pain, but we still lock our doors and use locks. This is kind of the digital equivalent of making sure that you can do this. Now, there was a hack that I read about that targeted, like, non-two-factor authentication websites, where you could sign up with, like, the support email for the website, and on the websites that didn't protect against it, whenever somebody went to change their password it would create, like, a feedback link or, like, a link that you go to to reset your password, and it would create a support ticket for that which was linked to the email that he signed up with. So he would sign into his account and then be able to see the email and click the link to reset the password. So he could take anybody's email from a website, reset their password for them, and then have access to their whole account. So that's, like, a crazy... being able to create an account, it's almost like an authentication problem in some sense, or a registration problem: if I can sign up as an admin it's game over, right? Or in that case, if I can sign up as a support person, which you wouldn't necessarily think is security critical, if all the password reset links are in there then it becomes security critical. He did it to a bunch of websites like Slack and stuff, and after that they implemented... that's why it's super important to enable, right? Yeah, cool.

CAPTCHA. So what is a
CAPTCHA? Those squiggly lines, the numbers; they used to look like numbers and now they're all messed up. Or a challenge from Google to identify street signs in an image, or an OCR figure from a book where we have to type in what word it is. So it stands for Completely Automated Public Turing test to tell humans and computers apart. So what is the purpose? To tell computers and humans apart. Why is it important to tell humans and computers apart? To maybe prevent brute-force attacks by automated scripts. What else? Denial of service. So if you are getting hit by a lot of automated traffic, you may want only humans to access your system. What else? Keeping your website clean instead of spamming ads. Yeah, all kinds of automated systems. Usually we want good humans and not bad robots, I guess, but "robots," I guess, is a little bit much; it's really just algorithms. So the idea is to create challenges that the website knows the answer to that are difficult for computers to solve but easy-ish for humans to solve. So is CAPTCHA authentication? And so what is it authenticating? It is authentication; it's just authenticating that you're a human user versus, like, a non-perfect user. Do you verify it?
Well, like, it doesn't verify who you are, really. So it's not only verifying identity, but it is verifying some attribute or some aspect of our identity, maybe. Or it could be maybe doing a... not just, well, I wouldn't say necessarily "are you human," but "did a human solve this problem," right? That's kind of what it's trying to do. There was a good article about Ticketmaster, that's right. So they had CAPTCHA systems to prevent automated systems from logging in and buying up all the tickets and basically doing ticket scalping. It turns out that the CAPTCHA images they were using, they were only using a thousand of them. So you just keep refreshing, download every image, manually break it, and then you can just verify right away: write a program that matches the image to the text and completely break their CAPTCHA. So yeah, there's a lot of ways to break CAPTCHA. Really funny stories are people using Google's OCR to break Google's CAPTCHA; I think they own reCAPTCHA now, if I remember correctly. So you can use Google OCR, other kinds of OCR, deep learning image recognition things to break CAPTCHAs. If you can't get a machine to do it, you get lowly paid humans to do it; you can get Mechanical Turk workers to break CAPTCHAs for pennies, a penny per try. I think I mentioned earlier there have been cases of people putting these CAPTCHAs in front of porn sites, so before you're able to access some content that somebody really wants to access, you present them with a CAPTCHA, but it's from some automated script that's trying to automate sending spam. They take the CAPTCHA that they see, send it to the site, put it in front of a human, let the human fill it in, and then relay the results back. So yeah, all kinds of... like, CAPTCHAs are good, I guess, I don't know, it's really tough to say. It's basically... the case it is, but the key problem is this: computers and humans, we're trying to figure out who's behind this request, but malicious people can easily pretend to be humans in this case but still do it in an automated fashion. But it does,
I guess it does, increase the bar for attackers and make it more expensive to do things. Cool. Yeah, so some of the things we didn't talk about: other types of, like, two-factor authentication. Hardware tokens, so everybody have, like, a YubiKey? Just like a randomly generated thing, so that works similarly to the Google Authenticator but in hardware, so that that information is stored securely. We talked a little bit about authenticating based on IP address, so you could set up something like the AWS server that's only accessible from your home IP address range. Location-based authentication, so cars: when you go close to them, they will unlock. This is actually detecting location in some sense, as long as the key is within this distance. Then you have the question of, is it possible to relay somebody? So I know that you're here, but your car is in the lot