User authentication resources

No one wants security

Login/logout process & passwords

Hot link added Feb 11th 2006. Perusing this comprehensive set of links to security papers and statistical research relating to user passwords should quickly convince most of you that user ID + password is a broken authentication mechanism. It’s hard to find a more convincing argument for biometrics, other than the sheer convenience factor of being able to log in securely with a fingerprint or iris scan.

Hot link added Feb 11th 2006. If you ever wondered why information security experts recommend not clicking on the ‘remember my login details’ or similar options, then check out Protected Storage Explorer. This free Windows tool decrypts and displays usernames, passwords, credit card numbers etc. stored by programs such as Internet Explorer and Outlook Express in so-called protected storage on your PC. Now that’s what I call a misnomer! PassView is a similar freeware utility that, thankfully, also allows you to delete entries that you wish you hadn’t stored. And KeePass is a freeware utility to save passwords in a proper encrypted database (provided you trust the software developer to do that). RoboForm is a reasonably-priced commercial tool for the same purpose that comes in desktop and USB/portable versions, both of which use AES encryption, considered by security experts to be ‘somewhat better’ than Post-Its.

Rick Smith’s book Authentication: From Passwords to Public Keys (~$36 from Amazon) is recommended reading. The author’s website includes a sample chapter. The associated Center for Password Sanity has many useful links.

Digital Identity by Phil Windley (~$23 from Amazon) describes digital identity in relation to broader issues of trust and governance. The author’s website provides a set of identity policy templates.


Obtaining and cracking password files is a typical hacker technique for expanding their control of a compromised network. A video by Scott Pinzon explains that weak passwords (such as short words or plain words from a dictionary) are particularly vulnerable to crackers. The presentation is intended to be shown to an audience by an information security professional who then demonstrates techniques for choosing strong passwords or passphrases.

VIGILANTe has published a note concerning a brute force attack on the usernames and passwords controlling access to a Cisco wireless access point. The device gives a different password error message when the username is correct, which confirms valid usernames to whoever is guessing.

Password cracking programs such as Cain & Abel and RainbowCrack are powerful tools in the armory of crackers, hackers and information security professionals, though for different reasons. The former use them to obtain unauthorized access to your systems. The latter use them to demonstrate how weak passwords often are.

The US Secret Service uses a network of 4,000 computers for brute-force attacks on encrypted forensic evidence obtained from target systems, using plaintext snippets and information from the user’s browsed websites as cribs or clues to possible passwords. The system is somewhat reminiscent of the dedicated DES cracker built in 1999 by the Electronic Frontier Foundation, but uses spare cycles on desktop PCs rather like the SETI@home project.

The Cryzip Trojan encrypts files on an infected computer and then demands a $300 ransom for the decryption password.

An interesting white paper discusses vulnerabilities in Oracle’s crude password management function. It opens the possibility of brute force guessing, since there are limits on password complexity, and of ‘rainbow tables’, since there is no salt value to make the password hashes differ from one machine to another (authentication 101).

Microsoft’s advice on Strong passwords: How to create and use them recommends: “Do not type passwords on computers that you do not control. Computers such as those in Internet cafes, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing.”

A well-researched and well-written article about online banking user authentication discusses the range of authentication methods being used or trialed at a number of primarily US banks. User authentication is crucial to the issue of accountability: a customer cannot be held totally accountable for dubious transactions on his bank account if the bank cannot prove that the customer, rather than ‘someone else’ (normally a fraudster), logged in and submitted or authorized the transactions. The IT Governance Institute publishes lots of useful information on these topics.

Password crackers allegedly have legitimate uses e.g. recovering lost administrator passwords.

The SMTP user authentication mechanism used by MS Exchange is vulnerable to brute-force username and password guessing attacks. Spammers use the attack as a prelude to sending spoofed-header email through compromised servers, just as they use open relays to have spam originate from the server rather than their own system. More info here. [Beware using the same password for POP3 email and other systems.]

User IDs with weak passwords are easy targets for hackers - and this includes voicemail systems. Once a box is compromised, it’s an easy hack to change the autoreply voice message to “Yes, I’ll accept the call” and use the number to authorize billing for collect calls. Having dialed in, phone phreaks may find ways to make outbound calls, with both calls being charged to the organization that owns the system. Alternatively, the voice drop may be used for other types of social engineering attacks.

A study by Novell reported that over half of the UK workforce would consider accessing a former employer’s systems using their old ID and password if they were unhappy at losing their job. Organizations that don’t disable login IDs for former employees are asking for trouble.

A privilege escalation vulnerability in the Cisco Intrusion Protection System exploited a backdoor - an undocumented user ID with a default password giving access to the root fully-privileged administrator ID. 

I doubt anyone reading this is naive enough to think that shared public web access points (e.g. hotel LANs and Wi-Fi hotspots) are secure, so how do we explain that plaintext passwords are easily sniffed, even at information security conferences?

