1 / 46

Web Security Kevin Curran

Web Security Kevin Curran. Vigenère cipher. A technique which stood defiant for centuries - Vigenère cipher . Its beauty in key is simply a single word, such as LIBERTY. Any unauthorised interceptor, will have greatest difficulty unravelling code without secret word .

sebastian-sykes
Download Presentation

Web Security Kevin Curran

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Security Kevin Curran

  2. Vigenère cipher • A technique which stood defiant for centuries - Vigenère cipher. • Its beauty in key is simply a single word, such as LIBERTY. Any unauthorised interceptor, will have greatest difficulty unravelling code without secret word. • …….. Thiscould be any string of letters at all so system looked secure • Each letter of the key word, which is written vertically, represents the first letter in a simple Caesar cipher. • We then encipher the first letter of the message using the first cipher, the second using the second, and so on, repeating cycle of Caesar ciphers • For example, suppose our plain text message is • A MAN A PLAN A CANAL PANAMA

  3. Vigenère Table . Vigenère cipher table based on LIBERTY.

  4. Vigenère cipher – how it works • Using LIBERTY as our watch word, the sender and legitimate receiver of the message would set up a cipher table as in previous slide. • The initial A is then enciphered as L; the word MAN is enciphered using the 13th letter of the second cipher, the first of the third, and the 14th of the fourth respectively, giving the encoded form of the word as UBR. • Continuing, we discover the full enciphered message as shown below. • We repeat the key word above plaintext message as a reminder of which of the seven shifted alphabets to use in the encoding for each letter.

  5. Cryptography • Most cryptanalysis techniques exploit patterns found in the plain text code in order to crack the cipher; however compression of the data can reduce these patterns and hence enhance the resistance to cryptanalysis Cryptanalysis is the study of methods for obtaining the plain text of encrypted information without access to the key that is usually required to decrypt. In lay-man's terms it is the practice of code breaking or cracking code. The dictionary defines cryptanalysis as the analysis and deciphering of cryptographic writings/systems, or the branch of cryptography concerned with decoding encrypted messages.

  6. Code Breaking Jobs

  7. Unbreakable Codes • Is it possible to devise a code so strong that it is absolutely unbreakable? • The Short Answer is Yes….but….

  8. Code Talkers • Code talkers was a term used to describe people who talk using a coded language. • It is frequently used to describe 400 Native American Marines who served in the United States Marine Corps whose primary job was the transmission of secret tactical messages. • Code talkers transmitted these messages over military telephone or radio communications nets using formal or informally developed codes built upon their native languages. • Because Navajo has a complex grammar, it is not nearly mutually intelligible enough with even its closest relatives within the Na-Dene family to provide meaningful information, and was at this time an unwritten language…..Navajo answered the military requirement for an undecipherable code.

  9. Code Talkers • Using a substitution method similar to the Navajo, the Comanche code word for tank was "turtle", bomber was "pregnant airplane", machine gun was "sewing machine" and Adolf Hitler became "crazy white man". • Two Comanche code-talkers were assigned to each regiment, the rest to 4th Infantry Division headquarters. • Shortly after landing on Utah Beach on June 6, 1944, the Comanches began transmitting messages

  10. One Time Pads • The sender and receiver each need identical copies of the one- time pad, which consists of no more than a very long totally random string of letters from the alphabet. • Only they possess this super key word. The secret message is then sent in whatever way convenient using the one-time pad in the Vigenère fashion. • Since the key word never ends (or more precisely does not end before the message is concluded) there is no cycle of ciphers. • Since each individual letter in the key word is random, and bears no relation to any other letter, the string that is transmitted is itself a totally random string. After the message is transmitted the sender destroys the pad, as does the receiver after he has deciphered the message. • Even the lengths of individual words can be masked, symbols like punctuation marks and spaces can themselves be given a symbol in an augmented alphabet.

  11. Book Ciphers • A very secure cipher that can be produced without too much difficulty is a book cipher. This involves both parties holding copies of a very long piece of text, a book perhaps. • The book is the key to the whole cipher and this must remain secret. • For this reason, it would be best if the ‘book’ is written by the code makers themselves—no literary merit is required, indeed the more arbitrary and nonsensical the better.

