Password Cracking

The best way to get into a system is to “trick” the system into thinking you’re an authorized user. In many cases, you can do this simply by using a valid account name and password. This method is called password cracking. In this section, we will look at the tools and resources hackers use to obtain and/or crack passwords. Security administrators need to be aware of all the techniques and tools that can be used to impersonate a legitimate user, and how they work. Understanding how a crack was accomplished provides valuable clues to the cracker’s skill level and how determined he is to get into a particular network, as well as other characteristics that can help track down the culprit.

In computer security, there are three basic ways to validate user identity: the “what you know” method (with the password being what you know); the “what you have” method mentioned, which requires physical possession of some object such as a smart card; and the “what you are” method, which uses biometrics data such as a fingerprint or retinal or iris scan.

It’s important to know that the vast majority of networks rely solely on the first method, so anyone who knows or can guess the correct password that goes with a valid username can get in. Password cracking involves acquiring valid passwords. This can be done in several ways, including the following:

■ Brute force attacks Brute force might not be the most elegant solution for a hacker in search of a password, but it can be very effective—especially if strong password policies aren’t enforced. In its simplest form, a brute force attacker tries one possible password after another until she hits on the right one. Although someone can perform this process manually with a lot of time and patience, in practice it is usually done (much more efficiently) using a program that runs through all the words in a dictionary file, which is simply a large list of words (in what is sometimes called a dictionary attack) and other possible character combinations. Some of these cracking programs are very sophisticated and allow the cracker to implement rules or criteria. For example, if the cracker is able to obtain some information about the password—for example, the cracker knows that it consists of five alpha characters and three numeric—she can create a rule that will limit the program’s attempts to passwords that fit the criteria (apple123, seven890, and so on). This strategy narrows the number of possible passwords and speeds the cracking process. Also note that newer password-cracking tools and programs grow more and more sophisticated—an entire attack can be launched from one program with multiple dictionary files, the program can intelligently append numbers and special characters to the equation in hopes of gaining access. Remember, Brute Force means just that—through brute force and nonstop checking, the password will eventually be cracked. The only way to defend against a brute force attack is to periodically change your password to a new and evenly secure one.

■ Interception of passwords Another means of intercepting passwords is to use a keystroke logger. A keystroke logger is a hardware device or software program that captures and records every character that is typed— including passwords. It is often possible to detect an unauthorized packet sniffer on the wire using a device called a time domain reflectometer (TDR), which sends a pulse down the cable and creates a graph of the reflections that are returned. Users who know how to read the graph can tell whether and where unauthorized devices are attached to the cable.

■ Social engineering Unlike the other attack types, social engineering does not refer to technological manipulation of computer hardware or software vulnerabilities, and it does not require much in the way of technical skills. Instead, this type of attack exploits human weaknesses—such as carelessness or the desire to be cooperative—to gain access to legitimate network credentials. The talents that are most useful to the intruder who relies on social engineering techniques are the so-called “people skills,” such as a charming or persuasive personality or a commanding, authoritative presence. Social engineering is, in many cases, the easiest way to gain unauthorized access to a computer network.

Rootkits

Despite its name, a rootkit attack is not a method of obtaining root account privileges—at least, not directly. It is a group of programs that install a Trojan logon replacement with a backdoor, along with a packet sniffer, on UNIX systems as well as Windows systems. The sniffer can then be used to capture network traffic, including user credentials, thus giving the user access to the root account by logging on with legitimate credentials.

Rootkits come in all shapes and sizes. For example, a rootkit can be hidden within any Trojan horse, or other form of malware. Four types of rootkits can cause you numerous headaches: persistent, memory-based, user-mode, and kernel-mode.

Persistent rootkits are launched every time the system is rebooted. If your system has a rootkit on it, if it’s persistent, every time you restart the system the rootkit will reappear, even after you think you may have cleaned it off your system. Persistent rootkits are commonly found deep within the file system or in the system Registry. Memory-based rootkits resides only in memory (RAM), and when the system is rebooted after it’s cleaned, the rootkit should be gone. User-mode rootkits are very tricky because they try to evade detection by antimalware programs. By intercepting system calls, the rootkit is able to trick the system into believing that it is no longer installed. Kernel-mode rootkits are quite possibly the worst, because like user-mode rootkits, they evade detection and directly manipulate the system’s kernel. This means that the rootkit could take itself out of a running process and not appear in the Task Manager, for example.

Kerberos

Kerberos is a logon authentication protocol that is based on secret key (symmetric) cryptography. It usually uses the DES or Triple-DES (3DES) encryption algorithm, although with the latest version, Kerberos v5, algorithms other than DES can be used. Kerberos uses a system of “tickets” to provide verification of identity to multiple servers throughout the network. Vista was also released with enhancements to the base Kerebos protocol so that it can now work with AES.

