Cyber security fundamentals, principles, and applications


National Institute of Standards and Technology: three substantial changes (June 2017)

1- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
2- No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers.
 - Like frequent password changes, it has been shown repeatedly that these types of restrictions often result in worse passwords.
 - Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as on simple ones.
3- Require screening of new passwords against lists of commonly used or compromised passwords.

Vulnerability

A weakness that allows a threat to be realized or to have an effect on an asset

Threat

Any action that could damage an asset

Dictionary Attack

Brute force attack in which passwords are guessed from a list of dictionary words.
•Most systems lock an account after n (3-5) incorrect password attempts.
•Hackers steal password files for offsite attacks.
•Lots of variations of dictionaries exist, and lots of tools use automated mangling algorithms to defeat simple variations.
•Salt is stored as plaintext in the password file.

Information system

Hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations

Using passwords over a network

How is the password transmitted? In a nutshell:
•Client
 -User enters password (x)
 -Client computes h(x|S)
 -Transmits h(x|S) to server
•Server
 -Compares h(x|S) to the stored hash for the user.
NOTE: if building a password verification system, follow a standard, not the template above. The above is for illustration only.

Risk

Likelihood that something bad will happen to an asset

What's wrong with NTLM?

•No salt. Two accounts with the same password have the same hash.
•Based on MD4, which was compromised in 1995.
 -Collision attack: can find two different messages m1 and m2 such that hash(m1) = hash(m2).
•Kept for backward compatibility.

Does salt defeat a dictionary attack?

No. Salt is stored as plaintext in the password file.

Other Attacks

•Pass the hash: authenticate with a stolen hash rather than a password.
•Key logging.
•Phishing.

Password files

Passwords are stored on systems in files. Password files should be protected; they are a favorite target of hackers.
General format: username:h(x):salt:uid:...
 -h(x) = hashed password

How are passwords stored?

Passwords should never be stored
•As plaintext
•With a reversible function
Use a hash to hide the password
•Hash = one-way function
 -By definition X cannot be derived from H(X)
 -Where X is the plaintext and H(X) is the hash of X
Salt the password
•Defeats rainbow tables

Information system security

The collection of activities that protect the information system and the data stored in it

Mitigation of Password Risks

•Account lockout
•Use "good" passwords
•Protect one-way hashes
•Protect syslogs, event logs
•Good use of error messages

Microsoft Windows Passwords

•LANMAN (old hash, also called LM)
 -Still around for older computers.
 -Disabled in Windows 7.
 -14 character max.
 -Uses DES to encrypt fixed words with the 2 halves of the password.
 -These are the easiest passwords to crack.
 -No salt.
•NTLM (LANMAN disabled)
 -127 character max.
 -Uses MD4 hash.
 -No salt.
•L0phtCrack can generate 1,200,000 cracks per second (on a 900MHz computer)
Example entry:
Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::
Format: Username:UserID:LM:NTLM:::

Linux Passwords

•Linux Passwords
 -Can be longer than 8 characters
 -Uses the MD5/SHA256/SHA512 checksum algorithm for encryption
 -There is a field in the shadow file to specify the hash algorithm.
 -Uses 8-character "salts"
 -John-the-Ripper can generate 118,000 cracks per second (on a 750 MHz computer)

Password Guidelines (Old)

•Should be at least 8-14 characters
•Use characters from each of the following four classes:
 -English upper case letters
 -English lower case letters
 -Westernized Arabic numerals (0,1,2,...)
 -Non-alphanumeric (special) characters such as punctuation symbols
•Don't use any part of the account identifier
•Don't use a proper name or any word in the dictionary without misspelling it in some way
•Don't use a word with numbers before or after it
•Don't use obvious phrases or sequences such as "GOEagles" or "123456" or "aaa111"

Risks with Passwords

•Social engineering
•Eavesdropping / shoulder surfing
•Fake login prompt
•Attacks on password storage
•Attacks via audit trail
•One-way encryption
•Multi-use passwords
