ET4085/ET5085 Telecommunication Network Security
Tutun Juhana, Telecommunication Engineering, School of Electrical Engineering & Informatics, Institut Teknologi Bandung
http://telecommunication.itb.ac.id/~tutun/ET4085
All About Passwords
Password vulnerabilities
• Organizational or end-user vulnerabilities
  • Lack of password awareness on the part of end users
  • Lack of password policies that are enforced within the organization
• Technical vulnerabilities
  • Weak encryption methods
  • Insecure storage of passwords on computer systems
http://wp.me/P29YQz-k
Organizational password vulnerabilities
• Users' passwords are usually:
  • Weak and easy to guess
  • Rarely changed
  • Reused across several different systems
  • Written down in an insecure place
• Even a hard-to-guess password can be stolen
Technical password vulnerabilities
• Weak password-encryption schemes
• Software that stores passwords in memory and in easily accessed databases
• End-user applications that display passwords on the screen while typing
• ICAT Metabase (an index of computer vulnerabilities) currently identifies more than 460 technical password vulnerabilities (icat.nist.gov/icat.cfm)
Cracking passwords the old-fashioned way
Shoulder surfing
Inference
• Guessing passwords from information you know about users, such as their date of birth, favorite television show, and phone numbers
Weak authentication
• As in the old Windows 9x and Windows Me
Social engineering
• Examples
  • False support personnel claim that they need to install a patch or new version of software on a user’s computer, talk the user into downloading the software, and obtain remote control of the system.
  • False vendors claim to need to make updates to the organization’s accounting package or phone system, ask for the administrator password, and obtain full access.
  • False contest: Web sites run by hackers gather the user IDs and passwords of unsuspecting contestants. The hackers then try those passwords on other Web sites, such as Yahoo! and Amazon.com, and steal personal or corporate information.
  • False employees notify the security desk that they have lost their keys to the computer room, are given a set of keys, and obtain unauthorized access to physical and electronic information.
Performing social-engineering attacks
• Perform research
• Build trust
• Exploit the relationship for information through words, actions, or technology
• Use the information gathered for malicious purposes
Fishing for information
• Social engineers typically start by gathering public information about their victim
  • Using the Internet
  • Dumpster diving
Building trust
• Likability
• Believability
Exploiting the relationship
• Deceit through words and actions
  • Acting overly friendly or eager
  • Mentioning names of prominent people within the organization
  • Bragging about authority within the organization
  • Threatening reprimands if requests aren’t honored
  • Acting nervous when questioned (pursing the lips and fidgeting, especially the hands and feet, because more conscious effort is required to control body parts that are farther from the face)
  • Overemphasizing details
  • Physiological changes, such as dilated pupils or changes in voice pitch
  • Appearing rushed
  • Refusing to give information
  • Volunteering information and answering unasked questions
  • Knowing information that an outsider should not have
  • A known outsider using insider speech or slang
  • Asking strange questions
  • Misspelling words in written communications
Deceit through technology
• Sending e-mail for critical information
  • Such e-mail usually provides a link that directs victims to a professional- and legitimate-looking Web site that “updates” account information such as user IDs, passwords, and Social Security numbers
  • Any time you need to go to a Web site for your bank, credit card company, or other personal, financial, or confidential information, do not follow a link in an e-mail; type the address into your browser directly
• The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting people’s bank accounts and money.
  • These social engineers (scamsters) offer to transfer millions of dollars to the victim to repatriate a deceased client’s funds to the United States
  • All the victim must provide is personal bank-account information and a little money up front to cover the transfer expenses
  • Victims have ended up having their bank accounts emptied
Social-engineering countermeasures
• Policies
  • Classifying data
  • Hiring employees and contractors and setting up user IDs
  • Terminating employees and contractors, and removing user IDs
  • Setting and resetting passwords
  • Handling proprietary and confidential information
  • Escorting guests
User awareness
• Treat security awareness and training as a business investment.
• Train users on an ongoing basis to keep security fresh in their minds.
• Tailor your training content to your audience whenever possible.
• Create a social-engineering awareness program for your business functions and user roles.
• Keep your messages as nontechnical as possible.
• Develop incentive programs for preventing and reporting incidents.
• Lead by example.
• Never divulge any information unless you can validate that the person requesting the information needs it and is who he says he is.
  • If a request is made over the telephone, verify the caller’s identity, and call back.
• Never click an e-mail link that supposedly loads a page with information that needs updating. This is especially true for unsolicited e-mails.
• Escort all guests within a building.
• Never send or open files from strangers.
• Never give out passwords.
• Never let a stranger connect to one of your network jacks — even for a few seconds.
  • A hacker can place a network analyzer, Trojan-horse program, or other malware directly onto your network.
• Classify your information assets, both hard-copy and electronic. Train all employees to handle each asset type.
• Develop and enforce computer media and document destruction policies that help ensure data is handled carefully and stays where it should.
  • Use cross-shredding paper shredders.
• Never allow anonymous File Transfer Protocol (FTP) access into your FTP servers if you don’t have to.
High-tech password cracking
• Password-cracking software
• Dictionary attacks
• Brute-force attacks
Password-cracking software
• NetBIOS Auditing Tool (NAT) specializes in network-based password attacks. Go to www.securityfocus.com/tools/543
• Chknull (www.phreak.org/archives/exploits/novell) for Novell NetWare password testing
• These tools require physical access to the tested computer:
  • John the Ripper (www.openwall.com/john)
  • pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html)
  • Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack)
  • Brutus (www.hoobie.net/brutus)
  • Pandora (www.nmrc.org/project/pandora)
  • NTFSDOS Professional (www.winternals.com)
  • Cain and Abel for capturing, cracking, and even calculating various types of passwords on a plethora of systems (www.oxid.it/cain.html)
Dictionary attacks
• A dictionary attack is carried out by comparing the password against a dictionary
• A password cracker tries every word in the dictionary as the password
• A good dictionary (also commonly called a word list) is more than just a language dictionary
  • Example: a language dictionary will certainly not contain the word "qwerty", but a good word list will certainly include "qwerty"
• Some example word lists can be obtained at:
  • packetstormsecurity.nl/Crackers/wordlists
  • www.outpost9.com/files/WordLists.html
Brute-force attacks
• Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered
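As an added example (not part of the slides or of any tool they name) of why the "weak password-encryption schemes" and "insecure storage" items above make dictionary attacks cheap, the Python below stores three constructed users two ways, unsalted MD5 and salted PBKDF2, and runs the same small constructed word list against both as an offline audit of the store itself. `USERS`, `WORDLIST` and the iteration count are constructed values for the demonstration.

```python
"""Added example (not from the slides): why 'weak password-encryption
schemes' and 'insecure storage' make dictionary attacks cheap. The same
three constructed users are stored two ways, then the same small word list
is run against both stores as an offline audit of the store itself."""
import hashlib
import os

# Constructed users; 'correct-horse-7' is deliberately absent from WORDLIST.
USERS = {"alice": "qwerty", "bob": "password1", "carol": "correct-horse-7"}
# Constructed word list; as the slides note, a good one includes 'qwerty'.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password1"]
ITERATIONS = 100_000      # PBKDF2 work factor; raise it as hardware gets faster

def store_md5(users):
    """Weak scheme: unsalted MD5. Equal passwords give equal digests and one
    precomputed table of digests serves every user in the store."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def store_pbkdf2(users, iterations=ITERATIONS):
    """Stronger scheme: a random 16-byte salt per user plus a deliberately slow
    PBKDF2-HMAC-SHA256, so no digest table can be shared between users."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out

def audit_md5_store(store, wordlist):
    """Return (cracked users, hash evaluations). Cost is len(wordlist) no matter
    how many users the store holds: hash the list once, then look up."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in store.items() if h in table}, len(wordlist)

def audit_pbkdf2_store(store, wordlist, iterations=ITERATIONS):
    """Return (cracked users, hash evaluations). The salt forces the word list
    to be re-hashed for every user, and every hash is slow."""
    cracked, work = {}, 0
    for u, (salt, dk) in store.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == dk:
                cracked[u] = w
                break
    return cracked, work
```

Both audits recover the two word-list passwords, but the MD5 store costs 5 hashes for any number of users while the salted store costs 13 slow hashes for three users and grows with every user added.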
General password-hacking countermeasures
• Instruct users to create different passwords for different systems, especially on the systems that protect more sensitive information
• Strong passwords are important, but balance security and convenience:
  • You can’t expect users to memorize passwords that are insanely complex and changed every week.
  • You can’t afford weak passwords or no passwords at all.
John the Ripper password cracker
• http://www.openwall.com/john/f/john171w.zip
Storing passwords
• If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, choose to have users write down their passwords and store the information securely.
• Train users to store their written passwords in a secure place, not on keyboards or in easily cracked password-protected computer files (such as spreadsheets)
• Users should store a written password in either of these locations:
  • A locked file cabinet or office safe
  • An encrypted file or database, using such tools as
    • PGP
    • Open-source Password Safe, originally developed by Counterpane (passwordsafe.sourceforge.net)
You can store your passwords using Password Safe (http://passwordsafe.sourceforge.net/). It’s free!
Policy considerations
• Enforce (or encourage the use of) a strong password-creation policy:
  • Use upper- and lowercase letters, special characters, and numbers. (Never use only numbers. These passwords can be cracked quickly.)
  • Misspell words or create acronyms from a quote or a sentence.
  • Use punctuation characters to separate words or acronyms.
  • Change passwords every 6 to 12 months.
  • Use different passwords for each system.
  • Use variable-length passwords.
  • Don’t use common slang words or words that are in a dictionary.
  • Don’t use similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1.
    • Password-cracking programs can check for this.
  • Don’t reuse the same password within 12 months.
  • Use password-protected screen savers.
  • Don’t share passwords.
• Avoid storing user passwords in a central place, such as an unsecured spreadsheet on a hard drive.
  • This is an invitation for disaster.
  • Use PGP, Password Safe, or a similar program to store user passwords.
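The policy rules above can be enforced at password-change time. The Python below is an added example (not from the slides): it checks the character-class rules, rejects numbers-only passwords, and, since the slides note that cracking programs check for look-alike substitutions, undoes those substitutions before the word-list check. `MIN_LENGTH`, the mini `WORDLIST` and the substitution table are assumed or constructed values, not figures from the slides.

```python
"""Added example (not from the slides): checks a password against the
policy above. The slides give no minimum length, so MIN_LENGTH is an
assumed value. Because cracking programs undo look-alike substitutions
too, the word-list check runs on the normalized form ('P@55w0rd!' is
rejected as the dictionary word 'password')."""
import re

MIN_LENGTH = 12        # assumed; not specified on the slides
# Constructed mini word list; a real one has many thousands of entries.
WORDLIST = {"password", "qwerty", "letmein", "welcome", "secret"}
# Unambiguous look-alikes (3 for E, 5 for S, ... as on the slide).
LOOKALIKE = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                           "5": "s", "$": "s", "7": "t"})
AMBIGUOUS = re.compile(r"[1!|]")   # '1', '!' or '|' may stand for 'i' or 'l'

def candidate_words(password):
    """Return the plain words a cracker would derive from `password`:
    lowercased, with appended digits/punctuation stripped, and with
    look-alike characters mapped back to letters."""
    lower = password.lower()
    forms = {lower, lower.strip("0123456789!@#$%^&*()_+-=.,?")}
    out = set()
    for f in forms:
        t = f.translate(LOOKALIKE)
        out.update({t, AMBIGUOUS.sub("i", t), AMBIGUOUS.sub("l", t)})
    return out

def check_policy(password, history=(), min_length=MIN_LENGTH):
    """Return the list of violated rules; an empty list means accepted."""
    v = []
    if len(password) < min_length:
        v.append("too short")
    if password.isdigit():
        v.append("numbers only")            # 'can be cracked quickly'
    if not re.search(r"[A-Z]", password):
        v.append("missing uppercase")
    if not re.search(r"[a-z]", password):
        v.append("missing lowercase")
    if not re.search(r"[0-9]", password):
        v.append("missing digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        v.append("missing special character")
    if candidate_words(password) & WORDLIST:
        v.append("dictionary word after undoing look-alike substitutions")
    if password in history:
        v.append("reused password")         # 'don't reuse within 12 months'
    return v
```

An acronym built from a quote with punctuation separators, such as "Tbontb?t1tq." (to be or not to be, that is the question), passes every check, while "P@55w0rd!" fails on length and on the normalized word "password".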
Other considerations
• Test your applications to make sure they aren’t storing passwords in memory or writing them to disk.
• Some password-cracking Trojan-horse applications are transmitted through worms or simple e-mail attachments, such as VBS.Network.B and PWSteal.SoapSpy. These applications can be lethal to your password-protection mechanisms if they’re installed on your systems.
  • The best defense is malware protection software, such as antivirus protection.
• Keep your systems patched.
  • Passwords are reset or compromised during buffer overflows or other DoS conditions.
• Know your user IDs.
  • If an account has never been used, delete or disable the account until it’s needed.
• As the security administrator in your organization, you can enable account lockout to prevent password-cracking attempts.
Other ways to crack passwords
• Keystroke logging
  • The use of software or hardware to record keystrokes as they’re being typed into the computer.
  • Logging tool example: Actual Spy (http://www.actualkeylogger.com/download-free-key-logger.html)
  • Hardware-based tools fit between the keyboard and the computer or replace the keyboard altogether
Hardware keylogger
Homemade hardware keylogger: http://www.keelog.com/diy.html
Countermeasures
• The best defense against the installation of keystroke-logging software on your systems is a spyware-detection program or popular antivirus products.
• Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows.
• Alternatively, you could use a commercial lock-down program, such as Fortres 101 (www.fortres.com) for Windows or Deep Freeze (www.deepfreezeusa.com) for Windows and Mac OS X.
Credit card skimmer
• Skimming is the theft of credit card information used in an otherwise legitimate transaction
First trick
• A credit card “skimmer” is mounted to the front of the normal ATM card slot; it reads the ATM card number and either stores or transmits the number to the scammers.
• Once in place it’s very difficult to tell that a skimmer is attached to the ATM machine.
• Any card used in this machine will have its magnetic strip recorded, and the scammers will be able to use this information to create a “clone” of the card using a magnetic strip writer
http://www.expandmywealth.com/category/credit-cards/