Society for Computer Technology & Research’s
PUNE INSTITUTE OF COMPUTER TECHNOLOGY
S. No. 27, Dhankawadi, Pune Satara Road, Pune – 411043
A Seminar On
Academic Year 2012-2013
# Contents…
• Definition Of Hacking
• Hackers & Crackers
• Types Of Hackers
• Reasons For Hacking
• Ethical Hacking – The Concept
• Steps In Hacking
• About Password Hacking
• Hacking Windows Login Passwords
• Web-site Phishing
• Trojan Horse
• oPass User Authentication Protocol
Computer Hacking
Password Hacking
(Stealing)
oPass UAP
3/18/2013
Password Hacking & Enhancing Security
Using oPass UAP
2
# Hacking - The Definition
• Hacking is the practice of modifying the features of a system, in order to
accomplish a goal outside of the creator's original purpose
-- whatishacking.org
• Hacking means finding out weaknesses in a computer or computer network,
though the term can also refer to someone with an advanced understanding of
computers and computer networks
-- wikipedia.org
• Computer hacking is the practice of modifying computer hardware and software
to accomplish a goal
-- wisegeek.com
# Hackers & Crackers…
• Traditionally, a hacker is someone who likes to play with software or electronic
systems. Hackers enjoy exploring and learning how computer systems operate.
They love discovering new ways to work electronically
• But recently, Hacker has taken on a new meaning — someone who maliciously
breaks into systems for personal gain. Technically, these criminals are Crackers or
Criminal Hackers. Crackers break into systems with malicious intentions
• Hackers, on the other side, work against the crackers. They find out the
vulnerabilities or study the recent attacks & fix those loopholes so as to protect
us from Crackers
Hackers  Legal
Crackers  Illegal
# Types Of Hackers…
• Hacking exists in many forms like Cell-Phone hacking, Brain hacking, etc. but Computer
Hacking is the most popular form of hacking nowadays, especially in the field of computer
security
Hackers are classified as :-
• White Hat :
A white hat hacker breaks security for non-malicious reasons, perhaps
to test their own security system or while working for a security
company which makes security software. The term "white hat" in
Internet slang refers to an ethical hacker
• Black Hat :
A Black Hat Hacker is a hacker who violates computer security for
little reason beyond maliciousness or for personal gain
• Grey Hat :
A grey hat hacker is a combination of a Black Hat and a White
Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for
the sole purpose of notifying the administrator that their system has been hacked, for
example. Then they may offer to repair their system for a small fee
# Types Of Hackers… continued…
• Script kiddie :
A script kiddie (or skiddie) is a non-expert who breaks into computer systems by using
pre-packaged automated tools written by others, usually with little understanding of the
underlying concept
• Neophyte :
A neophyte or newbie is someone who is new to hacking or phreaking and has almost no
knowledge or experience of the workings of technology and hacking
• Organized criminal gangs :
Criminal activity carried on for profit
• Bots :
Automated software tools, some freeware, available for the use of any
type of hacker
# Why do hackers hack ???
• The main reason why Hackers hack is because they can hack. Hacking is a casual hobby for
some Hackers — they just hack to see what they can hack and what they can’t hack,
usually by testing their own systems
• Many Hackers are the guys who get kicked out of corporate and government IT and
security organizations. They try to bring down the status of the organization by attacking
or stealing information
• Some Hackers want to make your life miserable, and others simply want to be famous
• Some common motives of malicious Hackers are revenge, curiosity, boredom, challenge,
theft for financial gain, blackmail, extortion and corporate work pressure.
• Many Hackers say they do not hack to harm or profit through their bad activities, which
helps them justify their work. They often do not look for money full of pocket. Just
proving a point is often a good enough reward for them
# Ethical Hacking-The Concept...
• Ethical hacking is where a person hacks to find weaknesses in a system and then usually
patches them.
• For example, a bank may pay a hacker to hack their systems to see if it is hackable. If he
gets in, then they know there is potential for other people to hack in, and usually they
will work with this ethical hacker to patch these holes. If he doesn't get in, then they
pray that nobody is better at hacking than him
• Ethical hacking is performed with the target’s permission
• The intent of Ethical Hacking is to discover vulnerabilities from a Hacker’s viewpoint so
systems can be better secured
• Ethical Hacking is part of an overall information Risk Management program that allows
for ongoing security improvements.