across the street; can I relay that unlock signal to the car and back to get your car to unlock? Yeah, I actually did see a video a while back, I asked you guys, some dude's car was parked in his driveway, and they knew that his key fob was, like, somewhere in the house; they relayed the signal and stole his car. Yeah, it's definitely possible, just without even using it; you don't need the signal. Yeah, so a lot of key fobs now, if you're close to the car, the car will just unlock. So you basically trick the... it depends on how it's done, but you can relay that signal from the key fob to the car because it's all just wireless stuff, so you basically boost the signal both ways such that the car thinks the key fob is closer than it actually is. So yeah, this kind of stuff is crazy. Biometrics, we talked about this; research into here. So some interesting things that are happening: continuous authentication. So why is continuous... what does that mean? What do you think that means? It's not just like, oh, log in and you can do things; it's like there's some step that's continuously authenticating with, like, every action that you're taking, right? So even sites that
we're used to using, like Amazon, use this. If you've already logged into Amazon, you can go to Amazon and it says, hey, this is you, this is great. If you go try to change your password, it will say, hey, let's re-authenticate you: give us your current password before we let you change the password. There are different types. You can even think about your phone, so there have been people that have done work in typing. So you can get fingerprints of people typing, so that if you leave your phone unlocked and somebody else picks it up and starts typing, it will automatically lock because it detects that it's not actually you typing. I think gait authentication is one thing: the way that people walk, with the gyroscopes in the phone, you can tell. Yeah, I read a really interesting paper about how each person has a unique resistance, and they created touch screens that, when you interact with them, would actually send a current into your body and then measure what came back, so it could differentiate between users. So you could, like, use it simultaneously with different touches, but also it could tell, like, and track actually who's using it. That's cool, yeah. Yeah, so there's a lot of research into replacing passwords. If one of these actually works, I will be amazed, and it will be awesome. FIDO is a protocol that basically uses some kind of device, either your phone or a dedicated key, that stores some encrypted information on the device. We talked very briefly about OAuth. If you ever use a lot of the ASU online services, they'll actually use this kind of access and authentication delegation model that we talked about with OAuth, where you go to a website, it says, okay, you can log in with your Facebook account, so it sends you to Facebook, you log in to Facebook, and it sends the information back to the original site. Any questions on this stuff? You're not going to go... Alright, so let's talk about threats. So I want to have a discussion that I've been thinking about, talking
about the Internet of Things. You can't say it's IoT; that's the acronym, like saying computer science is CS. Embedded devices connected to it, so exactly: the core idea is basically any device that could be an embedded device. If you think about all, basically many devices you could buy today, fridges, microwaves, this says hair brushes, scales, have the ability to access the internet and, even more so now, have the ability to be controlled through the internet. So you can get smart light bulbs in your home to control the light, all this kind of stuff, connecting this to the internet. So is this a good thing? Yeah? Why? So why is it good? It's convenient. People wouldn't be buying these things if they weren't useful. Okay, so it's convenient. So I mean the old, I guess, pipe dream is your fridge being able to text you when you're out of milk so you can go to the store on the way home and get milk. You could, I mean, you can even hook up all these things to other IoT hubs and devices like Alexa; you can have Alexa controlling the light in your house, to say "turn off the lights in the living room" and it will turn off those lights. What other thoughts? Yeah, I know you have a good one. Terrible. Terrible, why is it terrible? Because it creates a giant fragmented environment, and better devices that are made by a bunch of different manufacturers don't stain your fills, never be continuously updated, and inevitably be vulnerable to something in the future. Cool, okay, very pessimistic view. So you basically view each of these items here as an attack point. And this has actually happened, so I like this title: Internet of Things is becoming an Internet of Threats. And one of the key... so there was the Mirai botnet, which, I can't remember the exact number off the top of my head, I think it was 10 to 20 gigabits per second, or maybe more, they were able to generate traffic to take down large servers. And the way they did this was taking over devices like routers and other kinds of hardware devices
