"2fac: facebook's internal multi-factor authentication". tim tickel, chad greene,...
DESCRIPTION
An in-depth look at Facebook's easy-to-use internal multi-factor authentication deployment. We will discuss our motivations, how our solution works, technical and security trade-offs, deployment problems, and outstanding issues.
Bio
Chad Greene: A security manager at Facebook, Chad Greene focuses on security engineering, intrusion detection and incident response at scale. Protecting user data for over 1 billion active users of the social network, his teams are responsible for building creative security solutions that balance rapid growth and innovation with a strong security posture. Prior to Facebook, for more than seven years Chad worked at eBay, where he worked on solving product security and security operations challenges. Chad holds a Bachelor's degree in Management Information Systems from The University of Notre Dame.
TRANSCRIPT
Tuesday, October 1, 13
2FAC: Facebook’s internal multi-factor auth platform
C O N F I D E N T I A L
Facebook Security
Agenda
Attacks - A Force for Change
2FAC Authentication
Questions?
Facebook - Big Numbers
1.15B monthly active users
699M daily active users (80+% outside US)
5K+ employees
Identifying weakest points
Red Teams
Incident 1: Spear phishing OWA
Incident 2: Breach identified in January
Red Team Drills - Identify weak points
Incident: Spear Phishing OWA
Incident: Breach discovered in Jan 2013
digitalinsight-ltd
Goal: Protect against remote attackers
•Disrupt Lateral Movement phase
•Ensure local user is at keyboard
•Limit origin of illegitimate SSH access
Non-goal: Protect against local attackers
Why 2Fac for SSH?
•Facebook culture: Move Fast
•Intolerant of slowdown
•Highly skilled at finding workarounds
•Primarily work via SSH on dev servers
Goal: Make being secure effortless
Engineering @ FB
State of Multi-Factor
•Easy to use
•Good interoperability
•Synchronization is easy
•Time windows of acceptance
•Only good for infrequent use
Time-based
•Easy to use
•Good interoperability
•Gets out of sync
•Most tokens designed for infrequent use
OTP
•Limited device support
•Security limitations
• False acceptance
• Replay
•Practical Problems: How to biometric auth to remote machine?
•Poor usability
Biometrics
•Limited device support
•Enrollment is painful
•Management is painful
•Smart Card Proxy attack
PKI
•Easy to setup
•Easy to use
•Push (only on some devices)
•Requires fast, reliable online channel
•Usability is good only for infrequent use
OOB / Mobile
•Usability
• Support Very Frequent use
• Flexible options
•Security
• Require stronger authentication for every session
•Fast Deployment
•Minimal support overhead
Building it Better
•Duo Security + Yubikey Nano
•Flexible Options
•Low operational overhead
•Provisioning process out of the box
•Yubikey is awesome for frequent use
•Bonus: Backup tokens from the start
The Solution
Deployment: Planning
•How is SSH being used?
•Thousands of engineers
•Tens of thousands of sessions per day
•Peak users with >3000 sessions
•Using all authentication mechanisms
•What are they doing?
sshd[87820]: Accepted keyboard-interactive/pam for twt from ::1 port 51317 ssh2
sshd[87820]: User child is on pid 87825
sshd[87825]: Received disconnect from ::1: 11: disconnected by user
Deployment: Planning
•Add details about what the user is doing
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
sshd[27587]: User child is on pid 27589
sshd[27589]: Exec Request for user twt with command uname -a
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
sshd[8540]: User child is on pid 8548
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
sshd[8548]: Shell Request for user twt
sshd[8548]: Received disconnect from ::1: 11: disconnected by user
•Problem: requires multiple log lines with different PIDs for analysis
Improving SSH Logs: First Attempt
•Add sessionization data to SSH logs
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
Sessionizing SSH Logs
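The sessionized log format above, worked through as an added example (not code from the talk or from Facebook): it joins sshd lines on the trailing `session=` token instead of chaining parent and child PIDs, then tallies what each login did. The sample log is constructed from the slide's lines, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the slide's sessionized lines, interleaved as two
# concurrent logins would be on one host (user filled in where the slide omits it).
SAMPLE = """\
sshd[27587]: Accepted publickey for twt from ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*) session=(?P<sid>\S+)$")
AUTH = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")
EXEC = re.compile(r"Exec Request for user \S+ with command (?P<cmd>.*)")
SHELL = re.compile(r"Shell Request for user ")

def sessionize(text):
    """Group sshd lines by their trailing session= token, whatever PID logged them."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.search(raw.strip())
        if m is None:
            continue  # no session token: attributing it would need PID chaining
        s = sessions.setdefault(m["sid"], {"pids": set(), "user": None,
                                           "auth": None, "src": None, "activity": []})
        s["pids"].add(int(m["pid"]))
        if a := AUTH.match(m["msg"]):
            s.update(user=a["user"], auth=a["method"], src=a["src"])
        elif e := EXEC.match(m["msg"]):
            s["activity"].append(("exec", e["cmd"]))
        elif SHELL.match(m["msg"]):
            s["activity"].append(("shell", None))
    return sessions

def usage_summary(sessions):
    """Count activities per (auth method, activity kind) across all sessions."""
    counts = Counter()
    for s in sessions.values():
        for kind, _ in s["activity"] or [("none", None)]:
            counts[(s["auth"], kind)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(usage_summary(sessionize(SAMPLE)))
```

Lines in the first-attempt format, which carry no token, are skipped here; attributing them is the multi-PID join problem the earlier slide describes.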
•What are they doing?
• SFTP
• Random scripts
• TRAMP mode
• Lots of shells
• Using every authentication mechanism
SSH Usage Analysis
Deployment: Implementation
•OpenSSH 6.2 - support for multiple Auth Methods
• Public key, kerberos, password are first factors
• Duo is second factor
•Problem: password and Duo are both handled by keyboard-interactive auth method
•Solutions:
• Submethods for keyboard-interactive/{pam,duo} in OpenSSH 6.2p1
• KerberosAuthentication yes
Deployment: Implementation
Handling SFTP
•Clients don’t support multiple auth mechanisms
•Primary security concern:
• Single factor command execution
•Solution:
• Single factor SFTP chroot
Handling SFTP
Handling scripts + TRAMP mode
•Switch to use SFTP solution?
•Primary security concern:
• Single factor command execution
•Solution:
• SSH whitelists
•New problem:
• REGEX: sh -c "cd (~/|\w)(((?<!\.\.)/)|((?<!/)\.)|[\w_-])+ && grep -P '[^']+\\t' tags | head -n 10"
Handling scripts + TRAMP mode
•Keyboard layouts
•Exploding computers
•Possessed yubikeys
•Accidental discharge
•Client ssh config problems
•Need moar USB ports
•Enrollment issues
Unexpected Issues
•more 2Fac:
• sudo
• SSH alternatives: mosh, VNC, NX
• priv esc points
• replace/supplement other multi-factor solutions
• 2Fac everywhere
•Get rid of command whitelists
•Make SFTP clients support multi-factor
Ongoing Work
Facebook Security