You are what they say you are.
pRSET5a::20STa::6xHis aQyd4m, yt-9+weWm Dxk&2+15^N CanYouGuessMe
Identification & Authentication
Vishal Midha, Feb 25, 2003
A Poem of Evil Systems Administration
rr: flicker! flicker! little modem light!
madprof: see you shine, so neat, so bright!
madprof: i wonder why you flicker so?
madprof: is it cos you're 'effing slow?
Ford prefect: transmitting packets through the night...
rr: slinging porno byte by byte...
rr: watch the monitor's pink glow...
rr: as the image starts to grow...
madprof: ping it! ping it! watch it die!
rr: hear the hard disk crash and fry!
madprof: see the user weep and cry,
crusader: reboot again and wonder why?
Abuse Statistics
• The CERT/CC (Computer Emergency Response Team / Coordination Center), a federally funded organization based at Carnegie Mellon University, estimates that 80% of all network security problems are caused by bad passwords.
• In a study by the FBI Computer Intrusion Squad, 40% of 538 surveyed companies detected system penetration, resulting in an average loss of $2M per company per year.
• There were 25,000 categorized attempts to break into U.S. government computer systems in 2001, of which 245 were successful.
• IDC market projections predict that IT security expenditure will increase from $2.8B in 2000 to $7.7B in 2004. The fastest growing component is administration; authentication is the second fastest growing, from $562M in 2000 to $1.7B in 2004, a compound growth rate of 32%.
• According to the U.S. Office of the Comptroller of the Currency, over half a million people were affected by identity theft in the year 2000.
• The identity theft line at the Identity Theft Resource Center of the Federal Trade Commission receives over 3,000 calls per week. Instances of this crime are growing at 30 to 40% per year.
Definitions
• Human authentication is performed to verify that the claimed identity of a person is the true identity and, by implication, that the true identity is authorized for the requested task. Human authentication is also termed end-user authentication or, simply, user authentication.
• The term password may be used for passwords, pass-phrases and PINs. A password is a security device consisting of a protected/private string of characters known only to the authorized user(s) and the system; it is used to authenticate the authorized user of a computer or data file.
• The term security token, or token, loosely includes any physical object that facilitates security. This includes an electronic security token, a smart card, and a magnetic stripe card such as an ATM card.
• A password attack is an attempt to obtain or decrypt a legitimate user's password, the key into the system. Readily available password dictionaries, cracking programs, and password sniffers combine to make passwords very vulnerable.
Definitions contd.
• Brute force attack: A type of attack in which each possible key is attempted until the correct key is found. Ciphertext is deciphered under different keys until recognizable plaintext is discovered. On average, this will take half as many attempts as there are keys in the keyspace.
• Password sniffing: The use of a sniffer to capture passwords as they pass across a network. The network could be a local area network, or the Internet itself. A favorite method for 'installing' a password sniffer onto a local area network is through the use of a Trojan horse.
• Birthday paradox: A standard statistics problem. It would need 183 people in a single room for there to be a more than even chance that one of them has the same birthday as you, but it would require only 23 people for there to be a more than even chance that at least two share the same birthday. Use of this characteristic to attack a one-way hash is commonly described as a birthday attack.
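The two birthday figures and their generalization to hash collisions, computed directly (an added example, not from the slides). Under uniform, independent birthdays the "same birthday as you" threshold comes out at 253 people rather than the 183 quoted above (183 is the 365/2 shortcut); the 23-person figure checks out, and it is that "any pair" case that a birthday attack on a hash exploits.

```python
"""Birthday-paradox arithmetic and the birthday bound on a one-way hash.

Added example (not from the slides). Uniform, independent birthdays are assumed.
"""
from math import log, sqrt


def p_someone_matches_you(people: int, days: int = 365) -> float:
    """P(at least one of `people` others shares your birthday) = 1 - (1 - 1/days)^people."""
    return 1.0 - (1.0 - 1.0 / days) ** people


def p_any_pair_matches(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday), exact product form."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def people_for_even_chance(prob_fn, days: int = 365) -> int:
    """Smallest room size for which prob_fn exceeds 1/2."""
    n = 0
    while prob_fn(n, days) <= 0.5:
        n += 1
    return n


def hash_birthday_bound(bits: int) -> float:
    """Digests of a `bits`-bit hash needed for ~50% collision chance: sqrt(2 ln2 * 2^bits).

    An n-bit hash therefore resists collision search for only about 2^(n/2) work:
    the 'any pair' case, not the 'matches you' case, is what a birthday attack uses.
    """
    return sqrt(2.0 * log(2.0) * 2.0 ** bits)


if __name__ == "__main__":
    # Under uniform birthdays the 'matches you' threshold is 253, not the 183 on the slide.
    print(people_for_even_chance(p_someone_matches_you))  # 253
    print(people_for_even_chance(p_any_pair_matches))     # 23
    print(f"{hash_birthday_bound(64):.3g}")               # ~5.06e9 digests for a 64-bit hash
```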
Authenticators
• Secrets (passwords), single sign-on
• Tokens (physical devices)
Passive: The passive storage device is usually a magnetic stripe or smart card in which a static codeword is stored.
Active: The active device usually contains a processor that computes a one-time password, either by time-synchronization or challenge-response.
Downsides to security tokens are:
• The user must remember to physically possess it to authenticate.
• Most security tokens require the user to memorize a PIN, so this effectively adds the same memorization drawbacks as passwords.
• Most tokens require a port or reader to convey information to the machine, for instance a smart card reader, USB port, etc. These may not be widely available, or available across different access modes such as computers and telephones.
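Both active-token modes named above, time-synchronization and challenge-response, with the token side and the verifying server side written out (an added example, not from the slides). The construction is an assumption for illustration: HMAC-SHA256 over the time step or challenge, truncated to six digits, with a 30-second step and a one-step drift window; real tokens differ in detail.

```python
"""Active-token one-time passwords: time-synchronised and challenge-response verification.

Added example, not from the slides. HMAC-SHA256 truncated to six digits, a 30-second
step and a +/-1 step window are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
STEP_SECONDS = 30


def otp(secret: bytes, message: bytes) -> str:
    """Token-side computation: HMAC over the message, truncated to DIGITS decimal digits."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % 10 ** DIGITS
    return f"{code:0{DIGITS}d}"


def time_step(now: float) -> int:
    return int(now // STEP_SECONDS)


def token_time_otp(secret: bytes, now: float) -> str:
    """What a time-synchronised token displays at wall-clock time `now`."""
    return otp(secret, struct.pack(">Q", time_step(now)))


def verify_time_otp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Server side: accept the current step plus/minus `window` steps to absorb clock drift."""
    for delta in range(-window, window + 1):
        expected = otp(secret, struct.pack(">Q", time_step(now) + delta))
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


class ChallengeResponseServer:
    """Server half of a challenge-response token: issues nonces, verifies single-use responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: str) -> bool:
        # A challenge is consumed on first use, so a captured response cannot be replayed
        # and a response to a challenge the server never issued is rejected.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        return hmac.compare_digest(otp(self._secret, challenge), response)


def token_response(secret: bytes, challenge: bytes) -> str:
    """What the token computes when the user keys in (or the reader passes) the challenge."""
    return otp(secret, challenge)


if __name__ == "__main__":
    seed = b"constructed-token-seed"  # constructed shared secret
    now = 1_000_000.0
    print(verify_time_otp(seed, token_time_otp(seed, now), now + 29))  # True: one step of drift
    srv = ChallengeResponseServer(seed)
    c = srv.challenge()
    r = token_response(seed, c)
    print(srv.verify(c, r), srv.verify(c, r))  # True False: the second attempt is a replay
```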
Authenticators contd.
• Biometric IDs
Physical or static biometric: A static biometric signal has the property that the pertinent information used to match and differentiate is a biometric template that derives directly from fixed body characteristics, e.g. fingerprint, iris, retina, face, hand geometry.
Behavioral or alterable biometric: has two components. One is the underlying body characteristic, which should be fairly stable so as to serve as a good measure for authentication. The other is a variable that alters the biometric, e.g. voice and handwriting.
[Figure: patterns for fingerprint-based biometrics (arch, loop, whorl) and ridge features (end lines, bifurcations)]
An advantage of fingerprint systems is their ease of use. A disadvantage is their variability with dirty, sweaty, or dry skin, sometimes causing false rejections of the legitimate user.
Eye-based Biometrics
An advantage of both of these eye biometrics (iris and retina) is their very high accuracy in matching users. A disadvantage has been cost, traditionally much higher than for fingerprints.
Voice Biometric Systems
[Figure: speech spectrum P(f) against frequency f, marking f0 and the formants f1, f2, f3]
• Measure the signal characteristics of a vocalized phrase. A vocalized phrase is an alterable biometric signal because the same speaker can vocalize different phrases.
• An advantage of biometric systems that rely on alterable biometric signals: if a fingerprint, iris, or face is "stolen" (compromised), the legitimate user cannot easily change it and will have to abandon that biometric. However, if a spoken pass phrase is stolen, such as by audio recording, compromise recovery is as simple as changing the pass phrase.
• The downside of speaker verification is that, although relatively accurate under ideal conditions, background noise and variability in a user's voice (such as a result of laryngitis) prevent consistently high recognition results.
Other Biometric IDs
• Finger Imaging
• Hand Geometry
• Face Recognition
• Signature Recognition
• Vein Measurement
• Keyboard Dynamics
• Chemical Odor Analysis
Drawbacks of Biometrics
Some of the fears that have been cited include:
• that people will be de-humanized by being reduced to codes
• that the system will enhance the power over individuals of particular organizations and the State
• that high-integrity identification embodies an inversion of the appropriate relationship between the citizen and the State
• that the system is a hostile symbol of authority
• that society is becoming driven by technology-assisted bureaucracy, rather than by elected government
• that exemptions and exceptions will exist for powerful individuals and organizations, and that the system will entrench fraud and criminality
• that such identification schemes are the mechanism foretold in religious prophecy (e.g. 'the Mark of the Beast').
Drawbacks contd.
Privacy Issues
• Medical Information
• Personal Privacy
• The Loss of Anonymity
Usability Issues
• User Psychology
• Reliability & Performance
• Individuals With Special Needs
Security Issues
1. Information Theft
Future Trends
• Graphical passwords are claimed to be more memorable to users.
• The Déjà Vu project at the University of California at Berkeley displays an array of abstract images to a user, who chooses the ones she has memorized.
• The HumanAut project at Carnegie Mellon University requires the user to choose the pictures he has memorized from a sequence of memorized and other pictures.
• The Draw-a-Secret project at Bell Labs, AT&T Labs, and NYU requires the user to make a line drawing in the same shape and sequence within an invisible grid pattern.
• Enhanced tokens include multi-function smart cards that store multiple passwords on a single token and can perform other tasks, such as employee identification (employee badge) or cafeteria debit. For wireless convenience, new security tokens will contain an RFID or Bluetooth chip for wireless detection in the proximity of a reader. This will contribute to a concept called presence, where machines can sense when you are close to them with no action from you. PDAs will also be enhanced with hardware and software to securely store passwords and other secure or private information.
Future Trends contd.
NIST Automated Password Generator (APG)
• The standard describes an automated password generation algorithm that randomly creates simple pronounceable syllables as passwords.
• The password generator accepts input from a random number generator based on the Data Encryption Standard (DES) cryptographic algorithm defined in Federal Information Processing Standard 46-1 (FIPS PUB 46-1).
Future Trends contd.
• New and multi-modal biometrics attempt to address some of the shortcomings of current biometric solutions. Multi-modal biometrics combine different biometric modalities to strengthen security, reduce false rejections, and provide alternatives to the user. New biometrics include gait recognition, infrared capture of blood vessel patterns, and implantable chips.
• Personal Q&A schemes are advancing past the stereotypical mother's maiden name. Often, users are invited to create their own questions and answers that are most memorable to them. Many corporate security systems for password reset use specific knowledge held by that system. For instance, an airline might ask about recent flights, and a brokerage might ask about mutual funds owned. The terms "obscure knowledge" and "out of wallet" are also used to describe this approach. These allude to the fact that the information is obscure, but not secret: something that may appear on cards carried within one's wallet or purse.
Don'ts: What Not to Use
• Don't use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
• Don't use your first or last name in any form.
• Don't use your spouse's or child's name.
• Don't use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
• Don't use a password of all digits, or all the same letter. This significantly decreases the search time for a cracker.
• Don't use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
• Don't use a password shorter than six characters.
Some Facts
For passwords on a UNIX system:
• Password based on own name or login name (theoretical): very small fraction of a second. Never, ever do this!
• Dictionary word, lower case only (theoretical): less than 4 seconds per language.
• Dictionary word, first letter (only) capitalized (theoretical): less than 4 seconds per language. Some password programs require at least one capital letter in any new password. Most people choose to capitalize the first letter and no others.
• Two shorter words together, lower case only (theoretical): less than 1 min 30 secs per language. This is a common way for people to "get round" a password program that does not allow dictionary words.
• Dictionary word with number at end or beginning (empirical): approximately 10 mins. These are the most common passwords on systems where the password program refuses to accept a password without at least one number or special character.
Some Facts contd.
• Two shorter words, first letter of each word (only) may be capitalized (theoretical): less than 5 mins.
• Dictionary word with random capitalization (theoretical): less than 16 mins. This case is only 2^8, or 256, times more complicated than a lowercase-only dictionary word.
• Any combination of letters that is pronounceable (conforms to certain rules) (empirical): approximately 1 to 2 hours.
• Password based on a word with lower or uppercase letters and one or two numbers (empirical): approximately 1 to 2 days.
• Any combination of letters (lowercase only) (theoretical): less than 10 days.
• Any combination of letters (lower or uppercase) (theoretical): less than 100 days.
Record Breaking DES Key Search Completed
• Paul Kocher: The DES algorithm uses a 56-bit encryption key, meaning that there are 72,057,594,037,927,936 possible keys. The DES Key Search Project developed specially designed hardware and software to search 90 billion keys per second, determining the key and winning the $10,000 RSA DES Challenge after searching for 56 hours. (The six cabinets house 29 boards, each holding 64 custom search microchips.)
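The keyspace and search-time arithmetic behind the "Some Facts" figures and the DES challenge, as an added example (not from the slides). Guess rates are parameters; the 2^56 keys and 90 billion keys/second are the slide's own numbers, and they give an average of about 111 hours and a worst case of about 222 hours, so the project's 56 hours means the key was found after roughly a quarter of the keyspace.

```python
"""Keyspace size and expected brute-force time: the arithmetic behind the 'Some Facts'
slides and the DES Key Search figures.

Added example, not from the slides. Guess rates are inputs; the 2^56 keys and
90 billion keys/second come from the DES slide.
"""
import string

DES_KEYS = 2 ** 56          # 72,057,594,037,927,936 possible keys
DES_SEARCH_RATE = 90e9      # keys per second, per the slide


def keyspace_size(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def exhaustive_seconds(keyspace: int, rate: float) -> float:
    """Worst case: every key tried."""
    return keyspace / rate


def expected_seconds(keyspace: int, rate: float) -> float:
    """Average case: half the keyspace, as the 'Definitions' slide states for brute force."""
    return keyspace / 2 / rate


def hours(seconds: float) -> float:
    return seconds / 3600.0


def des_hours(rate: float = DES_SEARCH_RATE) -> tuple[float, float]:
    """(expected, worst-case) hours for the DES challenge at `rate` keys/s."""
    return hours(expected_seconds(DES_KEYS, rate)), hours(exhaustive_seconds(DES_KEYS, rate))


def capitalization_multiplier(letters: int) -> int:
    """Random capitalization of a `letters`-letter dictionary word multiplies the candidate
    list by 2^letters: for eight letters that is the slide's 2^8 = 256, only eight more bits."""
    return 2 ** letters


def class_search_table(length: int, rate: float) -> dict[str, tuple[int, float]]:
    """Keyspace and expected seconds at `rate` guesses/s for the character classes the
    Do's slide recommends, so the gain from mixed case and punctuation can be compared."""
    alphabets = {
        "digits only": string.digits,
        "lowercase letters": string.ascii_lowercase,
        "mixed-case letters": string.ascii_letters,
        "mixed-case + digits": string.ascii_letters + string.digits,
        "mixed-case + digits + punctuation": string.ascii_letters + string.digits + string.punctuation,
    }
    table = {}
    for name, alphabet in alphabets.items():
        size = keyspace_size(len(alphabet), length)
        table[name] = (size, expected_seconds(size, rate))
    return table


if __name__ == "__main__":
    expected, worst = des_hours()
    print(f"DES at 90e9 keys/s: {expected:.0f} h expected, {worst:.0f} h worst case")  # 111 / 222
    for name, (size, secs) in class_search_table(8, 1e6).items():
        print(f"{name:36s} {size:>22,d} keys  {secs / 86400:>12,.1f} days")
```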
Do's: What to Use
• Do use a password with mixed-case alphabetic characters.
• Do use a password with non-alphabetic characters, e.g., digits or punctuation.
• Do use a password that is easy to remember, so you don't have to write it down.
• Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
Method to Choose Secure and Easy to Remember Passwords
• Choose a line or two from a song or poem, and use the first letter of each word. For example, "In Xanadu did Kubla Kahn a stately pleasure dome decree" becomes "IXdKKaspdd".
• Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words that are usually pronounceable, and thus easily remembered. Examples include "routboo", "quadpop", and so on.
• Choose two short words and concatenate them together with a punctuation character between them. For example: "dog;rain", "book+mug", "kid?goat".
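A password-policy check that blocks the Don'ts and flags the Do's from the two slides above, together with two of the construction methods, as an added example (not from the slides). The word list is a constructed stand-in for the dictionaries and spelling lists a real check would load.

```python
"""Password-policy checker for the Don'ts and Do's slides.

Added example, not from the slides. WORDLIST is a constructed stand-in for the
English and foreign-language dictionaries a real check would load.
"""
from typing import Iterable

WORDLIST = {"password", "secret", "welcome", "dragon", "xanadu"}  # constructed sample
MIN_LENGTH = 6


def login_variants(login: str) -> set[str]:
    """Login name 'in any form': as-is, reversed, doubled (case is ignored by the caller)."""
    base = login.lower()
    return {base, base[::-1], base * 2, base[::-1] * 2}


def check_password(password: str, login: str,
                   personal: Iterable[str] = ()) -> tuple[list[str], list[str]]:
    """Return (violations, advice).

    violations: Don'ts slide rules, which should block the password.
    advice:     Do's slide recommendations, which a policy may warn about.
    """
    violations: list[str] = []
    advice: list[str] = []
    lowered = password.lower()

    if lowered in login_variants(login):
        violations.append("login name in some form")
    for item in personal:  # names, license plate, phone number, street ...
        if item and item.lower() in lowered:
            violations.append(f"contains easily obtained information: {item}")
    if password.isdigit():
        violations.append("all digits")
    if len(set(password)) == 1:
        violations.append("all the same character")
    if lowered in WORDLIST:
        violations.append("dictionary word")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        advice.append("use mixed case")
    if all(c.isalpha() for c in password):
        advice.append("add digits or punctuation")
    return violations, advice


def acronym_password(line: str) -> str:
    """Do's slide method 1: first letter of each word of a song or poem line."""
    return "".join(word[0] for word in line.split())


def joined_words(first: str, second: str, sep: str) -> str:
    """Do's slide method 3: two short words joined by a punctuation character."""
    return f"{first}{sep}{second}"


if __name__ == "__main__":
    print(check_password("vmidha", "vmidha"))  # login name: blocked
    print(check_password(acronym_password(
        "In Xanadu did Kubla Kahn a stately pleasure dome decree"), "vmidha"))
    print(check_password(joined_words("dog", "rain", ";"), "vmidha"))
```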
Managing Multiple Accounts
It is not practical to have a different password for every account, nor is it desirable from a security standpoint. The more passwords you have, the more likely it is that you will have to write them down, which is insecure. On the other hand, it is not a good idea to use the same password for all accounts. If you do and your password is cracked on one system, all your accounts are exposed. A chain is only as strong as its weakest link. A good solution is to separate your accounts into two to four groups based on the consequences of someone misusing the account.
• Level 1 accounts (highest consequences). These are accounts that, if compromised, could cause you to lose a lot of money, lose your job or suffer major inconveniences, e.g. company accounts, online stock trading accounts and online bank accounts.
• Level 2 accounts (medium consequences). These are accounts that, if compromised, could cause you to lose small amounts of money or suffer minor inconveniences, e.g. online auction accounts (e.g., eBay), accounts containing your credit card number (e.g., Amazon), and mail accounts.
• Level 3 accounts (lowest consequences). These are accounts that, if compromised, would have little or no consequences for you, e.g. web sites such as job search sites (e.g., HotJobs), web sites for periodicals (e.g., New York Times, Forbes), and web sites for gaming (e.g., bridge, fantasy football).
Managing Multiple Accounts contd.
The second management issue with multiple accounts is remembering the user-ids (login names) for all your accounts and which password is associated with each account. You may start with a few computer accounts, but if you use web sites the number quickly grows into the dozens. (I have about sixty.) Ideally you would have the same user-id for all accounts, but sometimes you are not allowed to choose your user-id.
Suggestion: On your home computer system (not work), create a file in a subdirectory that contains a lot of other files. Give it an innocuous name like "data", "junk" or one of the existing files with _save appended. (Don't use a name of tmp or a suffix of .tmp: the file might be inadvertently deleted by disk cleanup utilities.) Disable the file's read and write permissions for other users. Edit the file and, for all accounts (except perhaps level one accounts), record (1) the system or web site associated with it, (2) the user-id (login name) associated with it and (3) the keyword (not password) for the account that you chose. The number of level one accounts is probably small, so it is best not to put them in this file. Do not put words like "account", "login", "user-id" or "password" anywhere in the file; crackers scan for files with words like these. If you back up the file to a floppy, give the floppy an innocuous label like "Misc files", not "Account info". Again, do not put passwords in this file, any other unencrypted file or on paper.
Password Cracking Software
• Create your own script for known or common user-ids
• Authforce, which attempts to guess passwords for basic HTTP authentication by logging into a Web server. http://kapheine.hypa.net/authforce/index.php
• Brute_ssl and brute_web, which guess passwords for HTTP and HTTPS authentication. www.packetstorm.security.org/Exploit_Code_Archive/brute_ssl.c & www.packetstorm.security.org/Exploit_Code_Archive/brute_web.c
• Xavier, a flexible tool that supports guessing plaintext passwords for a variety of applications. www.btinternet.com/~lithiumsoft/
• Hypnopedia, a password guesser for email using the POP3 protocol. www.packetstorm.security.org/Crackers/hypno.zip
• http://www.solarwinds.net/Tools/Security/SNMP_Dictionary_Attack/
Password Cracking Software
For:
• Archives password recovery software
• Microsoft Office 97/2000/XP and other Microsoft applications password recovery software
• Instant messengers password recovery software
• E-mail clients password recovery software
• Corel WordPerfect Office password recovery software
• Intuit password recovery software
• And many more
At: http://www.crackpassword.com
Advanced Archive Password Recovery
ZIP (PKZip, WinZip), ARJ/WinARJ, RAR/WinRAR (2.0-2.8), ACE/WinACE
The fastest ZIP cracker in the world! (according to independent reviewers and experts). Convenient user interface.
• Fifteen million passwords per second
• PKZip 4.0 supported
• Guaranteed decryption
• Dictionary-based attack available
• Non-English characters are supported
• Maximum password length is not limited
• No special virtual memory requirements
• Can interrupt at any time, and restart from the same point later
Changing BIOS Password
• Clear the BIOS by removing the jumper on the motherboard. (On some motherboards, simply removing the jumper is not enough. In some cases, there are three pins and you must remove the jumper from 1 to 2, connect 2 to 3 for a few seconds, and then replace the jumper on 1 to 2.)
• Disconnect the motherboard from the power supply. (Remove the motherboard from the power supply for an extended amount of time.)
• Flash the BIOS. (If the boot sequence is C: drive first, A: drive second, then unplug the ribbon cable from your hard drive. Doing this will force the computer to boot from the floppy.)
Changing BIOS Password
• Starting diskette has any version of DOS (3.xx to 7.xx) with its DEBUG program.
• You start DEBUG and DESTROY (change) some of the CMOS clock registers. Under DEBUG you enter the commands:
o70 25 ; #25 - register address
o71 55 ; #55 - in fact - any value
...
o70 26 ; #26 - another register
...
o71 55 ; new value for reg. #26
...
q ; Quit
and then RESET the computer. The CMOS checksum does not fit, so the BIOS suggests loading default values, the passwords as well.
• On most unbranded machines, it works OK with only two registers; on many BRANDED machines you need more registers destroyed (i.e. #00 to #60). (Instead of Q at the end you can execute RESET with the command g=ffff:0 ...)
Administrator Passwords
• A quickie for read access: NTFSDOS.EXE
• Make a boot floppy from a Win98 computer.
• Get NTFSDOS.EXE from http://www.sysinternals.com and put the 40kB small EXE file on the boot floppy.
• Boot from the floppy, run the program NTFSDOS and it will mount all NTFS partitions that it can find.
• You can now read any file / execute any console program, e.g. you can copy stuff over to your floppy disk or to a network drive, but no write access.
• Read & write access with "NTFSDOS Pro" ($149) or better "ERD Commander" ($250 - $325). Available at http://www.winternals.com
• L0phtcrack from http://www.l0pht.com/l0phtcrack/ (free)
Windows/NT Passwords
• L0phtcrack at www.@stake.com (CH p287-290)
Administrator Passwords contd.
• Slip the system a command prompt. Usually you can log in with a guest or regular user account. Do that and go to the directory \Windows\System32 and replace the login screensaver with the command line prompt:
cd \Windows\System32
ren logon.scr login.bak
copy cmd.exe logon.scr
Then reboot, and just wait for the screensaver to come up. It will be the command line prompt and you'll have access to the computer. Full access! You can run the user manager, create a new account and give it admin privileges or just change the admin password... Also don't forget to restore the original screen saver.
• http://home.eunet.no/~pnordahl/ntpasswd/ Very useful tool
Toshiba Notebooks BIOS Password Recovery
Ingredients:
1. Your notebook.
2. An empty formatted diskette (720 kB or 1.44 MB).
3. A second computer (e.g. a DOS desktop PC).
4. A hex editor (e.g. Norton DiskEdit or HexWorks).
Procedure:
1. Start the desktop PC and start the hex editor.
2. Put the disk in drive A:
3. Change the first five bytes of sector 1 (boot sector is sector 0) to: 4B 45 59 00 00.
4. Save it! Now you have a KEYDISK.
5. Remove the disk from drive A:
6. Put the disk in the notebook drive.
7. Start the notebook in Boot Mode (push the reset button).
8. Press Enter when asked for Password.
9. You will be asked to Set Password again. Press Y and Enter.
10. You now see the BIOS configuration where you can set a new password.
Advice For Administrators
Advice for administrators who want to protect their computers:
• Remove default passwords from systems. A huge database of default passwords for a variety of platforms is available at security.nerdnet.com (currently not working).
• Put a password on your BIOS and disable booting from floppy or CD-ROM. This rules out NTFSDOS and Co.
• Maybe even physically lock your computer so that the hard disk cannot be removed and put in a different computer where the attacker can boot from a floppy disk.
• Download l0phtcrack from www.l0pht.com and find out how good your password is. You will be surprised. Use strong passwords!
• Use Microsoft's syskey tool (comes with Service Pack 6) and see the documentation at http://support.microsoft.com/support/kb/articles/q143/4/75.asp and http://support.microsoft.com/support/kb/articles/q248/1/83.asp
References
• http://www.itsecurity.com/glossary.htm
• http://www.itl.nist.gov/fipspubs/fip181.htm
• http://www.cs.usask.ca/undergrads/der850/project/biometrics/drawbacks.shtml
• http://www.cryptography.com/resources/whitepapers/DES.html
• http://www.computerworld.com/networkingtopics/networking/story/0,10801,67551,00.html
• http://www.usatoday.com/money/biztravel/2001-09-25-biometrics.htm
• http://www.crackpassword.com/
• http://www.epinions.com/book-review-65B4-11C49867-39925901-prod4
• http://www.securiteam.com/tools/5UP0F000CW.html
• http://www.tyan.com/support/html/how_to_flash.html
• http://www.motherboards.org/articlesd/how-to-guides/42_1.html
References contd.
• Nicholas J. Hopper and Manuel Blum, "Secure Human Identification Protocols", in: Advances in Cryptology, Proceedings of Asiacrypt 2001.
• R. Dhamija and A. Perrig, "Déjà Vu: A User Study Using Images for Authentication", 9th USENIX Security Symposium, August 2000.
• Counter Hack, 2002, by Ed Skoudis
• Secrets & Lies, 2000, by Bruce Schneier