Page 67 - DCAP516_COMPUTER_SECURITY
Unit 6: User Authentication
The ID determines whether the user is authorized to gain access to a system. In some
systems, only those who already have an ID filed on the system are allowed to gain access.
The ID determines the privileges accorded to the user. A few users may have supervisory
or “super-user” status that enables them to read files and perform functions that are
especially protected by the operating system. Some systems have guest or anonymous
accounts and users of these accounts have more limited privileges than others.
The ID is used in what is referred to as discretionary access control. For example, by listing
the IDs of the other users, a user may grant permission to them to read files owned by that
user.
Passwords are, by far, the most popular factor used for authentication. Therefore, protecting
passwords from compromise and unauthorized use is crucial.
Similar to a one-time pad in cryptography, a one-time password provides the highest level of
password security. Because a new password is required every time a user logs on to the network,
an attacker cannot use a previously compromised password.
A password that changes frequently is called a dynamic password. A password that is the same
for each logon is called a static password. An organization can require that passwords change
monthly, quarterly, or at other intervals, depending on the sensitivity of the protected information
and the password’s frequency of use.
In some instances, a passphrase can be used instead of a password. A passphrase is a sequence of
characters that is usually longer than the allotted number of characters for a password. The
passphrase is converted into a virtual password by the system.
Passwords can be generated automatically by credit-card-sized memory cards, smart cards, or
devices resembling small calculators. Some of these devices are referred to as tokens.
6.3.1 Attacks on Passwords
To understand how to protect yourself from a password attack, you should become familiar
with the most commonly used types of attacks. With that information, you can use password
cracking tools and techniques to regularly audit your own organization’s passwords and
determine whether your defenses need bolstering. To that end, here’s a primer of the most
widely used types of attacks:
1. Password Guessing: The most common type of attack is password guessing. Attackers can
guess passwords locally or remotely using either a manual or automated approach.
Password guessing isn’t always as difficult as you’d expect. Most networks aren’t configured
to require long and complex passwords, and an attacker needs to find only one weak
password to gain access to a network. Not all authentication protocols are equally effective
against guessing attacks. For example, because LAN Manager authentication is
case-insensitive, a password guessing attack against it doesn’t need to consider whether letters
in the password are uppercase or lowercase.
Many tools can automate the process of typing password after password. Some common
password guessing tools are Hydra (see http://www.thc.org for links to the downloadable
tool), for guessing all sorts of passwords, including HTTP, Telnet, and Windows logons;
TSGrinder (http://www.hammerofgod.com/download.htm), for brute-force attacks
against Terminal Services and RDP connections; and SQLRecon
(http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=26), for brute-force attacks against SQL
authentication.
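Automated guessing of the kind described above leaves a recognisable trace in authentication logs: many failed logons from one source in a short time, sometimes followed by a success. The following is an added detection example, not part of this unit’s text; the syslog-style log format, the sample lines, the source addresses and the threshold and window values are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-like); not from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:02 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:03 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:04 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:05 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:06 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T10:05:00 sshd: Failed password for bob from 198.51.100.7
2024-03-01T11:00:00 sshd: Accepted password for carol from 192.0.2.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, source) tuples for lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["src"]))
    return events

def find_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Map source -> set of usernames it tried, for any source with at least
    `threshold` failed logons inside a sliding `window` (automated guessing)."""
    failures = defaultdict(list)
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.setdefault(src, set()).update(u for _, u in fails[start:end + 1])
    return alerts

def successes_after_burst(events, alerts):
    """(source, user) pairs where a flagged source also logged in successfully
    as an account it was guessing: the signature of a guess that worked."""
    return {(src, user) for _, result, user, src in events
            if result == "Accepted" and user in alerts.get(src, set())}
```

On the sample log, `find_guessing` flags 203.0.113.5 for trying both `alice` and `admin`, and `successes_after_burst` reports that the same source then logged in as `alice`, the case that should be escalated rather than merely rate-limited.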
LOVELY PROFESSIONAL UNIVERSITY 61