that hadn't been upgraded, creating a botnet out of all of these and using that traffic to take down sites. So yeah, one thing to think about is: if you get this microwave, what if that company goes under? How many updates do you get on your laptop or your phone? A lot. Microsoft is once a month; iPhone is once every 3 months or 4 months. Is your microwave getting updated that much? What about your fridge? What about... anybody have a Nest? A company that doesn't even exist, or I guess they got bought by Google. There's another company, some kind of company that went out of business, and now all their devices are bricked and you can't even use them. If you could use them and they have a security vulnerability, who's going to update that? So this is kind of the context of things we want to be talking about. Our example is: we are a large retail chain. So we're all in charge now of securing a large retail chain. We have about 10,000 stores; we won't say worldwide, we have about 10,000-plus stores across the United States. We are in the food industry. So what are some of the things we're concerned about? Health. Yeah, do you want your customers getting sick? Maybe not, if you want to be a successful business person. This is one of the key things, and as most businesses think about trust, they think about their brand. If your brand is suddenly tarnished because you just poisoned a bunch of people and got them sick, that has very severe consequences. That's a separate issue, we won't go into that. Maybe not. So as part of this we'll just focus even on one problem, one problem: let's say something like milk in your refrigerator. What are the safe handling temperatures for milk? Cold. I have no idea; there's a standard, but the health department says every four hours, every refrigerator at every one of your 10,000 stores needs to be checked for the temperature. And then what happens? Close the fridge. Close the fridge, what do you do? You just write down the temperature. Yeah, so if it's over the threshold, right, so there's a health standard
threshold, whatever. Do you want to make up a number? Can somebody Google what's the USDA safe handling temperature of milk, or safe fridge temperature for milk? 60. 40 degrees. 40 degrees, I like that one; that was going to be my guess. 40 degrees. So you check the fridge, it's 39 degrees, we'll say Fahrenheit, that makes more sense, 39 degrees Fahrenheit. What do you do? Nothing, good to go. What if it's 41 degrees? Replace the whole fridge. Replace the whole fridge? You throw everything out of that fridge, you get new stuff, and you maybe adjust the temperature of the fridge down so that you're in the right range. What if it was only 41 degrees for 5 seconds when you opened it? You don't care; the rules say you have to check every four hours, and if the temperature is over that threshold you need to throw everything out. Those are the rules, I don't make the rules. And this is every... so think about this: 10,000 stores nationwide, every four hours this happens. How much time is being spent doing this? A lot. Can you afford to skip this? You don't get caught. So what happens if... so, let's say you had a store where an employee didn't do this, and then you had somebody get sick, and they go back and check the logs and they say you did not check the refrigerator when you were supposed to. Then your company gets sued, and it's like a whole big deal, your reputation is tarnished. If somebody does get sick but you're still following this, and you have the log to say exactly when you checked and what the temperature was, then you've absolved yourself of some responsibility here. So we have 10,000 stores around the world; we also have corporate headquarters. So we have our corporate headquarters, and as we're starting to see all of these smart devices, why don't we get a smart thermometer, put it inside every refrigerator, and have that data be reported back to corporate? That way we can save our employees from having to check every four hours on the temperature. How do you make that work? Do you have
that idea? I was going to say it's good, because any time you're running an employee by paper, you can fire them if they don't do it. This is one of the key things you must do; otherwise you could get people sick and ruin your whole business. So you could make this a priority of your business: you have management of the store check the logs, make sure that things are happening. So I'll say that the current process works; we'll save that. Is this a legal requirement for the business to run, or is it just the thing you should be doing? Tricky. I actually don't know that; I would say it's very closely related. We're in the food service business; this is a food health and safety requirement. I think they could shut down our businesses if we're not doing this. Quality assurance. Quality assurance, we're doing this for quality assurance purposes. So do we want these IoT devices? Sure. Why? As an attack on this, you could send false information for a random 10 fridges every 4 hours, and then the company has to throw away that product, which is 10 fridges every 4 hours, at a lot of overtime. So I think we need to worry about: if we have all these sensors whose data we're relying on, what's the integrity of this data? How can we be sure that these are actually the right results? Maybe somebody goes into our store, hacks into our thermometer, and ruins our results. What's the cost? What's the fail rate? Fail rate of what? The sensors, the installation. Okay, I don't know what number; what would be an acceptable number? 0? 0% cost and 0% failure rate. It's definitely going to cost some money, but the hope is that it will save our people time from checking the fridge every 4 hours. What if the thermometers are wrong? What if the thermometers are wrong?
