
After the sessions, not only did users come up to me and explain that they always thought security people were annoying, but now they understood what a key role we play in the success of the company. I even had the unthinkable happen: difficult users came up to me and apologized for giving us a hard time and promised to do their part. If that last sentence does not make a believer out of you, the percentages will. After I gave the sessions to most of the employees, we ran the cracking program again and only cracked 18 percent of the passwords in ten minutes.

If you decide to hold security awareness sessions, here are some tips to make them successful:

Hold the session on a Thursday or Friday.

Serve food.

Have it during lunch or in the afternoon.

Limit it to no more than two hours with questions.

Make it interesting and involve the users.

I usually like to hold the sessions at noon on Friday and serve pizza—what works even better is 2:30 on Friday and serve ice cream. It is amazing what you can get people to sit through if you give them food. If you serve hot fudge with the ice cream, you can even get the CIO to show up!

I knew that user awareness sessions were a good thing to do, but I did not realize the importance until after the sessions. Table 8.1 is a chart comparing the different methods of raising user awareness.

Table 8.1. Methods of Raising User Awareness on Passwords

Method                     Passwords Cracked in 10 Minutes   Comments
Nothing                    80%                               This is what I find at most companies.
Password policy            78%                               Even though there was not a huge impact, a policy is still critical.
Email                      77%                               Most users ignore email from security.
Post Message               77%                               Users become irate.
User awareness sessions    18%                               Clearly the best strategy.

I am now a firm believer that the only way to have strong passwords and good security is to have educated users. Don’t take this the wrong way, but if you have user awareness sessions and it does not improve your security, you did it wrong. Let the users fill out feedback forms so that you know what areas you should change the next time you give these sessions. Also, limit them to around 30 people so that you can have good interaction. Even if your security does not improve, you will be known companywide as the cool dude that gives out ice cream, which isn’t a bad thing.

Hackers Beware - New Riders Publishing

Password Management

Now that you have an understanding of the current problems, let’s look at password management issues. Most companies require users to come up with random passwords, but have no policies to support this requirement. Let’s look at why you need passwords and corresponding policies and what exactly I mean when I say you need strong passwords.

Why Do We Need Passwords?

The answer to this question might seem obvious, but believe it or not there are a lot of people that think passwords are a nuisance and should not be used. One common question users ask is “Why do we need passwords? Don’t we trust everyone?” The answer to that question is unfortunately “No, we do not trust everyone.”

Trust me, I have a long list of companies that had no passwords because they trusted everyone. There is only one problem with the list: most of the companies are no longer in business! Trust your friends and family, not your employees.

Another argument for trusting employees is, “We trust them everyday by giving them access to buildings and equipment, and they rarely steal computers. What makes us think they would steal information?” The answer to that is a little tricky. We trust users to a point. Most users would not steal computers because it is not easily done, is fairly easy to trace, and usually companies quickly realize the equipment is missing. Computers also have an obvious value. On the other hand, it is hard to tell if someone takes an unauthorized copy of a document home, and for most people, putting a value on a document is difficult.

Based on the fact that it is hard to control access to electronic information, passwords are very important, not only to protect individual privacy but also to protect sensitive information and track who has access to it. Therefore, passwords provide a nice mechanism to uniquely identify individuals and only give them access to the information they need. Just like most houses have keys so people can secure their belongings, passwords provide the keys to protect corporate information.

Why Do You Need a Password Policy?

Even though password policies do not cause all users to have strong passwords, they are still important. One of the problems with security is that people are always looking for the silver bullet. They want one thing that will fix all of their security issues. Security policies, and more specifically password policies, sometimes fall into this category. Administrators feel that if they have a strong password policy, they will never have to worry about weak passwords. That is far from the truth, but the policies are still necessary. Whenever you are implementing a new security measure, it is always important to have proper expectations. This way, you can tell how successful it is.

Password policies are important for several reasons. First, they explain to users what is expected of them and what the rules of the company are in regard to passwords. Security professionals might take it for granted that a strong password contains letters, numbers, and special characters and is very hard to guess, but an average user probably does not know that. The security policy lets users know what passwords should contain and why passwords are important and gives hints for picking good passwords. If you just send out a policy stating that all passwords must contain certain letters and be hard to guess, most users will get frustrated and try to work around it. If you explain to them why this is important and give them hints, they are more likely to follow the policy.

Another key aspect of the policy is enforcement. On one hand, your policy should state what action the company can take if a user does not follow the policy. For example, failure to adhere to the policy can result in termination of the employee. On the other hand, you do not want users to take it as a threat, because they get very defensive. If you have not figured it out, defensive users are very bad from a security standpoint. If you tend to have a large number of defensive and irate users, you might want to put a bulletproof vest in your security budget. (I actually did that once; unfortunately, the budget was not approved, but I tried.)

You also want to make sure the policy can be consistently enforced. If the policy states that any employee who does not follow the policy will have a security violation put in her permanent record, this must be followed for any employee that has a weak password. Too often, companies use strong wording but only enforce the policy for some employees. In those cases, the employees that did not follow it have a strong case against the company. Consistency and precedence are key.

Having a strong password policy is also beneficial for legal reasons. If a company wants to take a strong stance on security and be able to take legal action against an individual, it needs clearly documented policies. For example, let’s say that an attacker breaks into the company and compromises a large amount of information because of an employee’s weak password. To take action against the person with the weak password, the company needs a clear password policy that everyone is aware of and is signed and clearly enforced. Most users are not aware of this point, or this liability. If your company has a clear policy on passwords that it enforces and you (the employee) have a weak password that an attacker uses to compromise the system, you could be in some legal trouble.

What Is a Strong Password?

I keep talking about strong versus weak passwords, but what actually constitutes a strong password? Before I tell you what I consider a strong password, it is important to point out that the definition of a strong password can change drastically based on the type of business a company is in, its location, the people that work for the company, and so on. I stress this because the information I provide for what constitutes a strong password can change drastically based on your environment.

This definition also changes as technology increases. What was considered a strong password five years ago is now considered a weak password. The main reason for this change is the speed of computers. A state-of-the-art computer system today is considerably faster and cheaper than what was state-of-the-art five years ago. A password that took several years to crack with the fastest computer five years ago can be cracked today in under an hour. So, as technology changes and computers become faster and cheaper, passwords must become stronger.

Based on current technology, the following characteristics identify what I believe to be a strong password:

Changes every 45 days.

Minimum length of ten characters.

Must contain at least one alpha, one number, and one special character.

Alpha, number, and special characters must be mixed up and not appended to the end. For example, abdheus#7 is bad, but fg#g3s^hs5gw is good.

Cannot contain dictionary words.

Cannot reuse the previous five passwords.

Minimum password age of ten days.

After five failed logon attempts, password is locked for several hours.

As you read this, you probably can come up with arguments on why some of the items are invalid, but the thing to remember is that there is no perfect solution. When you come up with a password policy, tradeoffs have to be made with the goal of finding the right mix that fits best with a particular company (and its users).


How Do You Pick Strong Passwords?

Most users have weak passwords because they don’t know what constitutes a strong password and therefore don’t know how to create strong passwords for their accounts. I recommend educating users to use phrases as their passwords instead of words. Picking a password that is easy to remember, contains no dictionary words, and has numbers and special characters is no easy task. Remembering a phrase, however, is fairly easy; you simply use the first letter of each word as your password. If I tell you that your password is WismtIs!@#$%5t, you would probably say, “There is no way that I can remember that password!” But if I ask you to remember the phrase, “When I stub my toe I say ‘!@#$%’ five times,” you could probably remember it. Simply take the first letter of each word in the phrase, and you have your password.

I tell most people to pick a phrase that relates to their family or personal interests. You cannot use just a word that relates to family or personal interests, because it would be too easy for an attacker to guess; but because you are using phrases, it is okay to pick something related to your family or personal interests. For example, you will never forget when or where your child was born. So, one possible phrase is, “My 1st child was born at Oakridge Hospital on 7/14.” Now my password would be M1cwb@Oho7/14. That password would be extremely difficult for an attacker to guess, even if he knows when and where your child was born, because there are so many different combinations and phrases that you can use.

I have found that educating users and explaining to them how to pick phrases instead of words has a tremendous impact on the overall strength of passwords for a corporation.

How Are Passwords Protected?

So far in this chapter, we have covered a lot about passwords from a user’s perspective and things users can do to make their passwords harder to crack. Basically, if a user has a weak or blank password, there is no need to crack the password—an attacker would just guess it. In cases where a password cannot be easily guessed, an attacker has to crack the password. To do this, he must know how passwords are stored on the system.

Let’s look at it from a system perspective. What does the system do to keep passwords secure? Basically, any password stored on a system must be protected from unauthorized disclosure, unauthorized modification, and unauthorized removal.


Unauthorized disclosure plays a key role in password security. If an attacker can obtain a copy of your password and read it, he can gain access to the system. This is why it is important that users do not write down their passwords or reveal them to co-workers. If an attacker can obtain a copy of a user’s password, he can become that user, and everything the attacker does could be traced back to that user.

Unauthorized modification is important, because even if an attacker cannot read your password, he still might be able to modify it by overwriting the password with a word that he knows. This, in essence, changes your password to a value that the attacker knows, and he can do this without knowing the user’s actual password.

This has been a problem with various operating systems. In early versions of UNIX, there were attacks where an attacker could not read someone’s password, but would just overwrite the encrypted password with an encrypted password that the attacker knew. On early UNIX systems, the user IDs and passwords were stored in a readable text file called /etc/passwd. An attacker would create an account and give it a password that he knew. He would then try to gain writable access to /etc/passwd and if he could, he would copy the encrypted password of the account he just set up and overwrite the encrypted password of root. Then he could log in as root, without ever knowing the original password of root.

A similar modification attack is available with Windows NT. There is a program called LinNT, which creates a Linux bootable floppy for NT. An attacker could boot off the floppy, which would boot the system into Linux. This allows the attacker to list the user accounts on the NT system and overwrite any of the passwords with a password he chooses. This allows an attacker to perform an unauthorized modification of a password, without ever knowing the user’s original password.

Unauthorized removal is also important because if an attacker can delete an account, he can either cause a Denial of Service attack or recreate the account with a password of his choosing. Denial of Service attacks are a class of attacks where the goal is to deny legitimate users access to the system. For example, if over the weekend I broke into your system and deleted every user account, I would cause a Denial of Service attack because when everyone came in on Monday, they could not log on to the system and they would be denied access. Chapter 6, “Denial of Service Attacks,” covers these attacks in detail.

To protect passwords from unauthorized disclosure, modification, and removal, passwords cannot be stored in plain text on the system. Think about this for a minute. If there is a text file on the system that contains all of the passwords, it would be trivial for someone to just read the file and get everyone’s password. To defeat this, there needs to be a more secure way to store passwords on a system, and the solution is encryption. Encryption basically hides the original content, so if someone gets the encrypted password, he cannot determine what the original or plaintext password is.

Encryption

To understand why encryption is the solution, you need to understand what encryption is and how it works from a high level. This is not meant to be a complete explanation or description of encryption. Entire books have been written on encryption that cover this material in more depth. For a detailed description of encryption, I highly recommend the book Applied Cryptography by Bruce Schneier. This section is meant to give you enough information to better understand password cracking. In essence, it gives you enough information to be dangerous.

In its most basic form, encryption is the process of converting plain text into ciphertext, with the goal of making it unreadable. In this context, plain text is the original message or readable password, and ciphertext is the encrypted or unreadable version. For our purposes, the ciphertext is simply garbled text. To give you an example, the following is a plain text message:

This is a plaintext message.

Here is the corresponding message encrypted with Pretty Good Privacy (PGP):


As you can see, the encrypted message is very hard to read. Notice that the size of the encrypted message is considerably longer than the original plain text message.

Now that you know what encryption is, let’s look at the different types of encryption. There are basically three types of encryption:

Symmetric or single key encryption

Asymmetric or two key encryption

Hash or no key encryption

Symmetric Encryption

Symmetric encryption uses a single key to both encrypt and decrypt the text. If I encrypt a message and want you to be able to decrypt it, you have to have the same key that I used to encrypt it. This is similar to a typical lock on a door. If I lock the door with a key, you must have either the same key or a copy to unlock the door. The advantage of symmetric encryption is that it is very fast. The disadvantage is that you need a secure way to exchange the key prior to communicating.

Asymmetric Encryption

Asymmetric encryption overcomes the shortfalls of symmetric encryption by using two keys: a public and a private key. The private key is known only by the owner and is not shared with anyone else. The public key is given to anyone that would possibly want to communicate with you. The keys are set up so that they are the inverse of each other. Anything encrypted with your public key can only be decrypted with your private key, so this arrangement works out nicely. Someone who wants to send you a message encrypts it with your public key, and only the person with the private key can decrypt it and use it. The advantage of public key encryption is that you do not need a secure way to exchange the keys prior to communication. The disadvantage is that it is very slow.

For secure communications, most systems combine symmetric and asymmetric encryption to get the best of both worlds. You use asymmetric encryption to initiate the session and to exchange a session key. Because the session key is encrypted with public keys and decrypted with private keys, it can be sent in a secure fashion. After it is exchanged, the session key is used with symmetric encryption for the remainder of the session, because it is much quicker.


Hash Functions

Hash functions are considered one-way functions because they perform a one-way transformation of the information that is irreversible. Given an input string, the hash function produces a fixed length output string, and from the output string, there is no way to determine the original input string.

Looking at the preceding options, a hash function seems like the best way to store a password on a system because there is no key to worry about. Also, because it is irreversible, there is no way to get the original password. You are probably thinking, “If it is irreversible, how do you ever get back the original password so that you can verify someone’s password each time he logs on?” The answer is simple. Each time a user logs on to the system and types her password, the system takes the plain text password she enters, computes the hash, and compares it with the stored hash. If they are the same, the user entered the correct password. If they are not the same, the user entered the wrong password.

There is one possible limitation to hash functions, which is a by-product of how hash functions work. To use hashes to verify a user’s password, two passwords that are the same will hash to the same value. The weakness behind using hash functions is that if I have a password of pass1234 and you have a password of pass1234, we both have the same encrypted passwords. This enables a password cracker to crack both of our passwords at the same time, speeding up the process. To overcome this, a salt is often combined with a password before running it through the hash function.

The sole purpose of a salt is to randomize a password. By using a salt, two users with the same password will have different encrypted passwords. A salt is a random number that is combined with a password before it is run through the hash function. The salt is then stored with the encrypted password. Because the salt is random, two users do not have the same salt. So even if the passwords are the same, because the salts are different, two users will never have the same encrypted password.

Now that you know what a salt is, let’s discuss what occurs when a user tries to authenticate to a server. The user enters her password. Based on the user account, the system looks up the user and finds her salt and encrypted password. The system takes the password that the user entered, combines it with the salt, and runs it through the hash function. The system then takes the output and compares it to the stored encrypted string. If there is a match, the user is given access. If there is not a match, the user is denied access.
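As an added example (not from the book), this Python code implements the storage and verification flow just described: the unsalted hash shows the weakness where two users with pass1234 end up with the same stored value, and the salted version shows how a per-user random salt removes it. The user records are constructed; PBKDF2-HMAC-SHA256 from the standard library stands in for "the hash function", since a modern system uses a deliberately slow password hash rather than a bare digest.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor; a slow hash makes offline cracking costlier


def unsalted_hash(password):
    """The weakness the chapter describes: identical passwords, identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(db, user, password):
    """Draw a fresh random salt, hash salt + password, and store both.
    The plain text password itself is never written anywhere."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = {"salt": salt, "hash": digest}


def verify_password(db, user, attempt):
    """Logon flow from the text: look up the user's salt, hash the attempt with
    that salt, and compare with the stored value (constant-time compare)."""
    record = db.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def same_stored_hash(db, user_a, user_b):
    """True if two accounts hold identical stored hashes (what a cracker looks for)."""
    return db[user_a]["hash"] == db[user_b]["hash"]


def demo():
    """Constructed scenario: two users who both picked pass1234."""
    db = {}
    store_password(db, "alice", "pass1234")
    store_password(db, "bob", "pass1234")
    return {
        # Without a salt, alice and bob would be crackable together.
        "unsalted_collide": unsalted_hash("pass1234") == unsalted_hash("pass1234"),
        # With per-user salts, the stored hashes differ.
        "salted_collide": same_stored_hash(db, "alice", "bob"),
        "alice_ok": verify_password(db, "alice", "pass1234"),
        "alice_wrong": verify_password(db, "alice", "pass1235"),
        "unknown_user": verify_password(db, "carol", "pass1234"),
    }
```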


Password Attacks

Now that we have covered the foundation of passwords, let’s look at what password cracking is and the different types of attacks. In this section, we will compare password guessing and password cracking. We will also look at schemes like password lockout, which most companies use to increase their security, and show how it can actually allow an attacker to launch a Denial of Service attack against a company.

What Is Password Cracking?

Let’s delve into password cracking and what it entails. In its simplest sense, password cracking is guessing someone’s plain text password when you only have the encrypted password. There are a couple of ways this can be accomplished. The first is a manual method, where an attacker tries to guess a password and type it in. To accomplish this, you need to know a user ID and have access to a logon prompt for the network you are trying to get into. In most cases, this information is easy to acquire because most user IDs are made up of a first initial and last name. Also, most companies have dialup connections to their network, and by using a war dialer you can identify the modem lines.

The following is the general algorithm that is used for manual password cracking:

1. Find a valid user ID.

2. Create a list of possible passwords.

3. Rank the passwords from high probability to low.

4. Type in each password.

5. If the system allows you in—success!

6. If not, try again, being careful not to exceed password lockout (the number of times you can guess a wrong password before the system shuts down and won’t let you try any more).

In terms of complexity, this is easy to accomplish but very time-consuming, because an attacker would have to type in every password. If the attacker does not have any idea of someone’s password, this does not really pay off because most companies have account lockouts set for their accounts. Account lockout is a setting that locks the account after a predefined number of failed logon attempts. A typical setting is after five failed logon attempts within two hours, the account is locked for three hours. Locking a password account disables the account so that it is not active and cannot be used to gain access to the system.
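As an added example (not from the book), the following Python code implements the typical lockout setting just given: five failed logons within a two-hour window lock the account for three hours, after which the lock expires on its own. The account name, timestamps and logon sequence are constructed; the tracker also makes the trade-off visible, since anyone able to submit failed logons against a known user ID keeps that account locked, which is the Denial of Service angle the chapter returns to.

```python
from datetime import datetime, timedelta

# Policy values from the text.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(hours=2)
LOCKOUT_DURATION = timedelta(hours=3)


class LockoutTracker:
    """Tracks failed logons per account and decides when an account is locked."""

    def __init__(self):
        self.failures = {}       # account -> timestamps of recent failures
        self.locked_until = {}   # account -> time at which the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock has expired: clear state
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        # Only failures inside the sliding two-hour window count.
        recent = [t for t in self.failures.get(account, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_DURATION
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)


def attempt_logon(tracker, account, now, password_ok):
    """Outcome of one logon attempt: 'locked', 'success' or 'failed'."""
    if tracker.is_locked(account, now):
        return "locked"
    if password_ok:
        tracker.record_success(account)
        return "success"
    return "locked" if tracker.record_failure(account, now) else "failed"


def scenario():
    """Constructed sequence for user jdoe: five wrong passwords a minute apart, the
    right password while still locked, then the right password after the lock expires."""
    tracker, t0 = LockoutTracker(), datetime(2001, 1, 1, 9, 0)
    outcomes = [attempt_logon(tracker, "jdoe", t0 + timedelta(minutes=i), False) for i in range(5)]
    outcomes.append(attempt_logon(tracker, "jdoe", t0 + timedelta(minutes=10), True))
    outcomes.append(attempt_logon(tracker, "jdoe", t0 + timedelta(hours=3, minutes=5), True))
    return outcomes


def window_scenario():
    """Four failures, then a fifth 2.5 hours later: the old ones have aged out."""
    tracker, t0 = LockoutTracker(), datetime(2001, 1, 1, 9, 0)
    for i in range(4):
        attempt_logon(tracker, "jdoe", t0 + timedelta(minutes=i), False)
    return attempt_logon(tracker, "jdoe", t0 + timedelta(hours=2, minutes=30), False)
```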

Some companies have a permanent lockout. After five failed logon attempts within two hours, the account is permanently disabled until it is reactivated by an administrator. This can be advantageous. If someone is
