Objectives

  • Explore the current authentication problem

  • Explain current anatomy and security of traditional single factor authentication

  • Demonstrate Tools, Techniques, and Strategies for recovering encrypted passwords

  • Discuss password recovery resistance methodology

  • Discuss new authentication alternatives and technologies


Recent Enterprise Password Fails

LinkedIn/E-Harmony (June 6th 2012)

  • Passwords believed to be leaked by a Russian hacker

  • 165,000 passwords cracked in first week

  • Most used passwords: link, 1234, work, god, job

    Yahoo (July 11th 2012)

  • Passwords leaked by a group called D33Ds

  • Usernames and Passwords in clear text

  • Over 100,000 Gmail addresses included with leak

    Twitter (Feb 1st 2013)

  • Usernames, email addresses, session tokens, and the encrypted and salted versions of passwords were compromised

  • The attack was reported to be sophisticated and hinted at a Java plug-in exploit


2013 Verizon *DBIR Findings

*Data Breach Investigation Report


The Historic Password Problem

Access Control Using Single Factor Authentication

  • Passwords exist to deter unauthorized access

  • Passwords are stored locally to ensure access

  • Passwords are the traditional keys to the kingdom

  • Accidental access or an authentication bypass puts the stored passwords at risk

  • Originally, passwords were kept in a clear-text file

  • Encryption was added to make pillaging the password file less effective


How Modern Passwords Work

Passwords are stored in an Encrypted Hash Format

  • There is a guaranteed 1-to-1 correlation between password and encrypted hash

  • The hashing algorithm is irreversible

  • Vulnerable to password guessing and brute force attacks

    Some password hashing examples:

    SHA1 of "Bsides" = 8215350dfd7b6a15af09798f1d3e754da1e3c2fe

    MD5 of "Bsides" = 474c302dd6c73aeb2bfbeccef0da8adf


How Access is Granted for a User

Type in username and password -> press "Enter"

  • The computer generates an encrypted hash of the password typed

  • Then compares this hash with the one stored on the machine for that user

  • If they match, access is granted

  • If they differ, the user is asked to try again

Flowchart: Type password (ex. Bsides) -> Calculate hash (MD5): Bsides = 474c302dd6c73aeb2bfbeccef0da8adf -> Does hash match? -> Yes: Access granted / No: try again


How Password Complexity Works

Password authentication results from a subset of combinations of the following characters:

Lowercase = 26 characters (abc…xyz)

Uppercase = 26 characters (ABC…XYZ)

Numbers = 10 characters (123…890)

Special characters ≈ 33 characters (!@#…^&*)

(26 + 26 + 10 + 33) = 95 characters total


How Password Length Works

Let T = total combinations of possible passwords

L = length of the password

C = number of unique character keys that can be used

The total number of possible passwords can be modeled by:

T = C^L

Entropy (max) permutations:

7675309 = 10^7 + 10^6 + 10^5 + 10^4 + 10^3 + 10^2 + 10^1 = 11,111,110

bsides = 26^6 + 26^5 + 26^4 + 26^3 + 26^2 + 26^1 = 8,353,082,582

Bsides = 52^6 + 52^5 + 52^4 + 52^3 + 52^2 + 52^1 = 1,048,229,971,204

Bs!des = 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95^1 = 65,545,047,154,954


How Passwords Are Compromised

Some Tools of the Trade

Cain and Abel – Windows GUI based Password Cracker

John the Ripper – Multiplatform command line Cracker

HashCat – Multi-platform, GUI, Multi-GPU Cracker

THC Hydra - A fast network authentication cracker

PWDump - extracts NTLM and LanMan hashes

Many….many…more!


Obtain and Dump Windows Credentials into Password Cracking Program

  • NT hash - Full 95 Characters

  • LM hash - Not Case sensitive, 14 Char Max (2 blocks of 7 characters)


Inherent Password Problems

  • LM hashes store up to 14 character passwords by concatenating two groups of 7 characters


Recovery Sequencing

Minimizing Time to Recover (Fastest to Slowest)

1) Dictionary Attack/Password Guessing

2) Brute force (Least Energy Calculation Sequencing)

2.1) Numbers (10)

2.2) Lowercase (26)

2.3) Lowercase + Numbers (36)

2.4) Lowercase + Uppercase (52)

2.5) Lowercase + Uppercase + Numbers (62)

2.6) Lowercase + Uppercase + Numbers + Special Characters (95)


Dictionary Attack Dynamics


Dictionary Recovery Tricks

Millions of users' passwords are aggregated and studied for usage and frequency patterns

  • Dictionaries are built by password popularity instead of alphabetical order (A to Z)

  • Specialized word lists are available via the web

  • These patterns can then be automated to increase the likelihood of cracking a password

  • Here are some of Cain and Abel's advanced dictionary attack techniques for success


Dictionary Attack Finds 4 Passwords in less than 60 Seconds


Advanced Dictionary Techniques

Online Services: Cloud-based Dictionary Attack for a Fee

  • Moxie Marlinspike’s Cloud Cracker

  • Dictionary LM/NTLM = 385,000,000,000,000 words


Brute Force Recovery (10)

  • 8 Digits – 20 seconds or less (Ex. Birthday)

  • 9 Digits – 2 minutes or less (Ex. SSN)

  • 10 Digits – 20 minutes or less (Ex. Phone # with Area code)

  • 11 Digits – 4 hours or less


Brute Force Lowercase (26)

  • 7 Characters - 17 minutes or less

  • 8 Characters - 7 hours or less

  • 9 Characters - 7 days or less

  • 10 Characters - 220 days or less


More Brute Force Calculations

Uppercase + Lowercase

  • 7 Characters – 1.4 days or less

  • 8 Characters - 85 days or less

  • 9 Characters – 10 years or less

  • 10 Characters - 570 years or less

    Upper + Lower + Numbers

  • 7 Characters – 5 days or less

  • 8 Characters - 300 days or less

  • 9 Characters – 53 years or less

  • 10 Characters - 3000 years or less


Even More Brute Force Calculations

Brute Force Upper + Lower + Numbers + Special Characters

  • 7 Characters – 5 days or less

  • 8 Characters - 300 days or less

  • 9 Characters – 53 years or less

  • 10 Characters - 3000 years or less


Brute Force Advanced Techniques

Rainbow Tables:

  • Pre-calculated hash values kept in Dictionary for Speed

  • Time/Space Trade off

    • Larger searches increase in size exponentially


Removing Restricted Password Lengths

- Corporate password policy states the minimum password length is 8 characters or greater; 62-character alphabet

  • All passwords of 1 to 8 characters = 221,919,451,578,090

  • Passwords of exactly 8 characters = 218,340,105,584,896

    __________________

    A reduction of 3,579,345,993,194 possibilities

    However, this is only about 2% overall
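The arithmetic behind the "How Password Length Works", brute-force timing and "Removing Restricted Password Lengths" slides, as an added example that is not part of the deck: T = C^L, the cumulative count of every password up to a length, the effect of a published minimum length, and a worst-case time-to-exhaust table. The guess rate is an assumption; computed this way, the slide's quoted totals for 7675309, bsides, Bsides and Bs!des are the cumulative sums for L = 7 (with C = 94 for the special-character row).

```python
# Key-space arithmetic for the password-length and brute-force slides.
# RATE below is an assumption, not a figure from the slides.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable": 95,
}

def keyspace(c: int, length: int) -> int:
    """T = C^L: passwords of exactly `length` characters over `c` symbols."""
    return c ** length

def cumulative_keyspace(c: int, max_len: int, min_len: int = 1) -> int:
    """Sum of C^i for i from min_len to max_len: every password whose length
    the policy allows. The slides' "permutation" totals use min_len = 1."""
    return sum(c ** i for i in range(min_len, max_len + 1))

def seconds_to_exhaust(c: int, max_len: int, rate: float, min_len: int = 1) -> float:
    """Worst-case time to try every allowed password at `rate` guesses per second."""
    return cumulative_keyspace(c, max_len, min_len) / rate

def humanize(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def brute_force_table(rate: float, lengths=range(7, 11)) -> dict:
    """Same shape as the brute-force slides, for an assumed guess rate."""
    return {name: {n: humanize(seconds_to_exhaust(c, n, rate)) for n in lengths}
            for name, c in CHARSETS.items()}

def min_length_effect(c: int, min_len: int, max_len: int) -> dict:
    """How many candidates a published minimum length removes, and the share."""
    everything = cumulative_keyspace(c, max_len)
    allowed = cumulative_keyspace(c, max_len, min_len)
    removed = everything - allowed
    return {"all": everything, "allowed": allowed,
            "removed": removed, "removed_pct": 100 * removed / everything}

if __name__ == "__main__":
    RATE = 8_000_000  # assumed guesses per second
    for name, row in brute_force_table(RATE).items():
        print(f"{name:>20}: {row}")
    print(min_length_effect(62, 8, 8))
```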


Brute Force Advanced Techniques

  • Key Casting:

    • Studies by August Dvorak as far back as 1936 noted that some keys are used more than others:

      The order from most used to least used letter:

      E T A O I H N S R D L U W G C Y M F P B K V Q X J Z


Reducing the Key Space: Wheel of Fortune Recovery Methodology

  • abcdefghijklmnopqrstuvwxyz (full 26-letter alphabet)

    • 8 characters

    • 217,180,147,158 combinations

  • acdefghilmnorstuwy (pbkvqxjz removed, 18 letters)

    • 9 characters

    • 210,027,483,918 combinations


Floor vs. Ceiling Key Space Complexity

mississippi - lower case

Maximum character space = 26 keys

(26^11 + … + 26^1) = 3,817,158,266,467,286 combinations

Minimum character space = 4 characters = "MISP"

(4^11 + … + 4^1) = 5,592,404 combinations

Time to crack = 1 second!


So Passwords are Weak….Now What?

Be Dictionary Recovery/Crack Resistant


Brute Force Password Resistance

Improve the minimum (floor) combination space

The maximum number of combinations (i.e., the strength of the password) occurs when:

number of unique characters = length of the password

i.e., when C = L in T = C^L

This means passwords with no repeating characters are inherently harder to crack because they are more resistant to key space reduction techniques.

Ex. Floor combination space for utah (4 unique) > floor combination space for ohio (3 unique)

4^4 > 3^4
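The key-space reduction from the "Wheel of Fortune", "Floor vs. Ceiling" and "Brute Force Password Resistance" slides, as an added example (not the deck's own material): the pruned alphabet built from the Dvorak letter order quoted above, the ceiling and floor search sizes for a given password, and the C^L floor for utah versus ohio. The guess rate passed to the report is an assumption.

```python
# Key-space reduction and per-password floor/ceiling sizes.
# FREQUENCY_ORDER is the letter order quoted on the Key Casting slide.
FREQUENCY_ORDER = "etaoihnsrdluwgcymfpbkvqxjz"

def cumulative_keyspace(c: int, max_len: int) -> int:
    """Sum of C^i for i = 1..max_len, the counting model used on the slides."""
    return sum(c ** i for i in range(1, max_len + 1))

def pruned_alphabet(keep: int) -> str:
    """The `keep` most frequent letters, sorted: the reduced alphabet a
    key-space reduction attack searches instead of all 26 letters."""
    return "".join(sorted(FREQUENCY_ORDER[:keep]))

def ceiling_space(password: str, alphabet_size: int = 26) -> int:
    """Upper bound: every string up to this length over the full alphabet."""
    return cumulative_keyspace(alphabet_size, len(password))

def floor_space(password: str) -> int:
    """Lower bound: once the distinct characters are known, only those are
    searched. C becomes the number of unique characters in the password."""
    return cumulative_keyspace(len(set(password)), len(password))

def floor_exact(password: str) -> int:
    """The slide's C^L form of the floor: utah -> 4^4, ohio -> 3^4."""
    return len(set(password)) ** len(password)

def resistance_report(password: str, rate: float) -> dict:
    """Floor and ceiling sizes plus worst-case seconds at `rate` guesses/s
    (rate is an assumption). With all-unique characters, floor equals
    ceiling over the password's own alphabet, so pruning gains nothing."""
    floor, ceiling = floor_space(password), ceiling_space(password)
    return {"unique": len(set(password)), "length": len(password),
            "floor": floor, "ceiling": ceiling,
            "floor_seconds": floor / rate, "ceiling_seconds": ceiling / rate}

if __name__ == "__main__":
    print(pruned_alphabet(18), cumulative_keyspace(18, 9), cumulative_keyspace(26, 8))
    print(resistance_report("mississippi", 8_000_000))
```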


Length Trumps Complexity

Recall that password strength, T, is modeled by: T = C^L

where L is the length of the password and

C is the number of unique characters used

With this model, a slight change to the exponent, L, has a much more significant impact on T than a similar change to the base, C.

For example, compare the following changes:

10^3 = 1000 but 10^4 = 10000, compared to 10^3 = 1000 but 11^3 = 1331

Thus, it is always more advantageous to increase the length of the password than to increase the number of character options available.

  • 10 character password minimum

  • Special characters

  • Unique characters

  • 15 character passwords will break LM hashing


Establish Multiple Passwords

Develop an easy general rule to make passwords unique to each of your accounts

TIP

- Incorporate the URL into each of your passwords

- This will make each password unique

- Increase the length of your base word

- Also add complex noise

- Creates an enclave-protection, defense-in-depth practice

Examples:

Gmail account = gma##Fluffy1 or [email protected]#m#a

Yahoo account = hay##Fluffy1 or [email protected]#a#y


Consider a Password Vault Service

One Password to rule them all

Here is a list of some of the most popular services:

- KeePass (Windows/Mac/Linux/Mobile, Free)

- RoboForm (Windows, Basic: Free / Pro: $29.95)

- LastPass (Windows/Mac/Linux/Mobile, Basic: Free / Premium: $1/month)

- SplashID (Windows/Mac/Mobile, Desktop: $19.95 / Mobile: $9.95)

- 1Password (Mac OS X/iPhone, Desktop: $39.95 / iPhone: $14.95)


Fixing the Problem

Take the user out of the equation

Security GPOs for Windows / PAM for *nix (Linux/Unix)

  • 9 to 10 character minimum length

  • Enforce complexity

  • 90 to 180 day password expiry

2012 Worst Passwords

1) password  2) 123456  3) 12345678  4) abc123  5) qwerty

6) monkey  7) letmein  8) dragon  9) 111111  10) baseball

11) iloveyou  12) trustno1  13) 1234567  14) sunshine  15) master


Salt and Encrypt Stored Credentials

Bcrypt

  • A variant of the Blowfish encryption algorithm

  • Extremely slow to calculate hashes

    • This makes recovery/cracking slow

  • Implementations written in:

    • Java, Python, C, C#, Ruby, Perl, PHP 5.3+ and many other languages


Compromise Detection Strategies

Honey Passwords

  • Seed the cached credentials with a few fake, low-privilege users whose passwords are easier to crack

  • Create log rules for logins or attempted logins by those users

  • If someone tries to log in, or does log in, as "Mickey Mouse", you have a positive indicator of a possible compromise of the stored credentials

    Warning: may be susceptible to privilege escalation… must monitor diligently
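The login check from the "How Access is Granted" slide rebuilt the way the bcrypt and honey-password slides recommend, as an added example that is not from the deck: per-user random salt, a deliberately slow hash, constant-time comparison, and a log rule that flags any attempt against a honey account. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the iteration count, user names and passwords are constructed placeholders.

```python
import hashlib
import hmac
import os

# Work factor for the stand-in KDF (assumed value; bcrypt uses a cost
# parameter instead). Salted and deliberately slow is the property that
# makes recovery of a stolen credential store expensive.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' for storage. A fresh
    16-byte random salt per user means two users with the same password get
    different records, so one precomputed table cannot serve both."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the slow hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Constructed credential store: one real user plus one low-privilege honey
# user with a deliberately weak password. Names and passwords are placeholders.
HONEY_USERS = {"mickey.mouse"}
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "mickey.mouse": hash_password("password"),
}

def login(username: str, password: str, alerts: list) -> bool:
    """Hash the typed password and compare with the stored record, plus the
    honey password log rule: any attempt against a honey user, successful or
    not, is recorded as a possible compromise of the stored credentials."""
    if username in HONEY_USERS:
        alerts.append(f"ALERT possible credential-store compromise: honey user {username!r}")
        return False  # a fictitious user is never granted access
    stored = USERS.get(username)
    if stored is None:
        # Spend the same work on unknown users so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    return verify_password(password, stored)
```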


Strong Multi-Factor Authentication

3 Types of Authentication

What You Have

  • Wristband

  • ID Card

  • Security Token

  • Software Token

  • Phone

  • Cell phone

What You Are

  • Fingerprint

  • Retinal Pattern

  • DNA Sequence

  • Signature

  • Face

  • Voice

  • Other biometric identifiers.

What You Know

  • Password

  • Passphrase

  • PIN

  • Challenge Response

  • Pattern


2Step != 2Factor Authentication

2-Factor Authentication

Must use at least two of the three authentication types

2-Step Verification

Can be the same type of authentication


Hard Tokens – Strongest Most Expensive Protection

  • Hard tokens are difficult to hack/compromise

  • Must have the token to sign in

  • High cost to purchase and maintain… must weigh security versus cost

  • Weakness is keeping the private certificate secure… onus on the vendor

RSA SecurID Token

Smart Cards

Yubikey


Soft Tokens – Good Protection at a Reasonable Price

  • Companies save money on purchasing hard tokens

  • Works well with BYOD and cellular environments

  • Cheaper than hard tokens to implement and maintain

  • Weakness: if both devices are compromised, credentials can be stolen


2FA Available From:


2FA Application Development

Google Authenticator

  • An open source project

  • Supports both the HOTP and TOTP algorithms

    • HMAC*-based One-time Password (HOTP) algorithm, specified in RFC 4226

    • Time-based One-time Password (TOTP) algorithm, specified in RFC 6238

  • Modules and apps available for:

    • PC

    • Android

    • iOS

    • Blackberry

    • PAM module

*Hash-based Message Authentication Code


The Future of 2FA?

  • MasterCard is piloting a new credit card in Singapore, referenced as the "next generation of payment cards"

  • The Display Card has an LCD screen and touch-sensitive buttons for one-time passwords (OTP)

  • OTPs supplied by text message or hardware token


The Future of 2FA?

PassThoughts

  • Brainwave-based computer authentication

  • Uses electroencephalograms (EEGs), or brainwave measurements, for computer authentication


Conclusion: 2FA - Knowledge Is Power!



References

Background Photo obtained from - http://freestockphotos.com/

Graphics Created with – http://www.blender.org/

LinkedIn/E-Harmony breach http://articles.washingtonpost.com/2012-06-07/business/35462356_1_million-passwords-linkedin-passwords-linkedin-app

Most popular cracked LinkedIn passwords - http://mashable.com/2012/06/08/linkedin-stolen-passwords-list/

Yahoo breach - http://abcnews.go.com/blogs/technology/2012/07/yahoo-password-breach-includes-gmail-hotmail-and-aol-users/

Twitter breach - http://www.theregister.co.uk/2013/02/02/twitter_breach_leaks_user_data/

Verizon DBIR - http://www.verizonenterprise.com/DBIR/2013/

Cain and Abel - http://www.oxid.it/cain.html

John The Ripper - http://www.openwall.com/john/

THC Hydra - http://www.thc.org/thc-hydra/

HashCat - http://hashcat.net/oclhashcat-plus/

PWDump - http://www.foofus.net/~fizzgig/pwdump/

Numerous Eye Candy Photo Credit - http://www.freedigitalphotos.net

Cloud Cracker - https://www.cloudcracker.com

Downloadable RainbowTables – https://tbhost.eu/rt.php


Keyboard Frequency Pic - http://img.gawkerassets.com/img/1854qtk80dduyjpg/original.jpg

August Dvorak Keyboard Studies - http://en.wikipedia.org/wiki/Dvorak_Simplified_Keyboard

2012 Worst Passwords - http://splashdata.com/press/PR121023.htm

Setting Windows Password Policy - http://technet.microsoft.com/en-us/library/cc875814.aspx

Two Factor Auth Wiki - https://en.wikipedia.org/wiki/Multi-factor_authentication

MasterCard 2FA Card - http://www.theage.com.au/technology/technology-news/new-credit-card-has-lcd-screen-touchsensitive-buttons-20121109-2923y.html

Brain wave Passwords - http://phys.org/news/2013-04-password-future-passthoughts.html

Google Authenticator - http://code.google.com/p/google-authenticator/


Thank You!

Questions?

Email: [email protected]

Twitter: @rabidsecurity

