CYBERSECURITY:ESSENTIALSDanielMedina—medina@nyu.edu

BillDorney—wpd1@nyu.edu

INTERMISSION

[5-minutebreak]

NEWS

h1ps://medina.github.io

RECAP

Lotsoflaws,regula?ons,andmore

ADMINISTRATION

Havetotalkabout

finalprojectsmake-upclass

ACCESSCONTROLS

I+AAA

Iden?fica?onAuthen?ca?onAuthoriza?onAccoun?ng

IDENTIFICATION

$iddm129

DanielMedinamedina@nyu.edu

N11412345

ASIDE:NYUID

NYUPolicyonPIN

Whatisthisdata?

CODABARbarcode

HIDCard

AUTHENTICATION

Proveyouare$idPasswords

Biometrics(manykinds)TOTP/rota?ngtoken

Cer?ficates(w/passphrase)

UGH,PASSWORDS

NEWGUIDANCECOMING

SP800-63-3 NISTDigitalIden?tyGuidelines

Sophos:NIST’snewpasswordrules

ASIDE:LANMANBruteForceSearchofaDESKeyspace:

Defea?ngLMHashes

ASIDE:LANMAN

“compromised”

sinceabout1997

disabledbydefaultin2008

KERBEROS

WindowsAc?veDirectory

KERBEROS

ATAPlaybook

Realworlda1acksusingmimikatzandothersfor

creden?althejandforgery

OATH-TOTP

RFC6238:Time-BasedOne-TimePasswordAlgorithm

Roughly:H(secrettoken⊕?mestamp)

OATH-TOTP

RSASECURID

PIN+ProprietaryTOTP(Somethingyouknow+Somethingyouhave)FailedLoginCounter,ClockDrijAdjustment,otherfeatures

2011RSATokenSeedCompromiseh1p://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/

FIDO

h1p://fidoalliance.org

Supplementoreliminatepasswords

public/privatekeypairregisterpublickey

use“localverifica?on”useprivatekeytosignchallengeusepublickeytoverifychallenge

FIDOINACTION

WHATAREYOURSECURITYSETTINGS?

h1ps://security.google.com/selngs/security/secureaccount

INTERMISSION

[5-minutebreak]

AUTHORIZATION

Whatcan$iddo?a.k.a,

Permissions,Roles,ACLsEn?tlement,Access

AUTHORIZATION

GoogleDrivefile-sharingexample

Getshardat“enterprisescale”

AUTHORIZATION

ACCOUNTING

Whatdid$iddo?When?Where?

Gulp:UnifiedLoggingAc?vitymonitoring

ATTACKING

Iden?fica?onAuthen?ca?onAuthoriza?onAccoun?ng

ATTACKING

Brute-forceDic?onaries

RainbowTablesManInTheMiddle(MITM)

OfflinevsOnline,Ac?vevsPassive

CRACKERS

JohntheRipper,h1p://www.openwall.com/john

#c/s="combinationspersecond"$run/johncryptedLoaded6passwordhasheswith5differentsalts(DES)test(test)daniel2(medinad)medina1(medina)password(utility)guesses:4time:0:00:02:02(3)c/s:1355Ktrying:dmorai7-dmokOUM

ForWindows:h1p://ophcrack.sourceforge.net/

WEBSECURITY

CookiesandTLS

COOKIES

Sessioniden?fier

“Thisclientisalreadyloggedon”

Stateacrossstatelessrequests

ASIDE:ENTERPRISESSO

SAML/Shibboleth(NYUuses)OpenIDConnect

OAuth2(Google,Facebook,etc.)

SAML2.0

COOKIES

Let’sgetsomecookies

“CopyascURL”