  12. Amazon Reviews • “I had a hard time getting into this book. The profanity was jarring and stilted, not at all how people really talk.” • “Once you get about halfway in, the rest of the story is pretty predictable.” • “I would have given it five stars, but sadly there were too many distracting typos. For example: 46453 13987.” • “I really liked the ’10034 56429 234088′ part.” • “Frankly the sex scenes were awkward and clumsily written, adding very little of value to the plot.” • “For a supposedly serious reference work the omission of an index is a major impediment. I hope this will be corrected in the next edition.” • The average customer gives it four stars.

  13. Passwords

  14. Passwords • One reason not to feel too guilty about your bad password behaviour is that it seems to be almost universal. An analysis of leaked pin numbers (2012) revealed that about one in 10 of us uses "1234“ • A recent security breach at Yahoo showed that thousands of users' passwords were either "password", "welcome", "123456" or "ninja". • People choose terrible passwords even when more is at stake than their savings: among military security specialists, • This is where the length of your password makes an almost unbelievable difference. • For a hacker with the computing power to make 1,000 guesses per second, a five-letter, purely random, all-lower-case password, such as "fpqzy", would take three and three-quarter hours to crack. • Increase the number of letters to 20, though, and the cracking time increases, just a little bit: it's 6.5 thousand trillion centuries…

  15. Passwords Then there's the question of predictability. Nobody thinks up passwords by combining truly random sequences of letters and numbers; instead they follow rules, like using real words and replacing the letter O with a zero, or using first names followed by a year. Hackers know this, so their software can incorporate these rules when generating guesses, vastly reducing the time it takes to hit on a correct one. And every time there's a new leak of millions of passwords, it effectively adds to a massive body of knowledge about how people create passwords, which makes things even easier. If you think you've got a clever system for coming up with passwords, the chances are that hackers are already familiar with it….lets examine further… Average Web user has 25 separate accounts but uses just 6.5 passwords to protect them. Such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.

  16. Passwords https://www.cloudcracker.com/

  17. Passwords A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers. The advances do not stop there. PCs equipped with two or more $500 GPUs can achieve speeds two, three, or more times faster, and free password cracking programs such as oclHashcat-plus will run on many of them with little or no tinkering. Hackers running such gear also work in tandem in online forums (e.g. http://forum.insidepro.com ), which allow them to pool resources and know-how to crack lists of 100,000 or more passwords in just hours.

  18. Passwords • Password hacking takes many different forms, but one crucial thing to understand is that it's often not a matter of devilish cunning but of bludgeoning with brute force. • Take the example of a hacker who sneaks on to a company's servers and steals a file containing a few million passwords. • These will (hopefully) be encrypted, so he cannot just log into your account: if your password is "hello“ it might be recorded like "$1$r6T8SUB9$Qxe41yFuvKOQ90". • Nor can he simply decode the gobbledegook, providing "one-way encryption" was used. What he can do, though, is feed millions of password guesses through the same encryption algorithm until one of them – bingo! – results in a matching string of gobbledegook. • …….Then he knows he's found a password. • (An additional encryption technique, known as "salting", renders this kind of attack impractical, but it's unclear how many firms actually use it.)

  19. Passwords The 100m+ passwords that have collectively been exposed bring to light a plethora of techniques employed to protect passcodes from traditional dictionary attacks. One is adding numbers or non-alphanumeric characters such as "!!!" to them, usually at the end, but sometimes at the beginning. Another, known as "mangling," transforms words such as "super" or "princess" into "sup34" and "prince$$." Still others append a mirror image of the chosen word, so "book" becomes "bookkoob" and "password" becomes "passworddrowssap.“ One promising technique therefore is to use programs such as the open-source Passpal to reduce cracking time by identifying patterns exhibited in a statistically significant percentage of intercepted passwords. Users tend to append years to proper names, words, or other strings of text that contain a single capital letter at the beginning.

