Access Control Attacks
Gaining access (getting through that hard and crunchy outside) to a system or network is an attacker’s first objective. Attackers commonly use several methods of attack against access control systems, including
Brute-force or dictionary attack: The attacker attempts every possible combination of letters, numbers, and characters to crack a password, passphrase, or PIN. A dictionary attack is essentially a more focused type of brute force attack in which the attacker uses a predefined word list. You can find such word lists or dictionaries, including foreign language and special-interest dictionaries, widely available on the Internet for use in password-cracking utilities such as L0phtCrack and John the Ripper. Attackers typically run these password-cracking utilities against a copy of the target system’s (or network’s) security accounts database or password file. The utility creates hashes of passwords contained in its dictionary or word list, and then compares the resulting hash to the password file. These types of programs work very quickly and effectively (see the sidebar “How much brute force does it take to crack your passwords?” in this chapter), even when organizations use complex passwords, so the key to defending against a brute-force or dictionary attack is to protect your security accounts databases and password files.
Buffer or stack overflow: Buffer or stack overflows constitute the most common and successful type of computer attacks today. Although often used in Denial of Service attacks, buffer overflows in certain systems or applications may enable an attacker to gain unauthorized access to a system or directory. An overflow occurs when an application or protocol attempts to store more information than the allotted resources will allow. This causes previously entered data to become corrupted, the protocol or application to crash, or other unexpected or erratic behavior to occur. A teardrop attack is a type of stack overflow attack that exploits vulnerabilities in the IP protocol. The best defense against buffer or stack overflow attacks is to identify and patch vulnerabilities in the system, network, and applications as quickly as possible after each vulnerability is identified (and ideally before the affected code or application is used in a production environment).
Man-in-the-Middle attacks: Here an attacker intercepts messages between two parties and forwards a modified version of the original message to the intended recipient. For example, an attacker may substitute his or her own public key during a public-key exchange between two parties. The two parties believe that they’re still communicating only with each other and unknowingly encrypt messages by using the attacker’s public key, rather than the intended recipient’s public key. The attacker can then decrypt secret messages between the two parties, modify their contents as desired, and send them on to the unwary recipient.
Packet (or password) sniffing: An attacker uses an application or device, known as a sniffer, to capture network packets and analyze their contents, such as usernames and passwords, and shared keys.
Session hijacking: Similar to a Man-in-the-Middle attack, except that the attacker impersonates the intended recipient, instead of modifying messages in transit.
Social engineering: This low-tech method is one of the most effective and easily perpetrated forms of attack. Common techniques involve phishing (see the sidebar “Gone phishin’,” in this chapter), dumpster diving, shoulder surfing, raiding cubicles (looking for passwords on monitors, under keyboards, and under mouse pads), and plain ol’ asking. This latter brazen technique can simply involve the attacker calling a user, pretending to be a system administrator and asking for the user’s password, or calling a help desk pretending to be a user and asking to have the password changed.
How much brute force does it take to crack your passwords?
Passwords remain the most ubiquitous form of access control used on systems and networks today. But password security is something of a misnomer. Assuming that an attacker has gained access to your system’s password file or security accounts database, how long would it take for him or her to crack your user’s passwords? One week? One day? One hour? Try 14 seconds! That’s the approximate average time it takes to crack a Windows password. Most attackers can crack a password in less than a minute by using commonly available tools such as John the Ripper or L0phtCrack.
So, why even bother with passwords? But wait — don’t be so quick to scuttle your passwords! You can still use passwords as an effective means of securing your systems and networks. Consider the following:
The time and effort it takes for an attacker to crack a password is relatively inconsequential compared to the time and effort it takes to gain access to your password file or security accounts database. After all, if an attacker has already gained access to your systems, you may already have bigger problems than compromised passwords!
Although attackers can usually crack most passwords in less than a minute, a security policy that requires a password of eight characters — using a mix of upper- and lowercase letters and numbers — yields more than 218 trillion possible passwords, which theoretically would take a maximum of 253 days for an attacker to crack.
You can achieve password security not only through the passwords themselves, but also through the combination of password policies and enforcement mechanisms. Consider your bank card’s PIN — which is nothing more than a four-digit password. A four-digit password yields only 10,000 possible combinations, and an attacker can crack it easily in less than one second! Yet PINs are reasonably effective for many reasons. First, the bank keeps the security accounts database very secure, which means an attacker would have to mount a brute-force attack on the database in the old-fashioned way — manually entering PIN combinations into an ATM. After three bad attempts, the ATM literally eats the bank card. This card confiscation demonstrates effective use of an account lockout and lockout duration policy (three bad attempts and forever, respectively), as well as two-factor authentication — something you have becomes something you had, and you get no more guesses!
When an organization implements passwords with an effective (and enforced) security policy, passwords can provide adequate internal security by preventing authorized users from logging in as other authorized users and establishing non-repudiation. Most users don’t attempt to run a password-cracking utility against their organization’s systems, but they might be tempted to log in with someone else’s credentials if that other person has his or her password taped to a computer monitor or hidden under a mouse pad, or he or she carelessly shared it with others.
A password policy that requires users to change their passwords frequently (such as every 30 days) can limit the damage — or, at least, the length of time that an attacker can do damage with a compromised account.
Organizations should employ various tactics and processes to counter access control attacks, including
Threat modeling. Ensures that security is a key design consideration early in the application development lifecycle. A security specification is created and tested during the design phase to identify likely threats, vulnerabilities and countermeasures for a specific application and its uses.
Asset valuation. The process of assigning a financial value to an organization’s information assets, thereby enabling an objective measure of the systems and data that require various levels of protection.
Vulnerability analysis. The process of identifying defining, identifying and prioritizing a system’s vulnerabilities.
Access aggregation. Combines all of a user’s access rights, privileges, and permissions in a single or multiple systems (for example, using single sign-on or SSO).