Have you ever invited professional burglars to break into your home to steal your valuables? For the edu-ID service we have done exactly that, and we even paid for it. The valuables in our case is identity data from all edu-ID users. However, the “professional burglars” were actually very kind, professional and skilled security experts from Compass Security.
The Mission
We tasked Compass Security to perform a penetration test involving manual hacking and network penetration test on the SWITCH edu-ID service. We wanted them to identify vulnerabilities that potentially could allow malicious attackers to retrieve or temper edu-ID user data. The goal for Compass Security was to inspect or change foreign edu-ID account data, specifically that of the Trust & Identity team leader Andres Aeschlimann.
Scope of the Attack
Compass Security tested the edu-ID Login and the “My edu-ID” account management application, the central components of the edu-ID service. The test took place during a week in July. We were confident enough to let Compass Security do the penetration tests on our production edu-ID infrastructure. During the break-in attempts, we received quite a number of alerts from our different monitoring systems, which we ignored for the sake of the penetration tests. In case of a real attack, we would of course have applied active counter measures. During the tests neither users nor ourselves did notice a performance impact worth mentioning. The security experts afterwards stated that running the thousands of automated tests was quite fast compared to other applications they sometimes test.
Mission Accomplished?
Did the security testers succeed? Could they steal or alter our team leaders identity data? In the 73 page long report Compass Security states in the results section:
«Die Applikation baut auf modernen Web-Technologien auf, dies verkleinert die Angriffsoberfläche, es konnten keine Schwachstellen wie z.B. SQL Injection festgestellt werden. Weiter war es nicht möglich Daten anderer Nutzer oder Institutionen einzusehen, die Autorisierung ist gut umgesetzt.»
So in other words, no. In the given time they did not manage to alter data of third party edu-ID users. However, as one would expect with any comprehensive penetration test, Compass Security nevertheless identified several vulnerabilities of which most were fixed within days so that currently only a few issues with a “low” security rating are pending.
What Was One of the Most Serious Issues?
That was the CAPTCHA generation algorithm which was used. Initially, edu-ID users had to solve a math question (e.g. “25 -13 + 34”) shown in an image to create an account, to reset or to change a password. We thought that this type of CAPTCHA was easier and more fun than boringly re-typing for example “xDrR3h” as people usually are asked to in other CAPTCHAs. However, it was also less secure. Why? Because the solution space for these math CAPTCHAs is rather small. The CAPTCHA result was always between 1 and 99. Also there was no throttling implemented that would slow down an attacker who just tries guessing the CAPTCHA result.
Improving Security
Obviously we followed the security expert’s recommendation and changed the CAPTCHA generation algorithm. This is the reason why edu-ID users now have to retype letters and numbers from an image like with so many other CAPTCHAs. Additionally, too many failed attempts to solve a CAPTCHA are now throttled to make brute-force attacks harder.
The Side Effects of Improved Security
Although most security improvements that we applied are unnoticed by users, the new CAPTCHA generation algorithm resulted in some complaints from users who found the new CAPTCHA too hard to solve. So, for some recommendations we received from Compass Security there is a trade-off between security and usability.
What else did we learn?
Security has always played an important role in AAI and in edu-ID. Even though we already were familiar with many potential security vulnerabilities, it nevertheless was an enriching and eye-opening experience to get an outside expert view. Especially when it comes from independent security experts who are as up-to-date in penetration testing as possible.
We now have even more confidence in the security of the edu-ID service. However, even though we try our best to make the edu-ID service technically as secure as possible, one of the biggest risk is still the end users themselves. Attacking users directly using phishing and social engineering techniques is probably often easier than attacking the service as a whole. This is also one of the reasons why SWITCH is putting a lot of efforts into increasing the security awareness of the higher education community and all internet users in Switzerland.
Want to Become More Security Aware Yourself?
If you want to get less prone to phishing and social engineering techniques yourself, have a look at the Stop.Think.Connect. platform that is operated by the Swiss Internet Security Alliance. If you rather prefer hands-on work combined with an exciting experience, you might also have a look at SWITCH’s escape room experience “Hack the Hacker” created by our own security experts from the SWITCH-CERT team. This activity not only strengthens the security awareness of its participants but it is also a thrilling and fun group experience at the same time.