  20. Passwords Using features built into password-cracking apps such as Hashcat and Extreme GPU Bruteforcer, seemingly complex passwords can be recovered in about 90 seconds by performing what's known as a mask attack. It works by reducing the keyspace to only those guesses likely to match a given pattern. Rather than trying aaaaa0000, ZZZZZ9999 & every possible combination in between, it tries a lower- or upper-case letter only for the first char, and tries only lower-case characters for the next 4 chars &then appends all possible 4 digit numbers to the end. The result is a drastically reduced keyspace of about 237.6 billion, or 52 * 26 * 26 * 26 * 26 * 10 * 10 * 10 * 10. An even more powerful technique is a hybrid attack. It combines a word list with rules to greatly expand the number of passwords those lists can crack. Rather than brute-forcing the five letters in Julia1984, hackers simply compile a list of first names for every single Facebook user and add them to a medium-sized dictionary of, say, 100 million words. While the attack requires more combinations than the mask attack above—specifically about 1 trillion (100 million * 104) possible strings—it is still a manageable number that takes only about two minutes using the same AMD 7970 card.

  21. Why Bits matter….. It is all down to ! Factorial…… see here for why each bit doesn’t just double the keyspace….

  22. Rainbow tables Rather than asking a computer to enumerate each possible password in real-time and compare it against a targeted hash, precalculated data is stored in memory or on disk in a highly compressed form to speed up the process to brute force huge numbers of hashes. The breakthrough was not just the speed with which the tables could crack passwords; it was also their ability to crack almost every possible password as long as it did not fall outside the targeted keyspace. Rainbow tables are believed to get their name because each chain link uses a different reduction function, but all chains follow the same pattern—much as each color in a rainbow is different but all rainbows follow the ROYGBIV pattern. The space savings alone are huge. Storing a table of every possible 10-character password with only lowercase letters, along with its corresponding MD5 hash, would require about 3,108 terabytes of disk space. A rainbow table expressing 99.9 percent of those combinations, by contrast, requires just 167 gigabytes.

  23. Rainbow Tables The huge advances in GPU-assisted password cracking have diminished much of the advantages of rainbow tables, however. Passwords with 6 or fewer characters can be brute-force cracked with less fuss using GPU-powered computers, while passwords longer than 9or 10 characters require rainbow tables with unwieldy file sizes. That leaves only a small sweet spot of 7or 8 characters where rainbow tables are especially useful these days. Still, the tables maintain their status as a useful, if niche, tool for some hackers. Witness Free Rainbow Tables, a project that allows volunteers to donate computer cycles to generate public tables that crack hashes including SHA1, MD5, and NTLM. With the participation of more than 3,900 volunteer computers, Free Rainbow Tables adds an estimated 36 megabits of table data every second… In 2003, hackers released Ophcrack program that used rainbow tables to crack most Windows passwords in minutes. CloudCracker also is a service that takes about 20 minutes to check a WiFi password against 300 million possible words.

  24. Salting Salting appends several unique characters to each account password before running it though a cryptographic function, a process that blunts the value of rainbow tables and other types of precomputed attacks. A 16-bit salt, for example, requires 65,535—or 216—separate tables to be defeated. A random salt of 32 bits makes rainbow table attacks even more impractical by pushing the no of tables required to more than four billion. Salt is rarely kept apart from the hash. Even when known, its virtue lies in its uniqueness defeating pre-computation of results.) Salting can also add to resources required to carry out more traditional cracking attacks, since it ensures that each stored hash is unique even if 2 users choose same passcode. That, in turn, requires each hash in a compromised table to be cracked separately, even if they mask one or more identical plaintext passwords. To the detriment of millions of users, going without salt is only one of the many sins that popular websites routinely commit against password security.

  25. Wrong Algorithms A large percentage of the sites that fall prey to password breaches commit another error that further diminishes the protection of hashes: they use algorithms that were never designed to protect passwords. That is because SHA1, DES, and MD5 were designed to convert plaintext into hashes extremely quickly using minimal computing resources, and this is exactly what people running password cracking programs want! (NTLM, still uses MD4 - highly susceptible). By contrast, algorithms specifically designed to protect passwords are engineered to require significantly more time and computation to convert plaintext into hashes. For instance, SHA512crypt passes text through 5,000 iterations, a hurdle that would have limited Gosney to slightly less than 2,600 guesses per second. The Bcrypt algorithm is even more computationally expensive, in large part because it subjects text to multiple iterations of the Blowfish cipher that was deliberately modified to increase the time required to generate a hash. PBKDF2, a function built into Microsoft's .Net software developer framework, offers similar benefits.

