Coen 150: Intro to Information Security

Mary Le

Carol Reiley

Term Paper

Holliday

Table of Contents

Introduction

Trojan Horses

Buffer Overflow

Statistics On How Long it Takes to Crack Passwords

Login Scripting and Password Cracking

@stake’s LC4: A Password Cracking Program

John the Ripper: A Password Cracking Program

Password Sniffing: Dsniff

Bibliography
Introduction

Every system should require the user to identify and authenticate themselves. Passwords are the most common method and often the first authentication method that systems use. They are perhaps the most important yet most neglected method of authentication. Passwords should be protected as they are entered, and login attempts must be limited to defeat password guessing. In cases when the attacker can only generate passwords and check them, two main methods exist: the brute force attack and the dictionary attack. A brute force attack is used when there is no additional information about the password; the attacker simply tries all the different combinations. To resist this attack the system should encourage long, mixed-character passwords, which make brute force much more difficult for an attacker.

If the cracker knows that the password is an ordinary word, he may use a dictionary attack: if the password uses only words from the dictionary, those words are tested as password candidates. The dictionary contains fewer than 100,000 words, so they can be tested very quickly; running a program that does a dictionary attack takes only a few seconds.

A combination of the two is known as a "syllable attack". It is used when a password has been transformed into a nonexistent word, and the cracker combines syllables to generate such words.

The most powerful attack is the "rule-based attack". It can be used whenever the cracker has obtained some information about the password he wants to crack. For example, he knows that the password consists of a word followed by a one- or two-digit number. He writes the rule, and the program generates only the passwords that fit it. Another example: he knows that the first letter is upper case, the second is a vowel and the password length is not greater than 6. This information can decrease the number of possible passwords by 20-30 times. This method subsumes all the others: brute force, dictionary and syllable attacks.

To make your password harder to crack, choose software that uses strong cryptography and implements it correctly. Then always choose passwords that are non-words, contain mixed-case letters and digits, and have a reasonable length (normally 8 characters). The best way is to use a randomly generated password (if you can remember it). If you can't, it is better to choose a more convenient one than to write the password down on your desktop. You should not use the same password for different systems or for different internet sites.

Even after picking a strong password, it is crucial to realize that your password might still be figured out. This is essentially the heart of our paper, as we consider the different methods by which an attacker could obtain your password. The first method is using a Trojan horse, where something harmful poses as something innocuous. What looks like your logon screen could actually be a Trojan horse, and when you input your user name and password, the information you type is handed straight to the attacker. The next method an attacker could use is login scripting, where he evaluates the code and sees what the valid user names and passwords are. Buffer overflow is where a user might overwrite user code or data by spilling into a memory area being used by the OS; someone can rewrite part of the OS to get it to do what they want. Password sniffers work passively and don't generate any network traffic, so they are very hard for others to detect. You should not have to install any additional software on the target PCs or workstations. If your network is connected through a switch, you can run the sniffer on the gateway or proxy server, which sees all of the network traffic. This stealth-monitoring utility is useful for recovering your own network passwords, for parents who want the network passwords of their children, and for server administrators who monitor password abuse.

This paper also discusses important issues regarding statistics and addresses common questions.
Trojan Horses

Trojan horse attacks pose one of the most serious threats to computer security. The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy.

In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign." It is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. Although they exist for all operating systems, the most damage is done to Windows users, owing to its popularity and many vulnerabilities. Trojan horses rely on users to install them, or they can be installed by intruders who have gained unauthorized access by other means. An intruder attempting to subvert a system using a Trojan horse then relies on other users running the Trojan horse in order to succeed. Unlike common backdoors, Trojan horses hook themselves into the victim’s operating system and always come packaged as two files – the client file and the server file. The server, as its name implies, is installed on the infected machine, while the client is used by the intruder to control the compromised system. Some well known Trojan functions include managing files on the victim computer, managing processes, remote activation of commands, intercepting keystrokes, watching screen images, and restarting and shutting down infected hosts, just to name a few. Some are even able to connect back to their originator. You must be certain of both the source AND the content of each file you download.

Additionally, a Trojan horse, depending on the actions it takes, may implicate your site as the source of an attack and may expose your organization to liability. Users can be tricked into installing Trojan horses by being enticed or frightened. For example, a Trojan horse might arrive in an email described as a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker. As another example, an intruder may forge an advisory from a security organization, such as the CERT Coordination Center, that instructs system administrators to obtain and install a patch.

In this paper, we are discussing Trojan horses masquerading as a false page in order to obtain a user's password. This fake page often looks like a login screen, and once a person types in their user name and password, the Trojan horse relays that information back to the attacker. The worst part is that the user is unaware that he has just given his password out and has had his privacy violated: what the user sees is just a login error, and he assumes he mistyped his password. A compromise of any system on your network, including a compromise through Trojan horses, may have consequences for the other systems on your network. Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in cleartext or in a trivially encrypted form. This is very common. If a system on such a network is compromised via a Trojan horse (or another method), the intruder may be able to install a network sniffer and record usernames and passwords or other sensitive information as it traverses the network.

Once it is running, a Trojan horse can do anything that the user executing the program has the privileges to do. This includes deleting files that the user has access to, transmitting to the intruder any files that the user can read, changing any files the user can modify, and installing other programs with the privileges of the user. An attacker executing the Trojan horse can attempt to exploit a vulnerability to increase the level of access beyond that of the user running the Trojan horse. If this is successful, the Trojan horse can operate with the increased privileges, for example installing viruses or other Trojan horses.

Other forms of "social engineering" can be used to trick users into installing or running Trojan horses. For example, an intruder might telephone a system administrator and pose as a legitimate user of the system who needs assistance of some kind. The system administrator might then be tricked into running a program of the intruder's design.

The best advice with respect to Trojan horses is to avoid them in the first place.

· System administrators should verify every piece of software that is installed. It should come from a trusted source and have remained unmodified in transit. Without a way to authenticate software, you may not be able to tell if a given piece of software is legitimate, regardless of the distribution media.

· Software developers and distributors are strongly encouraged to use cryptographically strong validation for all software they produce or distribute. Any popular technique based on algorithms that are widely believed to be strong will give users a strong tool to defeat Trojan horses.

· Use the lowest privilege necessary to do the tasks needed. Don’t use administrative privileges to do mundane tasks like checking email.

· Install and configure a tool such as Tripwire that will allow you to detect changes to system files in a cryptographically secure way.

· Raise awareness among your users.

· Use firewalls and virus products that are aware of popular Trojan horses.

· Review the source code to any open source products you choose to install.

· Do not rely on timestamps, file sizes, or other file attributes when trying to determine if a file contains a Trojan horse.

· Exercise caution when downloading unauthenticated software.


Buffer Overflow

Overflow problems have always been associated with security vulnerabilities. In the past, lots of security breaches have occurred due to buffer overflow. We will explain what buffer overflow is, how it can be exploited and what can be done to avoid it.

Knowledge of C or any other high level language is essential. Basic knowledge of process memory layout is also helpful. The concept of buffer overflow is the same no matter what platform and operating system is used.

A buffer is a contiguous allocated chunk of memory, such as an array or a pointer in C. In C and C++, there is no automatic bounds checking on the buffer, which means a user can write past its end. For example:

    int main() {
        int buffer[10];
        buffer[20] = 10;   /* writes ten elements past the end of buffer */
        return 0;
    }

The above C program is a valid program and will compile without any errors. However, the program attempts to write beyond the memory allocated for the buffer, which might result in unexpected behavior. Over the years, some bright people have used only this concept to create havoc in the computer industry. A process is a program in execution. An executable program on a disk contains a set of binary instructions to be executed by the processor. Function local variables are automatic variables created on the stack whenever functions execute, and they are cleaned up as the function terminates.
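As an added example (not code from the paper), the paper's unchecked write placed in a function next to a hardened version that validates the index against the real buffer length, plus a bounded string copy that refuses input too long for its destination, the kind of check the standard unsafe functions omit. The function names, BUF_LEN and the 8-byte name buffer are our own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10

/* Unsafe: mirrors the paper's example. Nothing compares idx with the array
 * length, so idx >= BUF_LEN silently overwrites adjacent stack memory. */
void unsafe_store(int *buf, size_t idx, int value) {
    buf[idx] = value;
}

/* Hardened: the caller passes the real length and the index is checked.
 * Returns 0 on success, -1 if the write would fall outside the buffer. */
int checked_store(int *buf, size_t len, size_t idx, int value) {
    if (buf == NULL || idx >= len) {
        return -1;
    }
    buf[idx] = value;
    return 0;
}

/* Bounded replacement for an unchecked string copy: refuses sources that do
 * not fit, including the terminating NUL. Returns the copied length or -1. */
int checked_copy(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst == NULL || dst_len == 0 || n >= dst_len) {
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Helpers that run the checked versions on stack buffers of known size. */
int try_store(size_t idx) {
    int buffer[BUF_LEN] = {0};
    return checked_store(buffer, BUF_LEN, idx, 10);
}
int try_copy(const char *src) {
    char name[8];                       /* room for 7 characters plus NUL */
    return checked_copy(name, sizeof name, src);
}

int main(void) {
    printf("store idx 9  -> %d\n", try_store(9));              /* 0      */
    printf("store idx 20 -> %d\n", try_store(20));             /* -1     */
    printf("copy 'alice' -> %d\n", try_copy("alice"));         /* 5      */
    printf("copy 13 chars -> %d\n", try_copy("averylongname")); /* -1    */
    return 0;
}
```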

All the methods/tools described above are limited in one manner or another. No tool can completely solve the problem of buffer overflow, but they can surely decrease the probability of stack smashing attacks. However, writing secure code is still the best possible defense against these attacks. Programmers should be educated to prevent or minimize the use of standard unsafe functions.
Statistics On How Long it Takes to Crack Passwords

For someone guessing a randomly generated eight character password (=2,800,000,000,000 possibilities), if your computer tried to guess the password at 1 million guesses per second, it would take on average roughly 3 years. The more characters a password contains, the harder it is for an attacker using brute force to crack. Breaking a captured encrypted password could take from seconds to at most days. The longest single continuous crack run found in our research lasted a little under seven months non-stop on a little-used Sun 4/330. With the faster CPUs available nowadays, such runs take far less time.
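The attack types from the Introduction and the guess-rate arithmetic above, as an added example that is not part of the paper: it estimates the candidate space an attacker must search for a given password under the dictionary, "word plus one- or two-digit number" and brute force models, and the average time at the paper's 1 million guesses per second. The four-word dictionary, the 33-symbol punctuation set and the sample passwords are constructed; DICT_SIZE uses the paper's 100,000-word figure.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ~100,000-word dictionary the paper mentions;
 * DICT_SIZE is the size the estimate assumes for the real list. */
static const char *const WORDS[] = {"password", "dragon", "secret", "letmein"};
static const double DICT_SIZE = 100000.0;
static const double GUESSES_PER_SEC = 1000000.0; /* rate used in the text */

/* Strip up to two trailing digits; report whether the stem is a dictionary word. */
static int word_plus_digits(const char *pw, int *digits) {
    size_t n = strlen(pw), d = 0;
    while (d < 2 && d < n && isdigit((unsigned char)pw[n - 1 - d])) d++;
    *digits = (int)d;
    for (size_t i = 0; i < sizeof WORDS / sizeof *WORDS; i++)
        if (strlen(WORDS[i]) == n - d && strncmp(WORDS[i], pw, n - d) == 0)
            return 1;
    return 0;
}

/* Candidate set the attacker must search: dictionary, rule "word + one- or
 * two-digit number", or brute force over the character classes present. */
double candidate_space(const char *pw) {
    int d;
    if (word_plus_digits(pw, &d))
        return d == 0 ? DICT_SIZE : DICT_SIZE * 110.0; /* 10 + 100 suffixes */
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (const char *p = pw; *p; p++) {
        if (islower((unsigned char)*p)) lower = 26;
        else if (isupper((unsigned char)*p)) upper = 26;
        else if (isdigit((unsigned char)*p)) digit = 10;
        else other = 33; /* printable ASCII punctuation and space */
    }
    double alphabet = lower + upper + digit + other, space = 1.0;
    for (size_t i = 0; i < strlen(pw); i++) space *= alphabet;
    return space;
}
/* Average time to hit the password: half the space at the paper's guess rate. */
double average_crack_seconds(const char *pw) {
    return candidate_space(pw) / 2.0 / GUESSES_PER_SEC;
}
int main(void) {
    const char *samples[] = {"dragon", "dragon12", "Xk7pQ2mz"};
    for (size_t i = 0; i < 3; i++)
        printf("%-9s candidates=%.0f  average=%.1f s\n", samples[i],
               candidate_space(samples[i]), average_crack_seconds(samples[i]));
    return 0;
}
```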

User passwords are not stored in plain or encrypted form. Only the hash of the password is kept, and you can't recover the original password from this hash. For UNIX and Windows NT, only the brute-force attack is known. For Netware, you can find a collision very quickly (a collision is a string that will be accepted as the right password).

Internet passwords or dial-up passwords are easier to break since, regardless of the OS being used, most providers require the password in plain text. Therefore it must be stored in plain or encrypted (not hashed) form, and it can be decrypted.

Among the three most popular archivers - ARJ, ZIP and RAR - RAR 2.x provides the strongest encryption, because it has the slowest brute-forcing speed and no "known-plaintext" methods are known. But the possible weakness of RAR 2.x is its own proprietary algorithm, which was never tested by professional cryptographers. Where a "known-plaintext" method exists, an unencrypted copy of one of the archived files lets passwords of any length be cracked. For ARJ files, knowing a number of bytes of the compressed file equal to the password length is enough. For ZIP files, you can recover the password if you know at least 13 bytes of the compressed file; it will take several hours on a modern PC. For RAR 1.5x, once you know 3-4 bytes of the compressed file, it might take hours or days to crack it.

The best cracker is one that will find your password. To make that possible, the password cracker should support different attack types and be as fast as possible. Benchmarks and features of different crackers can be found at the Russian Password Crackers site. As stated in class, if someone with the right nudge really wants in, they can get in.