This system works a little like the payment system at some amusement parks and fairs where, instead of paying to ride each individual ride, customers must buy tickets at a central location and then use those tickets to access the rides. Similarly, with Kerberos, a client who wants to access resources on network servers is not authenticated by each server; instead, all the servers rely on “tickets” issued by a central server, called the Key Distribution Center (KDC). The client sends a request for a ticket (encrypted with the client’s key) to the KDC. The KDC issues a ticket called a Ticket-Granting Ticket (TGT), which is encrypted and submitted to the Ticket-Granting Service (TGS). The TGS can be running on the same physical machine that is running the KDC. The TGS issues a session ticket to the client for accessing the particular network resource that was requested (which is usually on a different server). The session ticket is presented to the server that hosts the resource, and access is granted. The session key is valid only for that particular session and is set to expire after a specific amount of time. Kerberos allows mutual authentication; that is, the identities of both the client and the server can be verified.

SSH

SSH was designed to replace the use of Telnet, an IPv4 based protocol found on the application layer of the TCP/IP based OSI model. Telnet is used to gain remote access into systems and provide for a terminal in which text characters can be sent to and from a client to a server. Because this protocol is extremely old, it is easily exploited. Telnet sends data back and forth in cleartext. This includes the “credentials,” such as the username and password. Because Telnet can be easily sniffed by a sniffer or acquired in a Man-in-the-Middle attack, using Telnet should be avoided at all costs.

SSH allows users to log on to UNIX systems remotely. Both ends of the connection (client and server) are authenticated, and data—as well as passwords—can be encrypted. 3DES, Blowfish, and Twofish are encryption algorithms that are supported by SSHv2, which also allows the use of smart cards.

Smart Card Authentication

The term smart card has several different meanings. In a broad sense, it refers to any plastic credit-card-size card that has a computer chip (a memory chip and/or a tiny microprocessor) embedded in it to hold information that can be changed (as opposed to less “smart” cards that use a magnetic strip that holds static information). A smart card reader—a hardware device—is needed to write to and read the information on the card. Smart cards can be used for different purposes, but one of the most popular is for authentication. Satellite television services use smart cards in the SATV receiver to identify the subscriber and that subscriber’s service level. Banks use smart cards for conducting transactions. These cards are especially popular in Europe.

Smart cards can also be used for network logon authentication. This provides an extra level of security, the “something you have” factor. The cards are generally resistant to tampering and relatively difficult for a hacker to compromise, because they are self-contained. They’re also inexpensive in comparison with biometrics authentication devices.

Smart cards used for logon authentication generally store a digital certificate that contains user identification information, the user’s public key, and the signature of the trusted third party that issued the certificate, as well as a time for which the certificate is valid. The certificates are stored on the cards by an authorized administrator. To log on with a smart card, a user must insert the card in the reader or swipe it through and enter a PIN that is associated with the card. If the PIN is compromised, an administrator can change it or issue a new card. To use smart cards for network logon, the computer must run an OS that supports smart card authentication, such as Windows 2000, Windows XP, or Windows Vista.

A number of companies manufacture smart cards and readers. Some vendors make keyboards that have built-in smart card readers, and there are combination fingerprint scanner/smart card readers for providing both card-based and biometrics security. Although smart cards provide for extra security, they (like all authentication methods) are not foolproof. Many cryptographers have been able to “break” smart card encryption. In general, there are two methods for defeating smart cards: logical and physical. An example of a logical attack is erasing parts of the data on the embedded microchip by raising or dropping the voltage; in some cases, this activity “unlocks” the security without deleting the data. A physical attack might involve actually cutting the chip out of the card and using a laser-cutter microscope to examine it. Although a determined attacker might be able to crack the smart card in this way, these methods are not easy and they don’t always work.

Biometrics Authentication

Biometrics authentication devices rely on physical characteristics such as a fingerprint, facial patterns, or iris or retinal patterns to verify user identity. Biometrics authentication is becoming popular for many purposes, including network logon. A biometrics template or identifier (a sample known to be from the authorized user) must be stored in a database for the device to compare to a new sample given during the logon process. Biometrics are often used in conjunction with smart cards in high-security environments. The most popular types of biometrics devices are the following:

■ Fingerprint scanners These are widely available for both desktop and portable computers from a variety of vendors, connecting via a USB or Personal Computer Memory Card International Association (PCMCIA, or PC Card) interface.

■ Facial pattern recognition devices These devices use facial geometry analysis to verify identity.

