Chapter 3 PowerPoint Presentation
Presentation Transcript

  1. Chapter 3: Passwords
     • Principals authenticate to systems

  2. Basics
     • Authenticate user to machine
       • What you have: electronic device
       • What you know: password
       • Who you are: biometrics

  3. Password issues
     • Social engineering
     • Secure passwords are difficult to remember
     • Design errors
       • Mother's maiden name
     • Passwords: many passwords, many sites
       • Re-use between sites can be an issue
     • PINs: 1/3 use a birthdate
     • Many default passwords remain in systems

  4. Specific threats
     • Targeted attack on a specific account
     • Any account on a system
     • Any account on any system (in the domain)
     • Service denial attack
       • Intrusion detection systems
       • Lock account after 3 failed attempts to log in

  5. User training
     • Strong/secure password training
       • Give them food
       • The passphrase method works well
     • You must stay 1 step ahead of password cracking tools
       • Dictionary cracks
         • With end characters
         • With special characters
       • Brute force and time
     • Password policy

  6. Password attacks
     • Eavesdropping
       • Shoulder surfing
         • In person
         • Via camera (web cams are very small and cheap)
       • Electronically
         • Sniffing
         • Rogue programs during entry
         • Rogue hardware (keyboards, ATMs)

  7. Attacks on password storage
     • Attacks via logs
     • Unencrypted password files
     • Password cracking
       • Crack for UNIX
       • L0phtcrack for Windows
     • Weak passwords
       • Spouses' names
       • Changing the password enough times to cycle back around to the original

  8. Attacks on hashes
     • Distributed
     • Rainbow tables
       • Software: http://www.antsight.com/zsl/rainbowcrack/
       • Tables: http://www.plain-text.info/index/
       • Video: http://www.irongeek.com/i.php?page=videos/backtrackplaintext

  9. Consider
     • Password reuse
     • Training
     • Freeze accounts
     • How will attackers target
       • Any account, specific account
     • Snooped by
       • Shoulder
       • Network
       • False devices (software or hardware)
     • Current state of cracker programs

  10. Discussion articles
     • Current state of biometrics
     • Current password attacks
     • Current password crackers
     • Identity theft statistics and techniques

  11. Previous articles
     • This site is 2002 identity theft statistics:
       http://www.creditinfocenter.com/identity/IDTheftStats.shtml
     • Types of identity theft, methods, and statistics:
       http://www.irmi.com/Expert/Articles/2005/Olson07.aspx
     • Here's a FAQ article from the Navy regarding Kerberos:
       http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
     • Here's an article from Microsoft on how they implement Kerberos:
       http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/pagexplained0001.asp
     • This article talks about developing strong passwords in detail, something we were discussing in relation to password safety:
       http://insight.zdnet.co.uk/0,39020415,39249138,00.htm
     • This article lists many of the password cracking/hacking options for XP and NT Windows systems and details them further:
       http://www.petri.co.il/forgot_administrator_password.htm
     • Talks about weak encryption of RFID:
       http://www.networkworld.com/news/2005/0317rfidcrack.html?fsrc=rss-wirelesssec
     • RFID analysis and hacks:
       http://rfidanalysis.org/

  12. List of Resources
     • Authentication
       • http://en.wikipedia.org/wiki/Authentication
     • Password issues
       • http://www.mais.umich.edu/projects/2factor_passwords.html
       • http://www.informationweek.com/story/showArticle.jhtml?articleID=171201187

  13. List of Resources
     • Training
       • http://www.microsoft.com/midsizebusiness/securityrisk.mspx
       • http://www.comptechdoc.org/independent/security/policies/password-policy.html
       • http://www.comptechdoc.org/docs/ctdp/howtopass/

  14. List of Resources
     • Password attacks
       • http://www.windowsecurity.com/articles/Passwords-Attacks-Solutions.html
     • Kerberos
       • http://web.mit.edu/kerberos/
     • Threat modeling
       • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwawalkthrough.asp