Stealing Identity Management Systems - DEF CON® Hacking
Stealing Identity Management Systems
Part I: Background of Identity Management systems, and some philosophy on attacking them
What are Identity Management Systems?
- Theory of IDM
- Some specific products
- Some common configurations
Theory of IDM
- The system connecting two or more systems that hold Identities (some concept of a physical or logical user)
- Continuously manage those Identities based on a set of business rules
- Management of the identity throughout the lifecycle of the identity
  - Provisioning => Granting / Revoking privileges and changing Authentication tokens => Deprovisioning
- All done in a way that can be proved and audited
Some specific products
- Novell Identity Manager
- Microsoft Identity Integration Server
- Sun Java System Identity Manager
- CA Identity Manager
- IBM Tivoli Identity Manager
Who's running IDM? *
Allianz Suisse, Allied Irish Bank, Alvarado Independent School District, America First Credit Union, American National Standards Institute, Bezirk Oberbayern, Bridgepoint Health, Catholic Healthcare West, City of Peterborough, Continuum Health Partners, Coop, De Montfort University, Department of Enterprise, Trade & Employment (DETE), Deutsche Annington
* - This is just from Novell's list of success stories: http://www.novell.com/servlet/CRS?reference_name=&-op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text_limit=showcase_verbiage+%2C+press_release&MaxRows=0&&solutions=4&&language_id=0&region_id=0&country_id=0&industry=0
Who's running IDM?
Eastern Michigan University, Fairchild Semiconductor, Fairfax County Public Schools, Furukawa Electric, GEHE, GKB, Gundersen Lutheran, Indiana State University, James Richardson International, JohnsonDiversey, Kanton Thurgau, Leiden University, Macmahon Holdings Ltd, Maine Medical Center, Miyazaki Prefectural Office, National Health Service (NHS), Municipality of Baerum, Nevada Department of Corrections, North Kansas City School District, Ohio Office of the Attorney General
Who's running IDM?
Palm Beach County, Philips, Public Trust Office of New Zealand, RedSpider, Rikshospitalet, Stadtverwaltung Singen, State of Geneva, State of Nevada Welfare Division, Swisscom IT Services, The AA, Victorian Government, Waubonsee Community College
Who else?
Search Google or .gov RFPs for “identity management RFP”
What are the issues
- Complexity
- High Value
- Carelessness
Complex systems are hard to secure
- duh
- IDM systems often have a huge attack surface
  - By definition, dealing with at least 2 systems
  - Typically add in several management tools, user-facing applications and auditing systems.
High Value
- These systems almost always deal with authentication tokens (passwords, certificates, etc.)
Complacency
- There is often a perception that as a security product, these systems are themselves secure
- Admins sometimes view “directory” information as needing little security
- Often non-intuitive to set up securely, or there are conflicting “best practices”
- For Novell systems, many have been running since before security was thought about by many admins
- To secure the system, you have to understand all of the connected systems
Many admins look at software, like Identity Manager, as a means of securing their directory, not as a liability
In summary: high complexity + high value information + carelessness = likely target for attack
Part II: Theory of the Exploitation
Leverage the Complexity
- Complexity in rapidly changing systems is usually an advantage for the attacker
- More systems = more unique vulnerabilities will be discovered
- Defender has to deal with change management bureaucracy
“Hot” technology often has poor code quality as companies rush to implement
IDM systems can be attacked at the...
- Network Layer
  - IDM system usually connects systems over a network
- Connected System layer
  - directories, databases, OS authentication mechanisms, etc.
- Application Layer
  - IDM application, system agents, and management tools
- Rules
  - The chosen business rules can often be exploited
  - The implementation of rules and the programmatic processing can often be exploited
Part III: Novell Identity Manager
Why am I presenting this stuff?
- Novell has made several security architecture decisions that I think are bad, and they are not clearly explained to many customers
- Even when security best-practices are followed, vulnerabilities can still be exploited
- I would like to see these problems addressed
A minimal Novell system
- eDir
- Metadirectory Engine
- Drivers (usually from Novell)
- Driver ruleset
Some Typical Novell Configurations
Security Best Practices (from the 3.0.1 Administration Guide)
- Use SSL
  - Engine to Remote Loader
  - Engine or Remote Loader to application
- Monitor and Control access to: Driver sets, Drivers, Driver configuration objects (filters, style sheets, policies), Password policy objects (and the iManager task for editing them)
- Don't allow too much information in Password Hint attributes
Security Best Practices (cont)
- Force password changes after admin resets
- Create Strong Password Policies
  - So by implication, use Universal Passwords
- Secure Connected Systems
  - “Follow industry best practices for security measures, such as blocking unused ports on the server.”
Security Best Practices (cont)
- Various Designer Recommendations
  - Limit Consultants rights
  - Control .proj files
  - Delete log files
  - Secure connection from Designer to directory
  - Don't use encrypted attributes
  - Don't store passwords that are sensitive
Security Best Practices (cont)
- Tracking Changes to Sensitive Information
  - Done with Novell Audit
  - Recommended operations to log: Change Password, Password Set, Password Sync, and Driver Activity
Part IV: Exploitation
Goals of Exploitation
What are the targets when attacking an identity management system?
- Gain access in connected system
- Exceed authorization in a system
- Steal someone's identity in a system (control authentication tokens)
- Break the auditing
Exploitation Targets
Exploits in the IDM system components
Exploitation Targets (2)
Modify the IDM system
Exploitation Targets (3)
Use the system rules to your advantage
Exploitation Targets (4)
Exploit the rules processing
Exploitation Targets (5)
Exploit the remote loader, and connection to the remote loader
Exploitation Targets (6)
- Passwords
  - Windows Passwords
  - Universal Passwords
Exploitation Targets (7)
Auditing subsystem
Conclusions