■ Hand geometry recognition devices These are similar to facial pattern devices but analyze hand geometry.

■ Iris scan identification devices Iris scanners analyze the trabecular meshwork tissue in the iris, which is permanently formed during the eighth month of human gestation.

■ Retinal scan identification devices Retina scanners analyze the patterns of blood vessels on the retina.

Session 0

In Windows XP, Windows Server 2003, and earlier versions of the Windows OS, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privileges and therefore are targets for malicious agents who are looking for a way to elevate their own privilege level. Figure 3.1 shows how services and applications run within the same session. Each subsequent session is generated by a new logged-on user, as well as by remote users.

The Windows Vista OS mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive. In Windows Vista, only system processes and services run in Session 0, as shown in Figure 3.2.

The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users’ applications, and are therefore protected from attacks that originate in application code.

Within the session, you also have the Winlogon process, profile selection, the Shell, and the local security authority (LSA). The LSA is responsible for validation of credentials in Windows. This was the case with Windows XP and Windows Server 2003, but with Windows Vista, WinInit handles the LSA, Profiles, and Group Policy, and in other sessions, Winlogon handled each credential provider under the Logon User Interface (LogonUI).

Marking an Application

You can mark applications to run in an elevated fashion very easily by finding the application in which you want to configure and right-clicking it, selecting the Compatibility tab from the Properties dialog box, and under Privilege Level, selecting Run this program as an administrator. In Figure 3.5, we view the elevation of Regedit by modifying the privilege level to allow the program to run as an administrator.

Using the Local Security Policy to Configure UAC

You can disable Admin Approval Mode and UAC from prompting for credentials to install applications, and change the elevation prompt behavior, by changing the configuration within the Local Security Policy.

To disable Admin Approval Mode and UAC, click on the Start menu. When you open the menu, select All Programs | Accessories | Run. Type secpol.msc in the text area to open the Local Security Policy Microsoft Management Console (MMC), and click OK. The Local Security Policy MMC will open, as seen in Figure 3.6.

Once it is opened, drill down to the Security Options node in the MMC navigation pane. You can access this by going to Local Policies, and then clicking on the Security Options node. Scroll down until you find the User Account Control settings. Once there, you will find quite a few options you can adjust for UAC. Figure 3.7 shows disabling the Admin Approval Mode and UAC by selecting Disabled and clicking OK.

Disabling UAC When Installing Applications

You may want to disable UAC from prompting for credentials to install applications if you trust the users using the system to install applications without being prompted every time they do. For example, some users may be trusted to handle the installation of applications on their systems, or you may support a number of remote users that need to install applications remotely from time to time. In cases such as these, you may disable UAC from prompting each time someone needs to install an application.

From the Local Security Policy MMC, drill back down the UAC options in the Security Options node and select User Account Control: Detect application installations and prompt for elevation. As seen in Figure 3.8, you can enable or disable this option. Click OK for the settings to take place.

Changing the Prompt for UAC

You can also change how UAC will be invoked by changing the behavior of the elevation prompt for standard users. When standard users use the Vista system, either UAC can prompt them or you can configure it to automatically deny any elevation requests. You would do this to lock down the system completely and not allow users to even be prompted when privileges need to be elevated. The user can either be prompted for credentials (this setting requires username and password input before an application or task will run as elevated) or denied completely. Figure 3.9 shows the UAC settings you can adjust.

Sending an Invitation

There are three available options for sending the Remote Assistance invitation: Windows Messenger, e-mail, or saving the invitation as a file. Select one of the three options to send an invitation to an end user.

Access Control Fundamentals

☑ Understanding access control is vital to keeping any system secure. Ensuring physical access control means you will attempt to control physical access to the servers, networked workstations, network devices, and cabling connections. You also must be aware of other security considerations when working with wireless media, portable systems such as laptops and personal digital assistants (PDAs), and removable media such as Universal Serial Bus (USB) stick drives, CD-ROMs, and hard disks.

☑ An effective security plan does not rely on one technology or solution, but instead takes a multilayered approach.

☑ Although there are many, some of the most common attacks to access control come in the form of attempts to bypass your secure credentials, or getting software on the host machine that can do it for you from the inside, also known as a rootkit.

☑ Defense in depth is a multilayered approach to network security. By using firewalls, access control with secure credentials, a security policy, and so on, you apply a layered security posture that is hard to unravel.

Improving the Logon Architecture

☑ The new logon architecture in Windows Vista offers enhanced security benefits. Besides offering an improved, stable, and more reliable logon experience, Microsoft has completely rewritten the logon architecture to ensure that any services or functions not directly related to the logon process are now removed and used in other subsystems within Windows Vista.