  26. Brute Force Wall Even powerful computation engines have trouble brute forcing longer passwords. Assuming checks for all 95 letters, numbers, and symbols – hours for desktop computer with an Intel Core i7 980x processor to brute-force crack any five character password. Increasing the password length by just one character requires about a day; bumping the length by one more character, though, dramatically increases the cracking time to more than 10 days. This limitation is known as the "exponential wall of brute-force cracking."

  27. Passwords The least hackable password, then, would be a long string of completely random letters, numbers, spaces and symbols – but you would never remember it. However, because length matters so much, the surprising truth is that a longish string of random English words, all in lower case – say, "awoken wheels angling ostrich" – is actually much more secure than a shorter password that follows your bank's annoying rules, such as "M@nch3st3r". And easier to remember: I have 68 different passwords," a Microsoft security specialist named Jesper Johansson told a conference several years ago. "If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.“ One problem with this however….. If somebody swipes money from your account, you will have a harder time getting it back if you are deemed to have been "grossly negligent" in protecting your passwords.

  28. Length Matters Using an Amazon EC2 cloud system that combines the horsepower of more than 1,000 individual GPUs, it still takes about 10 days to brute-force an 8 character password. The exponential wall rarely impedes most password crackers. As demonstrated by the RockYou dump, the typical person is notoriously sloppy when choosing a passcode. A full 70 percent of them contained eight characters or less. Therefore it is important that a password not already be a part of the corpus of the hundreds of millions of codes already compiled in crackers' word lists, that it be randomly generated by a computer, and that it have a minimum of nine characters to make brute-force cracks infeasible. Since it is not uncommon for people to have dozens of accounts these days, the easiest way to put this advice into practice is to use program such as 1Password or PasswordSafe. Both apps allow users to create long, randomly generated passwords and to store them securely in a cryptographically protected file that's unlocked with a single master password.

  29. Last Pass LastPass is a free online password manager and Form Filler that makes your web browsing easier and more secure. You can import from most major password storage vendors (such as RoboForm, 1Password, KeePass, Password Safe, MyPasswordSafe, TurboPasswords, and Passpack) and export too. LastPass captures passwords that other managers won’t including many AJAX forms, and allows you to make strong passwords easily. Your sensitive data is encrypted _locally_ before upload so even LastPass cannot get access to it. One Time Passwords, Screen Keyboard, and Grid multi-factor help protect your account. http://www.youtube.com/watch?v=tx8tnVX8z7w

  30. It's not a perfect solution. LastPass is secure to an almost problematic degree: since it conducts all its encryption and decryption on users' own computers, the master password is unknown to the company, which means no one will be able to help you should you forget it. (There's no recovery process based on security questions, either.) And so – yes – you may need to write it down, in coded form, on a scrap of paper, which you should carefully hidden. (but try to memorise it instead…..) Remember – There is no such thing as total security, let alone total security plus total convenience, but this feels like a workable compromise.

  31. .. Useful Sites/Software

  32. Microsoft Baseline Security Analyzer (MBSA) Software tool released by Microsoft to determine security state by assessing missing security updates and less-secure security settings within Windows, Windows components such as Internet Explorer, IIS web server, and products Microsoft SQL Server, and Microsoft Office macro settings. An example of a VA might be that permissions for one of the directories in the /www/root folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders. http://www.microsoft.com/en-us/download/details.aspx?id=7558

  33. Metasploit The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit can be used to test the vulnerability of computer systems to protect them or to break into remote systems.

  34. Armitage GUI Front-End for Metasploit

  35. Nessus • Nessus is a proprietary comprehensive vulnerability scanning program. Fee of charge for personal use in a non-enterprise environment. • Nessus allows scans for the following types of vulnerabilities: • Vulnerabilities that allow a remote hacker to access data on a system. • Misconfiguration (e.g. open mail relay, missing patches, etc.). • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also launch a dictionary attack. • Denials of service against the TCP/IP stack by using mangled packets • Preparation for PCI DSS audits • In typical operation, Nessus begins by doing a port scan with one of its four internal portscanners (or it can optionally use Amap or Nmap) to determine which ports are open on the target and then tries various exploits on the open ports.