You can say the same thing about the thermometers on the refrigerators already, so you're trusting that those thermometers work. I think we could put at least enough faith that they will report the numbers. We would have to worry about other people. You have to worry about your dependency on the thermometers, so that if the thermometers break you have another method of checking the temperature, right? Because in this case, who's checking? So if we go back to the old scenario, how do you know if a thermometer breaks? Somebody checking every 4 hours notices that it breaks. Let's think about it from a different perspective. So we now have smart thermometers; do we need to take measurements every 4 hours? No, we can get constant temperature. Would that be nice? Why? What was that? It's a lot of data. You scared of data? I want you to follow that thought: why is that a problem, or why could that be a problem? It could be a lot of information, and over time, like 10 years, not, like, useless but redundant information. Let's say it's every 10 seconds, we'll say that granularity; it's reporting the current temperature of the fridge back to corporate. Do you need that information? You only need it every 4 hours. What was that? You only need it every 4 hours, so you don't have to store that data every 10 seconds; you can just check if it's above the temperature, and if it's not, you maybe don't have to store it. But we have the data; you can get an 8TB hard drive for $200 now, so the storage itself is not going to be too crazy. Monitor for trends, maybe. Monitor for trends, maybe: you can detect when refrigerators are going on the fritz and proactively replace them, so you're not out of a refrigerator and your store has to close. There could be useful reasons for storing historical data. Let's go back to your things: we have this system, the data is coming in just like before. If the temperature is under 40 degrees Fahrenheit or 5... what happens when a fridge goes to 41?
We have to alert the workers too. You have to alert the specific store from the corporate office; you have to somehow alert the specific store to do what? To change the milk of a specific fridge. To change the milk: that specific fridge is bad, go chuck everything in there. How do you do that? Call them up or something? There's 10,000 of them; what if they all spike at the same time? Maybe like a secondary? A secondary device? A backup to keep track of if the first device fails. Now we're worried about... we know that it's working, it's reporting back to corporate, we've detected a fridge-hot situation, fridge is 41 degrees. What happens? How do we make that happen? Why don't we just connect the data to corporate and the store manager's phone, so he gets an alert every time? When he's on vacation? When the store manager is fired and we haven't hired a new one yet, what exactly is the interim manager? We could put some sort of light or sound to notify people in the area. Put an alarm? In front of the fridge. It could be a store phone, so the phone isn't connected to the manager, it's connected to the store. Store phone? Most stores have some sort of computer system in place already, like in the back; you could definitely just have something... Who's back there checking? Like the manager. When do they check? How often do they check? If you're using a new refrigerator, you can browse Facebook on them these days, so you can just put a message up on the screen. Okay, I've put a message on the screen, but now we have to upgrade all of our refrigerators, which, I'd say buying a smart thermometer that we want is going to be a lot cheaper than buying new fridges. Yeah, I'd say maybe a tech, somebody... maybe the system notifies on-duty managers. Tech someone? Are people in retail stores usually busy?