SecureEnvoy uses an interesting authentication scheme for their secure email offering. Recipients of secure emails receive the passwords via SMS text messages on their mobile phones. Emails are stored on SecureEnvoy’s servers and are accessed via HTTPS (although it is not clear from their sales literature whether SecureEnvoy has access to unencrypted emails on their server). Some banks use SMS messaging to authenticate their online banking customers.

Passfaces is a program to supplement the standard username+password Windows login process. It presents the user with a gallery of photographs of faces, asking the user to pick out the faces the person recognizes. An impostor is presumably unlikely to pick out the specific faces that the real user can so easily identify.

A range of advice on choosing good passwords is available from Microsoft, Sarah Granger and MIT.

A Processor Magazine editorial on managing passwords refers to a helpful example password policy published by the US National Center for Educational Statistics.

Search engines such as Google routinely index files published on the web, sometimes indexing and caching those which were never intended for publication (including some containing passwords).

Passwords are near the breaking point is a Gartner report predicting the demise of passwords as an authentication technique.

Restricting the characters that can be used in passwords (e.g. preventing the use of spaces or symbols) reduces password entropy and therefore weakens security, yet is quite common on the web in practice. It could be argued that it encourages people not to use their standard (strong) passwords on all sites, but unfortunately it also encourages them to write down the special passwords needed on some websites.

Biometrics, tokens and smartcards

Click here for an excellent, if somewhat technical, article from SecurityFocus on choosing strong passwords. For example, did you know Windows allows spaces in passwords? In other words, long passphrases are fine in Windows.

Biometrics by John Woodward et al. (~$23 from Amazon) is a collection of essays by some of the leading authorities in this field. This leads to some duplication between chapters but more depth than most other books on this topic.


The UK Government is preparing the ground to introduce compulsory ID cards with integrated biometrics. The Register’s “pub bore’s guide” gives more than enough details to bore the pants off the landlord.

NIST’s Information Technology Laboratory (ITL) Biometrics Resource Center has research papers, standards and other resources on biometrics.

Biometric methods of user authentication may be better than passwords but are certainly not infallible. Extremetech successfully defeated a number of biometric devices in the course of preparing a survey report.

BioLock is an interesting application-specific implementation of biometrics purely for SAP. Once users have authenticated to the system with their fingerprints, audit records are unequivocally tied to the corresponding individuals ... or at least, to those who originally authenticated at login time: the system cannot automatically stop someone using a logged-in terminal left unattended by the legitimate user. Nevertheless, with suitable policies in place, the logged-in user should be held to account for any use of their user IDs, even if they can prove they were taking a tea break or whatever at the time.

Former White House security advisor Richard Clarke claims “We go into a lot of buildings and sign-in and most of the time no one knows who we are. I sign my name Benjamin Franklin most of the time and no one notices.” [Personally, I prefer Michael Mouse, as does an infosec colleague whose surname, coincidentally, is Disney.]

NIST ran a project to define recommendations for Personal Identity Verification (PIV) of federal employees and contractors. 

RSA’s SecurID token is the market leading means of two-factor user authentication. This comes in the form of a key-fob with an LCD display showing a numeric code that changes every minute and is synchronized with an authentication server installed on customer networks. Other hardware and software versions are under development or recently released. Vasco is another popular two-factor-authentication supplier.

The Federal Financial Institutions Examination Council (FFIEC) has an FAQ about the requirement for US banks to improve user authentication for Internet banking customers. The FAQ ‘clarifies’ issues such as multifactor authentication and tokens.

Other authentication resources

Password/key management is a significant issue for organizations wishing to encrypt their laptops and/or desktops, whether encrypting the whole drive or individual volumes, directories or files, and whether encrypted in hardware or software. 

The ATA-3 specification for hard drives allows the disk platters to be locked out by the hard drive controller hardware until the correct user or master password is entered, namely when the drive is initially accessed by the PC BIOS during bootup. This method does NOT encrypt data stored on the platter but, if configured in the highest security mode, the controller wipes the drive if the master password has to be used to reset the user password. Specialist data recovery techniques (such as moving the platters to a different controller, perhaps) may still recover the original data, and due to implementation issues on some machines, physical or malware-based denial of service attacks may be possible.

AuthenticationWorld provides white papers on a variety of authentication-related topics and offers a 4-minute Flash-based security awareness video.

Pete Finnegan has published a fascinating set of papers on Oracle (in)security on his website.

Identity cards that have been used for decades in many countries are gradually being updated, with biometrics and smartcards high on the feature list. Several European countries are actively designing or implementing electronic ID cards, and they are already in use in Hong Kong and elsewhere. The UK’s proposed National Identity Card scheme has suffered a great deal of adverse publicity and political mumbo-jumbo. On the theory that there’s no smoke without fire, the chances of this project reaching implementation look remote but, in the best tradition of runaway projects, it is already eating up budget at an increasingly alarming rate, and various politicians are publicly committing themselves to the cause, making it ever harder to stop (regardless of how far off the rails it ends up). [Personally, as a former UK taxpayer, I’d like to see the business case for this project. Does it even have one?]

Related NoticeBored links collections

Phishing, identity theft, IT fraud and trust


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.


Copyright © 2008 IsecT Ltd.