Network Security Hacking & Defense 2

  1. Network Security Hacking & Defense 2
  From Computer Security: Principles & Practice, Chapter 3 Authentication
  Not 2012: Chapter 11.1-11.2 Buffer Overflows

  2. Objectives
  The student shall be able to:
  • Define these types of attacks: dictionary, rainbow table, eavesdrop, replay, brute force
  • Define the purpose of salt and how it works
  • Describe features of password complexity and the advantages of each
  • Show three ways of generating a secure password from a phrase
  • Calculate the number of possible combinations when lower case versus lower & upper case versus alphanumeric versus alphanumeric plus symbols are used
  • Describe how remote user authentication works (packet sequence)
  Not in 2012: Class Time: The class shall be conducted as follows: Lecture 1.5 hours, Lab 1.5 hours, Total 3 hours

  3. Authenticated Attacks
  Once an attacker gains access:
  • Escalating privilege: after obtaining a user account, the next goal is to obtain Administrator status
  • Installing backdoors: to ensure future access
  • Covering tracks: modifying logs, hiding existence
  • Making the vulnerability secure, so the system isn't lost to other hackers

  4. Privilege Escalation
  Hacker methods include:
  • Grabbing password hashes
  • DLL injection: modify or replace a DLL with a Trojan (allowing back-door entry)
  • Spoofing LPC port requests: using Local Procedure Call (LPC) to impersonate a client and access a server
  • Installing a rootkit: includes installing a backdoor and replacing existing utilities such as ps and telnet

  5. Many slides by William Stallings and Lawrie Brown: Computer Security
  From Computer Security, Chapter 3 – User Authentication

  6. User Authentication
  • fundamental security building block
  • basis of access control & user accountability
  • is the process of verifying an identity claimed by or for a system entity
  • has two steps:
    • identification - specify identifier
    • verification - bind entity (person) and identifier

  7. Means of User Authentication
  • four means of authenticating a user's identity
  • based on something the individual
    • knows - e.g. password, PIN
    • possesses - e.g. key, token, smartcard
    • is (static biometrics) - e.g. fingerprint, retina
    • does (dynamic biometrics) - e.g. voice, signature
  • can use alone or combined
    • 'two-factor' or 'three-factor' authentication
  • all can provide user authentication
  • all have issues

  8. Password Authentication
  • widely used user authentication method
  • user provides name/login and password
  • system compares the password with that saved for the specified login
  • authenticates the ID of the user logging in, and that the user is authorized to access the system
  • determines the user's privileges
  • is used in discretionary access control

  9. Authentication Security Issues
  • client attacks: keystroke monitoring
  • host attacks: capture the authentication file
  • eavesdropping: observe or sniff the password, keystroke monitor
  • replay: play the same password back
  • trojan horse: captures the authentication file
  • denial-of-service: prevents access via flooding

  10. Password Choices
  • users may pick short passwords
    • e.g. 3% were 3 chars or less, easily guessed
    • system can reject choices that are too short
  • users may pick guessable passwords
    • so crackers use lists of likely passwords
    • e.g. one study of 14000 encrypted passwords guessed nearly 1/4 of them
    • would take about 1 hour on the fastest systems to compute all variants, and only one break is needed!

  11. Password Cracking
  • dictionary attacks
    • try each word, then obvious variants, in a large dictionary against the hashes in the password file
  • rainbow table attacks
    • precompute tables of hash values for all salts
    • a mammoth table of hash values
    • e.g. a 1.4GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 secs
    • not feasible if larger salt values are used

  12. Dictionary Attack & Brute Force : How easy it is!

  13. Password Cracking: Dictionary Attack & Brute Force

  14. Password Vulnerabilities
  Single user focus
  • specific account attack
  • password guessing against a known user
  • workstation hijacking: unattended console
  • exploiting user mistakes: writing down the password
  • exploiting the same password on different machines
  Multi-user
  • electronic eavesdropping
  • offline dictionary attack
  • popular password attack

  15. Password Complexity
  Can specify:
  • At least 8 (preferably 12) chars
  • Password expires in N days
  • Lockout after N bad login attempts
  • Reset count after N minutes
  • Lockout duration N minutes
  • Enforce password history (N-count memory of passwords)
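The objectives ask for the number of possible combinations for each character class; the example below (added here, not part of the slides) computes that for the 8- and 12-character minimums on the complexity slide and converts it to hours of exhaustive guessing. The symbol count (32) and the guess rate (1e9 per second) are assumed figures, not values from the slides.

```python
import math

# Character-class sizes from the objectives slide. The symbol count (32 printable
# ASCII punctuation characters) is an assumption; the slides give no figure.
CHARSETS = {
    "lower case": 26,
    "lower & upper case": 52,
    "alphanumeric": 62,
    "alphanumeric + symbols": 62 + 32,
}


def combinations(charset_size, length):
    """Distinct passwords of exactly `length` characters drawn from the class."""
    return charset_size ** length


def combinations_up_to(charset_size, max_length):
    """Every password of length 1..max_length: what an exhaustive search covers."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def brute_force_hours(charset_size, length, guesses_per_second):
    """Hours to try every password of this length at an assumed guessing rate."""
    return combinations(charset_size, length) / guesses_per_second / 3600.0


def keyspace_table(lengths=(8, 12), guesses_per_second=1e9):
    """Rows of (class, length, combinations, entropy bits, hours to exhaust)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            count = combinations(size, n)
            rows.append((name, n, count, n * math.log2(size),
                         brute_force_hours(size, n, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # 1e9 guesses/s is an assumed rate for an offline cracking rig.
    for name, n, count, bits, hours in keyspace_table():
        print(f"{name:24s} len {n:2d}: {count:.3e} ({bits:5.1f} bits) "
              f"{hours:.3e} h")
```

Going from 8 to 12 characters multiplies the alphanumeric keyspace by 62^4, which matters more than adding a fifth character class.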

  16. Creating a Good Password
  Bad password: Merry Christmas
  Transformations shown on the slide: Lengthen, Synonym, Intertwine Letters, Convert vowels to numeric, Abbreviate, Keypad shift (Right, Up)
  Candidates produced along the way: Merry Xmas, MerryChrisToYou, MerryJul, MaryJul, MerChr2You, MXemrays, GladJesBirth, M5rryXm1s, Mary*Jul, ,stuzc,sd, Jq46Sjqw
  Good password: mErcHr2yOu

  17. Creating A Good Password

  18. Password Recommendations
  • Change the default passwords on firewalls, services, servers, etc.
  • Never use 'admin' or 'root' or 'administrator' as the login for the admin
  • Use a software firewall on each computer system, with antivirus & antispyware
  • A good password is:
    • private: it is used and known by one person only
    • secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
    • changed regularly: periodically change your password
    • easily remembered: so there is no need to write it down
    • at least 8 characters but preferably 12
    • a mixture of at least 3 of the following: upper case letters, lower case letters, digits and punctuation
    • not guessable by any program in a reasonable time, for instance less than one week
  Why you must change passwords
  • Even if you choose a good password, it can still be discovered:
    • someone may see you typing it or snoop the network
    • if you accidentally type your password instead of your login name, it can end up in system log files

  19. Using Better Passwords
  • clearly there are problems with passwords
  • goal is to eliminate guessable passwords
  • whilst still easy for the user to remember
  • techniques:
    • user education
    • computer-generated passwords
    • reactive password checking
    • proactive password checking

  20. Proactive Password Checking
  • rule enforcement plus user advice, e.g.
    • 8+ chars, upper/lower/numeric/punctuation
    • may not suffice
  • password cracker
    • time and space issues
  • Bloom Filter
    • use to build a table based on a dictionary, using hashes
    • check the proposed password against this table

  21. Use of Hashed Passwords

  22. Salt + Password
  Salt:
  • prevents identical passwords from giving the same encrypted value
  • increases the length of the password without requiring the user to remember additional characters

  23. UNIX Implementation
  • original scheme
    • 8-character password forms a 56-bit key
    • 12-bit salt used to modify DES encryption into a one-way hash function
    • a zero value is repeatedly encrypted 25 times
    • output translated to an 11-character sequence
  • now regarded as woefully insecure
    • e.g. supercomputer, 50 million tests, 80 min
  • sometimes still used for compatibility

  24. Improved Implementations
  • have other, stronger, hash/salt variants
  • many systems now use MD5
    • with 48-bit salt
    • password length is unlimited
    • hashed with a 1000-iteration inner loop
    • produces a 128-bit hash
  • OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt
    • uses a 128-bit salt to create a 192-bit hash value
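The hashed-password scheme of the last three slides in working form, as an added example (not code from the slides or the textbook): a random per-user salt, an iterated inner loop, and a self-describing stored record. PBKDF2-HMAC-SHA256 from the standard library stands in for MD5-crypt or bcrypt; the iteration count and record layout are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor, the role of the "1000 times inner loop"
SALT_BYTES = 16        # 128-bit salt, as on the bcrypt bullet


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a record 'pbkdf2_sha256$iterations$salthex$hashhex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def stored_values(password, n_users, salted=True):
    """Set of stored hash values when n_users all choose the same password.
    Unsalted, every user stores the same value and one precomputed table
    (rainbow table) breaks them all; salted, each user gets a distinct value."""
    if not salted:
        return {hashlib.md5(password.encode("utf-8")).hexdigest()
                for _ in range(n_users)}
    return {hash_password(password).split("$")[3] for _ in range(n_users)}


if __name__ == "__main__":
    record = hash_password("Merry Christmas")
    print(record)
    print(verify_password("Merry Christmas", record),
          verify_password("merry christmas", record))
    print(len(stored_values("Merry Christmas", 3, salted=False)),
          len(stored_values("Merry Christmas", 3)))
```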

  25. Password File Access Control
  • can block offline guessing attacks by denying access to encrypted passwords
    • make available only to privileged users
    • often using a separate shadow password file
  • still have vulnerabilities
    • exploit O/S bug
    • accident with permissions making it readable
    • users with the same password on other systems
    • access from unprotected backup media
    • sniff passwords in unprotected network traffic

  26. Token Authentication
  • object the user possesses to authenticate, e.g.
    • embossed card
    • magnetic stripe card
    • memory card
    • smartcard

  27. Memory Card
  • store but do not process data
  • magnetic stripe card, e.g. bank card
  • electronic memory card
  • used alone for physical access
  • with password/PIN for computer use
  • drawbacks of memory cards include:
    • need special reader
    • loss of token issues
    • user dissatisfaction

  28. Smartcard
  • credit-card like
  • has own processor, memory, I/O ports
  • wired or wireless access by reader
  • may have crypto co-processor
  • executes protocol to authenticate with reader/computer
  • also have USB dongles

  29. Remote User Authentication
  • authentication over a network is more complex
  • problems of eavesdropping, replay
  • generally use challenge-response
  • protects against a number of attacks
  Packet sequence (User <-> System):
  1. User -> System: Identity
  2. System -> User: Random challenge
  3. [Calculate] on both sides
  4. User -> System: Reply
  5. System: Accept or reject
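The challenge-response packet sequence on this slide, written out with both sides' messages as an added example (not code from the slides or the textbook). The [Calculate] step is assumed to be an HMAC over identity and challenge under a shared secret; the System consumes each challenge once, which is what defeats the replay attack listed above, and the password never crosses the network.

```python
import hashlib
import hmac
import os


def compute_reply(secret, identity, challenge):
    """Both sides' [Calculate] step: keyed hash over identity and challenge."""
    return hmac.new(secret, identity.encode("utf-8") + challenge, hashlib.sha256).digest()


class System:
    """Server side of the exchange on the slide."""

    def __init__(self):
        self._secrets = {}   # identity -> shared secret (assumed: set at enrolment)
        self._pending = {}   # identity -> outstanding random challenge

    def enroll(self, identity, secret):
        self._secrets[identity] = secret

    def challenge(self, identity):
        """Steps 1-2: user sends identity, system answers with a fresh random challenge."""
        if identity not in self._secrets:
            raise KeyError("unknown identity")
        nonce = os.urandom(16)
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity, reply):
        """Step 5: accept or reject. The challenge is consumed whether or not the
        reply matches, so a captured reply cannot be played back later."""
        nonce = self._pending.pop(identity, None)
        if nonce is None:
            return False
        expected = compute_reply(self._secrets[identity], identity, nonce)
        return hmac.compare_digest(expected, reply)


class User:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, challenge):
        """Steps 3-4: reply = f(secret, challenge); the secret itself is never sent."""
        return compute_reply(self.secret, self.identity, challenge)


def run_exchange(system, user):
    """Full packet sequence; returns (accepted, challenge, reply)."""
    challenge = system.challenge(user.identity)
    reply = user.respond(challenge)
    return system.verify(user.identity, reply), challenge, reply
```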

  30. Biometric Authentication • authenticate user based on one of their physical characteristics

  31. Biometric Accuracy • never get identical templates • problems of false match / false non-match

  32. Countermeasures - Admin
  • Establish the Administrator account as having no or few privileges
  • Use the admin (root) account only when necessary (e.g., not to read email)
  • Use longer passwords for admin accounts
  • For any system, never retain default passwords!
  • Name the Administrator account something else
  • Set an account lockout threshold
    • ensure it applies to Administrator, particularly for remote access

  33. Countermeasures - User
  • Check for and remove invalid accounts (e.g., accounts not used in 30 days)
  • Enforce a strong password policy
  • Enable auditing of account logon failures and review event logs regularly
  • Implement training & enforcement of policies
  • Enable automatic workstation logout

  34. Countermeasures – User Access
  • Apply the Principle of Least Privilege: grant the minimum permissions necessary
    • Provide access to files and database segments only as necessary
    • Specify as limited permissions (rwx) as possible
    • Limit use of admin accounts – no email
  • Separation of Duties in System Administration – the Administrator and a separate log reader

  35. Countermeasures - Computer
  • Do not allow boots from floppy or CDs
  • Lock up servers to prevent physical access
  • Do not use the same password from one machine to the next (minimally, compartmentalize passwords)
  • Stop unauthorized access to the password file

  36. Countermeasures - Network
  • Restrict access to or disable SMB services on TCP ports 139 & 445 at firewalls
  • Monitor with intrusion detection
  • Counter sniffing with encrypted network links: e.g., IPSec
  • Avoid software which sends passwords or operates in the clear: rlogin, telnet, POP3, alerter, clipbook, …
  • Limit permissions on Windows shares (from Everyone – Full Control or Read)
  • Eliminate or reduce anonymous or guest access
  • Use mail packages that check for viruses

  37. Summary: Security in Layers
  When one layer fails, other layers work