Let's say it's rush hour. Well, there could be a way where we could possibly display, like, "don't buy from this fridge," or lock that fridge or something. Oh, I like that. Okay, remotely lock the fridge; now we need smarter fridges too, but yeah, we could do that. We're just ordering things; we're getting down the way of purchasing things. No, that's not a great idea. Well, back to, like, the alarm idea: like, there are always people in the back doing stocking and stuff, so if the alarm kind of just went off, like, kind of in the back area, then most people back there would hear it and they would take care of it. Okay. Okay, in what sense? Let's say I'm making something with this milk, right? I don't even scan anything. What if it's an ingredient in what we're making? No, if it's like Star Wars, it's like a... it's a product that goes into what we sell. No, like, we have the fridge, right, we're putting it in our fridge, we're going to use what we're making. We're a chocolate milk shop; we're going to make chocolate milk, and when we put chocolate in it, we mix it up and we sell it to you for $4. So how do you do that? You don't have a smart fridge. So I was thinking, if you have, like, these sensors and stuff, like, you're continuously checking them; say we keep it at, like, 38, right? So I mean, what is that, it goes up one, then you can say, oh, there's, like, an issue, there's something wrong with the fridge, right? Okay, so maybe you can monitor it and try to... Okay, let's go back to the original process that we had in place right here. What's the process? Check the temperature every 4 hours, and then do what? Record it, and then do what? If it's over... if it's over, toss it out, right, take action. So what's the delay between noticing the temperature was over and tossing out the offending items? At most 4 hours, or no, instantaneous, more or less, right? We look at the fridge every 4 hours; we look at the fridge, detect, and throw it away. Yeah, we could just, like, combine the old policy with a new one, so someone still has to check
every 4 hours, but they don't have to go to the fridge; they can check it remotely. So then we can say somebody needs to check something every 4 hours that has an alert from the central system. Now you're in a case where somebody got sick. So you check at hour 0; 15 minutes from now the fridge detects it's at 42 degrees; then for the next 3 hours, when you're drinking drinks with food, that milk has already passed the threshold. Somebody gets sick during that time frame. Of course, when you find out in 4 hours you throw everything away. Somebody gets sick, they sue you, they subpoena your database that shows the fridge temperature every 10 seconds, and they say, look, your fridge was over temperature but you didn't throw out the milk, and you're endangering your customers; we're going to revoke your food license; you can no longer sell anything. Yeah, but that would have been an issue with the old system anyway. No, there's a key difference. What's the key difference? Well, health code allows for milk to be in a danger zone for, I think it's between, like, 2 and 4 hours before it needs to be thrown away, so it can be between 50 and 75 degrees without having to be gone. We're logging data every 10 seconds, so that every 4 hours... yes, which opens us up to legal liabilities, because we have this data, we know that the food has entered a dangerous state, but we're not acting on it; whereas before, we were following the prescribed limits of "check every 4 hours." And of course, just like you said, that could have happened, and it does happen: it could go up and then just go back down and be perfectly safe. But the problem is the legal, basically health, requirements of checking every 4 hours; after collecting this data every 10 seconds we open ourselves up to potential legal liabilities because we have no effective way of acting on that information. And if you have one store it's pretty easy; when you have 10,000-plus across the country it becomes a more difficult problem. In other words, just use the gold ghost? Yes, or
I'd say, I think the interesting thing here is not just the security aspects, which are good things to think about; it also comes with... hacking into our fridge devices, that definitely is an avenue we need to consider, but this idea, and this was from talking with somebody in industry going over something like this, this was something they struggled with, and that some VPs wanted to present as a cool way to save money, would be to introduce these smart thermometers. The problem is ultimately that it actually has potential legal ramifications and legal liability that did not exist before. So you have this data, now you're not acting on it to keep your customers safe, and that really complicates the situation. So anyways, super interesting. I don't know, I think it's a super interesting scenario, so I wanted to bring that up to have us think about it.