Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Brute Force Attacks

The most basic attack, and one that takes several forms, is brute force. In its simplest form the hacker sits down at a terminal and performs an online attack: the adversary enters your username and manually guesses passwords. Given unlimited attempts, an adversary may eventually guess the password. Login guessing attacks are countered by configuring the operating system to limit the number of failed login attempts allowed for each user. After the threshold is reached, the account is locked and that user cannot log in until the system administrator intervenes by resetting the password or unlocking the account in some other way.

Unfortunately, this defense policy opens the door to a denial of service attack. A malicious person could cycle through every user account on the system, exceed the failed login threshold for each, and lock out all of the accounts. The policy should therefore be configured so that the root user, or another privileged user, is always able to access the system from a designated, physically secure console in order to correct the situation. To generalize, any authentication system should be resistant to denial of service attacks that lock out the system administrator. On computers with an external media device, such as a tape or a CD-ROM drive, the administrator can always boot the system from backup media, enter a limited computing environment known in UNIX as single-user mode, and take corrective action.

One can further deter manual guessing by slowing the login procedure. For example, after an incorrect password is entered, the system can delay for a time interval before presenting the next login prompt. The interval can be computed as an increasing function of the number of failed logins from that terminal device, or it can be a constant value, such as always delaying two minutes after three failed login attempts for a single user. If increasing delays are used, another configuration value is needed to determine when the interval resets to its initial state. A variation on the interval delay is to change the time allowed between keystrokes while the password is being read.

Another defense involves locking the terminal itself after a configured number of failed login attempts. As in the preceding case, the terminal can be reset only by an authorized administrator. Some operating systems also provide an option for configuring which terminal devices individual users are able to use for login. A failed login attempt at an unauthorized terminal is usually not counted against the failed login threshold. With today’s ubiquitous networked computer environments, some operating systems extend the notion of “authorized terminal” to include a range of valid network addresses.

Notice that these defenses against manual guessing attacks serve only to deter the hacker. Failed login thresholds, delay intervals, and the other defenses will not prevent a brute force attack from being attempted. They will, however, discourage someone from instigating one and increase the difficulty of executing it successfully. Preventing a brute force attack from happening is nearly impossible. It is highly probable, though, that one can prevent a manual guessing attack from succeeding.
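The lockout, privileged-console, terminal-lock, increasing-delay and authorized-terminal policies described above, as an added illustration that is not code from the book. The class and field names, the fake clock, the accounts and the terminal names are all invented for the demo, and the password table is plaintext only because the point here is the attempt-counting logic, not password storage.

```python
"""Simulated login policy: per-user failed-login threshold and lockout, a
privileged user exempted at a designated console, a terminal lock, a doubling
delay that resets after an idle interval, and authorized-terminal checks.
Added example, not code from the book; every name here is invented."""
from dataclasses import dataclass
import time


@dataclass
class LoginPolicy:
    max_failures: int = 3            # failed attempts before the account locks
    base_delay: float = 2.0          # seconds of delay after the first failure
    max_delay: float = 120.0         # cap for the doubling delay
    reset_after: float = 900.0       # idle seconds before a failure count resets
    max_terminal_failures: int = 10  # failures (any user) before a terminal locks
    privileged_user: str = "root"
    console: str = "console"         # physically secure device, never locked


@dataclass
class State:
    failures: int = 0
    last_failure: float = 0.0
    locked: bool = False


class LoginGuard:
    def __init__(self, users, policy=None, allowed_terminals=None,
                 clock=time.monotonic):
        self.users = users                      # user -> password (demo only)
        self.policy = policy or LoginPolicy()
        self.allowed = allowed_terminals or {}  # user -> set of permitted terminals
        self.clock = clock                      # injectable so the demo can fake time
        self.accounts = {}                      # user -> State
        self.terminals = {}                     # terminal -> State

    def _state(self, table, key):
        st = table.setdefault(key, State())
        # A lock persists until an administrator clears it; only the failure
        # counter (and hence the delay) decays after reset_after idle seconds.
        if st.failures and self.clock() - st.last_failure > self.policy.reset_after:
            st.failures = 0
        return st

    def delay_for(self, username):
        """Seconds to wait before showing this user the next login prompt."""
        st = self._state(self.accounts, username)
        if st.failures == 0:
            return 0.0
        return min(self.policy.base_delay * 2 ** (st.failures - 1),
                   self.policy.max_delay)

    def attempt(self, username, password, terminal):
        p = self.policy
        acct = self._state(self.accounts, username)
        term = self._state(self.terminals, terminal)
        # The privileged user at the secure console is never refused by a lock,
        # so a lockout flood cannot deny the administrator access.
        exempt = username == p.privileged_user and terminal == p.console
        if term.locked and not exempt:
            return "terminal-locked"
        if acct.locked and not exempt:
            return "account-locked"
        # A failure at an unauthorized terminal is refused but not counted.
        if username in self.allowed and terminal not in self.allowed[username]:
            return "unauthorized-terminal"
        if self.users.get(username) == password:
            acct.failures = 0
            return "ok"
        now = self.clock()
        acct.failures, acct.last_failure = acct.failures + 1, now
        term.failures, term.last_failure = term.failures + 1, now
        if acct.failures >= p.max_failures and not exempt:
            acct.locked = True
        if term.failures >= p.max_terminal_failures and terminal != p.console:
            term.locked = True
        return "failed"

    def unlock(self, username=None, terminal=None):
        """Administrator action: clears the lock and the counters."""
        if username:
            self.accounts[username] = State()
        if terminal:
            self.terminals[terminal] = State()


def demo():
    """Constructed scenario driven by a fake clock; returns the outcomes."""
    now = [0.0]
    g = LoginGuard({"alice": "s3cret", "root": "hunter2"},
                   allowed_terminals={"alice": {"tty1", "tty2"}},
                   clock=lambda: now[0])
    out = {"lockout": [], "delays": []}
    out["unauthorized"] = g.attempt("alice", "wrong", "tty9")
    out["delay_after_unauthorized"] = g.delay_for("alice")        # not counted: 0.0
    for guess in ("alice", "alice123", "password"):               # three bad guesses
        out["lockout"].append(g.attempt("alice", guess, "tty1"))
        out["delays"].append(g.delay_for("alice"))                # 2.0, 4.0, 8.0
        now[0] += 1.0
    out["locked_correct"] = g.attempt("alice", "s3cret", "tty1")  # right password, still locked
    for _ in range(5):                                            # lockout flood against root
        g.attempt("root", "guess", "console")
    out["root_console"] = g.attempt("root", "hunter2", "console")  # console stays usable
    now[0] += 1000.0                                              # idle past reset_after
    out["still_locked"] = g.attempt("alice", "s3cret", "tty1")    # lock needs an admin
    g.unlock(username="alice")
    out["after_unlock"] = g.attempt("alice", "s3cret", "tty1")
    return out
```

The scenario in demo() walks the cases the text raises in order: a guess at an unauthorized terminal is refused without counting, three failures lock alice and leave a doubling delay behind, the correct password is refused while the lock stands, five failures against root at the console never lock it out, and the lock survives the idle reset until an administrator clears it.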

To increase the sophistication of the online brute force attack, the hacker can write a program to carry out the manual guessing steps. A dictionary of passwords is compiled and perhaps even customized for the penetration attempt. The program consults the dictionary when attempting to crack an account. Heuristics can be used so that the program adapts to the targeted host. For example, guessing that the password is the same as the username is a plausible first attempt. The Internet Worm was able to crack a number of accounts throughout the Internet using the following heuristics for passwords (Ferbrache and Shearer, 1993):

  No password
  The username or the username concatenated with itself
  Variations on the user’s first name or last name—uppercase, lowercase
  The username typed in backwards
  A dictionary of 432 words chosen by the worm’s author
  The online UNIX dictionary if available
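The heuristics listed above as an added example, not the worm's code: a candidate generator that produces guesses in the worm's order and a driver that runs them against each account as a programmed online attack. The passwd-style records, the secrets behind the stand-in login check, and the two short word lists standing in for the worm's 432-word dictionary and the online UNIX dictionary are all constructed for the demo.

```python
"""Programmed online guessing in the Internet Worm's order. Added example, not
the worm's code; records, word lists, and the login check are constructed."""
from typing import Callable, Dict, Iterable, List, Tuple


def parse_passwd(line: str) -> Tuple[str, str]:
    """Return (username, GECOS full-name field) from a passwd-style record."""
    fields = line.rstrip("\n").split(":")
    gecos = fields[4] if len(fields) > 4 else ""
    return fields[0], gecos.split(",")[0]       # drop office/phone subfields


def worm_candidates(username: str, gecos: str,
                    mini_dict: Iterable[str] = (),
                    system_dict: Iterable[str] = ()) -> List[str]:
    """Guesses in the worm's order, duplicates removed, order preserved."""
    parts = gecos.split()
    first = parts[0] if parts else ""
    last = parts[-1] if len(parts) > 1 else ""
    guesses = ["", username, username + username]        # no password; user; user twice
    for name in (first, last):                            # case variations on the name
        if name:
            guesses += [name, name.lower(), name.upper(), name.capitalize()]
    guesses.append(username[::-1])                        # username backwards
    guesses += list(mini_dict)                            # the attacker's own word list
    guesses += list(system_dict)                          # online dictionary, if available
    return list(dict.fromkeys(guesses))


def programmed_attack(passwd_lines: Iterable[str],
                      try_login: Callable[[str, str], bool],
                      mini_dict: Iterable[str] = (),
                      system_dict: Iterable[str] = ()):
    """Run the candidates against every account. try_login(user, guess) plays the
    role of the login prompt. Returns ({user: guess that worked}, {user: attempts})."""
    cracked: Dict[str, str] = {}
    attempts: Dict[str, int] = {}
    for line in passwd_lines:
        user, gecos = parse_passwd(line)
        cands = worm_candidates(user, gecos, mini_dict, system_dict)
        attempts[user] = len(cands)                       # cost when nothing matches
        for n, guess in enumerate(cands, 1):
            if try_login(user, guess):
                cracked[user], attempts[user] = guess, n
                break
    return cracked, attempts


# Constructed records and secrets. SECRETS stands in for the target's own password
# check; an online attacker only sees accept or reject, never the stored values.
PASSWD = [
    "jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/sh",
    "msmith:x:1002:1002:Mary Smith,Room 12:/home/msmith:/bin/sh",
    "ops:x:1003:1003:Operations:/home/ops:/bin/sh",
    "kwong:x:1004:1004:Kim Wong:/home/kwong:/bin/sh",
]
SECRETS = {"jdoe": "jdoe", "msmith": "SMITH", "ops": "", "kwong": "Tr0ub4dor&3"}
MINI_DICT = ("password", "secret", "wizard", "changeme")  # stand-in for the worm's list
SYSTEM_DICT = ("abandon", "zebra")                         # stand-in for the UNIX dictionary


def demo():
    return programmed_attack(PASSWD, lambda u, g: SECRETS.get(u) == g,
                             MINI_DICT, SYSTEM_DICT)
```

Against these records the empty password, the username and an uppercased surname fall within the first nine guesses, which is why the worm's cheap heuristics came before its dictionary; the one account with a password outside the name and word lists costs the full candidate list and is not cracked.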

You might think that a programmed attack like this works only if the attacker is trying to log in over a network using one of the many network login facilities built into operating systems. However, it is just as easy to detach a terminal from its cable and plug that cable into the back of a personal computer programmed to emulate a terminal. From this configuration, the hacker can run an automated attack that looks like a user physically logging in at the terminal.

A more dangerous brute force attack occurs when the attacker obtains a copy of the stored password values. With this additional knowledge, an offline attack is possible, and two approaches exist. In the first, the attack is still centered on repeatedly guessing the password, but the guessing is carried out on a machine the attacker controls. Your system will be unaware of any attempts to guess passwords because all of the work is done on another system. If a UNIX password file is obtained, the attacker can enlist any number of collaborators to guess offline in parallel; the guessing work can even be divided among the cohorts. The machines the attackers use are, naturally, configured with defense mechanisms such as failed login thresholds disabled.

A second offline attack depends on a matching strategy. Instead of guessing passwords one at a time against each account, the attacker computes a large number of hashed password values in advance. The attack succeeds whenever a user's stored hashed password matches one of the precalculated hash values. Tools to facilitate this approach are readily available for both UNIX and NT. Crack, developed by Alec Muffett, is widely relied upon by professional penetration testing teams to audit the strength of user passwords on UNIX systems, and it has been very successful at breaking many of them. The arrival of L0phtCrack from Mudge (www.l0pht.com) showed that NT was subject to the same kind of offline brute force attack. You might find it interesting that the infamous Internet Worm (which does not seem so infamous given the sensitivity of sites recently broken into) traveled with a mini-dictionary and password cracker.
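The matching strategy as an added example, not code from Crack or L0phtCrack: the word list is hashed once into a lookup table and every stored value is checked against it with no further hashing. The block goes one step beyond the text and also shows the cost when each stored hash carries a per-user salt, which is the case for UNIX crypt(3) but not for the NT LM hash that L0phtCrack attacked. hashlib SHA-256 stands in for the platform's password hash, and the "stolen" records, salts and word list are constructed for the demo.

```python
"""Offline precompute-and-match attack. Added example, not Crack or L0phtCrack.
SHA-256 stands in for the platform password hash; records and words are constructed."""
import hashlib
from typing import Dict, Iterable, List, Tuple


def pw_hash(password: str, salt: str = "") -> str:
    """Stand-in for the system's one-way password function."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def precompute(words: Iterable[str]) -> Dict[str, str]:
    """Hash the word list once; the table maps stored hash -> plaintext."""
    return {pw_hash(w): w for w in words}


def match_unsalted(records: Iterable[Tuple[str, str]],
                   table: Dict[str, str]) -> Dict[str, str]:
    """records: (user, stored_hash). One dictionary lookup per record, no hashing,
    so the cost does not grow with the number of accounts in the file."""
    return {user: table[h] for user, h in records if h in table}


def match_salted(records: Iterable[Tuple[str, str, str]],
                 words: List[str]) -> Tuple[Dict[str, str], int]:
    """records: (user, salt, stored_hash). A per-user salt makes the shared table
    useless: the word list must be rehashed under each user's salt. Returns the
    matches and the number of hash computations the run cost."""
    found, cost = {}, 0
    for user, salt, h in records:
        for w in words:
            cost += 1
            if pw_hash(w, salt) == h:
                found[user] = w
                break
    return found, cost


WORDS = ["password", "secret", "wizard", "letmein", "changeme"]   # constructed list
# Constructed "stolen" records: three weak passwords and one not in the list.
PLAIN = {"alice": "secret", "bob": "wizard", "carol": "Tr0ub4dor&3", "dave": "password"}
SALTS = {"alice": "ab", "bob": "cd", "carol": "ef", "dave": "gh"}
UNSALTED = [(u, pw_hash(p)) for u, p in PLAIN.items()]
SALTED = [(u, SALTS[u], pw_hash(p, SALTS[u])) for u, p in PLAIN.items()]


def demo():
    table = precompute(WORDS)                      # len(WORDS) hashes, paid once
    salted, salted_cost = match_salted(SALTED, WORDS)
    return {
        "unsalted": match_unsalted(UNSALTED, table),
        "unsalted_cost": len(table),               # hashes computed for the whole file
        "salted": salted,
        "salted_cost": salted_cost,
    }
```

Both runs recover the same three passwords, but the unsalted run pays for five hashes in total regardless of how many records are checked, while the salted run pays for eleven on four records and would keep growing with the file. That difference is the whole reason a stolen unsalted hash file is so much more dangerous than a salted one.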