  36. Nessus Optionally, the results of the scan can be reported in various formats, such as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX, scanning can be automated through the use of a command-line client. Nessus provides additional functionality beyond testing for known network vulnerabilities. E.g. use Windows credentials to examine patch levels on computers running the Windows operating system, and can perform password auditing using dictionary and brute force methods. Nessus 3 and later can also audit systems to make sure they have been configured per a specific policy, such as the NSA's guide for hardening Windows servers. Nessus is available for the iPhone, iPod Touch, and Android devices. You can start, stop, and pause vulnerability scans directly from a device.

  37. Snort.org Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. It can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user.

  38. NMAP Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses. Unlike many simple port scanners that just send packets at a predefined constant rate, Nmap accounts for the network conditions (latency fluctuations, network congestion, the target interference with the scan) during the run. Owing to the large and active community providing feedback and contributing to its features, Nmap has been able to extend its discovery capabilities beyond simply figuring out whether a host is up or down & which ports are open; it can determine the target OS, names and versions of listening services, uptime, type of device, and presence of a firewall.

  39. NMAP • Nmap features include: • Host discovery - Identifying hosts on a network. For example, listing the hosts which respond to pings or have a particular port open. • Port scanning - Enumerating the open ports on one or more target hosts. • Version detection - Interrogating listening network services listening on remote devices to determine the application name and version number.[4] • OS detection - Remotely determining the operating system and hardware characteristics of network devices. • Typical uses of Nmap: • Auditing the security of a device by identifying the network connections which can be made to it.[citation needed] • Identifying open ports on a target host in preparation for auditing. • Network inventory, network mapping, maintenance, and asset management. • Auditing the security of a network by identifying unexpected new servers

  40. Ophcrack Ophcrack is a free open source program that cracks Windows passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. On most computers, ophcrack can crack most passwords within a few minutes. Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. By default, ophcrack is bundled with tables that allows it to crack passwords no longer than 14 characters using only alphanumeric characters. Ophcrack is also available as Live CD distributions which automate the retrieval, decryption, and cracking of passwords from a Windows system. http://ophcrack.sourceforge.net/

  41. DiskDigger DiskDigger is a compact, self-contained utility that can recover lost, damaged, and deleted files from any media your PC can read, including hard, floppy, and optical disks, flash drives, and memory cards. It bypasses the Windows file system drivers, with built-in support for all file systems, so it can scan most media directly. It scans disks deep, including reformatted, badly formatted, and wiped disks. It even handles disks with bad sectors and other damage, though it is not a repair utility. it is an excellent file-recovery tool that happens to be free. The entire application resides in one executable file that can be run from any PC, so there is nothing to install, and it leaves no traces of its operation behind.

  42. BackTrack BackTrack is a distribution based on the Debian GNU/Linux distribution aimed at digital forensics and penetration testing use. It is named after backtracking, a search algorithm. The current version is BackTrack 5 R3.

  43. BackTrack Tools BackTrack arranges tools into 12 categories: Information gathering Vulnerability assessment Exploitation tools Privilege escalation Maintaining access Reverse engineering RFID tools Stress testing Forensics Reporting tools Services Miscellaneous

  44. SSL Server Test

  45. Conclusion • Never save passwords or sync browser data on other people’s computers. • Try to use different passwords for each site—at least for banking and other sensitive accounts. • Password-protect your Windows account. • Create separate Windows accounts for each user, or at least for those you don’t fully trust. • For extended family or friends, utilize the Guest Windows account. • Use a good antivirus program and keep it updated. • Think about fully encrypting laptops, netbooks, and mobile devices. • Look into third-party password-management services like LastPass or KeePass. • Download and burn an ISO such as Backtrack– very useful • Use Metasploit, Nexpose and Nessus for penetration testing • TNO

  46. Conclusion

More Related