Effectiveness of Security Measures - PowerPoint PPT Presentation

Slides: 41
Provided by: ken76

Transcript and Presenter's Notes

1
Source: http://en.wikipedia.org/wiki/Image:Dilbert-20050910.gif
2
The Effectiveness of Security by Password
  • Ken Guo

3
Agenda
  • Overview
  • Password Insecurity
  • Password Myths
  • Case Study
  • Current Trends
  • Conclusion
  • Q&A

4
Where Passwords are Used
5
Where Passwords are Used
  • System access
    • Network, desktop, online shopping
  • Public Key Infrastructure
  • Document protection
    • Word, PDF

6
Requirements for Password [1]
  • Should be secure
    • Look random
    • Hard to guess
  • Easy to remember

(conflicting requirements)

1. Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N. (xxxx). Authentication using graphical passwords: Basic results.
7
How Secure is Secure?
  • The Weakest Link [1]
  • Long Password Security [2]

1. Schneier, B. (2003). Beyond Fear. New York: Copernicus Books.
2. Luby, M., Rackoff, C. (1989). A study of password security. Journal of Cryptology, 1, pp. 151-158.
8
Insecurity by Password
  • Desktop cracking software
    • Example: PDF Password Recovery
      • 15-char random password
      • 128-bit RC4 encryption
      • Decrypted and password removed

9
Insecurity by Password in E-Business
  • The Weakest Links: Technical Factors
    • Shoppers
      • Stolen by spyware
    • Transmission
      • Eavesdropping
    • Businesses
      • Password in plain text

10
Insecurity by Password in E-Business
  • The Weakest Links: Human Factors
    • Shoppers
      • Easy-to-guess password
      • Susceptible to social engineering
      • Too many passwords

11
Insecurity by Password in E-Business
  • The Weakest Links: Organizational Factors
    • Businesses
      • Costs
      • Management practices
        • Trade off security for convenience
      • Implementation issues
        • Executions by different employees
        • A CCRA example: address change

12
Insecurity by Password in Organizations
  • Management practices
    • Unchanged default/blank passwords
    • Too frequent forced changes
      → More write-downs by users
    • Rules of password
      • Often not user-friendly
  • Domino effect
    • If admin password is compromised

13
Myth: Periodic changes improve security [1]
  • Only reduces threats by guessing
  • Does more harm than good
    • Users run out of options to set a good, memorable password
  • Does not address the following threats
    • Disclosure (intentional or unintentional)
    • Inference
    • Exposure
    • Loss
    • Snooping (eavesdropping)

1. http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/
14
Myth: Random Passwords are Better
  • Passwords based on mnemonic phrases are as good as randomized ones [1]

1. Yan, J., Blackwell, A., Anderson, R., Grant, A. (2004). Password memorability and security: empirical results.
15
An Example
  • Limited number of tries
  • Problem: better write the password down somewhere to avoid the account being locked

16
Case Study [1]
  • Case: Hacking
    • Security testing (penetration testing)
    • Demonstrates how ID and password are exploited
  • Target
    • A large international bank
    • Online banking service
  • Approach: black-box testing

1. Dos Santos, A.L.M., Vigna, G., and Kemmerer, R.A. (2001). Security testing of an online banking service. In Ghosh, A.K. (Ed.), E-Commerce Security and Privacy, Norwell, Massachusetts: Kluwer Academic, pp. 3-16.

17
Case Background
  • User logon steps
    • Step 1: enter 4 text fields
      • Account
        • Branch number: 4 digits
        • Account number: 6 digits
        • Control digit: 1 digit
      • PIN: 4 digits

Vulnerabilities?
18
Case Background
  • User logon steps
    • If authenticated in step 1, then
    • Step 2: one piece of personal information
      • SSN
      • Date of birth
      • Father's name
      • Mother's maiden name

Vulnerabilities?
19
Case Background
  • The bank's other security measures
    • Account lockout
      • 3 password failures
      • 2 personal data failures
    • Limited session time
      • For the same account
      • For the same IP address
    • SSL
    • Java class obfuscated

Vulnerabilities?
20
Attack Procedures
  • Development of a custom application
  • Reverse engineering of the Java applet

21
Attack Procedures
  • Account
    • Branch number: 4 digits (publicly known)
    • Account number: 6 digits (parallel attacks to test all accounts)
    • Control digit: 1 digit (algorithm reverse engineered based on 300 known accounts)
  • PIN: 4 digits
    • Only 10,000 possibilities
    • 3 users use 1234

22
Attack Procedures
  • The bank's other security measures
    • Account lockout
      • 3 password failures
      • 2 personal data failures
      → Fixed password, try all accounts! So no more lockouts!
    • Limited session time
      • For the same account
      • For the same IP address
      → IP spoofing
23
Attack Procedures
  • Find out the account owner
    • One piece of personal information
      • SSN
      • Date of birth
      • Father's name
      • Mother's maiden name
    → Initialize and abort electronic transfers: the system will show the destination account info
  • Social engineering
    • Target
      • Government for SSN
      • Account owner
      • Other people in the town

24
Attack Results
  • Many other weaknesses
  • A number of accounts compromised
    • Personal
    • Business

25
Case: Lessons Learned
  • Implementation issues
    • Too much diagnostic information, e.g.
      • Which field is the control digit
      • Destination account information
    • Too short password
    • System not fully tested
      • Lockout on password failures, but not on account number failures
  • Human factors are often more important
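
The case study's weak spot, a lockout that counts only PIN failures per account and error messages that say which field was wrong, is easy to model. The following is an added example, not code from the presentation or from Dos Santos et al.: a toy logon service with the bank's policy beside a hardened one that also counts failures per source address and per PIN value across accounts, and that returns a single uniform error. All accounts, PINs, thresholds, addresses and the mod-10 check digit are constructed for the example; the bank's real algorithm is not on the page.

```python
"""Added example, not code from the presentation or from Dos Santos et al.: a toy model
of the logon described in the case study, with the bank's weak lockout policy beside a
hardened one. All accounts, PINs, thresholds and addresses are constructed."""
from collections import Counter, defaultdict
import hmac


def control_digit(branch: str, account: str) -> str:
    """Constructed check digit (mod-10 digit sum). The bank's real algorithm is not
    on the page; the point is that a check digit catches typos and is not a secret."""
    return str(sum(int(c) for c in branch + account) % 10)


# Constructed account table keyed by (branch, account number, control digit).
# Three of twenty accounts use PIN 1234, mirroring the "3 users use 1234" finding.
ACCOUNTS = {}
for i in range(1, 21):
    acct = f"{i:06d}"
    pin = "1234" if i in (15, 17, 19) else f"{(i * 37) % 10000:04d}"
    ACCOUNTS[("0001", acct, control_digit("0001", acct))] = pin


class WeakLogin:
    """Locks an account after 3 PIN failures, counts nothing else, and reports
    which field was wrong (the 'too much diagnostic information' issue)."""

    def __init__(self):
        self.pin_failures = Counter()

    def attempt(self, src_ip, branch, acct, ctrl, pin):
        key = (branch, acct, ctrl)
        if ctrl != control_digit(branch, acct):
            return "invalid control digit"      # leaks which field is the check digit
        if key not in ACCOUNTS:
            return "unknown account"            # leaks which account numbers exist
        if self.pin_failures[key] >= 3:
            return "account locked"
        if pin == ACCOUNTS[key]:
            return "ok"
        self.pin_failures[key] += 1             # the only counter the bank kept
        return "wrong PIN"


class HardenedLogin:
    """Keeps the per-account lockout, adds a per-source-address counter and a
    per-PIN-value counter across accounts (which catches one fixed PIN tried against
    every account), and returns one uniform error string."""

    SRC_LIMIT = 10    # failures from one address before it is blocked (constructed)
    SPRAY_LIMIT = 5   # distinct accounts one PIN value may fail against (constructed)

    def __init__(self):
        self.pin_failures = Counter()
        self.src_failures = Counter()
        self.pin_to_accounts = defaultdict(set)
        self.alerts = []

    def attempt(self, src_ip, branch, acct, ctrl, pin):
        key = (branch, acct, ctrl)
        if self.src_failures[src_ip] >= self.SRC_LIMIT or self.pin_failures[key] >= 3:
            return "login failed"
        real = ACCOUNTS.get(key)
        if real is not None and ctrl == control_digit(branch, acct) \
                and hmac.compare_digest(pin, real):
            return "ok"
        # Every failure feeds all three counters; the caller learns nothing about why.
        self.pin_failures[key] += 1
        self.src_failures[src_ip] += 1
        self.pin_to_accounts[pin].add(key)
        if len(self.pin_to_accounts[pin]) == self.SPRAY_LIMIT:
            self.alerts.append(
                f"PIN {pin!r} failed against {self.SPRAY_LIMIT} accounts, last from {src_ip}")
        return "login failed"


def fixed_pin_sweep(service, pin, src_ip="10.0.0.9"):
    """Constructed drive of the pattern in the case study: one PIN value tried once
    against every account number, so no single account reaches 3 failures."""
    results = []
    for i in range(1, 21):
        acct = f"{i:06d}"
        results.append(service.attempt(src_ip, "0001", acct, control_digit("0001", acct), pin))
    return results


if __name__ == "__main__":
    weak, hard = WeakLogin(), HardenedLogin()
    print("weak    :", Counter(fixed_pin_sweep(weak, "1234")))
    print("hardened:", Counter(fixed_pin_sweep(hard, "1234")), hard.alerts)
```

Against the weak policy the sweep never trips a lockout and opens the three accounts that share the common PIN; against the hardened policy the same sweep is blocked after ten failures from one address, an alert fires once the PIN value has failed against five distinct accounts, and a legitimate user from another address still logs in normally. The per-PIN-value counter is the one the case study's bank lacked: it is the account-number-failure counter named in the lesson, keyed on the thing the attacker holds constant.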

26
Some Trends
  • Graphical passwords
  • Single Sign-On (SSO)

27
Graphical Passwords
  • Use graphics rather than alphanumeric characters
  • Imprinted memories
    • Easily recognize something, but
    • Difficult to recall systematically

28
Graphical Passwords
  • Variation 1
    • Users must click the correct regions on an image

29
Graphical Passwords
  • Variation 2
    • Pictures grouped on a common theme
    • To log on, the user must pick the correct picture from each group

30
Graphical Passwords
  • Some early work
    • PassPoints [1]
      • Uses a single picture (variation 1)
    • Déjà Vu [2]
      • Uses a set of pictures (variation 2)
    • Passfaces [3]
      • Uses special pictures, human faces (variation 2)

1. Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N. (xxxx). Authentication using graphical passwords: Basic results.
2. Dhamija, R. and Perrig, A. (2002). Déjà Vu: a user study using images for authentication. In The 9th USENIX Security Symposium.
3. Brostoff, S. and Sasse, M.A. (2000). Are Passfaces more usable than passwords? People and Computers XIV: Usability or Else! Proceedings of HCI 2000, Sunderland, UK, pp. 405-424.

31
Deja Vu
32
Graphical Passwords
  • Advantages
    • Higher memorability
    • Less guessability
      • Avoids dictionary attacks
  • Disadvantages
    • Precision (variation 1)
    • Vulnerable to eavesdropping [1]

1. Weinshall, D., Kirkpatrick, S. (2004). Passwords you'll never forget, but can't recall. CHI 2004, April 24-29, 2004, Vienna, Austria.
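
To make the two variations and the precision problem concrete, here is an added example that is not code from the presentation or from the PassPoints, Déjà Vu or Passfaces papers. It verifies a variation 1 secret in two ways (plaintext points with a tolerance box, and hashed grid cells, which is what makes the precision disadvantage bite), verifies a variation 2 selection as a salted hash, and computes the guess space of each against a 4-digit PIN. Image size, tolerance, group layout, salt and secrets are all constructed.

```python
"""Added example, not from the presentation or the cited papers: verifiers for the
two graphical-password variations, plus guess-space arithmetic. Image size,
tolerance, groups and the sample secrets are constructed."""
import hashlib
import hmac
import math

TOLERANCE = 10  # pixels either side of the secret point (constructed)


def clicks_within_tolerance(secret, attempt, tol=TOLERANCE):
    """Variation 1: each click, in order, must land within `tol` pixels (a square
    box) of the stored point. This needs the secret points stored in the clear."""
    if len(secret) != len(attempt):
        return False
    return all(max(abs(sx - ax), abs(sy - ay)) <= tol
               for (sx, sy), (ax, ay) in zip(secret, attempt))


def snap_to_grid(points, tol=TOLERANCE):
    """Discretise clicks to (2*tol+1)-pixel cells so the sequence can be hashed."""
    side = 2 * tol + 1
    return tuple((x // side, y // side) for x, y in points)


def digest(sequence, salt: bytes) -> str:
    """Salted hash of any click-cell or picture sequence; store this, not the secret."""
    data = salt + repr(tuple(sequence)).encode()
    return hashlib.sha256(data).hexdigest()


def clicks_match_hashed(stored_hex, salt, attempt, tol=TOLERANCE):
    """Variation 1 with hashed storage: a click within `tol` of the secret but across
    a cell boundary is rejected. That is the precision problem in one line."""
    return hmac.compare_digest(stored_hex, digest(snap_to_grid(attempt, tol), salt))


def picture_selection_matches(stored_hex, salt, attempt):
    """Variation 2 (Deja Vu / Passfaces style): one picture id chosen from each
    group, in group order, compared as a salted hash in constant time."""
    return hmac.compare_digest(stored_hex, digest(attempt, salt))


def bits_variation1(width, height, n_clicks, tol=TOLERANCE):
    """Guess space of n ordered clicks when the image is cut into tolerance cells."""
    side = 2 * tol + 1
    cells = (width // side) * (height // side)
    return n_clicks * math.log2(cells)


def bits_variation2(n_groups, group_size):
    """Guess space of picking one of `group_size` pictures in each of `n_groups`."""
    return n_groups * math.log2(group_size)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    secret = [(100, 100), (300, 220), (512, 64)]
    near = [(105, 105), (300, 220), (512, 64)]          # within tolerance, other cell
    print(clicks_within_tolerance(secret, near))         # True
    stored = digest(snap_to_grid(secret), salt)
    print(clicks_match_hashed(stored, salt, near))       # False: crossed a cell edge
    print(round(bits_variation1(640, 480, 5), 1),
          round(bits_variation2(5, 9), 1), round(math.log2(10_000), 1))
```

The hashed form is the one a server would rather store, but it turns the tolerance box into a fixed grid, so a click that is five pixels off can pass the plaintext check and fail the hashed one. Variation 2 has no such problem: a picture id is exact, and five groups of nine pictures already give a larger guess space than a four-digit PIN, which is the "less guessability" point on the slide.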
33
Single Sign-On
  • One ID/password for multiple applications
  • Users only need to log on once
  • This is not SSO: the MAC ID for MUGSI and the Library

34
Single Sign-On
  • Applications in a corporate network
    • Works best in a homogeneous network, e.g.
      • Windows network
      • Exchange
      • IIS
    • A different story in a heterogeneous network
      • E.g. Windows does not talk to UNIX

35
Single Sign-On
  • Applications: E-business
    • Trusted 3rd-party authentication
      • Microsoft Passport Service [1]
        • Used for most Microsoft services
        • E.g. MSDN, Hotmail, Messenger
      • Liberty Alliance [2]

1. Microsoft Passport Network. http://www.passport.com.
2. Liberty Alliance. http://www.projectliberty.org/.

36
Single Sign-On
  • Applications E-business

37
Single Sign-On
  • Advantages
    • Increased frequency of use → improved memorability
    • Fewer passwords to remember → fewer write-downs
  • Disadvantages
    • May not work for heterogeneous networks
    • Domino effect: all eggs in one basket?
    • Costs
      • Installation
      • Maintenance
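
The "trusted 3rd-party authentication" model of the e-business slide and the domino-effect disadvantage above can both be seen in a few dozen lines. What follows is an added example, not code from the presentation, Microsoft Passport or Liberty Alliance: an identity provider authenticates the user once and hands out a short-lived signed assertion per site, each signed with that site's own shared secret, and each site verifies signature, audience and expiry without ever seeing a password. Site names, keys and clock values are constructed.

```python
"""Added example, not from the presentation, Microsoft Passport or Liberty Alliance:
a minimal trusted third-party sign-on. An identity provider authenticates the user
once and issues short-lived signed assertions, one per relying party, each signed
with that party's own shared secret. Names, keys and times are constructed."""
import base64
import hashlib
import hmac
import json


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds one shared secret per relying party (site). Loss of this table is the
    'all eggs in one basket' domino effect: every site would accept forged assertions."""

    def __init__(self, site_keys: dict):
        self.site_keys = site_keys

    def issue(self, user: str, audience: str, now: int, ttl: int = 300) -> str:
        claims = {"sub": user, "aud": audience, "exp": now + ttl}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.site_keys[audience], body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class RelyingParty:
    """A site that trusts the provider: it checks signature, audience and expiry,
    and never handles the user's password itself."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def verify(self, token: str, now: int):
        """Return the user the assertion vouches for, or None."""
        body, sep, sig = token.partition(".")
        if not sep:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None       # forged, tampered, or signed for another site
        try:
            claims = json.loads(_b64d(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("aud") != self.name or claims.get("exp", 0) <= now:
            return None       # wrong site, or expired
        return claims.get("sub")


# Constructed deployment: one provider, two sites, each with its own secret.
KEYS = {"mail": b"constructed-mail-secret", "msdn": b"constructed-msdn-secret"}
IDP = IdentityProvider(KEYS)
MAIL = RelyingParty("mail", KEYS["mail"])
MSDN = RelyingParty("msdn", KEYS["msdn"])


def single_sign_on_demo(now: int = 1_000_000) -> dict:
    """One logon at the provider, then an assertion per site; returns each check's result."""
    to_mail = IDP.issue("alice", "mail", now)
    flipped = to_mail[:-1] + ("0" if to_mail[-1] != "0" else "1")
    return {
        "mail accepts its own token": MAIL.verify(to_mail, now),
        "msdn rejects mail token": MSDN.verify(to_mail, now),
        "expired token rejected": MAIL.verify(to_mail, now + 301),
        "tampered token rejected": MAIL.verify(flipped, now),
        "msdn accepts its own token": MSDN.verify(IDP.issue("alice", "msdn", now), now),
    }


if __name__ == "__main__":
    for check, result in single_sign_on_demo().items():
        print(f"{check}: {result!r}")
```

Because each site has its own key, a site can only vouch for itself, and an assertion minted for the mail site is useless at the developer site even before the audience check runs. The provider, by contrast, holds every key, which is exactly why the slide asks whether all the eggs are in one basket: its compromise is every site's compromise at once, and the short expiry is the only thing that bounds how long a stolen assertion stays useful.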

38
Single Sign-On
  • Issue in e-business
    • Microsoft My Services on hold [1]
      • Security
      • Privacy
      • Control of information

1. Olavsrud, T. (2002). Microsoft Puts .NET My Services on Hold. http://www.internetnews.com/dev-news/article.php/1007961
39
Conclusion
  • Password is just one of the security perimeters
  • Good-enough security [1]
    • User-friendly
    • Business-driven

1. Sandhu, R. (2003). Good-enough security: toward a pragmatic business-driven discipline. IEEE Internet Computing, January/February 2003.
40
Comments / Questions
Thank You