Intrusion
"They're impossible to test because nobody knows what to test for." - Niels Ferguson & Bruce Schneier, regarding security systems.
There are 2 major computer security threats: (1) intrusion and (2) viruses. Intrusion ranges from the benign, people exploring networks out of curiosity, to the malign, people who wish to disrupt processes, read highly sensitive information or modify data. The problem is that there is no way to know beforehand whether an intruder is benign or malign. Intrusion can consist of attempts to copy password files or of suspicious RPCs (Remote Procedure Calls). Because of globalization, the growing number of client/server applications and hackers' steep learning curves, computer intrusion remains highly prevalent.
An example was the case at Texas A&M University in August 1992. Certain computers at the university's computer center were being used to attack other computers via the Internet. Files were found containing multiple passwords, some of them for important servers. The hackers had a two-level hierarchy: a few highly skilled people, and a plethora of foot soldiers who used the supplied cracking programs, did not really understand how things worked, but were willing to spend numerous hours probing for weaknesses. Additionally, the hackers modified login software to capture the passwords of people logging on to systems; ironically, the captured passwords were collected on a bulletin board located on one of the victims' machines.
Techniques
Stallings lists 8 techniques for learning passwords:
1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
2. Exhaustively try all short passwords (those of one to three characters).
3. Try words in the system's online dictionary or a list of likely passwords. Examples of the latter are readily available on the hacker bulletin boards.
4. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that related to hobbies.
5. Try users' phone numbers, social security numbers and room numbers.
6. Try all legitimate license plate numbers for this state.
7. Use a Trojan horse to bypass restrictions on access.
8. Tap the line between a remote user and the host system.
Guessing a password is tedious, and systems usually reject login attempts after 3 tries, so intruders try other, more automated ways to get around this. A Trojan horse can live within another application: for instance, a bored system operator might be lured into playing a computer game that actually reads system files in the background.
Prevention
Prevention is difficult because it demands an absolute measure: every possible avenue of attack must be thwarted. Ultimately, passwords are what hackers strive for. Let us examine UNIX password protection and its vulnerabilities. A new user selects a password of up to 8 characters, which is converted to a 56-bit value. This value, along with a 12-bit "salt" value randomly generated from the time, is fed into an encryption scheme such as DES. The resulting ciphertext password is then stored with the salt value and the user ID. The salt prevents duplicate passwords from being visible, effectively increases the password space by a factor of 4096 (2^12), and prevents the use of a hardware DES implementation, which would otherwise ease brute-force attacks.
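The following Python is an added illustration of the store-and-verify flow just described; it is not code from the page. SHA-256 stands in for the salt-modified DES of the real crypt(3) (an assumption made so the block runs stand-alone); the 12-bit salt, the 8-character limit and the stored "salt plus ciphertext" layout follow the text.

```python
import hashlib
import os

SALT_BITS = 12
SALT_SPACE = 1 << SALT_BITS      # 4096 possible salt values
MAX_LEN = 8                      # only the first 8 characters are used


def new_salt() -> int:
    """Random 12-bit salt (the original scheme derived it from the clock)."""
    return int.from_bytes(os.urandom(2), "big") & (SALT_SPACE - 1)


def hash_password(password: str, salt: int) -> str:
    """Stored form 'salt:digest'. SHA-256 is a stand-in for salted DES."""
    key = password[:MAX_LEN].encode()          # 8 x 7-bit chars = 56-bit key
    digest = hashlib.sha256(salt.to_bytes(2, "big") + key).hexdigest()
    return f"{salt:03x}:{digest}"


def verify(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt stored beside it."""
    salt = int(stored.split(":", 1)[0], 16)
    return hash_password(password, salt) == stored


def precomputed_table_size(n_words: int) -> int:
    """Entries a precomputed dictionary needs to cover every salt value."""
    return n_words * SALT_SPACE


def hides_duplicates(password: str) -> bool:
    """Two users with the same password get different stored values."""
    a, b = 0x123, 0x456          # two different constructed salts
    return hash_password(password, a) != hash_password(password, b)
```

Note that `hash_password("password123", s)` equals `hash_password("password", s)`: the 8-character truncation means the extra characters add no strength.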

There exist 2 threats to UNIX passwords. A user can gain access via a guest account and then run a password-guessing program; with little resource consumption the cracker can check thousands of passwords. Ultimately, password cracking relies on the fact that some passwords are going to be easily guessable. A study done at Purdue University showed that out of approximately 7000 users, 3% had passwords of 3 characters or fewer. Granted, a system can require a larger password length, such as 8 characters, but we still have the guessing element to deal with. Which set of passwords is easier to remember: (i38sr4j3 s6b0pl3k qsd9y82t) or (william7 black873 2beornot)?
Another study was conducted by Klein, in which 1/4 of 14,000 UNIX encrypted passwords were guessed. The following strategy was used: attempt personal information such as the user's initials, account name, etc.; attempt words from a dictionary and various permutations of those words; attempt reversing a word, using upper case, etc. A total of roughly 3 million words were accumulated, and encrypting these words with all possible salt values takes roughly an hour. Even though the rate of finding a match can be relatively low (not in this study, however), it only takes one. The following is a chart from that study:
| Types of Passwords | Search Size | Number of Matches | % of Matched |
|---|---|---|---|
| User/Account name | 130 | 368 | 2.7% |
| Character Sequence | 866 | 22 | 0.2% |
| Numbers | 427 | 9 | 0.1% |
| Chinese | 392 | 56 | 0.4% |
| Place names | 628 | 82 | 0.6% |
| Common places | 2239 | 548 | 4.0% |
| Female names | 4280 | 161 | 1.2% |
| Male names | 2866 | 140 | 1.0% |
| Uncommon names | 4955 | 130 | 0.9% |
| Myths & legends | 1246 | 66 | 0.5% |
| Shakespearean | 473 | 11 | 0.1% |
| Sports terms | 238 | 32 | 0.2% |
| Science fiction | 691 | 59 | 0.4% |
| Movies and actors | 99 | 12 | 0.1% |
| Cartoons | 92 | 9 | 0.1% |
| Famous people | 290 | 55 | 0.4% |
| Phrases and patterns | 933 | 253 | 0.8% |
| Surnames | 33 | 9 | 0.1% |
| Biology | 58 | 1 | 0.0% |
| System dictionary | 19,683 | 1027 | 7.4% |
| Machine names | 9018 | 132 | 1.0% |
| Mnemonics | 14 | 2 | 0.0% |
| King James Bible | 7525 | 83 | 0.6% |
| Miscellaneous words | 3212 | 54 | 0.4% |
| Yiddish words | 56 | 0 | 0.0% |
| Asteroids | 2407 | 19 | 0.1% |
| Total | 62,727 | 3,340 | 24.2% |
So it suffices to say that if you have to choose a password, choose one that is at least semi-random. Some current applications will even flag a weak or predictable password (based on statistics) and prompt the user to choose another.
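A proactive checker of the kind just mentioned, written as an added example (not the page's code): it undoes the permutations Klein tried (reversal, case, digit suffixes) and tests the result against Stallings' techniques 1 to 6. The word list, the default-account list and the user record are constructed sample data; a real checker would load the system dictionary and the user's account details.

```python
import string

# Constructed sample data, not from the page: a tiny stand-in for the system
# dictionary and for the shipped default passwords of technique 1.
DICTIONARY = {"william", "black", "secret", "dragon", "aggie", "password"}
DEFAULTS = {"admin", "guest", "system", "manager"}


def core_forms(password: str) -> set[str]:
    """Undo Klein-style permutations: lower-case, strip digits, reverse."""
    low = password.lower()
    stripped = low.rstrip(string.digits).lstrip(string.digits)
    return {low, low[::-1], stripped, stripped[::-1]}


def check_password(password: str, user: dict) -> list[str]:
    """Return the reasons a password is predictable (empty list = accepted)."""
    reasons = []
    forms = core_forms(password)
    if len(password) <= 3:
        reasons.append("short enough to try exhaustively (technique 2)")
    if password.lower() in DEFAULTS:
        reasons.append("shipped default account password (technique 1)")
    if password.isdigit():
        reasons.append("all digits: phone, SSN or room number style (technique 5)")
    personal = {user[k].lower() for k in ("login", "first", "last", "spouse", "plate")}
    for word in sorted(personal & forms):
        reasons.append(f"built from personal information '{word}' (techniques 4 and 6)")
    for word in sorted(DICTIONARY & forms):
        reasons.append(f"dictionary word '{word}' or a permutation of it (technique 3)")
    if not reasons and len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


# Constructed sample user record (technique 4 information).
USER = {"login": "wblack", "first": "william", "last": "black",
        "spouse": "mary", "plate": "abc123"}

if __name__ == "__main__":
    for candidate in ("william7", "black873", "2beornot", "i38sr4j3", "guest", "123"):
        print(candidate, "->", check_password(candidate, USER) or "accepted")
```

Run against the page's two example sets, the random passwords pass while william7 and black873 are flagged; 2beornot slips through because a phrase is not in this small word list.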
Detection
A second line of defense is intrusion detection. The quicker an intrusion is detected, the less damage can be done. However, the 64 thousand dollar question is how an intruder is properly distinguished from an authorized user. Granted, behavioral patterns differ slightly, but there is a behavioral overlap, which can lead to false positives. Sometimes a more historical approach is needed, in which audit trails are kept of all users so that there exists an additional basis for comparison.
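An added example (not from the page) of the audit-trail comparison described above: historical records build a per-user profile of usual login hours, and a new day's records are checked against it and against the 3-try lockout threshold mentioned earlier. Both audit trails are constructed sample data in an assumed "date hour user outcome" layout.

```python
from collections import defaultdict

# Constructed audit trails, not from the page: "date hour user outcome".
HISTORY = """
1992-08-03 09 alice ok
1992-08-03 10 alice ok
1992-08-04 09 alice ok
1992-08-03 14 bob ok
1992-08-04 15 bob ok
1992-08-04 16 bob fail
"""
TODAY = """
1992-08-05 03 alice ok
1992-08-05 14 bob ok
1992-08-05 14 bob fail
1992-08-05 14 bob fail
1992-08-05 14 bob fail
1992-08-05 10 alice ok
"""
MAX_TRIES = 3   # the lockout threshold the page mentions


def parse(trail: str) -> list[tuple[str, int, str, str]]:
    rows = []
    for line in trail.strip().splitlines():
        date, hour, user, outcome = line.split()
        rows.append((date, int(hour), user, outcome))
    return rows


def build_profiles(rows) -> dict[str, set[int]]:
    """Hours at which each user has historically logged in successfully."""
    hours = defaultdict(set)
    for _, hour, user, outcome in rows:
        if outcome == "ok":
            hours[user].add(hour)
    return hours


def detect(rows, profiles) -> list[tuple[str, str]]:
    """Flag (a) logins outside a user's usual hours, (b) 3 failures in a row."""
    alerts, streak = [], defaultdict(int)
    for _, hour, user, outcome in rows:
        if outcome == "fail":
            streak[user] += 1
            if streak[user] == MAX_TRIES:
                alerts.append((user, f"{MAX_TRIES} consecutive failed logins"))
        else:
            streak[user] = 0
            if hour not in profiles.get(user, set()):
                alerts.append((user, f"successful login at unusual hour {hour:02d}"))
    return alerts
```

The 03:00 alert for alice is exactly the behavioral overlap the text warns about: it may be a genuine late shift, so the historical profile reduces false positives but does not eliminate them.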
Links
http://directory.google.com/Top/Computers/Hacking/
http://directory.google.com/Top/Society/Issues/Terrorism/Cyber_Terrorism/
http://www.bletchleypark.net/crypt/securitytips.html