Password Stealing & Enhancing User Authentication Using Opass Protocol


A glimpse of various password stealing attacks & description of Opass user authentication protocol.

Society for Computer Technology & Research’s PUNE INSTITUTE OF COMPUTER TECHNOLOGY
S. No. 27, Dhankawadi, Pune Satara Road, Pune – 411043
A Seminar On Password Hacking & Enhancing Security Using oPass UAP
Academic Year 2012-2013
# Contents…
Computer Hacking:
• Definition Of Hacking
• Hackers & Crackers
• Types Of Hackers
• Reasons For Hacking
• Ethical Hacking – The Concept
• Steps In Hacking
Password Hacking (Stealing):
• About Password Hacking
• Hacking Windows Login Passwords
• Web-site Phishing
• Trojan Horse
oPass UAP:
• oPass User Authentication Protocol
3/18/2013 Password Hacking & Enhancing Security Using oPass UAP 2
# Hacking - The Definition
• Hacking is the practice of modifying the features of a system in order to accomplish a goal outside of the creator's original purpose.
• Hacking also means finding weaknesses in a computer or computer network, though the term can equally refer to someone with an advanced understanding of computers and computer networks.
• Computer hacking is the practice of modifying computer hardware and software to accomplish such a goal.
# Hackers & Crackers…
• Traditionally, a hacker is someone who likes to play with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate, and love discovering new ways to work electronically.
• More recently, "hacker" has taken on a new meaning: someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers, or criminal hackers. Crackers break into systems with malicious intentions.
• Hackers, on the other side, work against the crackers. They find vulnerabilities or study recent attacks and fix those loopholes so as to protect us from crackers.
Hackers → legal; Crackers → illegal
# Types Of Hackers…
• Hacking exists in many forms (cell-phone hacking, brain hacking, etc.), but computer hacking is the most popular form nowadays, especially in the field of computer security. Hackers are classified as:
• White Hat: a white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company that makes security software. In Internet slang, "white hat" refers to an ethical hacker.
• Black Hat: a black hat hacker violates computer security for little reason beyond maliciousness or for personal gain.
• Grey Hat: a grey hat hacker is a combination of a black hat and a white hat. A grey hat may, for example, break into a computer system for the sole purpose of notifying the administrator that it has been hacked, and then offer to repair the system for a small fee.
# Types Of Hackers… continued…
• Script kiddie: a script kiddie (or skiddie) is a non-expert who breaks into computer systems using pre-packaged automated tools written by others, usually with little understanding of the underlying concept.
• Neophyte: a neophyte or newbie is someone who is new to hacking or phreaking and has almost no knowledge or experience of how the technology works.
• Organized criminal gangs: criminal activity carried on for profit.
• Bots: not hackers themselves, but automated software tools, some of them freeware, available to any of the above.
# Why do hackers hack ???
• The main reason why hackers hack is because they can. Hacking is a casual hobby for some hackers: they hack to see what they can and cannot hack, usually by testing their own systems.
• Many hackers are people who were pushed out of corporate and government IT and security organizations. They try to damage the organization's standing by attacking it or stealing information.
• Some hackers want to make your life miserable, and others simply want to be famous.
• Some common motives of malicious hackers are revenge, curiosity, boredom, challenge, theft for financial gain, blackmail, extortion and corporate work pressure.
• Many hackers say they do not hack to harm or profit through their activities, which helps them justify their work. They are often not after money at all; proving a point is a good enough reward for them.
# Ethical Hacking-The Concept...
• Ethical hacking is where a person hacks to find weaknesses in a system and then usually patches them.
• For example, a bank may pay a hacker to attack its systems to see whether they can be broken into. If he gets in, the bank knows that others could too, and will usually work with the ethical hacker to patch the holes. If he does not get in, they can only hope that nobody is better at hacking than he is.
• Ethical hacking is performed with the target's permission.
• The intent of ethical hacking is to discover vulnerabilities from a hacker's viewpoint so systems can be better secured.
• Ethical hacking is part of an overall information risk management program that allows for ongoing security improvements.
• Ethical hacking can also check that vendors' claims about the security of their products are legitimate.
# Steps In Hacking…
• Reconnaissance: the first stage of any attack is reconnaissance, i.e. surveying the victim and looking for ways into their systems. The purpose of this stage is to map out the target network and systems: list the systems on the network, then list the weaknesses available on each. Passive reconnaissance (public records, DNS, job postings, leaked documents) does not touch the target at all.
• Scanning: the second step of ethical hacking and penetration testing involves port scanning and enumeration. Here you find the live hosts, operating systems, firewalls, intrusion detection systems, servers/services, perimeter devices, routing and the general network topology of the target organisation. Enumeration is the first active contact with the target: it gathers information about a machine by actually connecting to it (banner grabbing, listing shares, users or SNMP data), so it is also the first point at which the target can notice you.
• Gaining Access: the attacker exploits a discovered vulnerability to get onto the target system. The first foothold is often a low-privileged account; privilege escalation then turns it into full control.
• Maintaining Access: having got in once, the attacker creates backdoors so as to get back in at any time in the future, for example by creating a hidden user account in Windows.
• Clearing Tracks: as at a physical crime scene, forensic analysis of a computer can help trace the attacker. To avoid being caught, the attacker removes the evidence of the intrusion, for example by deleting the account created above and the log entries that record its use. Defensively, this is why logs should be shipped to a separate system the attacker cannot reach.
# Hacking Login Password…
Microsoft Windows 95 / 98 / ME:
• In Windows 95/98/ME passwords are stored in password list (.pwl) files, one per user.
• All *.pwl files are generally stored in the C:\WINDOWS folder. We can find all the *.pwl files on the system using the operating system's Find option.
• These .pwl files open in any text editor like Notepad, but they are not understandable: the contents are encrypted with a key derived from the login password, so the editor shows only binary noise (a typical dump is a run of 0xFF padding followed by random-looking bytes; the raw dump is omitted here).
• Caveat: the Windows 9x logon was never a security boundary. Pressing Cancel or Escape at the logon prompt gives full local access anyway; the .pwl file only holds that user's cached network and share passwords.
# Continued…
Microsoft Windows 95 / 98 / ME:
• These passwords can be easily removed/bypassed with a simple technique.
• Boot the system and press the F8 key during startup to invoke the startup menu.
• On this menu, select the command-prompt-only option; you will be dropped to a DOS command prompt.
• Here, simply go to C:\Windows (or <Root Drive>:\Windows) and type del *.pwl.
• This deletes the password files; the next time you log in, Windows asks you to set a new password, and any network passwords cached in the deleted files are lost.
# Hacking Login Password…
Microsoft Windows NT / XP / Vista / 7:
• Most versions of Windows, including NT, 2000, XP, Vista and 7, use the Security Account Manager (SAM) database to store user credentials: not the passwords themselves but their LM and/or NT hashes.
• The SAM hive is locked by the kernel while Windows is running, so it cannot be read or copied from a normal session.
• Therefore, to attack these passwords the work is done without starting Windows, by booting another operating system from CD or USB and reading the hive from the disk.
• Ready-made tools for this purpose are available over the internet.
• For example, Ophcrack is a free open-source program that cracks Windows passwords from the SAM hashes using precomputed rainbow tables. Against the LM hashes that XP stores by default, it recovers most passwords within a few minutes.
# Continued…
Microsoft Windows NT / XP / Vista / 7:
• The process is simple: boot the system from the Ophcrack live CD.
• Wait for the live OS to load; the software does the rest and shows the recovered passwords within minutes.
• The catch is that a rainbow table only covers passwords within its chosen character set and length. If the password is longer or more complex than the table was built for, the lookup simply fails. Vista and 7 no longer store the weak LM hash by default, so only the NT hash is available there and the free tables cover far fewer passwords.
• Other tools such as Offline password cracker, Hiren's Multi Boot Disk, ERD Commander, Admin Hack and Active Password Changer are used for the same purpose. Note that several of these reset the password rather than crack it: a reset is noticed by the owner, and on XP and later it makes that user's EFS-encrypted files and stored credentials unrecoverable.
# Erasing BIOS Password…
• Because of the sensitive nature of the system settings controlled by the BIOS, a password can be set by either the computer manufacturer or the end user.
• Besides the user-set password, which is stored as a hash in CMOS memory, a number of older BIOS vendors also shipped an explicit backdoor password.
• Such a backdoor password works regardless of whether a BIOS password has been set; its stated purpose is maintenance and testing. Modern firmware generally no longer has one.
# Erasing BIOS Password…
One of the most common methods of resetting the BIOS password is to remove or discharge the battery on the computer's motherboard. If power to the CMOS memory is lost, the BIOS configuration is reset to the factory state with no password. Any other settings made in the BIOS are lost too.
• Step 1 – Turn off the computer and make sure it has no external power (unplug the power cable; if it has a battery, remove it).
• Step 2 – Open the computer's case.
• Step 3 – Locate the motherboard and look for the silver coin-cell battery on it.
• Step 4 – Remove the battery carefully and wait approximately 30 seconds.
• Step 5 – Put the battery and the case back together and boot the computer.
• Step 6 – If the "CMOS Checksum Error - Defaults Loaded" message is displayed, the BIOS password has been reset.
If the CMOS battery is soldered to the motherboard, some brands have a jumper on the board that can be used to reset or clear the BIOS password.
Caveat: many laptops keep the password in non-volatile EEPROM or flash rather than in CMOS, so pulling the battery does not clear it. Also, a BIOS password only guards the firmware setup and boot order; it does not protect data on the disk, which can simply be moved to another machine. Full-disk encryption is the control for that.
# Website Phishing…
Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
# Website Phishing…The Process…
• The attacker calls you or sends you an email. The email or call offers some exciting deal, or in some other way tries to lure you into opening the link provided or disclosing confidential information.
• For example, there was a recent scam on Facebook that claimed to give away free Facebook T-shirts or free Facebook shoes.
• Users were required to fill in a form asking for their Facebook user id and password.
• Then users had to like a page in order to claim the offer.
• After that, users were asked to share the link in 10 different groups so as to spread the scam.
• The process never completed, because the page always said "You haven't shared the link yet".
# Website Phishing…
• Phishing is the most common and most effective password-stealing attack.
• According to the APWG (Anti-Phishing Working Group) report, the number of unique phishing websites detected in the second half of 2010 was 97,388.
• RSA, formerly RSA Security, Inc., is an American computer and network security company. RSA identified 41,834 phishing attacks in November 2012, a 24% increase over the previous month. To date, the RSA Anti-Fraud Command Center has shut down 767,442 cyber attacks.
• The U.S. and UK were targeted by the largest volume of phishing attacks in November, but India emerged as the third most targeted, enduring 7% of phishing attack volume that month.
# Identifying Phishing Mails…
Attackers might email you, call you on the phone, or convince you to download something from a website. Here is an example of what a phishing scam in an email message might look like:
(example phishing email shown as an image in the original slide; not reproduced)
# Trojan Horse…
• A Trojan horse, or Trojan, is a non-self-replicating type of malware which appears to perform a desirable function but instead facilitates unauthorized access to the user's computer system.
• Trojans do not attempt to inject themselves into other files, as a computer virus does.
• Trojan horses may steal information or harm their host computer systems.
# Trojan Horse…Purpose & Uses…
A Trojan may give a hacker remote access to a targeted computer system. Operations a hacker could then perform on that system include:
• Crashing the computer
• Blue screen of death
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware and ransomware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Keystroke logging
• Watching the user's screen
• Viewing the user's webcam
• Controlling the computer system remotely
# Trojan Horse…Prevention…
• How well a Trojan gets past your defences depends on the skill of the attacker and the capabilities of the Trojan.
• Most Trojans available over the internet are already flagged in almost all anti-virus databases and in the Windows Defender database.
• Install anti-virus software before you use the internet on your computer, and keep its virus definitions updated.
• Frequently check for Windows Defender updates and install them when available. Defender is built into Windows to keep track of malware and spyware.
• Signatures only catch Trojans that are already known, so also avoid running programs from untrusted sources and work from a non-administrator account, which limits what a Trojan can do if it does run.
• If you feel your computer is behaving abnormally, disconnect from the internet and contact a security expert.
# All About Passwords…
• Over the past few decades, text passwords have been adopted as the primary means of user authentication for websites.
• Users choose a username and password when registering on a website, but to log on to that site next time the user has to recall that password.
• If the user selects a complex password, it can resist brute-force and dictionary attacks.
• But because humans are not good at memorizing strings, most users choose easy-to-remember passwords.
• Another crucial problem is that many users reuse the same password on many sites.
• Password reuse can cause great loss, because a hacker can compromise a weak site and try the recovered passwords on other websites. This is the password reuse attack (today usually called credential stuffing).
# All About Passwords…
• Various schemes have been suggested to date for user authentication.
• These include some graphical password schemes.
• Although a good idea, they are not yet mature and are vulnerable to attacks such as guessing, shoulder surfing and spyware.
• Keylogging cannot capture them, but spyware that records mouse movements or takes screenshots may well be able to.
# All About Passwords…
• Another alternative is to use a password management tool.
• These tools suggest long, complex passwords when registering on websites and store them, so that on the next login they can be filled in automatically.
• The user only needs to remember one master password; all other passwords are managed by the software.
• Some managers can even carry a copy on a flash drive for use on other computers.
• But many users doubt their security and so feel uncomfortable using them.
• Some research focuses on three-factor authentication rather than passwords alone, to provide more reliable user authentication. Three-factor authentication combines what you know (e.g. a password), what you have (e.g. an ID card) and what you are (e.g. a fingerprint or iris).
• This comes at a comparatively high cost.
# What is oPass ??…
• oPass is a user authentication protocol which leverages a user's cell phone and the SMS service to prevent password reuse and password stealing attacks.
• The main reason password stealing attacks succeed is that users have to type their passwords into untrusted computers.
• Therefore, the main concept of oPass is to free users from having to remember or type any per-site password into conventional computers for authentication.
• The user's cell phone generates one-time passwords, and a separate communication channel, SMS, is used to transmit authentication messages.
• Because of the one-time passwords (OTPs) the user does not memorize any website password, and it does not matter if an attacker learns an OTP, since it expires after one login session.
# oPass Architecture…
• In oPass, a user only has to memorize one long-term password, which unlocks the oPass application on his cell phone.
• For a user to log in securely from an untrusted computer (a kiosk), oPass involves a trusted cell phone, a browser on the kiosk and the server he wishes to log into.
• The cell phone and the web server communicate over the SMS channel.
• The browser interacts with the web server over the internet.
• The protocol also requires the cell phone to interact directly with the kiosk; the general approach is to use whatever interface is available, such as Wi-Fi or Bluetooth.
# Assumptions in oPass…
• Each web server possesses a unique phone number.
• The user's cell phone is malware-free.
• The telecommunication service provider (TSP) participates in the registration and recovery phases.
• Users connect to the TSP over a 3G connection, which protects the transmission.
• The TSP and the web server establish a secure socket layer (SSL) tunnel to prevent phishing attacks.
• If the user loses his cell phone, he gets a new SIM card with the same number from the TSP.
# The Registration Phase…
(protocol diagram shown in the original slide; not reproduced)
# The Registration Phase…
Step 1: The user begins by opening the oPass program on her cell phone.
Step 2: She enters IDu (the account id she prefers) and IDs (the web site URL) into the program. The TSP distributes a shared key Ksd between the user and the server. The key is used to encrypt the SMS with AES-CBC (Advanced Encryption Standard in Cipher Block Chaining mode).
Step 3: The TSP forwards the user id (IDu), the user's phone number (Tu) and the shared key (Ksd) to the server (s).
# The Registration Phase…
Step 4: The server generates the corresponding account information and replies with its server ID (IDs), a random seed ф and the server's phone number (Ts).
Step 5: The TSP then forwards the server ID (IDs), the random seed ф, the server's phone number (Ts) and the shared key Ksd to the user's cell phone.
# The Registration Phase…
Step 6: The user now sets up a long-term password Pu for her cell phone. The phone computes a secret credential c from Pu, IDs and ф. It then encrypts the credential c under the key Ksd and computes the corresponding MAC, HMAC1, over the message.
Step 7: The cell phone sends the encrypted registration SMS to the server's phone number Ts; it consists of the user ID, the encrypted c, ф, the IV and HMAC1.
Step 8: The server checks HMAC1 and decrypts the SMS with the Ksd it received from the TSP to obtain c, then sends an acknowledgement to the user's cell phone. The cell phone then stores the server ID, the server's number, ф and i, where i is the current index of the OTP.
Step 9: After the SMS of the step above, the server stores the user ID, the user's number, c, ф and i. This completes registration.
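To make the message flow of Steps 2 to 9 concrete, here is an added toy model of the registration SMS and of the index-based OTP login that the stored counter i implies. It is written for this page and is not the oPass authors' code; the message layout (IDu, encrypted c, ф, IV, HMAC1) and the stored state follow the slides, while three things are assumptions: the credential is taken as c = H(Pu, IDs, ф), the OTP for index i is taken as HMAC(c, IDs || i) (the deck does not spell out the login phase), and because the Python standard library has no AES the AES-CBC step is replaced by an HMAC-SHA256 keystream in encrypt-then-MAC form. The server rejects a tampered SMS on the MAC check and a replayed OTP on the index check.

```python
"""Toy oPass registration SMS and OTP login (added illustration, stdlib only)."""
import hashlib
import hmac
import os
import struct


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def credential(Pu: str, IDs: str, phi: bytes) -> bytes:
    """c = H(Pu, IDs, phi): assumed form of "computed from Pu, IDs and phi"."""
    return H(Pu.encode(), IDs.encode(), phi)


def stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CBC (assumption): HMAC-SHA256 keystream in counter mode."""
    ks = b"".join(hmac.new(key, iv + struct.pack(">I", n), hashlib.sha256).digest()
                  for n in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))


# --- phone side -------------------------------------------------------------
def phone_registration_sms(IDu: str, c: bytes, phi: bytes, Ksd: bytes) -> bytes:
    """Step 7: len(IDu) || IDu || Enc_Ksd(c) || phi || IV, then HMAC1 = HMAC_Ksd(body)."""
    iv = os.urandom(16)
    idu = IDu.encode()
    body = struct.pack(">H", len(idu)) + idu + stream_xor(Ksd, iv, c) + phi + iv
    return body + hmac.new(Ksd, body, hashlib.sha256).digest()


def phone_otp(c: bytes, IDs: str, i: int) -> bytes:
    """One-time password for login index i (assumed derivation)."""
    return hmac.new(c, IDs.encode() + struct.pack(">I", i), hashlib.sha256).digest()


# --- server side ------------------------------------------------------------
class Server:
    def __init__(self, IDs: str):
        self.IDs, self.keys, self.accounts = IDs, {}, {}

    def tsp_forwarded(self, IDu: str, Tu: str, Ksd: bytes) -> bytes:
        """Steps 3-4: TSP hands over IDu, Tu, Ksd; the server picks the random seed phi."""
        phi = os.urandom(16)
        self.keys[IDu] = (Tu, Ksd, phi)
        return phi

    def receive_registration_sms(self, sms: bytes) -> bool:
        """Steps 8-9: verify HMAC1, decrypt c, store (IDu, Tu, c, phi, i=0)."""
        body, tag = sms[:-32], sms[-32:]
        n = struct.unpack(">H", body[:2])[0]
        IDu = body[2:2 + n].decode()
        if IDu not in self.keys:
            return False
        Tu, Ksd, phi = self.keys[IDu]
        if not hmac.compare_digest(tag, hmac.new(Ksd, body, hashlib.sha256).digest()):
            return False                      # spoofed or altered SMS: reject before decrypting
        ct, phi_msg, iv = body[2 + n:2 + n + 32], body[2 + n + 32:2 + n + 48], body[2 + n + 48:]
        if phi_msg != phi:
            return False
        self.accounts[IDu] = {"Tu": Tu, "c": stream_xor(Ksd, iv, ct), "phi": phi, "i": 0}
        return True

    def login(self, IDu: str, i: int, otp: bytes) -> bool:
        """Accept only a fresh index whose OTP matches the stored credential."""
        acct = self.accounts.get(IDu)
        if acct is None or i <= acct["i"]:
            return False                      # unknown user, or an old/replayed OTP
        if not hmac.compare_digest(otp, phone_otp(acct["c"], self.IDs, i)):
            return False
        acct["i"] = i                         # advance the index: this OTP is now spent
        return True


def demo(Pu: str = "phone-pin-1234", IDu: str = "alice", Tu: str = "+91-9800000000"):
    """Register, then log in twice with the same OTP; returns (registered, first, replay)."""
    server = Server("https://bank.example")   # constructed server identity
    Ksd = os.urandom(32)                      # distributed by the TSP (Step 2)
    phi = server.tsp_forwarded(IDu, Tu, Ksd)  # Steps 3-5
    c = credential(Pu, server.IDs, phi)       # Step 6, on the phone
    registered = server.receive_registration_sms(phone_registration_sms(IDu, c, phi, Ksd))
    otp1 = phone_otp(c, server.IDs, 1)
    first = server.login(IDu, 1, otp1)        # fresh OTP: accepted
    replay = server.login(IDu, 1, otp1)       # same OTP again: rejected
    return registered, first, replay


if __name__ == "__main__":
    print(demo())                             # expected (True, True, False)
```

The two checks that matter for the security analysis later in the deck are visible here: without Ksd an attacker cannot produce a registration SMS that passes the MAC, and an OTP captured from one session is useless in the next because the server only accepts a strictly increasing index.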
# The Login Phase…
(protocol diagram shown in the original slide; not reproduced)
# The Recovery Phase…
(protocol diagram shown in the original slide; not reproduced)
# oPass Security Analysis…
• An attacker can target the user side or the server side.
• On the user side, he can install malware or use phishing sites to capture passwords.
• But in oPass, no passwords are entered into the browser, so oPass resists phishing and keylogging malware on the kiosk.
• On the server side, an attacker can intercept and manipulate messages to launch SMS spoofing attacks.
• But the ciphertext cannot be decrypted without the corresponding secret key, a forged or altered SMS fails the HMAC check, and the hash function is one-way, so this attack fails.
• Also, the attacker does not know the session key of the 3G connection or of the SSL tunnel, so he cannot obtain the shared key and derive the secret credential c.
• If someone steals the cell phone, he cannot log in, as he does not know the long-term password set up by the user.
• Caveat: the recovery assumption (a replacement SIM with the same number) makes the TSP's identity checks part of the security boundary; if an attacker can persuade the TSP to issue a SIM for the victim's number, the recovery phase becomes the weak point.
# Something Important…
• The TSP and the server communicate over an SSL tunnel, which guarantees confidentiality. The TSP can verify the website's certificate to prevent phishing attacks.
• To analyze the effectiveness of oPass, a study was conducted with 24 participants with an average of 11.9 years of computer experience.
• The average registration time was 21.8 s, of which SMS delay was 9.1 s.
• For login, the average time was 21.62 s and SMS delay was 8.9 s.
• Many people preferred oPass over present authentication protocols.
• Many also suggested that such a high level of security is suited to applications like net banking rather than simple websites like email.
# Conclusion…
• Crackers are always developing something new. Fixing the vulnerabilities already discovered, and reducing the attack surface so that new ones matter less, is how we stay safe.
• oPass offers a very high level of security at a cost in convenience that is not suited to everyday logins. For ordinary site logins this protocol would not be accepted, but for applications like net banking it is highly recommended.
• Similar SMS and phone-based one-time-code schemes have already been deployed by some websites, e.g. Google's 2-step verification, so we can say that security is improving day by day.
