Friday, 28 April 2017

8. Password & PIN Security


Contents

Purpose and Scope
Introduction
Technical Discussion
Identity Management
Lightweight Directory Access Protocol (LDAP)
Unique Identities
Password Protocols
Password Compromises
Password Security Strategies
Password Administration
Default Passwords and Password Distribution
Special Privilege Accounts
End-User Education
Purpose and Scope

This white paper is intended to be an accompaniment to Ohio IT Policy IT-B.3, “Password and Personal Identification Number Security.” The policy document describes the state’s overall requirements regarding the selection, use and management of authentication technologies and strategies. This educational white paper is designed to provide a deeper understanding of the most commonly used authentication strategies and to assist state of Ohio personnel who may be responsible for acquiring, implementing or monitoring passwords and personal identification numbers (PINs) in understanding the technology and strategies available.

Introduction

One of the most important elements of network security is authentication. Making sure “you are who you say you are” helps prevent unauthorized use of the network and IT resources and preserves the appropriate level of confidentiality for all of the data.
There are several ways to perform authentication, but the most common is a password or PIN. Nothing requires that a password be a word or that a PIN be a number; to the technology that checks them, they are the same thing.
The origin of password use cannot be cited definitively. One of the earliest recorded uses of pre-arranged “passwords” was by Roman sentries of Julius Caesar’s 10th Legion on duty in Gaul to verify that those approaching their defenses at night were actually part of the Legion. Today, passwords are used every day to authenticate us not only to our personal computers but to our employer’s network and to our bank account.

Technical Discussion

Identity Management

Passwords and authentication are a part of a larger security strategy known as identity management. This is composed of a set of technologies and practices that allow us to control access to resources and data to a very fine degree and for the entire “lifecycle.” 
Lifecycle means the length of time that a device is in the network or a person is a part of the organization. According to IT policy, the lifecycle process is usually maintained by an administrator from the time of registration on the network to the time an account or identity is closed. Keeping track of user identities and of closed accounts and device identities is important since these can be used to compromise the networks.

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol (LDAP) is used by most of today’s networks to manage user identities. LDAP provides a method of storing user names, locations, access rights and other information in a special database known as a directory. In a predominantly Microsoft Windows environment, the proprietary version of LDAP, known as Active Directory, will almost certainly have all the user information required to allow you to get e-mail, surf the Web, access files and perform any other actions on your computer and network that are associated with your job function.
Using a part of the LDAP protocol known as Bind, a user’s password is authenticated against a password repository (database), and then against the LDAP listing for the user. This confirms that the correct password has been presented and allows access to the resources for which the LDAP listing is authorized.

Unique Identities

One characteristic of identity management is that it forces us to create unique identities for every user in the network. This means that no two users can have the same identification (usually referred to as a user ID), and their identity information (user rights and permissions, etc.) must be uniquely theirs.
This is much like having a unique key to a lock. Only your key can open the lock, just as your identity information is the only way to access your authorized applications and resources on the network. (See Ohio IT Policy ITP-B.3, “Password and Personal Identification Number Security.”)

Password Protocols

The earliest, simplest and one of the most effective protocols used to transmit and authenticate passwords across a network is the Password Authentication Protocol (PAP). PAP was originally designed to be used over simple, point-to-point connections (like modem to modem) using the point-to-point protocol (PPP). Simply put, in PAP you send your password in clear text to a server or host (or even the modem), and if you are in the host’s database, then an acknowledgement is sent back allowing you to access the host. 
A more secure version of PAP, called CHAP, or Challenge-Handshake Authentication Protocol, keeps re-authenticating the connection during the session to prevent someone from capturing the information and “hijacking” the session to compromise the network.

Password Compromises

There are several strategies that a hacker or someone with malicious intent toward a network could use to figure out passwords. Most of these involve some type of automated software tool that assists the hacker. Some of these techniques are:
  • Brute force password cracking. This type of attack is just what it sounds like. The hacker feeds many different combinations of letters, numbers and special characters to a password authentication screen in an attempt to hit the “right” combination. These usually start with simple phrases like “password,” “Administrator” or “mom,” and then progress through more complicated combinations. Attacks of this type led to limits on the number of “tries” before the password prompt times out; the software now gets around that by waiting for the timeout and starting again.
  • Dictionary attack. This is similar to the brute force attack except that it concentrates on words found in Webster’s Unabridged New World Dictionary. Because most people feel they can’t remember a random combination of characters and use regular words as passwords, this has proven very effective. It also circumvents the time-out (attempt limit) in the same way as the brute force tool.
  • Automated “logical” hacking software. There are many good password hacking applications, such as L0phtcrack, that have legitimate use in an IT environment when employees forget their self-generated passwords. Unfortunately, these can be used for unethical purposes as well. L0phtcrack is a tool that “hackers” have successfully used as a password cracker for several years. It has been modified over time by the hacker community, so it has many variants based on its original capabilities or combined with other hacking programs. Some variants employ logic about how people develop personal passwords under a specific operating system’s (OS) password rules. For example, if it’s known that the OS forbids repeating the same password within a year, some password cracking variants check six of the eight characters of a previously compromised password to see if they’ve remained the same. Another password rule that some crackers check for and attempt to exploit, especially in Microsoft Windows, is one that forces the use of numbers or “special” ASCII characters in the password’s composition. The variant tool takes standard and logically derived password combinations and inserts special characters into the “forced” password attempt. Thus the user may follow the rules correctly, but with the smart logic of such tools, the password becomes vulnerable.
    Some “pirate” variants of password cracking software, originally based on L0phtcrack and other successful hacker tools, attempt to bypass the OS limit on the number of log-in attempts. During this type of attack the tool uses only what it deems the “most promising” passwords. It forces passwords, and if it is unsuccessful and “locks out” the account, it records the number of attempts that triggered the lockout on that system. The OS logs the number of attempts and can be configured to “reset” the account after a pre-set waiting period, or after a legitimate user works through the proper channels to get it unlocked. Some of these variants monitor this “reset” behavior and use it for the next attack. The cycle continues until the system is compromised. This is why it is important to examine logs or configure the IDS to look for failed log-ins even if they do not lock out the account.
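One way to act on that last point, flagging failed log-ins that never trip a lockout, as an added example that is not part of the white paper (the log format, the thresholds and the sample lines are constructed assumptions):

```python
"""Look for password guessing in authentication logs, including attempts that
stop short of locking the account. Added example, not code from the white
paper; the log format, thresholds and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # assumed OS setting: lock after 5 failures
LOCKOUT_RESET = timedelta(minutes=30)   # assumed failure-counter reset window

# Constructed sample log in a syslog-like format assumed for this example.
# jsmith: a burst that trips the lockout. mjones: bursts of four, each just
# under the threshold, spaced so the counter resets in between. akhan: one typo.
SAMPLE_LOG = """\
2017-04-28T09:00:01 auth: FAILED user=jsmith src=10.0.0.5
2017-04-28T09:00:03 auth: FAILED user=jsmith src=10.0.0.5
2017-04-28T09:00:05 auth: FAILED user=jsmith src=10.0.0.5
2017-04-28T09:00:06 auth: FAILED user=jsmith src=10.0.0.5
2017-04-28T09:00:08 auth: FAILED user=jsmith src=10.0.0.5
2017-04-28T09:00:09 auth: LOCKED user=jsmith src=10.0.0.5
2017-04-28T09:31:00 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T09:31:02 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T09:31:04 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T09:31:05 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:02:00 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:02:02 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:02:03 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:02:05 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:33:00 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:33:01 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:33:03 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T10:33:04 auth: FAILED user=mjones src=10.0.0.9
2017-04-28T11:15:00 auth: FAILED user=akhan src=10.0.0.7
2017-04-28T11:15:20 auth: OK user=akhan src=10.0.0.7
"""

def parse_line(line):
    """Return (timestamp, status, user, src) for one log line."""
    ts, rest = line.split(" auth: ", 1)
    status, user, src = rest.split()
    return (datetime.fromisoformat(ts), status,
            user.split("=", 1)[1], src.split("=", 1)[1])

def failure_bursts(times):
    """Group failure timestamps into bursts separated by at least LOCKOUT_RESET,
    which is how a tool that waits out the reset window appears in the log."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] < LOCKOUT_RESET:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def analyze(log_text):
    """Return one alert dict per (user, src) that was locked out, or that piled
    up at least a lockout's worth of failures without ever being locked."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_key = defaultdict(list)
    for ts, status, user, src in events:
        by_key[(user, src)].append((ts, status))
    alerts = []
    for (user, src), evs in sorted(by_key.items()):
        failures = [ts for ts, status in evs if status == "FAILED"]
        locked = any(status == "LOCKED" for _, status in evs)
        bursts = failure_bursts(failures)
        if locked:
            alerts.append({"user": user, "src": src, "reason": "lockout",
                           "failures": len(failures), "bursts": len(bursts)})
        elif len(failures) >= LOCKOUT_THRESHOLD:
            # Never locked, yet more failures than the threshold allows:
            # the attempts were spread across reset windows.
            alerts.append({"user": user, "src": src, "reason": "spread-guessing",
                           "failures": len(failures), "bursts": len(bursts)})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```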

Password Security Strategies

If a hacker can guess or discover your password through any of the methods noted above, he or she can perform any function or see any information on the network for which you are authorized. 
The simplest and best password security strategy, of course, is don’t write it down! 
Other strategies to improve password effectiveness and make the use of automated hacking tools less effective are as follows: 
  • Length and composition. As we noted earlier, a password and a PIN are actually the same thing. A PIN is usually shorter than a password or is characterized as a “smaller secret.” Usually this means that it’s easier to remember. The amount of time required to “crack” a password is directly related to the number and type of characters it contains.
    For example, if you have a password policy requiring eight characters, all of which must be uppercase, you provide your users with a potential total of 208,827,064,576 (nearly 209 billion) passwords. It would take only one PC with a utility such as L0phtcrack just over six hours to crack.
    If you require users to have an eight-character password that may employ any of the 94 printable ASCII characters, there are 6,095,689,385,410,820 (about 6×10^15, or 6 quadrillion) potential combinations, which would take more than 7,300 days to crack using a single PC and more than 175 hours using a distributed network of 1,000 PCs. Most hackers won't be that patient, and they aren’t going to have that kind of power at their disposal.
  • Aging. The amount of time that a user is allowed to keep the same password is a value called aging. Generally, the longer you keep the same password, the easier it becomes for someone to either guess it or crack it. As you can see from the discussion of password length, a well-constructed password might take a long time to crack, but any password can potentially be cracked given enough time. The best way to limit the amount of time an attacker has to crack a particular password is to change it regularly, typically every 90 days. This also thwarts anyone who may have intercepted it or observed you typing it in. Note that when setting a maximum password age, it is also important to use password history and to set a minimum age of one day. Otherwise, a user who wants to re-use the same password can simply change it multiple times in a few minutes and get back to the same password they had at the start of the day.
  • History. The amount of time that must elapse before you can re-use a password is a value called history. It does not make sense for us to ask you to create a password that is hard to break, and then ask you to change it every 3 months to protect it, and then allow you to keep on using the same three or four passwords forever. Many organizations extend the history value to 18-24 months or as many as 15-20 previous passwords. It’s a lot harder to crack a set of 15 passwords than just two or three.
  • Lockout / reactivation. One good way to deter someone who is trying to crack your account by guessing passwords or using an automated tool to compromise your log-in is to limit the number of times that an incorrect password can be entered before the account is locked out or temporarily deactivated.
  • Encryption. Locking out accounts when a certain number of incorrect passwords have been entered will deter even a good attacker. However, a determined, sophisticated hacker will probably not use the operating system or application log-in to try to access a system. Instead, he or she will “sniff” the network connection to capture the password’s encrypted hash as it travels over the network. (For more information on network sniffing, see the IT Security White Paper, “Intrusion Prevention and Detection.”) There are automated tools that a hacker can then use in an attempt to decrypt the password. At the end of the process, the hacker has the password and can just log in. The level of encryption applied to the transmission of passwords should be strong enough to thwart this kind of attempt. Generally speaking, the encryption should be stronger (harder to crack) as the level of sensitivity or cost of compromise (liability, for example) increases. For most government systems, this is never less than the 128-bit version of the Advanced Encryption Standard.
  • Display of passwords. It is common sense that if the most important way to protect your secret password is not to write it down, you also don’t want it to be visible to anyone who happens to glance at your screen while you type it in day after day. This is why most applications, operating systems, Web sites and other utilities that require passwords “mask” or do not display them. Instead, the most common method is to replace the actual character with an asterisk (*).
  • Secure storage of passwords. As we discussed earlier in connection with identity management, user passwords are normally stored in a database against which log-in requests are compared. Obviously it would not do much good to implement a security policy requiring passwords of adequate length, aging passwords, and forcing a long history before reuse if we made it easy for a hacker to get on the network and see what everybody’s password was. For the most part, operating systems do a pretty good job of hiding and encrypting these files, but there are applications that can be used in addition to normal storage to further safeguard your passwords. Examples are Wolff Software’s Password Keeper, Counterpane’s Password Safe, and iJEN’s PassMan.
  • Password saving. Password saving is a function of many browsers and operating systems and is provided as a convenience to the end user. Unfortunately, if you have this feature enabled and have stored all of your passwords in the browser’s cache, then all a hacker would need to do is crack that file (which will not be encrypted, particularly on a browser) and your log-in/password information is compromised. Also, if you simply walk away from your computer for a short period of time, anyone can walk up to the computer (unless you have locked the screen) and log into any of your personal and business connections. For this reason, most organizations disable the “password save” functionality in their baseline configurations.
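The aging, history, minimum-age and lockout rules above, enforced together on one account, as an added example that is not code from the white paper or the Ohio policy. The 90-day maximum age and one-day minimum age follow the text; the history depth of 15, the lockout count and the reset period are assumed.

```python
"""Enforce maximum age, minimum age, password history and lockout for one
account. Added example, not from the white paper or the Ohio policy; the
90-day maximum and 1-day minimum age follow the text, the rest is assumed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)              # password must change at least every 90 days
MIN_AGE = timedelta(days=1)               # no second change within one day
HISTORY_DEPTH = 15                        # assumed: remember the last 15 passwords
LOCKOUT_THRESHOLD = 5                     # assumed: lock after 5 consecutive failures
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed reset period
PBKDF2_ROUNDS = 20_000                    # kept low so the example runs quickly

def _hash(password, salt):
    # Salted, iterated hash so stored history entries are not readable as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    def __init__(self, password, now):
        self.salt = os.urandom(16)
        self.history = []                 # hashes, oldest first, at most HISTORY_DEPTH
        self.changed_at = now
        self.failures = 0
        self.locked_until = None
        self._store(password, now)

    def _store(self, password, now):
        self.history = (self.history + [_hash(password, self.salt)])[-HISTORY_DEPTH:]
        self.changed_at = now

    def must_change(self, now):
        """True once the current password is older than MAX_AGE."""
        return now - self.changed_at >= MAX_AGE

    def verify(self, password, now):
        """Check a log-in attempt, counting failures toward lockout."""
        if self.locked_until is not None and now < self.locked_until:
            return False                  # locked: refuse without counting
        if hmac.compare_digest(_hash(password, self.salt), self.history[-1]):
            self.failures, self.locked_until = 0, None
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures = 0
        return False

    def change_password(self, old, new, now):
        """Return None if the change is accepted, otherwise the policy reason."""
        if not self.verify(old, now):
            return "current password incorrect or account locked"
        if now - self.changed_at < MIN_AGE:
            return "minimum age not reached"      # stops same-day cycling
        if _hash(new, self.salt) in self.history:
            return "password reused within history"
        self._store(new, now)
        return None

def same_day_change_reason(start):
    """The failure mode the text describes: a second change an hour later."""
    acct = Account("Original-Pass-1", start)
    return acct.change_password("Original-Pass-1", "Other-Pass-2", start + timedelta(hours=1))

def days_to_cycle_back(original, start):
    """Change the password as often as the policy allows until the original is
    accepted again; return how many days that takes (history depth + 1)."""
    acct = Account(original, start)
    current, day = original, 0
    while True:
        day += 1
        now = start + day * MIN_AGE
        if acct.change_password(current, original, now) is None:
            return day
        rotated = f"rotated-{day}"
        if acct.change_password(current, rotated, now) is not None:
            raise RuntimeError("unexpected refusal during rotation")
        current = rotated

def lockout_demo(start):
    """Five wrong guesses lock the account; the right password is refused during
    the lockout and accepted again once the reset period has elapsed."""
    acct = Account("Right-Pass-1", start)
    for i in range(LOCKOUT_THRESHOLD):
        acct.verify("wrong-guess", start + timedelta(seconds=i))
    during = acct.verify("Right-Pass-1", start + timedelta(minutes=1))
    after = acct.verify("Right-Pass-1", start + LOCKOUT_DURATION + timedelta(minutes=1))
    return during, after

if __name__ == "__main__":
    t0 = datetime(2017, 4, 28, 9, 0)
    print(same_day_change_reason(t0))
    print(days_to_cycle_back("Original-Pass-1", t0), "days to get the old password back")
    print(lockout_demo(t0))
```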

Password Administration

Most agencies designate an authority or administrator to oversee the aspects of identity management and password administration. In many cases, identity management is maintained by a human resources (HR) department since they most often process employees into and out of an organization and maintain the organizational information that is used to populate the LDAP or other IT identity management technology. 
Password administration, on the other hand, is almost always the domain of an IT system administrator — or network security administrator if your agency has a dedicated security staff. These individuals are responsible for the day-to-day maintenance of the password database and the setting up and deactivation of accounts based on information received from human resources. 
When an administrator is notified that an employee is no longer with the agency or that a user’s password has become (or may potentially become) known to others, the administrator should immediately deactivate that user’s account. This is known as account revocation. By policy, most organizations set a time limit on revocation, requiring that an account be deactivated within a short time after notification has been received by the administrators. (See Ohio IT Policy ITP-B.3, “Password and Personal Identification Number Security,” for deactivation requirements.)

Default Passwords and Password Distribution

Many applications and devices come “out of the box” configured with a standard or default password. This is especially true of networking equipment. As soon as you power up a new computer or networking device, check whether it has a default log-in and password. If so, change it immediately. Many agencies have specific policies regarding how this is done. Also, in many agencies the IT staff issues a temporary password when a new user is added to the network. Even though, by policy, IT staff members take the utmost care in preserving the security of temporary passwords, you should always log in and change this password to your own secret password (according to policy) as soon as possible. (See Ohio IT Policy ITP-B.3, “Password and Personal Identification Number Security.”)

Special Privilege Accounts

It is always bad when a user’s account is compromised by somehow obtaining a password. It is disastrous, however, if that password belongs to one of the privileged accounts. These are usually characterized as “administrator,” “super user,” or “Root” accounts, depending on whether you use Windows or some variety of UNIX. An administrator account is the equivalent of the “keys to the kingdom,” because these accounts allow access to virtually any information and functionality on the network or host that is compromised.

One way to lessen the impact of compromise is to strictly limit the number of individuals who are issued root or administrative accounts. Another way is to divide the root or administrative functions among a group of individuals so that no one person has access to all of the functionality on the system or network. (See Ohio IT Policy ITP-B.3, “Password and Personal Identification Number Security.”)

End-User Education

The best way to ensure that any policy is carried out daily is to educate your end-user community. The most successful agencies issue guidelines and other training material to new users to help make them aware of policies and known issues related to the network and applications typically used by the employee. This can be a part of a new-hire package or provided later as part of an IT package.


It is important to emphasize to end users that each employee is responsible for the security of their own passwords. All of the technology and practices we have outlined in this white paper will not help if you are careless in guarding your password. (See Ohio IT Policies ITP-B.3, “Password and Personal Identification Number Security,” and ITP-B.8, “Security Education and Awareness.”)


7. How to hack AppLock pattern or password?


This is only for educational purposes, not an illegal hacking trick.

Follow these steps:

1. Go to Settings.
2. Find the Apps (Applications) option.
3. Find the AppLock app and tap it.
4. Tap the Force Stop button.
5. Tap OK.
6. Open your secured app.

You will see that the pattern or password lock has been bypassed.

If you want to secure yourself, follow this step:

1. Lock the Settings app with AppLock as well.

Then nobody can bypass your AppLock pattern or password this way.

Please use this method only legally; don’t use it illegally.
And keep yourself safe.

Sunday, 23 April 2017

6. Introduction to Proxy Servers


Some home networks, corporate intranets, and Internet Service Providers (ISPs) use proxy servers (also known as proxies). Proxy servers act as a "middleman" or broker between the two ends of a client/server network connection by intercepting all requests to the real server to see if they can fulfill the requests themselves. If not, the proxy forwards the request to the real server. Proxy servers work well between Web browsers and servers, or other applications, by supporting underlying network protocols like HTTP.

Proxy servers have two main purposes. One is that they can dramatically improve performance for groups of users, because a proxy saves the results of all requests for a certain amount of time. Consider the case where both user X and user Y access the World Wide Web through a proxy server. First user X requests a certain Web page, which will be called Page 1. Sometime later, user Y requests the same page. Instead of forwarding the request to the Web server where Page 1 resides, which can be a time-consuming operation, the proxy server simply returns the Page 1 that it already fetched for user X. Since the proxy server is often on the same network as the user, this is a much faster operation. Real proxy servers support hundreds or thousands of users. The major online services such as America Online, MSN and Yahoo, for example, employ an array of proxy servers.

The other main purpose of proxy servers is filtering requests. For example, a company might use a proxy server to prevent its employees from accessing a specific set of Web sites.

Proxies can do many other things. For example, they could translate between languages. They could shrink the size of a response so it fits on one's mobile phone screen. They could also filter nasty language or subjects.

Proxy Servers, Firewalling and Filtering


Proxy servers work at the Application layer (Layer 7) of the OSI model. As such, they aren't as popular as ordinary firewalls that work at lower layers and support application-independent filtering. Proxy servers are also more difficult to install and maintain than firewalls, as proxy functionality for each application protocol like HTTP, SMTP, or SOCKS must be configured individually. But a properly configured proxy server improves network security and performance. Proxies have capabilities that ordinary firewalls simply cannot provide.

Some network administrators deploy both firewalls and proxy servers to work together. To do this, they install both firewall and proxy server software on a server gateway.

Because they function at the OSI Application layer, the filtering capability of proxy servers is relatively intelligent compared to that of ordinary routers. For example, proxy Web servers can check the URL of outgoing requests for Web pages by inspecting HTTP GET and POST messages. Using this feature, network administrators can bar access to illegal domains but allow access to other sites. Ordinary firewalls, in contrast, cannot see Web domain names inside those messages. Likewise, for incoming data traffic, ordinary routers can filter by port number or network address, but proxy servers can also filter based on application content inside the messages.

Connection Sharing with Proxy Servers


Various software products for connection sharing on small home networks have appeared in recent years. In medium- and large-sized networks, however, actual proxy servers offer a more scalable and cost-effective alternative for shared Internet access. Rather than give each client computer a direct Internet connection, all internal connections can be funneled through one or more proxies that in turn connect to the outside.

Proxy Servers and Caching


The caching of Web pages by proxy servers can improve a network's "quality of service" in three ways. First, caching may conserve bandwidth on the network, increasing scalability. Next, caching can improve response time experienced by clients. With an HTTP proxy cache, for example, Web pages can load more quickly into the browser. Finally, proxy server caches increase availability. Web pages or other files in the cache remain accessible even if the original source or an intermediate network link goes offline.

Types of Proxy servers

Web

Proxies that attempt to block offensive web content are implemented as web proxies. Other web proxies reformat web pages for a specific purpose or audience; for example, Skweezer reformats web pages for cell phones and PDAs. Network operators can also deploy proxies to intercept computer viruses and other hostile content served from remote web pages.

A special case of web proxies are "CGI proxies." These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxying functionality. CGI proxies are frequently used to gain access to web sites blocked by corporate or school proxies. Since they also hide the user's own IP address from the web sites they access through the proxy, they are sometimes also used to gain a degree of anonymity, called "Proxy Avoidance."

Intercepting

Many organizations, including corporations, schools, and families, use a proxy server to enforce acceptable network use policies (see content-control software) or to provide security, anti-malware and/or caching services. A traditional web proxy is not transparent to the client application, which must be configured to use the proxy (manually or with a configuration script). In some cases, where alternative means of connection to the Internet are available (e.g. a SOCKS server or NAT connection), the user may be able to avoid policy control by simply resetting the client configuration and bypassing the proxy. Furthermore, administration of browser configuration can be a burden for network administrators.

An intercepting proxy, often incorrectly called a transparent proxy (also known as a forced proxy), combines a proxy server with NAT. Connections made by client browsers through the NAT are intercepted and redirected to the proxy without client-side configuration (or often knowledge).

Intercepting proxies are commonly used in businesses to prevent avoidance of acceptable use policy, and to ease administrative burden, since no client browser configuration is required. Intercepting proxies are also commonly used by Internet Service Providers in many countries in order to reduce upstream link bandwidth requirements by providing a shared cache to their customers.

It is often possible to detect the use of an intercepting proxy server by comparing the external IP address to the address seen by an external web server, or by examining the HTTP headers on the server side.

Some poorly implemented intercepting proxies have historically had certain downsides, e.g. an inability to use user authentication if the proxy does not recognize that the browser was not intending to talk to a proxy. Some problems are described in RFC 3143 (Known HTTP Proxy/Caching Problems). A well-implemented proxy should not inhibit browser authentication at all.

The term transparent proxy, often incorrectly used instead of intercepting proxy to describe the same behavior, is defined in RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1) as: "[A] proxy that does not modify the request or response beyond what is required for proxy authentication and identification."
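The server-side header check mentioned above, as an added example that is not part of the original post: it lists the proxy-related headers present in a request and recovers the client address behind a proxy the server operator controls, ignoring a forged X-Forwarded-For from a direct client. The sample requests, addresses and trusted-proxy list are constructed.

```python
"""Server-side inspection of HTTP request headers for signs of a proxy in the
path, plus a safe way to recover the client address behind a proxy you
control. Added example, not from the original post; requests and addresses
are constructed using documentation IP ranges."""

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (request line, headers).
    Header names are lower-cased; repeated headers are joined with commas."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return lines[0], headers

# Headers that proxies add: Via is required of proxies by RFC 2616, Forwarded
# is defined in RFC 7239, and X-Forwarded-For is the common de-facto header.
PROXY_HEADERS = ("via", "forwarded", "x-forwarded-for")

def proxy_indicators(headers):
    """Return the proxy-related headers present, as 'name: value' strings."""
    return [f"{name}: {headers[name]}" for name in PROXY_HEADERS if name in headers]

def effective_client_ip(headers, peer_ip, trusted_proxies):
    """Determine the real client address. Each proxy appends to X-Forwarded-For,
    but a client can also forge it, so walk the chain from the right and stop at
    the first address that is not one of our own proxies. If the TCP peer is not
    a trusted proxy, the header is ignored entirely."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return peer_ip

# Constructed requests. 192.0.2.10 plays the corporate intercepting proxy.
DIRECT_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n\r\n")
PROXIED_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Via: 1.1 proxy.corp.example.test (ExampleProxy/1.0)\r\n"
    "X-Forwarded-For: 10.1.2.3\r\n\r\n")
# A direct client sending a forged X-Forwarded-For to pose as another address.
SPOOFED_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "X-Forwarded-For: 203.0.113.9\r\n\r\n")
TRUSTED_PROXIES = {"192.0.2.10"}

if __name__ == "__main__":
    for label, raw, peer in (("direct", DIRECT_REQUEST, "198.51.100.20"),
                             ("proxied", PROXIED_REQUEST, "192.0.2.10"),
                             ("spoofed", SPOOFED_REQUEST, "198.51.100.20")):
        _, hdrs = parse_request(raw)
        print(label, proxy_indicators(hdrs), effective_client_ip(hdrs, peer, TRUSTED_PROXIES))
```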

Open

An open proxy is a proxy server which will accept client connections from any IP address and make connections to any Internet resource. Abuse of open proxies is currently implicated in a significant portion of e-mail spam delivery. Spammers frequently install open proxies on unwitting end users' operating systems by means of computer viruses designed for this purpose. Internet Relay Chat (IRC) abusers also frequently use open proxies to cloak their identities.

Because proxies might be used for abuse, system administrators have developed a number of ways to refuse service to open proxies. IRC networks such as the Blitzed network automatically test client systems for known types of open proxy. Likewise, an email server may be configured to automatically test e-mail senders for open proxies, using software such as Michael Tokarev's “proxycheck.” Groups of IRC and electronic mail operators run DNSBLs publishing lists of the IP addresses of known open proxies, such as AHBL, CBL, NJABL, and SORBS.

The ethics of automatically testing clients for open proxies are controversial. Some experts, such as Vernon Schryver, consider such testing to be equivalent to an attacker portscanning the client host. Others consider the client to have solicited the scan by connecting to a server whose terms of service include testing.

Reverse


A reverse proxy is a proxy server that is installed in the neighborhood of one or more web servers. All traffic coming from the Internet with a destination of one of the web servers goes through the proxy server. There are several reasons for installing reverse proxy servers:
  • Security: the proxy server is an additional layer of defense and therefore protects the web servers further up the chain.
  • Encryption / SSL acceleration: when secure web sites are created, the SSL encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. See Secure Sockets Layer.
  • Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).
  • Serve/cache static content: a reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.
  • Compression: the proxy server can optimize and compress the content to speed up the load time.
  • Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client. This especially benefits dynamically generated pages.
  • Extranet publishing: a reverse proxy server facing the Internet can be used to communicate with a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls.

Split

A split proxy is effectively a pair of proxies installed across two computers. Since they are effectively two parts of the same program, they can communicate with each other in a more efficient way than they can communicate with a more standard resource or tool such as a website or browser. This is ideal for compressing data over a slow link, such as a wireless or mobile data service, and also for reducing the issues regarding high-latency links (such as satellite internet) where establishing a TCP connection is time consuming. Taking the example of web browsing, the user's browser is pointed to a local proxy which then communicates with its other half at some remote location. This remote server fetches the requisite data, repackages it and sends it back to the user's local proxy, which unpacks the data and presents it to the browser in the standard fashion.

Anonymous Proxy Servers

Anonymous proxy servers hide one's IP address and thereby prevent unauthorized access to that computer through the Internet. They do not provide anyone with that IP address and effectively hide all information about the user at hand. Besides that, they don’t even let anyone know that you are surfing through a proxy server. Anonymous proxy servers can be used for all kinds of Web services, such as Web mail (MSN Hotmail, Yahoo Mail), web chat rooms, FTP archives, etc. ProxySite.com is a site where a large list of public proxies is compiled. In its database you can always find the most current lists; the proxies are checked every minute, and the list is updated daily from various sources. The system uses the latest algorithm for selecting and sorting proxy servers, and servers for anonymous access are checked. Search results can always be saved to an Excel file.

Circumventor

A circumventor is a web-based page that takes a site that is blocked and "circumvents" it through to an unblocked website, allowing the user to view blocked pages. A famous example is 'elgooG', which allowed users in China to use Google after it had been blocked there. elgooG differs from most circumventors in that it circumvents only one block.

The most common use is in schools, where many blocking programs block by site rather than by code; students are able to access blocked sites (games, chatrooms, messengers, weapons, racism, forbidden knowledge, etc.) through a circumventor. As fast as the filtering software blocks circumventors, others spring up. It should be noted, however, that in some cases the filter may still intercept traffic to the circumventor, so the person who manages the filter can still see the sites that are being visited.

Circumventors are also used by people who have been blocked from a website. Another use of a circumventor is to allow access to country-specific services, so that Internet users from other countries may also make use of them. An example is country-restricted reproduction of media and webcasting.

The use of circumventors is usually safe, with the exception that circumventor sites run by an untrusted third party can be run with hidden intentions, such as collecting personal information; as a result, users are typically advised against sending personal data such as credit card numbers or passwords through a circumventor.

At Schools and in Offices

Many workplaces and schools are cracking down on the websites and online services that are made available in their buildings. Websites like Myspace, Yahoo Games, and other social websites have become targets of mass banning. Proxy web server creators have become more clever, allowing users to encrypt links and any data going to and from other web servers. This allows users to access websites that would otherwise have been blocked.

Case Study: Lander College for Men

A few years ago, a Touro College campus was built with the vision that one can combine Judaic and secular studies on a college level, called the Lander College for Men. Early on, the policy towards watching movies was that as long as it didn’t interfere with one's studies, one could do so in one's free time. But the network back then was so primitive that there was no filter set up. Either this was because it was complex to set up, or it was assumed that Yeshiva guys wouldn’t dare take advantage of this weakness (dumb mistake, but with Touro, anything’s possible), or both. In any case, it’s known that Touro has many campuses worldwide, known as Touro University International. Suffice to say, students in the dorm used programs like Kazaa and Bearshare to relentlessly download video games, movies, and music files through Touro’s T1 connection. They also shared movies through an outside server for which ten or twenty people would chip in a total of five hundred dollars. Soon it was discovered why students from other campuses were complaining about Touro’s computer network being so slow. A data analysis had revealed that 68% of Touro University’s bandwidth was being used up by the Lander College for Men campus alone. Some estimates actually were well over 80%. This may be broken down to, say, 42% consumed by actual student usage, and the rest being used up by one of Lander’s routers, which reportedly had a virus in it from a student download. Keep in mind that this was with fewer than seventy-five students on campus, a quarter of whom actually had personal computers in their dorm.


Once this was discovered, Touro’s MIS department sprang into action, hiring 8e6 Technologies to clean up the mess with their filtering program, which affected various key ports. Rabbinical faculty thereupon forbade students to watch movies or play video games in the dormitory, since incidentally students had stopped attending “Night Seder,” a mandatory evening program where one independently studied Judaic topics. The result of this madness was that many legitimate students couldn’t get into various websites like Google, for example, to do academic research. This created an uproar among the students. Some of the more knowledgeable decided to rebel and test out ports through a program, and once an open port was detected, they used a proxy server to reroute all HTTP, FTP, and P2P requests to that port, overflowing bandwidth on those ports. Whether a CGI, intercepting, or circumventor proxy, or any combination, was used is anybody’s guess. Nobody thought they would be caught, since Touro’s routers take in thousands of requests a day. Still, it was stupid to try, since enough requests through a specific port will turn some heads. Once that happened, all that MIS had to do was locate the MAC address of the computer’s network card, locate the router, and thereby locate the room the computer was in. Since there are typically two students in a room, those two were narrowed down, and more invasive procedures could be taken. One student in particular who exploited this technology was expelled and readmitted twice, suspended once, kicked out of the dorms, and other “nice things.” Suffice to say, he didn’t end up graduating, since he was so obsessed with downloading stuff that his grades suffered tremendously.


5.Bypassing Secure Web Transactions via DNS Corruption


A man-in-the-middle attack 

This paper has been written to inform the general public of weaknesses in secure communications via the Secure Sockets Layer (SSL), commonly referred to as secure web transactions. This paper addresses the most common configuration of a “secure transaction”. It is intended not to be a how-to on the subject, but to draw attention to the need for improved security to protect people’s privacy on the Internet.

People have often asked, “Is banking online a safe thing?” The normal response in an FAQ has been that if your system is using common US encryption (128 bits strong), your transaction cannot be intercepted and deciphered. This might be true (at this time 64-bit encryption took 2 days to break), but an intruder does not need to “break” the encryption to get your account information.

The Domain Name Service (DNS) is a common Internet protocol that allows a user to type the URL (name) of the destination into their browser (or telnet, ftp, or any other program) and receive the numeric IP address needed to initiate a TCP/IP connection with the desired host. DNS is not unlike a telephone book, where one can look up the name of an individual and receive a phone number or address to contact them. For example, when you connect to a bank online you type the name into the browser. The browser sends a domain request to the name server, which returns the IP number to the browser software. The browser begins a TCP/IP connection using this IP. A message is given to the user that they are about to enter a secure connection. The two systems send their 128-bit strong public keys to each other, and then a message conversation begins on the Internet that is impossible to crack within a debatable 20 years. Once a secure communication is established, the bank requests the user to authenticate who they are by using a bank account number and personal identification number (PIN). With these two items of information the user can see their account, transfer money and pay bills.

So what is the problem with this scheme? If this encryption takes so long to crack, then is this not a safe means of doing business on the Internet? The first weakness is that this encrypted communication trusts the IP address received from the DNS to be correct. The DNS is not in the control of the user or their bank. The fact is that there is no Identification and Authentication (I&A) mechanism in the domain protocol to ensure the desired address. After the connection is established, the authentication between the user and the bank is one-way. One-way authentication means that the user does not validate that they are connecting to the bank’s system; instead, the bank validates that the user is who they say they are. This is done with the account number and PIN.

Man-in-the-Middle Attack

The following is an example of a man-in-the-middle attack. This term refers to any attack where a second element (person, system, or application) performs a communication while masquerading as the intended destination. A DNS man-in-the-middle attack can occur as follows: an intruder (or a corrupt Internet system administrator) changes your bank’s IP number in the DNS table to that of a machine controlled by the bad guy, which we’ll call EVILSYSTEM. When you type the bank’s name into your browser, the compromised DNS now returns the IP address of EVILSYSTEM. EVILSYSTEM responds to the browser by sending its public key. At the same time, EVILSYSTEM opens a connection to the real banking system by using the IP address in its internal host table instead of the incorrect one in the DNS table. Now there is a secure connection from the user to EVILSYSTEM and from EVILSYSTEM to the bank. EVILSYSTEM forwards the bank page back to the user, and the user enters the account number and PIN. EVILSYSTEM then forwards that information to the bank system after copying the user’s information. EVILSYSTEM acts as a mediator, capturing all the critical information during the transaction. There are no obvious signs to the user that they are not connected solely to the bank.

The Real Problem

There are a number of countermeasures that a user can take, like hard coding the IP address. But there are a number of hacks that allow an aggressor to remain one step ahead:

· Inserting a corrupted host table into the user’s system using BackOrifice or another Windows hacking tool (these can be inserted using any EXE file on a DOS system by having the end user run the EXE; an example would be any number of holiday executable cards sent via e-mail). This works since the user's system will check the host table, if one exists, before it checks a remote DNS.

· Changing how the router routes information, allowing the traffic to flow past a compromised system that hijacks the session and acts as a mediator in the exchange of DNS information.

The problem is not truly in the DNS as much as it is in the Authentication and Identification mechanism being used.

Mutual Authentication

In this example, and in most cases of logging into systems, the user presumes that they are talking to the correct system. A user must identify and authenticate themselves to the system, but the system does not authenticate itself to the user in an obvious way. The problem is only compounded by an increasing number of vulnerabilities in the TCP/IP protocol suite that can create misinformation to an aggressor’s advantage. To resolve this man-in-the-middle problem, a proper mutual authentication mechanism needs to be in place. Mutual authentication is when the host authenticates the client and the client authenticates the host. In the previous example the client fails to authenticate the host. This lack of host authentication is a common weakness in systems that can be attacked with misinformation and man-in-the-middle attacks. Mutual authentication is currently being addressed through the technique of digital signatures and third-party companies.
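The check the paper finds missing, the client authenticating the host, is exactly what certificate-chain and hostname verification supplies in a modern TLS client: whatever IP address a corrupted DNS hands back, EVILSYSTEM cannot present a certificate that both chains to a trusted CA and names the bank. The Python example below is added here and is not code from the paper or from Endeavor Systems. It contrasts the weak client configuration (encryption with no identification) with the hardened one, shows the server side of mutual authentication with hypothetical certificate-file parameters, and reimplements, for illustration only, the dNSName comparison that `check_hostname=True` performs; all host names in the tests are constructed.

```python
import ssl
from typing import Iterable, Optional


def weak_client_context() -> ssl.SSLContext:
    """Encryption without identification: the configuration the paper's
    scenario relies on. The client accepts whatever certificate EVILSYSTEM
    presents, so a corrupted DNS answer is enough to insert a mediator."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # never compare the certificate to the typed name
    ctx.verify_mode = ssl.CERT_NONE   # never require a signature from a trusted CA
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server authentication: the certificate must chain to a trusted CA and
    must name the host the user typed, whatever IP address DNS returned.
    `cafile` is a hypothetical path to a CA bundle; None uses the platform store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets both; restated so the intent is explicit.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def mutual_auth_server_context(cert_file: str, key_file: str,
                               client_ca_file: str) -> ssl.SSLContext:
    """The other direction of mutual authentication: the server presents its own
    certificate and demands a client certificate signed by `client_ca_file`.
    All three paths are hypothetical parameters supplied by the deployment."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # the CLIENT_AUTH default is CERT_NONE
    return ctx


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain AND checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def hostname_matches(typed_host: str, san_dns_names: Iterable[str]) -> bool:
    """The identity comparison check_hostname=True performs, reimplemented for
    illustration: the name the user typed must equal one of the certificate's
    dNSName entries. A wildcard covers exactly one leftmost label and is only
    honoured when the pattern has at least three labels (no '*.example')."""
    host = typed_host.lower().rstrip(".").split(".")
    for pattern in san_dns_names:
        labels = pattern.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        if labels[0] == host[0]:
            return True
        if labels[0] == "*" and len(labels) >= 3:
            return True
    return False
```

When the hardened context wraps a socket, the name passed as `server_hostname` to `wrap_socket` is the one compared against the certificate, so it must be the name the user typed, never the address DNS returned.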


The information contained in this paper is for education purposes only. This paper is the property of Coretez Giovanni, and is not to be replicated for commercial advertisement or gain without the written permission of Endeavor Systems, Inc. The example is not an example of an actual computer incident, but fictitious and used only to explain the technique.

Saturday, 22 April 2017

4.Network security Wireless Hacking Tools

Network security

Wireless Hacking Tools


1.1 Wireless Attack Tools

Many of the wireless attack tools are developed to compromise 802.11 networks. The popularity and widespread use of Wi-Fi gives the attacker a platform on which they can cause the most disruption. As other technologies gain popularity and usefulness, more attack tools are developed for those technologies.
The wireless attack tools can be categorized, for the most part, as attacks on the confidentiality, integrity, or availability of a network. This paper is organized as follows: first, confidentiality attacks will be discussed and examples of wireless hacking tools given in section two; integrity attacks and availability attacks will follow in sections three and four; specific Bluetooth attacks and hacking tools will be discussed in section five.

2.0 Confidentiality Attacks
The confidentiality attacks attempt to gather private information by intercepting it over the wireless link. This is true whether the data is encrypted or sent in the clear. If the data is encrypted, these attacks would include breaking the encryption and finding the key. Eavesdropping, key cracking, access point (AP) phishing, and man in the middle attacks are all included in this category.
Eavesdropping is intercepting or sniffing the transmitted network traffic. This is capturing the bits transmitted on the physical layer, but many commercial programs will format the data in a user-friendly way. This makes understanding the data much easier. If encryption is used, one will only see the encrypted data while sniffing. There are other tools available to crack certain encryption techniques. These tools are also considered confidentiality attack tools.
Beyond simply capturing and displaying the packets from the physical layer, many of the sniffing programs have filters and plugins installed that have the ability to manipulate the data, creating a man in the middle attack. For example, a sniffing program can have a filter running that will replace https (secure website) with http (non-secure). As a result, the victim's authentication would appear in the clear across the physical layer. The eavesdropper would be able to see both the username and password for the login.
Another example of a man in the middle attack would be to downgrade the encryption used. It is possible to roll back the Microsoft Challenge-Handshake Authentication Protocol (MSCHAP2) encryption to MSCHAP1, which is weaker, and then roll back further to plain text for Microsoft's Point-to-Point Tunneling Protocol over a Virtual Private Network. This involves using man in the middle attack tools to alter the handshake messages between the client and server.

Figure 1 - Man in the Middle Attack
Figure 1 illustrates a man in the middle attack. The authorized user will be faked into connecting to the unauthorized user instead of the AP. The unauthorized user will be able to alter the message sent between the authorized user and the AP in order to attack the security.
AP phishing or "Evil Twin" is a confidentiality attack where the user is tricked into trying to log on to fake APs, thus providing their credentials to the attacker. Attackers will set up these phony APs and create fake logon pages in hopes of collecting users' personal information, including credit card information. The user may also be coerced into downloading a series of trojan horses. They may also use these fake APs to invoke man in the middle attacks. [34]
There are a variety of confidentiality attacks, but they all have one common goal - to gather the private information of a user. One or more of the attacks can be used. These include eavesdropping or sniffing, man in the middle attacks, and AP phishing.

2.1 Confidentiality Attack Tools

For eavesdropping, a commonly used tool is Wireshark, formerly Ethereal. It is a basic sniffing program that will display all network traffic, both wired and wireless. It is a multi-platform, multi-protocol analyzer with hundreds of protocols supported. It includes support for 802.11 and Bluetooth and also includes decryption support for many popular wireless security protocols including IPsec, Internet Security Association and Key Management Protocol (ISAKMP), Kerberos, Secure Sockets Layer, Wired Equivalent Privacy (WEP), and Wi-Fi Protected Access (WPA)/WPA2. [10]
Wireshark will display the captured data in an easy to read and easy to follow form. It also has many built in filters and the ability for the user to design their own filters. These filters can be used to only capture specific data such as a certain IP address, protocol, port number, etc.

Figure 2 - Wireshark Screenshot
Figure 2 shows a screenshot of Wireshark. Each different color indicates a different protocol identified. When the user selects a packet, the details of that packet are displayed below.
The sniffing programs work well for information that is sent in the clear. For encrypted information, an encryption key cracker is necessary. For 802.11, WPA2 is the latest wireless encryption standard that has not been broken yet. WPA and WEP are two previous encryption schemes with many tools available that will crack their encryption keys. AirSnort [6] is a well known WEP cracker and AirCrack [7] is an attack tool for WPA.
Ettercap [8] and dsniff [9] are two popular man in the middle attack tools. They both provide sniffing capabilities similar to Wireshark, but go beyond that with the ability to modify the data in transmission. Again these are available for many platforms. Ettercap even has a tutorial on how to write your own plugin.
Tools such as Hotspotter [11], APsniff [12], APhunter [13], and KNSGEM [14] will scan for wireless AP beacon signals. Although they are not necessarily attack tools, they can be used to find the wireless APs. KNSGEM will even place the APs on a Google Earth map. Attackers will then set up their “Evil Twin” AP near these legitimate ones. HermesAP [15] and OpenAP [16] are two Linux-based tools that allow the user to set up phony APs. OpenWRT [17] and HyperWRT [18] are two open source projects that replace the factory firmware for Linksys's popular WRT line of APs. Attackers can use these distributions to create fake APs.
Table 1 - Summary of confidentiality attack tools


Tools | Description | Type of Attack
1. AirSnort | Brute force WEP cracker | Encryption Cracker
2. AirCrack | WPA cracker | Encryption Cracker
3. Ettercap, dsniff, and Wireshark | Packet sniffers with traffic analysis; these also include tools to break encryption | Packet sniffing
4. Hotspotter, APsniff, APhunter and KNSGEM | Discovers WLANs by listening for beacon signals transmitted from APs | AP locator
5. HermesAP and OpenAP | Used to set up a rogue AP | Evil Twin
6. OpenWRT and 7. HyperWRT | Replacement firmware so APs can be programmed to execute attacks | Fake AP creation
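The AP locators and rogue-AP firmware in Table 1 have a defensive mirror image: the same beacon frames they look for can be compared against an inventory of the access points a site actually owns, which is how an "Evil Twin" advertising the site's own SSID from an unknown radio is spotted. The following Python check is an added example, not code from the paper or from any tool it lists; the inventory, MAC addresses, SSIDs and the captured beacons are all constructed sample values.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Beacon(NamedTuple):
    bssid: str       # MAC address the beacon was transmitted from
    ssid: str        # network name advertised
    channel: int
    security: str    # "OPEN", "WEP", "WPA" or "WPA2"


# Constructed inventory of the site's own access points (hypothetical MACs).
AUTHORIZED: Dict[str, Tuple[str, int, str]] = {
    "00:11:22:aa:bb:01": ("CorpNet", 6, "WPA2"),
    "00:11:22:aa:bb:02": ("CorpNet", 11, "WPA2"),
    "00:11:22:aa:bb:03": ("CorpGuest", 1, "OPEN"),
}

# Ordering used to recognise a weaker-than-expected security setting.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def classify(beacon: Beacon) -> Optional[str]:
    """Return a finding label for one beacon, or None if it looks legitimate."""
    our_ssids = {ssid for ssid, _, _ in AUTHORIZED.values()}
    expected = AUTHORIZED.get(beacon.bssid)
    if expected is None:
        # Our own network name from a radio we do not own: the Evil Twin case.
        return "evil-twin" if beacon.ssid in our_ssids else None
    ssid, channel, security = expected
    if beacon.ssid != ssid:
        return "ssid-mismatch"
    if STRENGTH[beacon.security] < STRENGTH[security]:
        # An authorized BSSID suddenly advertising weaker protection.
        return "security-downgrade"
    if beacon.channel != channel:
        return "channel-mismatch"
    return None


def scan(beacons: List[Beacon]) -> Dict[str, str]:
    """Run classify over a capture and keep the findings keyed by BSSID."""
    findings: Dict[str, str] = {}
    for b in beacons:
        label = classify(b)
        if label is not None:
            findings[b.bssid] = label
    return findings


def sample_capture() -> List[Beacon]:
    """Constructed beacons standing in for a monitor-mode capture."""
    return [
        Beacon("00:11:22:aa:bb:01", "CorpNet", 6, "WPA2"),     # legitimate
        Beacon("00:11:22:aa:bb:02", "CorpNet", 11, "WPA2"),    # legitimate
        Beacon("de:ad:be:ef:00:01", "CorpNet", 6, "OPEN"),     # evil twin of CorpNet
        Beacon("00:11:22:aa:bb:03", "CorpGuest", 1, "OPEN"),   # legitimate guest
        Beacon("00:11:22:aa:bb:01", "CorpNet", 6, "WEP"),      # downgrade on our BSSID
        Beacon("c0:ff:ee:00:00:01", "CoffeeShop", 1, "WPA2"),  # neighbour, ignored
    ]


if __name__ == "__main__":
    for bssid, label in scan(sample_capture()).items():
        print(f"{bssid}: {label}")
```

A BSSID is only a transmitted address, so a twin that copies an authorized BSSID exactly passes this inventory comparison; a production wireless IDS adds signal-strength, channel and timing evidence to the same check rather than relying on the address alone.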


3.0 Integrity Attacks

The idea of an integrity attack is to alter the data while in transmission. Remember the integrity of the data means that it has not been altered in any way. This includes data deletion or addition, frame deletion or addition, or replay attacks.
One integrity attack is frame injection. This is when an attacker injects their own Ethernet frames in the middle of the transmission. This can be used in a variety of ways to attack the user. The user can be misled into accepting frames that it did not intend. All the major Internet browsers were vulnerable to a frame injection attack. This vulnerability has been fixed, but it does give an example of how this can be used as an attack. An attacker could inject frames into a transmission to display their content within the legitimate outer web page frames of another company. For example, a user would access their banking web page and it would look like the legitimate web page, but the attacker has injected Ethernet frames so that even though the web page looks legitimate it is not. When the user attempts to log in, all the login information can be recorded by the attacker.
It is relatively easy to inject spoofed packets in a wireless network. When communicating with a web server there is a delay of tens of milliseconds while waiting for a reply. This is plenty of time for spoofed packets to be injected and the legitimate packets to be deleted. This is similar, but not exactly the same as the man in the middle attacks.
Packet injection can be used to generate a DoS attack as well. In 802.11, the AP and the wireless device attempting to connect to it will trade associate and authenticate messages. When disconnecting, they will exchange deauthenticate messages. Packet injection tools can be used to issue deauthenticate messages for the addresses in the network, which could easily be obtained from sniffing the traffic. This would cause the valid device to be disconnected from the AP.
Similarly an attacker can delete or jam the data being transmitted. For example, an attacker could jam the wireless signal from reaching its intended target and also provide acknowledgments (ACKs) back to the source. The data would never reach the intended target, but the sender would have no idea, since it would see the ACKs.
Data replay is yet another attack on data integrity. This involves the attacker capturing authentication information and saving it for later use. This can be used for 802.1X Extensible Authentication Protocol (EAP) or for 802.1X Remote Authentication Dial-In User Service (RADIUS) authentications. Once the attacker has captured and saved the authentication information, it will monitor the traffic for another authentication. Then it will inject those frames instead of the legitimate authentication frames and essentially gain access to a system.

3.1 Integrity Attack Tools

The list of integrity attack tools is not as extensive as the confidentiality attack tools. Sniffing and encryption cracking are more common than frame injection and replay attacks. Nonetheless, there are tools for frame manipulation (addition and deletion) and replay.
Airpwn [19] is a wireless attack tool for 802.11 packet injection. It listens for specific patterns of the incoming packets. If there is a match with what is specified in the config file, then custom spoofed packets are injected from the AP. The valid packet that the spoofed packet replaced will be intercepted by airpwn and not allowed to reach the user.
File2air [20] is a similar injection tool, except it allows the user to specify a file that will be used for the payload of the injected packets. It uses another tool called AirJack [21] to perform the actual frame injection. File2air runs on top of AirJack and reads in a binary file and transmits its contents onto a wireless network.
Simple-replay [22] is an attack tool that does exactly as the name implies. It allows for 802.11 packets that were previously captured to be injected back into the network.
Frame injection and frame replay tools can be used to attack the integrity of the data. Data integrity ensures that the transmitted data arrives at the destination unchanged. The attack tools focus on frame manipulation, so that an attacker can cause the user to receive the information it chooses.
Table 2 - Summary of integrity attack tools


Tools | Description | Type of Attack
1. Airpwn | Allows for generic 802.11 packet injection | 802.11 packet injection
2. File2air | Allows the specified file to be used as packet payload | 802.11 replay





4.0 Availability Attacks
Availability attacks are most simply described as DoS attacks. DoS focuses on attacking a specific part of the network so that it is unreachable. Network availability means that at any point the network is able to provide the requested information to the authorized user. DoS attacks prevent this information from reaching the user.
There are several types of DoS attacks; one is flooding. Flooding is overloading the network with a certain type of packet so that the wireless AP is so busy serving all the flooding packets that it cannot serve any legitimate packets. For example, an 802.11 beacon flood is where thousands of illegitimate beacons are generated to make it difficult for an individual machine to find the legitimate AP. Another is an 802.11 authentication flood, where thousands of authentications are sent from random Media Access Control (MAC) addresses, filling up the AP's authentication table and making it hard for a legitimate user to gain access. This gives a small example of the types of flooding attacks someone could execute on a wireless network.


Figure 3 - Beacon Flooding
Figure 3 shows an example of the beacon flooding attack. The legitimate AP emits a legitimate beacon signal that the user will look for. The fake AP is emitting many fake beacon signals. The user has a much better chance of trying to connect to one of the fake beacon signals rather than the one legitimate one. This leads to a DoS since the user cannot connect to the legitimate AP.
Another type of DoS attack is radio frequency jamming. In this case the attacker jams the frequency of the Wireless Local Area Network (WLAN), most likely with a much higher power level than allowed by regulation. This will not allow anyone access to the WLAN.
Again the idea of a DoS attack is to prevent the user from gaining access to the network. This is done by attacking certain pieces of the network usually those needed to connect to the network. Flooding and RF jamming are two examples of DoS attacks.

4.1 Availability Attack Tools

The list of attack tools for availability is similar to that of integrity. Many of the same tools can be used because of the similarity in the attacks. Many of the flooding attacks can be accomplished by using the injection attack tools on top of the flooding tools. To execute an authentication flooding attack, you could use frame injection to inject many authentication frames from different MAC addresses. This will fill up the authentication table of the AP and make it difficult for a legitimate user to connect.
There are, however, some specific tools available to launch these attacks that are separate from the integrity attack tools. FakeAP [23] generates thousands of 802.11 APs or more specifically it generates thousands of 802.11 beacon signals that can be used for the beacon signal flooding attack.
Void11 [24] is another flooding attack tool. It has the ability to implement three different flooding attacks: deauthenticate clients, authentication flood, and association flood. The deauthenticate attack floods the WLAN with deauthenticate packets for random MACs. Those legitimate users connected with a matching MAC address will close their connection upon receiving the deauthenticate packet. The authentication attack again floods the network with authentication packets so legitimate users cannot connect. The same goes for the association packets.
There are a variety of availability attacks. All of them implement a DoS attack of some sort, whether it is radio frequency (RF) jamming or network flooding. There are also many different flooding attacks, with just a few examples given here. Flooding attacks exploit vulnerabilities in the protocols themselves.
Table 3 - Summary of availability attack tools


Tools | Description | Type of Attack
1. FakeAP | Generates thousands of 802.11 beacon signals | Flooding DoS
2. Void11 | Can be used to execute deauthenticate, authenticate, and association flooding attacks | Flooding DoS
3. Many commercial tools available | Jams the RF signal so that it cannot be distinguished by a legitimate device | RF jamming
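The deauthentication injection described in section 3.0 and the beacon and authentication floods of section 4.0 share one detection signature: inside a short window, far more management frames, or far more distinct transmitter addresses, than a site's own access points and clients ever produce. The sliding-window detector below is an added Python example, not code from the paper or from the tools in Table 3, run over constructed frame records; the thresholds, timestamps and MAC addresses are arbitrary sample values that a real deployment would tune to its own baseline.

```python
from collections import deque
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple


class MgmtFrame(NamedTuple):
    ts: float      # capture timestamp in seconds
    subtype: str   # "beacon", "auth", "assoc" or "deauth"
    src: str       # transmitter MAC address
    dst: str       # receiver MAC address ("ff:ff:ff:ff:ff:ff" for broadcast)


class FloodDetector:
    """Per-subtype sliding windows over 802.11 management frames.
    Thresholds are constructed sample values, not a recommendation."""

    def __init__(self, window: float = 1.0, max_beacon_bssids: int = 30,
                 max_join_sources: int = 15, max_deauths: int = 10) -> None:
        self.window = window
        self.limits = {"beacon": max_beacon_bssids, "auth": max_join_sources,
                       "assoc": max_join_sources, "deauth": max_deauths}
        self.recent: Dict[str, Deque[Tuple[float, str, str]]] = {
            k: deque() for k in self.limits}
        self.alerts: List[Tuple[float, str]] = []

    def observe(self, frame: MgmtFrame) -> Optional[str]:
        """Feed one frame; return an alert label if a threshold is crossed."""
        q = self.recent.get(frame.subtype)
        if q is None:
            return None                      # other subtypes are not counted here
        q.append((frame.ts, frame.src, frame.dst))
        while q and frame.ts - q[0][0] > self.window:
            q.popleft()                      # drop frames that fell out of the window
        alert = None
        if frame.subtype == "beacon":
            # Beacon flood: more distinct BSSIDs than a site has access points.
            if len({src for _, src, _ in q}) > self.limits["beacon"]:
                alert = "beacon-flood"
        elif frame.subtype in ("auth", "assoc"):
            # Auth/assoc flood: many distinct station MACs joining one AP at once.
            joiners = {src for _, src, dst in q if dst == frame.dst}
            if len(joiners) > self.limits[frame.subtype]:
                alert = f"{frame.subtype}-flood"
        elif frame.subtype == "deauth":
            # Deauth storm: a burst of disconnects, whatever address they claim.
            if len(q) > self.limits["deauth"]:
                alert = "deauth-flood"
        if alert is not None:
            self.alerts.append((frame.ts, alert))
        return alert


def run_detector(frames: List[MgmtFrame], **thresholds) -> List[str]:
    """Return the distinct alert labels raised, in the order they first fired."""
    det = FloodDetector(**thresholds)
    labels: List[str] = []
    for f in frames:
        label = det.observe(f)
        if label is not None and label not in labels:
            labels.append(label)
    return labels


BCAST = "ff:ff:ff:ff:ff:ff"


def normal_traffic() -> List[MgmtFrame]:
    """Constructed baseline: two APs beaconing every 100 ms, one client joining."""
    frames = []
    for i in range(50):
        frames.append(MgmtFrame(i * 0.1, "beacon", "00:11:22:aa:bb:01", BCAST))
        frames.append(MgmtFrame(i * 0.1 + 0.05, "beacon", "00:11:22:aa:bb:02", BCAST))
    frames.append(MgmtFrame(1.2, "auth", "66:77:88:00:00:01", "00:11:22:aa:bb:01"))
    frames.append(MgmtFrame(1.25, "assoc", "66:77:88:00:00:01", "00:11:22:aa:bb:01"))
    return sorted(frames)


def beacon_flood() -> List[MgmtFrame]:
    """Constructed: 100 beacons from 100 different BSSIDs within one second."""
    return [MgmtFrame(0.01 * i, "beacon", f"02:00:00:00:00:{i:02x}", BCAST)
            for i in range(100)]


def auth_flood() -> List[MgmtFrame]:
    """Constructed: 40 authentication frames from 40 station MACs to one AP in 0.8 s."""
    return [MgmtFrame(0.02 * i, "auth", f"02:aa:bb:cc:00:{i:02x}", "00:11:22:aa:bb:01")
            for i in range(40)]


def deauth_storm() -> List[MgmtFrame]:
    """Constructed: 40 deauthentication frames in 0.8 s aimed at 40 different clients."""
    return [MgmtFrame(0.02 * i, "deauth", "00:11:22:aa:bb:01", f"66:77:88:00:00:{i:02x}")
            for i in range(40)]
```

Counting distinct source addresses rather than raw frame rate is what separates the authentication flood from a busy but healthy AP, and the deauth counter deliberately ignores the claimed source because those frames are trivially forged; the same records fed to the detector would come from a monitor-mode capture in practice.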



5.0 Bluetooth Attacks

Recently more Bluetooth attacks have emerged as Bluetooth technology gains popularity. The most well-known attacks are DoS, bluesnarfing, and the key bump attack. The key bump attack involves obtaining the pairing key and then having full access to the victim's system.
One Bluetooth DoS attack involves a device that is not part of a piconet disrupting the established piconet of other devices. A Bluetooth piconet is the ad hoc network created with two or more Bluetooth devices that includes one master device and a number of slaves. The attacking device that is not participating in the piconet spoofs a slave out of the piconet and then contacts the master of the piconet. This will confuse the master device and lead to a disruption of the piconet.
Another DoS attack on Bluetooth devices involves a buffer overrun. This is when data is copied into a buffer, but the amount of data copied into the buffer exceeds the size of the buffer. This will cause the data to be copied into memory where it is not intended. The resulting status of the system depends on where in memory the data is copied.
Bluesnarfing is a term that means an attacker has obtained unauthorized information through a Bluetooth connection. The Object Exchange (OBEX) Push Profiler (OPP) has been identified as an easy mechanism for exchange of business cards, calendar entries, and other similar items. In most cases it does not require authentication. Bluesnarfing involves connecting to the OBEX Push target and issuing an OBEX GET request for common known filenames. In some cases, depending on the victim device's firmware, the attacker will be able to obtain all the files that were requested.
In the key bump attack the attacker gets the victim to accept a connection for some trivial data transfer, such as a picture, calendar notice, or a business card on a PDA. After the data is sent, the attacker keeps the connection open. This allows the attacker to request a key regeneration after the victim has deleted the pairing between the two devices. Once the key regeneration is done, the attacker has full access to any services provided by the victim's device.

5.1 Bluetooth Attack Tools

The number of tools available to attack Bluetooth devices is also growing with the growing popularity of Bluetooth devices. For DoS attacks, the BlueSmack [25] tool can be used to launch the ping of death attack on Bluetooth devices. It works by requesting an echo from a Bluetooth device. When thousands of these echoes are requested, the device cannot service anything but the echoes, causing a DoS. Other DoS tools include BlueChop [26] and BluePass [27]. BlueChop can be used to disrupt an established piconet and BluePass can be used to create Bluetooth packets that cause the buffer overflow attack.
BlueSnarf [28] is a tool that can be used for bluesnarfing. Again, this means obtaining unauthorized files from a Bluetooth device by keeping the connection open and requesting those files. BlueBump [29] is a tool that can be used to obtain the victim's key. Some PDAs will allow an attacker to request a key regeneration that can be used later to gain full access to the system. The table below summarizes the Bluetooth attack tools presented.
As Bluetooth technology becomes more prevalent in users' everyday lives and as more products become available, more attack tools will emerge. There are several DoS attacks that can be used to disrupt normal Bluetooth communication. There are also attacks to gain full access to a victim's device. All of these can cause major problems for the user.
Table 4 - Summary of Bluetooth attack tools

Tools | Description | Type of Attack
1. BlueSmack | Issues ping of death attack | DoS
2. BlueChop | Disrupts an existing piconet | DoS
3. BluePass | Causes a buffer overflow attack | DoS
4. BlueSnarf | Obtains unauthorized access to files | Bluesnarfing

Summary

In this paper we discussed several attack tools for 802.11 and Bluetooth systems. Since both of these protocols are a major part of everyday life, many attack tools exist. The attacks can be categorized into three major categories: confidentiality, integrity, and availability. Confidentiality attacks include sniffing, encryption cracking, and AP attacks. Integrity attacks include attacks on the data while in transmission; this includes frame manipulation, addition, and deletion. Finally, the availability attacks are all DoS attacks.
Presented were wireless hacking tools and possible attacks on wireless networks. Although wireless networks will probably never be completely secure, because research on protocol vulnerabilities will always continue, one can keep one's network as secure as possible. Staying educated on the latest encryption schemes and other network-security-related items is probably the best way to keep your network secure. You will not be able to stop the sniffing of your traffic; however, you can prevent the attacker from being able to decipher the traffic. The protocols will continue to evolve to keep unauthorized devices from connecting to a wireless network. However, even the latest security methods have their weaknesses. For example, WPA2, the latest encryption method, does not address the problem of disassociation and deauthentication attacks, but does address many of the issues with WEP.
The attack tools are easy to obtain, easy to install, and have detailed web pages or forums that include directions on how to obtain, install and use them. Many of the tools are multi-platform, which makes them even easier to use. As the network security field grows in complexity, the attack tools will evolve.

List of Acronyms


ACK             Acknowledgment
AP              Access Point
DoS             Denial of Service
EAP             Extensible Authentication Protocol
ISAKMP          Internet Security Association and Key Management Protocol
MAC             Medium Access Control
