Cyber Security - 4


Cyber Security

A. Avinash, Ph.D.,
Assistant Professor
School of Computer Science and Engineering (SCOPE)
Vellore Institute of Technology (VIT), Chennai
Passwords
Why Are They Important?
• Passwords are cheap to deploy, but also act as the first
line of defense in a security system.
– They are also often the weakest link.

• Examples:
– ATMs and bank accounts
– Nuclear power and other critical infrastructure systems
– Company proprietary information and systems
– Email accounts (Gmail, Hotmail, Yahoo, AOL, etc.)
– Student information (e.g. VTop Portal)
Passwords
Ten Common Mistakes

1. Leaving passwords blank or unchanged from default value.
2. Using the letters p-a-s-s-w-o-r-d as the password.
3. Using a favorite movie star name as the password.
4. Using a spouse’s name as the password.
5. Using the same password for everything.
6. Writing passwords on post-it notes.
7. Pasting a list of passwords under the keyboard.
8. Storing all passwords in an Excel spreadsheet on a
PDA or inserting passwords into a rolodex.
9. Writing all passwords in a personal diary/notebook.
10. Giving the password to someone who claims to be the
system administrator.
Passwords
Authentication
• Passwords have been used for centuries, e.g. guards and
sentries
• Passwords = secret authentication code used for access.

• Authentication methods:
– What you know (Passwords, Secret keys)
– Where you are (IP Addresses)
– What you are (Biometrics)
– What you have (Secure tokens)
Passwords
AAA of Password Security
• Authentication (& Identification)
– Establishes that the user is who they say they are
(credentials).

• Authorization
– The process used to decide if the authenticated person
is allowed to access specific information or functions.

• Access Control
– Restriction of access (includes authentication &
authorization)
Passwords
How Can Passwords Be Stored?

Filing System
– Clear text

Dedicated Authentication Server
– Clear text
– Encrypted: Password + Encryption = bf4ee8HjaQkbw
– Hashed: Password + Hash function = aad3b435b51404eeaad3b435b51404ee
– Salted Hash: (Username + Salt + Password) + Hash function = e3ed2cb1f5e0162199be16b12419c012
Passwords
How Are Passwords Stored? - Hashing
• Usually stored as hashes (not plain text)
– Plain text is converted into a message digest
through use of a hashing algorithm (e.g. MD5,
SHA)
Passwords
How Are Passwords Stored? - Hashing

• Hash function H must have some properties:
– One-way: given H(password), hard to find password
• No known algorithm better than trial and error
– Collision-resistant: given H(password1), hard to
find password2 such that: H(password1) = H(password2)
– It should even be hard to find any pair p1,p2 s.t.
H(p1)=H(p2)
Passwords
How Are Passwords Stored? – Early UNIX Systems
• In past UNIX systems, the password scheme used
modified DES (an encryption algorithm) as if it
were a hash function
– Encrypts a NULL string using the password as the key (truncates
passwords to 8 characters!)
– Caused artificial slowdown: ran DES 25 times
• Also stored the password file at /etc/passwd
– World-readable (anyone who accessed the machine would
be able to copy the password file to crack at their leisure)
– Contained userIDs/groupIDs used by many system
programs
– Can instruct modern UNIXes to use MD5 hash function
Passwords
How Are Passwords Stored? - Newer UNIX Systems

• Password hashes stored in the /etc/shadow file (or
similar)
– only readable by system administrator (root)
• Less sensitive information still in /etc/passwd
• Added expiration dates for passwords
• Early “shadow” implementations on Linux called the
login program, which had a buffer overflow!
Passwords
How Are Passwords Stored? – Windows NT/2k/XP/Vista
• Uses 2 functions for “hashing” passwords:
1. LAN Manager hash (LM hash)
– Password is padded with zeros until there are 14 characters.
– It is then converted to uppercase and split into two 7-character
pieces
– Each half is encrypted using an 8-byte DES (data encryption
standard) key
– Result is combined into a 16-byte, one way hash value
2. NT hash
– Converts password to Unicode and uses MD4 hash algorithm to
obtain a 16-byte value
• Hashes stored in Security Accounts Manager (SAM)
– Locked within system kernel when system is running.
– Location - C:\WINNT\SYSTEM32\CONFIG
• SYSKEY
– Utility which moves the encryption key for the SAM database off of the
computer
Passwords
Threats to Password Security, Part 1
• Disclosure
– Voluntary disclosure of information
– Inadequate guarding of system passwords
• Inference
– Known pattern to creation of passwords
– Use of generated passwords with predictable algorithm
• Exposure
– Accidental release of password
• Loss
– Forgetting passwords
– Can lead to creation of easy passwords
Passwords
Threats to Password Security, Part 2

• Snooping/Eavesdropping
– Keyloggers
– Network sniffing (intercepting of network
communication where a password is submitted)
• Guessing
– Limited amount of choices which can be figured
out through process of elimination
– Use of blank/common passwords, passwords
which can be figured out by knowing name of
relatives, pets, etc.
• Cracking
– Automated “guessing”
Passwords
Why Cracking is Possible

• Passwords are NOT truly random
– 52 upper/lowercase letters, 10 digits, and 32
punctuation symbols gives ≈ 6 quadrillion possible
8-character passwords
– People like to use dictionary words, relative and pet
names, giving ≈ 1 million common passwords
– On average, each person has 8-12 passwords:
– Different systems impose different password
requirements.
– Passwords need to be changed often.
– Some passwords are only used occasionally.
Passwords
Dictionary Attack
• Attacker can compute H(word) for every word in a
dictionary and see if the result is in the password file
• With 1,000,000-word dictionary and assuming 10
guesses per second, brute-force online attack takes
50,000 seconds (14 hours) on average
– This is very conservative; Offline attack is much
faster!
Passwords
Types of Password Cracking

• Dictionary Attack
– Quick technique that tries every word in a specific dictionary

• Hybrid Attack
– Adds numbers or symbols to the end of a word

• Brute Force Attack


– Tries all combinations of letters, numbers & symbols

• Popular programs for Windows password cracking
– L0phtCrack (discontinued by Symantec when it acquired @stake)
– Cain & Abel (UNIX)
– John the Ripper (UNIX)
– Sam Inside
Passwords
Cracking Protection - Salting
• Salting means adding a random piece of data to the password
before hashing it.
– This means that the same string will hash to different values at different
times
– Users with the same password have different entries in the password file
– The salt is stored alongside the hash in the password file
• A hacker has to get the salt, add it to each possible word, and then
rehash the data prior to comparing with the stored password.
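As an added illustration (not code from the slides), a salted and deliberately slow password store in Python: PBKDF2 iterations supply the per-guess cost that the early UNIX "run DES 25 times" trick aimed for, and the salt is stored in the clear next to the hash. Record format, iteration count and sample passwords are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor: PBKDF2 iterations. Like the 25 DES rounds of old UNIX crypt,
# this exists purely to make every guess expensive for an offline cracker.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is not secret; it is stored beside the hash and only forces an
    attacker to rehash the whole wordlist once per user.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per entry
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_distinct_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users who pick the same password get different stored entries."""
    first = hash_password(password, iterations=iterations)
    second = hash_password(password, iterations=iterations)
    return first != second


if __name__ == "__main__":
    # Constructed demo values; no real credentials involved.
    rec = hash_password("correct horse battery")
    print(rec)
    print(verify_password("correct horse battery", rec))  # True
    print(verify_password("Correct horse battery", rec))  # False
    print(same_password_distinct_records("hunter2"))       # True
```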
Passwords
Authentication Protocols

• TRANSFORMED PASSWORD
– Password transformed using a one-way function before
transmission
– Prevents eavesdropping but not replay

• CHALLENGE-RESPONSE
– Server sends a random value (challenge) to the client along
with the authentication request. This must be included in
the response
– Protects against replay

• TIME STAMP
– The authentication from the client to the server must have a
time-stamp embedded
– Server checks if the time is reasonable
– Protects against replay
– Depends on synchronization of clocks on computers

• ONE-TIME PASSWORD
– New password obtained by passing the user password through
a one-way function n times, which keeps incrementing
– Protects against replay as well as eavesdropping
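Added example, not from the slides: one standard realisation of the hash-chain one-time password just described (Lamport's scheme), with SHA-256 as the assumed one-way function. The server stores only H^n(password); each login reveals the next lower link of the chain, so an eavesdropped value cannot be replayed and the password itself never crosses the network.

```python
import hashlib


def h(data: bytes) -> bytes:
    """The one-way function; SHA-256 stands in for whatever the system uses."""
    return hashlib.sha256(data).digest()


def hash_chain(secret: bytes, n: int) -> bytes:
    """H^n(secret): apply the one-way function n times."""
    value = secret
    for _ in range(n):
        value = h(value)
    return value


class OtpServer:
    """Stores only the top of the chain, H^n(password), never the password."""

    def __init__(self, password: bytes, n: int):
        self.remaining = n
        self.anchor = hash_chain(password, n)

    def login(self, otp: bytes) -> bool:
        # A valid one-time password is the link just below the anchor.
        if self.remaining == 0 or h(otp) != self.anchor:
            return False
        # Walk the anchor down: the value just accepted becomes the anchor,
        # so an eavesdropper who replays it fails the check above.
        self.anchor = otp
        self.remaining -= 1
        return True


class OtpClient:
    """Knows the password and which link of the chain to reveal next."""

    def __init__(self, password: bytes, n: int):
        self.password = password
        self.next_index = n - 1

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol with a new n")
        otp = hash_chain(self.password, self.next_index)
        self.next_index -= 1
        return otp


def demo(n: int = 5) -> dict:
    """Genuine login, replay of the captured OTP, then the next genuine login."""
    password = b"constructed-user-password"   # constructed sample secret
    server, client = OtpServer(password, n), OtpClient(password, n)
    first = client.next_otp()
    results = {"first": server.login(first)}
    results["replay"] = server.login(first)            # captured value reused
    results["second"] = server.login(client.next_otp())
    return results


if __name__ == "__main__":
    print(demo())  # {'first': True, 'replay': False, 'second': True}
```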
Passwords
Challenge Response

• User and system share a secret key
• Challenge: system presents user with some string
• Response: user computes response based on secret key and
challenge
– Secrecy: difficult to recover key from response
– One-way hashing or symmetric encryption work well
– Freshness: if challenge is fresh and unpredictable, an
attacker on the network cannot replay an old response
– For example, use a fresh random number for each challenge
• Good for systems with pre-installed secret keys
– Car keys; military friend-or-foe identification
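The challenge-response exchange above, written out for both sides as an added example (not from the slides). HMAC-SHA256 is the assumed keyed one-way function and the challenge is a 16-byte random nonce; the server consumes each challenge on first use, which is what defeats replay.

```python
import hashlib
import hmac
import secrets


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Keyed one-way function of the challenge; the key is not recoverable from it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Holds the pre-installed shared keys and issues one challenge per login."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)      # user -> shared secret key
        self.outstanding = {}       # user -> challenge awaiting its response

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh, unpredictable per attempt
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # The challenge is consumed whether or not the response is right, so a
        # captured (challenge, response) pair is useless the second time.
        issued = self.outstanding.pop(user, None)
        key = self.keys.get(user)
        if issued is None or key is None or not hmac.compare_digest(issued, challenge):
            return False
        return hmac.compare_digest(compute_response(key, challenge), response)


class Client:
    """Holds its copy of the shared key and answers whatever it is challenged with."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self.key, challenge)


def run_exchange() -> dict:
    """Genuine login, a replayed pair, and an old response sent to a fresh challenge."""
    key = b"constructed-shared-key"        # constructed sample secret
    server, alice = Server({"alice": key}), Client(key)

    c1 = server.challenge("alice")
    r1 = alice.respond(c1)
    genuine = server.verify("alice", c1, r1)

    replay = server.verify("alice", c1, r1)          # same pair sent again

    c2 = server.challenge("alice")
    forged = server.verify("alice", c2, r1)          # old response, new challenge
    return {"genuine": genuine, "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(run_exchange())  # {'genuine': True, 'replay': False, 'forged': False}
```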
Passwords
Personal Token Authentication

• Personal Tokens are hardware devices that generate unique
strings that are usually used in conjunction with passwords
for authentication
• A variety of different physical forms of tokens exist
– e.g. hand-held devices, Smart Cards, PCMCIA cards, USB tokens
• Different types of tokens exist:
– Storage Token: A secret value that is stored on a token and is
available after the token has been unlocked using a PIN
– Synchronous One-time Password Generator: Generates a new
password periodically (e.g. each minute) based on time and a
secret code stored in the token
– Challenge-response: Token computes a number based on a
challenge value sent by the server
– Digital Signature Token: Contains the digital signature private
key and computes a digital signature on a supplied data value
Passwords
Improving Security

• Password complexity
– Case-sensitivity
– Use of special characters, numbers, and both upper and
lower-case letters
– Minimum length requirements
• Security questions
– Ask personal questions which need to be verified
– Some questions have answers that are very easy to discover
• Virtual keyboard
– Person clicks an on-screen keyboard to enter the password
(prevents keylogging)
• Single sign-on
– User only has to remember one password at a time and yet
can access all/most of their resources
– AKA Enterprise Reduced Sign-On (almost impossible to have
one password used for everything due to integration issues)
• Centralized password storage management
– Online sites accessible through one password which contain
all other passwords
– Single point of failure, but easier to remember
Passwords
Improving Security

• Graphical passwords
– Goal: increase the size of the memorable password space
• Rely on the difficulty of computer vision
– Face recognition is easy for humans, harder for machines
– Present the user with a sequence of faces; he must pick the
right face several times in a row to log in
• Other examples
– Click on a series of pictures in order
– Drawing a picture
– Clicking four correct points on a picture
• Reading graphical text
– Requires the user to input text based on what is seen in the
graphic. Attempts to curb automated password crackers due
to difficulty in distinguishing letters/numbers
– Scheme where users had to input text based on graphics
shown to “undress” a picture
Passwords
Biometric/Behaviometric Authentication

• Uses certain biological or behavioral characteristics for
authentication
– Biometric reader measures physiological indicia and compares
them to specified values
– It is not capable of securing information over the network
• Biological Examples
– Fingerprint, Iris, Retina, Face, & Hand Recognition
• Behavioral Examples
– Handwriting, Gait, Typing Rhythm, Mouse Gesture Recognition
Passwords
Protection/Detection

Protection:
– Disable storage of LAN Manager hashes.
– Configure both Local and Domain Account Policies
(Password & Account Lockout Policies).
– Audit access to important files.
– Implement SYSKEY security on all systems.
– Set BIOS to boot first from the hard drive.
– Password-protect the BIOS.
– Enforce strong passwords!
– Change your passwords frequently.
– Use two or three factor authentication.
– Use one time passwords.
Password cracking tools

• Password cracking tools:
– L0phtCrack
– John the Ripper
– Ophcrack
What is a brute force attack?

• A brute force attack involves an attacker using automated
software or scripts to systematically guess login credentials by
trying various combinations of characters, numbers, and symbols
until one grants access.
• It's a method of cracking passwords through sheer trial-and-error
and computational power rather than more sophisticated techniques.
• Brute force attacks can be effective against weak or simple
passwords, but they become increasingly difficult and
time-consuming as passwords become longer and more complex.
Key components involved in brute
force attacks
• Target system: The system or application that the attacker
aims to compromise, such as a website, server, or database.
• Attack vector: The entry point or vulnerability that the attacker
attempts to exploit, such as a login page, encryption algorithm,
or authentication mechanism.
• Dictionary or wordlist: A pre-compiled list of common
passwords, words, or character combinations that the attacker
uses to generate potential solutions.
• Computing power: The computational resources available to
the attacker, such as CPU processing power, memory, and
storage capacity, which determine the speed and efficiency of
the brute force attack.
• Network connectivity: The ability to establish and maintain a
connection with the target system is essential for sending and
receiving data during the attack process.
Types of brute force attacks
Simple brute force attack: This is the most basic type of brute force attack,
where an attacker uses automation and scripts to guess passwords by trying
every possible combination of characters. These attacks can make hundreds
of guesses per second, and simple passwords can be cracked in minutes.
Types of brute force attacks

Credential stuffing: This attack involves using stolen


login credentials (usernames and passwords) from
data breaches and attempting to access other
accounts where users have reused their credentials.
Types of brute force attacks

Dictionary attack: It involves using enormous predefined lists of
common phrases or words found in a dictionary.
Types of brute force attacks

Hybrid brute force attack: This attack combines a


dictionary and brute force attacks. It first uses a
dictionary attack to provide common words, and then
a brute force attack is used to guess the additional
characters or numbers that users often add to their
passwords.
Types of brute force attacks

Botnets: Brute force attacks require significant computing power,
and attackers often employ botnets to execute the attack algorithm
at a larger scale.
Real-world examples of brute force
attacks
• Russian military targeting Microsoft accounts (2020): In 2020,
members of the Russian military reportedly used brute force attacks to
target over 200 organisations, including advocacy groups, political
parties, and consultants, to gain access to their Microsoft Office 365
accounts. The targets included institutions like the German Marshall
Fund and the European People's Party.
• T-Mobile data breach (2021): A hacker used a combination of brute
force attacks and other techniques to gain access to T-Mobile's
servers, leading to a data breach that exposed the personal information
of around 40 million customers. The stolen data was first offered for
sale for 6 Bitcoins but was eventually sold for just $200.
• GitHub brute force attack (2013): In 2013, several GitHub users were
victims of a brute force attack due to weak passwords. The attackers
used nearly 40,000 individual IP addresses to carry out the attack
gradually and avoid detection by GitHub's security systems. Affected
users were required to update their passwords with stronger
combinations.
How to detect brute force attacks?

• Unusual patterns of failed login attempts: Keep an eye out for a
sudden increase in failed login attempts, especially if they follow
a repetitive pattern or originate from multiple sources.
• Logging in from an unusual IP address: Monitor login activity and
flag login attempts from unfamiliar or suspicious IP addresses.
• Unusual user behaviour: Pay attention to any unusual
user behaviour, such as repeated password resets,
changes in access patterns, or unauthorised attempts to
escalate privileges.
• Increased internet use after login: Monitor network
activity for any significant spikes in Internet usage
following a login.
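An added detection example (not from the slides) that applies the first two indicators above to constructed sshd-style log lines: a burst of failures from one source, one account probed from many sources (the slow, distributed pattern of the GitHub case above), and a success arriving right after a burst. Thresholds, the window and the addresses (RFC 5737 documentation ranges) are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd-style syslog format; not a real capture.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 40001 ssh2
2024-03-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.5 port 40002 ssh2
2024-03-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.5 port 40003 ssh2
2024-03-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.5 port 40004 ssh2
2024-03-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.5 port 40005 ssh2
2024-03-01T10:00:09 sshd[102]: Accepted password for admin from 203.0.113.5 port 40006 ssh2
2024-03-01T10:05:00 sshd[103]: Failed password for bob from 198.51.100.1 port 5001 ssh2
2024-03-01T10:05:30 sshd[103]: Failed password for bob from 198.51.100.2 port 5002 ssh2
2024-03-01T10:06:00 sshd[103]: Failed password for bob from 198.51.100.3 port 5003 ssh2
2024-03-01T10:06:30 sshd[103]: Failed password for bob from 198.51.100.4 port 5004 ssh2
2024-03-01T11:00:00 sshd[104]: Failed password for invalid user carol from 192.0.2.9 port 6001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log: str):
    """Yield (timestamp, result, user, source_ip) for every line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(log: str, window=timedelta(minutes=5), per_ip=5, per_user_sources=3):
    """Return alerts, in log order, for three brute-force indicators:
    'burst'               per_ip failures from one source inside the window
    'distributed'         one account attacked from per_user_sources addresses
    'success_after_burst' a login accepted from a source already in a burst"""
    alerts = []
    fails_by_ip = defaultdict(list)      # ip -> failure timestamps in window
    sources_by_user = defaultdict(set)   # user -> distinct failing sources
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            recent = fails_by_ip[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window
                recent.pop(0)
            if len(recent) == per_ip:                    # fire once per crossing
                alerts.append(("burst", ip))
            sources_by_user[user].add(ip)
            if len(sources_by_user[user]) == per_user_sources:
                alerts.append(("distributed", user))
        elif result == "Accepted" and len(fails_by_ip[ip]) >= per_ip:
            alerts.append(("success_after_burst", ip))
    return alerts


if __name__ == "__main__":
    for kind, who in detect(SAMPLE_LOG):
        print(f"{kind:20s} {who}")
```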
Strategies for preventing brute force
attacks
• Strong password policies: Enforce strong, unique, and complex passwords that are
difficult to crack.
• Account lockout mechanisms: Implement account lockout policies that temporarily
block or suspend accounts after a certain number of failed login attempts.
• Two-factor authentication: Implement an additional layer of security by requiring an
extra authentication factor, such as a one-time password (OTP) sent to a user's registered device or
a hardware token.
• CAPTCHA implementation: Utilise CAPTCHA challenges on login pages to differentiate
between human users and automated bots or scripts.
• IP address restrictions: Limit access to sensitive areas, such as login pages or
administrative interfaces, by whitelisting trusted IP addresses or IP ranges.
• Monitoring and logging: Implement robust monitoring and logging mechanisms to
detect and analyse potential brute force attempts.
Tools and resources for brute force
attack mitigation
• BruteX: BruteX is an automated tool designed to brute-force various
services running on the target system, including open ports,
usernames, and passwords.
• Disreach: Disreach specialises in brute-forcing files and directories in
web servers, offering features like request delaying, user-agent
randomisation, and proxy support for thorough testing.
• Callow: Callow is a user-friendly brute force tool written in Python 3,
offering customisation options and an intuitive user interface suitable for
users of all levels.
• SSB (Secure Shell Bruteforcer): SSB prioritises brute-forcing SSH
servers, offering a fast and intuitive solution with a high accuracy rate in
detecting leaked databases and supporting popular accounts like
Instagram and Gmail.
• Burp Suite Professional: Burp Suite Professional is a versatile toolkit
for web security testing, automating tasks and providing comprehensive
reports on vulnerabilities.
Safe Sharing
• Protecting a single computer with one user is easy
– Prevent everybody else from having access
– Encrypt all data with a key only one person knows
• Sharing resources safely is hard
– Preventing some people from reading private data (e.g. grades)
– Prevent some people from using too many resources (e.g. disk
space)
– Prevent some people from interfering with other programs (e.g.
inserting key strokes / modifying displays)
Operating System
Security
Why is security hard?

• Security slows things down
• Security gets in the way
• Security adds no value if there are no
attacks
• Only the government used to pay for
security
– The Internet made us all potential victims
Trusted Computing Base (TCB)

• Think carefully about what you are trusting with your information
– if you type your password on a keyboard, you’re trusting:
• the keyboard manufacturer
• your computer manufacturer
• your operating system
• the password library
• the application that’s checking the password
– TCB = set of components (hardware, software, wetware) that
you trust your secrets with
• Public web kiosks should *not* be in your TCB
– should your OS?
• but what if it is promiscuous? (e.g., IE and active-X extensions)
– how about your compiler?
• A great read: “Reflections on Trusting Trust”.
Security Techniques

• Authentication – identifying users and
programs
• Authorization – determining what access
users and programs have to things
– Complete mediation: check every access to
every protected object
• Auditing – record what users and
programs are doing for later analysis
Authentication

• How does a computer know who I am?
– User name / password
• How does it store the password?
• How does it check the password?
• How secure is a password?
– Public/Private Keys
– Biometrics
• What does the computer do with this information?
– Assign you an identifier
• Unix: 32 bit number stored in process structure
• Windows NT: 27 byte number, stored in an access token
in kernel
Aside on Encryption

• Encryption: takes a key and data and creates ciphertext
– {Attack at dawn}key=h8JkS! = 29vn&#9njs@a
• Decryption: takes ciphertext and a key and recovers data
– {29vn&#9njs@a}key=h8JkS! = Attack at dawn
– Without the key, can’t convert data into ciphertext or vice-versa
• Hashing: takes data and creates a fixed-size fingerprint, or hash
– H(Attack at Dawn) = 183870
– H(attack at dawn) = 465348
– Can’t determine data from hash or find two pieces of data
with same hash
More Storing Passwords

• Unix-style password file
– Password file not protected, because information in it can’t
be used to log on
– Doesn’t work for network authentication
• Doesn’t contain any secret information
• Windows-NT style password file
– Contains MD4 hash of passwords
– Hash must be protected because it can be used to log on
• Hidden from users
• Encrypted by random key
• Physical security required
Password Security
• 26 letters used, 7 letters long
– 8 billion passwords (33 bits)
– Checking 100,000/second breaks in 22 hours
• System should make checking passwords slow
• Adding symbols and numbers and longer passwords
– 95 characters, 14 characters long
– 10^27 passwords = 91 bits
– Checking 100,000/second breaks in 10^14 years
• SDSC computed 207 billion hashes for 50 million
passwords in 80 minutes.
– Hashing all passwords for one salt takes 20 minutes on
a P4
Do longer passwords work?

• People can’t remember 14-character
strings of random characters
• Random number generators aren’t
always that good.
• People write down difficult passwords
• People give out passwords to strangers
• Passwords can show up on disk
Authorization
• How does the system know what I’m allowed to do?
– Authorization matrix:
• Objects = things that can be accessed
• Subjects = things that can do the accessing (users or
programs)
– What are the limits?
• Time of day
• Ranges of values

Alice Bob Carl


/etc Read Read Read
Write
/homes Read Read Read
Write Write Write
/usr None None Read
Which one is better

• ACLs:
– Can have large numbers of objects
– Easy to grant access to many objects at once
– Require expensive operation on every access
• Capabilities
– Hard to manage huge number of capabilities
– They have to come from somewhere
– They are fast to use (just pointer dereferences)
• Most systems use both
– ACLs for opening an object (e.g. fopen())
– Capabilities for performing operations (e.g. read())
Protection Domain Concept

• A protection domain is the set of objects and permissions on
those objects that executing code may access
– e.g. a process
• memory
• files
• sockets
– also: a device driver, a user, a single procedure
• Capabilities:
– protection domain defined by what is in the capability list
• ACLs
– protection domain defined by the complete set of objects
code could access
How does this get implemented?

• Originally:
– every application had its own security checking code,
– Separate set of users
– Separate set of objects
– Separate kinds of ACLs, capabilities
• This makes the trusted computing base huge!!!
– You have to trust all applications to do this correctly!
• Now: Reference monitor
– Manages identity
– Performs all access checks
– Small, well-tested piece of code
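An added example (not from the slides) of the split described earlier, "ACLs for opening an object, capabilities for performing operations", inside one small reference monitor: the ACL is consulted once at open, which hands back a capability; read and write only inspect that capability, and every decision is recorded for auditing. The ACL, subjects, paths and rights are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed ACL for this example: object -> subject -> rights.
ACL = {
    "/homes/alice": {"alice": {"read", "write"}, "bob": {"read"}},
    "/etc/shadow": {"root": {"read", "write"}},
}
MODES = {"r": "read", "w": "write"}


@dataclass(frozen=True)
class Capability:
    """Handle returned by open(): names the object and the rights granted."""
    path: str
    rights: frozenset


@dataclass
class ReferenceMonitor:
    """Every open and every operation passes through here and is audited."""
    acl: dict
    audit: list = field(default_factory=list)

    def can_open(self, subject: str, path: str, mode: str) -> bool:
        return MODES[mode] in self.acl.get(path, {}).get(subject, set())

    def open(self, subject: str, path: str, mode: str) -> Capability:
        # The expensive ACL lookup happens once, at open (cf. fopen()).
        allowed = self.can_open(subject, path, mode)
        self.audit.append(("open", subject, path, mode, allowed))
        if not allowed:
            raise PermissionError(f"{subject} may not open {path} for {mode}")
        return Capability(path, frozenset({MODES[mode]}))

    def read(self, cap: Capability) -> str:
        # Each operation only inspects the capability (cf. read()): no ACL lookup.
        if "read" not in cap.rights:
            raise PermissionError("capability lacks read")
        return f"<contents of {cap.path}>"

    def write(self, cap: Capability, data: str) -> int:
        if "write" not in cap.rights:
            raise PermissionError("capability lacks write")
        self.audit.append(("write", cap.path, len(data)))
        return len(data)


def write_with_read_only_cap_is_refused() -> bool:
    """Bob opens Alice's home read-only; a later write through that handle is refused."""
    monitor = ReferenceMonitor(ACL)
    cap = monitor.open("bob", "/homes/alice", "r")
    monitor.read(cap)
    try:
        monitor.write(cap, "tampered")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(write_with_read_only_cap_is_refused())  # True
```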
Modern security problems

• Confinement
– How do I run code that I don’t trust?
• E.g. RealPlayer, Flash
– How do I restrict the data it can communicate?
– What if trusted code has bugs?
• E.g. Internet Explorer
• Concepts:
– Least Privilege: programs should only run with the minimal amount
of privilege necessary
• Solutions:
– Restricted contexts - let the user divide their identity
– ActiveX – make code writer identify self
– Java – use a virtual machine that intercepts all calls
– Binary rewriting - modify the program to force it to be safe
Restricted Contexts

• Add extra identity information to a process
– e.g. both username and program name
(mikesw:navigator)
• Use both identities for access checks
– Add extra security checks at system calls that use
program name
– Add extra ACLs on objects that grant/deny access to
the program
• Allows user to sub-class themselves for less-trusted
programs
Key Logger Tools
• A keylogger is software that records each and every
keystroke you enter, including mouse clicks.
• There are many keyloggers available on the market with
various features. Some examples of software
keyloggers are:
• Revealer Keylogger
• Ardamax Keylogger
• Winspy
• Invisible Keylogger
