Password Theft

Shared by: Timothy Kiara
Posted: 4/30/2009
TABLE OF CONTENTS

1. INTRODUCTION
1.1. TYPES OF PASSWORD THEFT
1.2. WHAT IS HACKING
2. METHODS & PREVENTIONS
2.1. TRADITIONAL LOW-TECH TECHNIQUES
2.2. MODERN HIGH-TECH TECHNIQUES
3. PASSWORD CRACKING TOOLS
4. SOLUTIONS TO PASSWORD THEFT
5. CONCLUSION
6. REFERENCES

1. INTRODUCTION

We live in a world of passwords. We use them for everything, from accessing our e-mail and credit cards to other authorization systems. At the same time, we have so many of them that it is easy to forget which password belongs to which service. Because of their ubiquity, we also tend to reuse our passwords. The ubiquity of passwords, however, has given rise to an entire criminal enterprise focused on acquiring them. Consequently, security experts have suggested for years that, to increase security, computer users should vary their passwords frequently and use different passwords for different services. Few take this advice, not least because some people find it hard to memorize things, especially a password that combines numbers and characters. Even so, in a world built on access and information, the password has become the ultimate skeleton key.

While stealing passwords is not a new crime, in the world of Internet theft it has taken on new dimensions. The harm caused by password theft very often impairs dignity rights. Password theft, however, is not a unary crime; it comes in two forms, depending on the nature of the password.
By most measures, the incidence of password theft is rising, not declining.

1.1. TYPES OF PASSWORD THEFT

1.1.1. First-Party Password Theft

First-party password theft concerns crimes that are quite familiar, such as identity theft, monetary theft and mail theft, and is clearly analogous to the common law crime of larceny. It involves the theft of a user's password that results in damage to that individual.

1.1.2. Second-Party Password Theft

Second-party password theft concerns crimes that are not as obvious, such as unauthorized access, password sharing, and the like. It is distinguished from first-party password theft in that ownership and possession of the password reside in two different individuals or entities. It is also characterized by a party giving a password to another entrusted user for that user's benefit.

Password theft causes pecuniary harm in rather obvious ways. The law has had a hard time detecting it. Comprehensive programs of public education, flexible password usage contracts utilizing price discrimination models, and targeted lawsuits need to be used to reduce this problem. As more people gain access to the Internet and the Internet's reach broadens, the importance of passwords in the daily lives of hundreds of millions of Internet users is also likely to increase.

1.2. WHAT IS HACKING

Are "hackers" bright, inquisitive young people who explore computer systems for fun and intellectual challenge? Or are they irresponsible criminals who invade privacy, steal information and money, destroy files, and crash computer systems? The answer is both.

In the early days of computing, a "hacker" was a creative programmer who wrote very elegant or clever programs. Hackers tended to be outside the social mainstream, spending many hours learning as much as they could about computer systems and making them do new things. As more computers became attached to networks, hacker activities expanded to the network, with hackers often breaking into computers they had no authorization to access.
Some of them also have no ethical concerns and use their skills to take revenge on people they dislike and to commit acts of computer vandalism. Now that unauthorized access to computer systems is against the law, almost all hackers commit illegal acts. There are two types of hackers:

1.2.1. Ethical Hackers

Ethical hackers, also known as white-hat hackers, carry out a type of hacking called ethical hacking, also known as penetration testing or white-hat hacking. It involves the same tools, tricks, and techniques that other hackers use, but with one major difference: ethical hacking is legal because it is performed with the target's permission. The intent of ethical hacking is to discover vulnerabilities from a hacker's viewpoint so that systems can be better secured. It is part of a program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors' claims about the security of their products are legitimate.

1.2.2. Unethical Hackers

These hackers, also known as black-hat hackers, set the law aside by acting without authorization and trying to compromise computers. Most had no intention of disrupting service, and they frowned on doing damage. Thus "hacker" is now used to describe people who explore the intricacies of computer and telephone networks and carry out mild pranks. They are also known as people who intentionally destroy files, release computer viruses, change credit files, expose personal information, and even steal money.

2. METHODS & PREVENTIONS

Password theft is achieved by a hack called password cracking. Password cracking is considered one of the most popular and enjoyable hacks among hackers. There are many reasons why password cracking occurs. Security analysts, also known as white hats, crack passwords to check or test the security level of a system password or a network password.
In contrast, malicious hackers, also called black hats, crack passwords as a sheer challenge, to exploit or manipulate computer systems or networks. Password cracking is done using a copy of the system file that stores account passwords, which is presumably stored in encrypted form. It can be done using either a traditional low-tech method or a modern high-tech method. By studying the methods, countermeasures can be put in place to withstand the attacks.

2.1. TRADITIONAL LOW-TECH TECHNIQUES

2.1.1. Social Engineering

Social engineering is generally a hacker's clever manipulation of the natural human tendency to trust. The basic goals of social engineering are the same as those of hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage or identity theft, or simply to disrupt the system or network.

2.1.1.1. Phone

A widely used type of social engineering attack is conducted by phone. A hacker will call up, impersonate someone in a position of authority or relevance, and gradually pull information out of the user. Help desks are particularly prone to this type of attack.

Countermeasures

This can be prevented by instituting policies that disallow transfers, controlling overseas and long-distance calls, and tracing suspicious calls from impersonators. All users should be made aware of this so that they are not susceptible to any dirty tactics, and should be trained never to give out passwords or other confidential information by phone.

2.1.1.2. Dumpster diving

Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters.
Company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware can provide a rich vein of information for the hacker. Phone books can give hackers the names and numbers of people to target and impersonate.

Countermeasures

Keep all trash in secured, monitored areas, shred important data, and erase magnetic media.

2.1.2. Online Social Engineering

The Internet is where social engineers seek victims in order to harvest their passwords. The primary weakness is that many users reuse one simple password on every account: Yahoo, Hotmail, etc. So once the hacker has one password, he or she can probably get into multiple accounts. Hackers can send out some sort of sweepstakes information and ask the user to enter a name and password. Another way hackers may obtain information online is by pretending to be the network administrator, sending e-mail through the network and asking for a user's password, or by planting mock software on an intranet or the Internet to harvest passwords.

Countermeasures

Keep users trained on awareness of system and network changes. Passwords should not be easy to infer because they follow a simple pattern.

2.1.3. Persuasion

Basic methods of persuasion include impersonation, ingratiation, conformity, diffusion of responsibility, and friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person they can trust with that sensitive information.

Countermeasures

Keep users on their toes through continued awareness and training programs. All users should be trained on how to keep confidential data safe. Get them involved in the security policy.
Require all new users to go through a security orientation. Annual classes provide refreshers and updated information.

2.1.4. Shoulder Surfing

Shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it is relatively easy to stand next to someone and watch as they fill out a form, enter their PIN at an automated teller machine, use a calling card at a public pay phone, or enter passwords at a cyber cafe, public and university libraries, or airport kiosks. Shoulder surfing can also be done at a distance with the aid of binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television (CCTV) cameras can be concealed in ceilings or walls to observe data entry by users.

Countermeasures

Shield paperwork or the keypad from view by using your body or cupping your hands. Users should also be encouraged to be aware of their surroundings and to make sure no one suspicious is nearby while entering a password or logging in. Being accompanied by someone trusted is also highly encouraged when entering passwords or PIN codes anywhere, since that person can keep watch.

2.1.5. Weak Authentication

Hackers can obtain passwords by taking advantage of older operating systems, such as Windows 9x and Me. These operating systems don't require passwords to log in.

Countermeasures

The keys to understanding all of these authentication protocols and features are multifold. First, we must understand what each protocol provides. Second, it must be clear which operating system supports which authentication protocol. Third, if an insecure authentication protocol is necessary, the methods to protect the password, the password hash, and overall network security must be understood. The modern authentication systems are LAN Manager, NT LAN Manager, NT LAN Manager V2 and Kerberos.

2.1.6. Inference

Inference is simply guessing passwords from information you know about users. It occurs when there is a pattern to the way passwords are generated, so that they can be inferred. For instance, knowing that someone uses the same password with a different last character for each machine allows passwords to be inferred, especially if coupled with disclosure of one. Another example is where generated passwords are employed and the generation algorithm is predictable.

Countermeasures

Users should be trained on how to create more secure passwords that do not include information that can be associated with them. Sound security policy and ongoing awareness training are also needed to remind users of the importance of secure password creation.

2.2. MODERN HIGH-TECH TECHNIQUES

High-tech methods of password cracking rely on sophisticated password cracking tools. These tools can try all combinations of passwords and can run a set of known passwords through a password-hashing algorithm. Others simply use a predefined set of usernames and passwords to break into a system. The most common techniques used with the tools are dictionary attacks, hybrid attacks and brute-force attacks.

2.2.1. Dictionary Attacks

A dictionary attack is a technique of comparing a set of words against a password database. It attacks an authentication mechanism by searching for a password or decryption key among a great number of possible combinations of words listed in a dictionary. The attack searches through these possibilities, using only the words that are most likely to match.

Generally this attack works because people tend to choose a simple password, as it is easier to remember. Typically passwords are chosen from words that are used in everyday life and come from the user's native language. Dictionaries used by this method can easily be created, found, or downloaded from the Internet.
This method's probability of success increases if larger dictionaries are used. Technical dictionaries or foreign-language dictionaries can also be included to make it easier to decrypt. Success is even more likely if string manipulation is applied to the dictionary. That way the tool can read each word backwards, detect common number-letter replacements and recognize mixed capitalization within the word. However, using bigger dictionaries is time consuming. The smaller the dictionary, the faster the comparison can be done.

Cracking tools that can be used with these attacks include LC5 (L0phtCrack), Crack for UNIX, Cain for Windows, John the Ripper, etc.

However, dictionary attacks are good only for cracking weak, common and easily guessed passwords. This attack is less effective than a brute-force attack, which is more discreet, thorough and precise.

Therefore, one precaution that limits the effectiveness of a dictionary attack is to limit the number of authentication attempts that can be performed each minute, and even to block further attempts after a threshold of failed authentication attempts is reached. Generally, three attempts are considered sufficient to cope with mistakes made by legitimate users; beyond that, the user is most probably a malicious attacker.

2.2.2. Brute-Force Attacks

Brute-force attacks are stronger and more efficient than dictionary attacks when it comes to cracking much more complex passwords. Given sufficient time, a brute-force attack can crack any password by using every combination of numbers, letters and special characters. It exhaustively tries a large number of possibilities, working through the entire possible key space in order to decrypt the message. This method also requires cracking utilities, such as John the Ripper, to help the cracking process. Most cracking tools allow the specification of testing criteria, such as a specific password length to try.
The difficulty of a brute-force attack depends on the length of the key or of the password itself. If the key or password is very long, a brute-force attack will take quite a while to finish the cracking process. Eventually it will succeed, but it may require billions of years to complete, depending on the number of accounts, the key length, the password complexity and the speed of the machine that handles the process. Moreover, if the encryption is based on some kind of mathematical properties, a brute-force attack will surely be defeated, as it can only enumerate possible combinations.

Therefore, the chance of a successful brute-force attack can be reduced by using a longer password, as it will take longer to decrypt. Expiring passwords can also weaken a hacker's attack, since a password that has been replaced is useless. If a password has been changed, the hacker has to start the process again to find all possible combinations of the new password. This is another reason why passwords should be changed periodically. Doing so can reduce the risk of falling victim to password cracking.

2.2.3. Hybrid Attacks

A hybrid attack is a combination of a dictionary attack and a brute-force attack. It works by adding or substituting other characters or numbers for certain letters in dictionary words. Many people change their password just by appending something to a dictionary word to form the new password. Even if they change their password periodically to prevent attacks, the pattern in their passwords is plain to see. For example, a previous password was Jack01, it has been changed to the current password Jack02, and it will next be changed to Jack03. The similarity between all the passwords is one of the reasons they can easily be cracked using tools that can detect substitution. That is why this method is a hybrid of the dictionary attack and the brute-force attack.
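
The predictable change pattern above (Jack01, Jack02, Jack03), together with the string manipulations listed in section 2.2.1 (reversal, number-letter replacement, mixed capitalization), can be checked for at the moment a user sets a new password. The following is an added example, not from the original paper; the sample wordlist, the minimum length of 12 and all function names are assumptions.

```python
import re

# Constructed sample wordlist; a real filter would load a large dictionary.
WORDLIST = {"jack", "password", "dragon", "secret", "welcome"}

# Common number/symbol-for-letter replacements, undone before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def strip_affixes(pw):
    """Remove leading/trailing digits and symbols: 'Jack02!' -> 'Jack'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)


def base_forms(pw):
    """Dictionary words the password could have been derived from."""
    forms = set()
    for core in (pw, strip_affixes(pw)):
        lowered = core.lower()                  # undo mixed capitalization
        for cand in (lowered, lowered.translate(LEET)):
            forms.add(cand)
            forms.add(cand[::-1])               # undo reversal
    forms.discard("")
    return forms


def _skeleton(pw):
    """Collapse every run of digits so Jack01 and Jack02 look identical."""
    return re.sub(r"\d+", "#", pw.lower())


def same_skeleton(old, new):
    """True when two passwords differ only in their digits."""
    return _skeleton(old) == _skeleton(new)


def check_new_password(new, old=None, min_length=12):
    """Return the reasons to reject `new`; an empty list means accept.

    `old` is the current password, which the user types in during a
    password change, so no stored plaintext is needed for the comparison.
    """
    reasons = []
    if len(new) < min_length:
        reasons.append("too short")
    if base_forms(new) & WORDLIST:
        reasons.append("derived from a dictionary word")
    # Same pattern with new digits, or only the last character changed.
    if old is not None and (same_skeleton(old, new) or old[:-1] == new[:-1]):
        reasons.append("follows the previous password's pattern")
    return reasons


if __name__ == "__main__":
    for new, old in [("Jack02", "Jack01"),
                     ("P@ssw0rd2009!", None),
                     ("tidal-Maple_47-quartz", "Jack01")]:
        print(new, "->", check_new_password(new, old) or "accepted")
```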
A hybrid attack uses both the dictionary attack method, to find a similar password in the dictionary, and the substitution method, to crack the password. However, this method is more time consuming than a dictionary attack. Moreover, a hybrid attack has the same problem as a dictionary attack: it cannot crack complex, well-chosen and long passwords. Thus, a wise step to prevent this attack is to choose a more complex word using a combination of letters, numbers and special characters.

3. PASSWORD CRACKING TOOLS

Password cracking utilities take a set of known passwords and run them through a password-hashing algorithm. The resulting hashes are then compared with the known hash extracted from the original password database. If the two match, the password has been cracked.

Password cracking tools are widely available on the Internet. Some use the hashing technique (as explained above) and some simply try to log on with a predefined set of IDs or passwords. Here are some of the most popular cracking tools available:

3.1. John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (11 flavors of UNIX, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing/breaking programs, as it combines a number of password crackers into one package, auto-detects, and includes a customizable cracker.

It is used in dictionary and brute-force attacks. Basically, its purpose is to crack Windows and UNIX passwords. It can be run against various encrypted password formats, including several crypt password hash types most commonly found on various UNIX flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and the Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others.

3.2. LC5 (L0phtCrack)

LC5 (L0phtCrack) is a password auditing and recovery application originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords by using dictionary, brute-force, and hybrid attacks. It was one of the crackers' tools of choice, although most use old versions because of its price and low availability.

The application was produced by @stake after the L0pht merged with @stake in 2000. @stake was acquired by Symantec in 2004. Symantec has since stopped selling this tool to new customers, citing US Government export regulations, and has announced that it will discontinue support by the end of 2007. LC5 can still be found at SecTools.Org and other unofficial mirrors.

3.3. Crack

Crack is a UNIX password cracking program designed to allow system administrators to locate users who may have weak passwords vulnerable to a dictionary attack. Crack began in 1990 when Alec Muffett, a UNIX system administrator at the University of Wales Aberystwyth, was trying to improve Dan Farmer's 'pwc' cracker in COPS and found that by re-engineering its memory management he got a noticeable performance increase. This led to a total rewrite, which became "Crack v2.0", and to further development to improve usability.

3.4. pwdump2

pwdump2 is an application which dumps the password hashes from Windows NT's SAM database, whether or not SYSKEY is enabled on the system. NT administrators can have the additional protection of SYSKEY while still being able to check for weak user passwords. The output can be used as input to L0phtCrack. pwdump2 needs the SeDebugPrivilege in order to work. By default, only Administrators have this right, so this program does not compromise NT security.

4.1. SOLUTIONS TO PASSWORD THEFT

4.1.1. Using SSH as the Interconnection Method between the Servers
In computing, Secure Shell or SSH is a set of standards and an associated network protocol that allows a secure channel to be established between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of the data exchanged between the two computers using encryption and message authentication codes (MACs). SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling and forwarding of arbitrary TCP ports and X11 connections, and it can transfer files using the associated SFTP or SCP protocols.

Although FTP offers a simple way to connect servers, its major drawback is that passwords sent via the protocol are not encrypted at all, meaning that with simple sniffing tools hackers can get the user name and password of the server. SSH is therefore introduced to secure the FTP environment against password theft.

4.1.2. Educating the Users about the Profiling Policy

Let's face it: the simplest way to get a password from a user is to ask them for it directly, right? The problem is, will you know whether the person who asked for your confidential data is actually authorized on the system? Simple: the answer is no. Basically, no system administrator will ask users for their profile details. That is because administrators have the right to modify your profile directly without you even knowing it, depending on their privileges on the system. So if they want to make changes to the system, they don't need to ask for your personal data; they just do it.

4.1.3. Public Key Infrastructures

When sending confidential data through a public network (a web page), encrypt the password and username using the key system before sending them over the Internet.
This way, the confidential data will be safe from theft, because even if attackers can intercept it, it will be very hard or almost impossible for them to decrypt it. Examples of key systems widely used over the Internet are the Ron Rivest, Adi Shamir and Len Adleman (RSA) system and the Merkle-Hellman (MH) system, although hackers have managed to find a way to cryptanalyze the system.

4.1.4. Windows Firewall

This sounds very simple, even silly, but some end users don't even know what a firewall is! Basically, Windows Firewall protects your computer by blocking communications that might actually come from dangerous software trying to find a way to connect to your computer, rather than from a person or program you want to interact with.

Windows Firewall is smart enough to allow connections from computers in your home and to block connections from computers on the Internet. For example, Windows Firewall will allow you to share files or a printer between two computers, but it will block any attempts by people on the Internet to connect to your computer. This way, any attempt at spoofing by hackers in order to sniff your data packets (including the login details) will fail.

5. CONCLUSION

Everyone has a different idea of what "password theft" is, and of what levels of risk are acceptable. The key to building a secure password is to define what security means to the person concerned. Security is everybody's business, and only with everyone's cooperation, an intelligent policy, and consistent practices will it be achievable.

6. REFERENCES

Beaver, K. and McClure, S., "Hacking For Dummies", Wiley Publishing, Indiana, 2004.
Shimonski, R.J., "Hacking techniques: Introduction to Password Cracking", IBM Corp., http://www-128.ibm.com/developerworks/library/s-crack/
Bon, G. and Van Loon, S., "Password Cracking in the Field", University of Amsterdam, http://staff.science.uva.nl/~delaat/snb-2005-2006/p28/report.pdf
http://www.tech-faq.com/dictionary-attack.shtml
http://www.tech-faq.com/brute-force-attack.shtml
http://en.wikipedia.org/wiki/Brute_force_attack
http://en.wikipedia.org/wiki/Dictionary_attack
http://en.wikipedia.org/wiki/Phishing
http://www.takedown.com/bio/mitnick.html
http://www.niser.org.my/statistics.htm
http://www.antiphishing.org/
http://en.wikipedia.org/wiki/Public_key_infrastructure