☑ The logon architecture has been completely redesigned to facilitate more secure forms of authentication, such as smart cards. Before Vista, many administrators and engineers held the responsibility of developing the GINA interface beyond what it was initially intended to do. Developers worked to supplement other forms of authentication, such as biometrics systems, and other forms of security, such as OTP.

☑ The Windows logon architecture provides two main components: Winlogon and the GINA DLL. A DLL allows one library of information to serve multiple executable programs that may all share the same information or library. Vista does not support a GINA; instead, Microsoft replaced it with Credential Providers.

☑ The Windows Vista logon architecture has been completely redesigned in order to accommodate new security features that will make malware and other forms of exploitation almost nonexistent. When you log on to a Vista system, your logon request is handled by three separate sections: the Access Control services, the Cryptography services, and the secure OS.

☑ In Windows XP, Windows Server 2003, and earlier versions of the Windows OS, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privileges and therefore are targets for malicious agents who are looking for a way to elevate their own privilege level. The Vista OS mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive.

☑ One of Windows Vista’s main enhancements is the development and use of smart cards as a way to access the system securely.

User Access Control

☑ UAC is used to secure access to administrative privileges by allowing only standard accounts to have limited functionality.

☑ Administrator accounts will run in Administrator Approval Mode by default, as will UAC. If changes need to be made, the “shield” icon will appear, marking the use of or need for administrative action. Unless turned off, UAC will be invoked when needed.

☑ User accounts should not be able to do things they do not need to do. All that does is leave the door wide open for malware (or other forms of attack) that could compromise these accounts and allow access to system resources. Users should have only the privileges they need, and nothing more. With Windows Vista, UAC is used to separate user privileges from those that would require administrative rights and access.

☑ UAC defines access security by first limiting the surface area for attack. Accounts have been redefined so that if they are compromised, they will pose no security threat, but at the same time will allow for nonthreatening tasks to be functional. When administrative privileges are needed (such as when installing an application), the user will be prompted for an administrator password. UAC makes user accounts safer by prompting the user for approval before allowing him to perform any administrative tasks.

☑ UAC is also easier to understand. Now, when users are prompted for credentials, UAC more clearly defines what process is invoking it.

☑ UAC will also help shield users from malware and other exploits by allowing each user defined to require an administrative password to be able to see and use content on the Web. With UAC and parental controls, users can now enjoy a safer Web surfing experience, and children will not so easily be duped into doing things that compromised security in the past.

Remote Assistance

☑ Remote Assistance is used to offer help to remote users working on systems with Remote Assistance available, such as Windows XP SP2, Windows Vista, and Windows Server 2007 (codenamed Longhorn).

☑ Remote Assistance has historically been used (or not used) to access user desktops and interact with end users. One of the major enhancements to Vista is simply the redevelopment of the communication architecture, which enables Remote Assistance to work more quickly and efficiently than past versions.

☑ When using Remote Assistance, an end user has to “grant” an administrator access and permission to connect to and manipulate his system.

☑ Vista will not be able to offer full assistance to someone who is running Windows XP. Therefore, if your organization’s help desk depends on Remote Assistance, you will probably want to make sure the help desk staff are the last ones upgraded to Windows Vista.

☑ When using Remote Assistance, XP SP2 will have incompatibility problems. For example, Windows Vista now allows you to pause a session, whereas XP does not.

☑ The newly developed Remote Assistance will allow for highly granular logging to an XML file stored on the local system.

Network Access Protection

☑ NAP is new to Windows Vista and Windows Server 2007. With NAP, a new level of security has been implemented to secure access and control the spread of malware.

☑ To join a network, a system must comply with a health policy, usually maintained on a health policy server. With NAP, if a client does not meet the rules of a healthy machine, the system will not be allowed to join the network until it has been updated.

☑ The NAP client in Windows Vista simplifies the enforcement of network health policies and protects against malicious network attacks by enabling organizations to establish requirements for client health status (such as current software updates and up-to-date virus scanner signatures) and enforcing those requirements when the client connects to the network. If a client machine does not meet the health requirements, NAP can automatically update the machine or direct it to a separate “quarantine” area until the user or administrator can fix the situation.

☑ NAP is an extensible platform that provides an infrastructure and API for health policy enforcement. Independent hardware and software vendors can plug their security solutions into NAP, so IT administrators can choose the security solutions that meet their unique needs—and NAP helps ensure that every machine on the network makes full use of those solutions.

☑ NAP requires functionality and support from the Windows Server 2007 OS. Although the NAP client for Windows Vista is included in the OS, Microsoft will also release NAP client support in Windows XP SP2.