• Ethical hacking can also ensure that vendors’ claims about the security of their products
are legitimate
# Steps In Hacking…
• Reconnaissance :
The first stage of any attack is "reconnaissance" - scanning the victims & looking
for ways into their systems. The purpose of this stage is to map out the target network
and systems. The hacker will try to list all the systems on the network, and then try to
list all the holes available on the target systems. Once the hacker has a list of systems,
he/she will scan the system looking for possible entry points into the system.
• Scanning :
The second step of ethical hacking and penetration testing involves two terms:
scanning (or port scanning) and enumeration. During this process you have to
find out the live hosts, operating systems involved, firewalls, intrusion detection
systems, servers/services, perimeter devices, routing and general network topology
(physical layout of network) that are part of the target organisation. Enumeration is
the first attack on the target network; it is the process of gathering
information about a target machine by actively connecting to it.
• Gaining Access :
In this step, the attacker exploits the discovered vulnerabilities to actually
connect to the target system i.e., gaining complete control of the target system.
• Maintaining Access :
The attacker after getting access to the system once, creates some backdoors
so that he/she can get access to the system at any time in the future. For e.g. creating
a hidden user account in windows.
• Clearing Tracks :
As in the case of crime scenes, forensic analysis in computer can help to trace
the attacker. So, in order to avoid getting caught by the authorities the attacker can
use many ways so as to clear his tracks of intrusion into the target system. For e.g.
deleting the user account after hacking into a windows operating system.
# Hacking Login Password…
Microsoft Windows 95 / 98 / ME :
• In Windows 95/98/ME passwords are stored in password list (.pwl) files.
• All *.pwl files are generally stored in the C:\WINDOWS folder. We can find all the *.pwl
files on the system using the operating system's find option.
• These .pwl files can be opened in any text editor like Notepad, but their contents are
not understandable. A typical example of the contents of a .pwl file is:
[sample of raw .pwl file contents omitted: unreadable binary data]
# Continued…
Microsoft Windows 95 / 98 / ME :
• Now these passwords can be easily removed/bypassed using a simple technique.
• Firstly, boot up the system, then press F8 key to invoke a configuration screen.
• On this screen, select MS-DOS Mode. Now you will be sent to a command prompt.
• Here, simply go to “C:\Windows” or “<Root Drive>:\Windows” and type “del *.pwl”.
• This will delete the password files & next time you log in, you will be asked for a
new password.
# Hacking Login Password…
Microsoft Windows NT / XP / Vista / 7 :
• The majority of Windows versions, like Windows NT, Windows 2000,
Windows XP, Windows Vista and Windows 7, use Systems Account Manager (SAM) to
store users' credentials.
• The important part is that these files become inaccessible after Windows starts.
• So in order to hack these passwords, the whole job has to be done without starting Windows.
• For this purpose, readymade tools are available over the internet.
• For e.g., Ophcrack is a free open source program that cracks Windows passwords. On
most computers, ophcrack can crack most passwords within a few minutes.
# Continued…
Microsoft Windows NT / XP / Vista / 7 :
• The process is simple – Boot your system with the live CD of ophcrack in the CD-Drive
• Wait for the live OS to load, and the software will take care of the rest. You will get
all the passwords within some minutes.
• The catch is that the time required to crack the password is proportional to the length and
complexity of the password.
• Also, if the passwords are too complex the software may fail.
• Other tools like Offline password cracker, Hiren Multi Boot Disk, ERD
Commander, Admin Hack and Active Password Changer are also used for the same
purpose.
# Erasing BIOS Password…
• Due to the sensitive nature of the system settings controlled by the BIOS, a password
can be set by either the computer manufacturer or the end-user.
• In addition to creating a BIOS password from a hash code, a number of BIOS
manufacturers also implement an explicit backdoor password.
• This password will work regardless of the presence of a manually set BIOS password.
The primary purpose of a manufacturer’s backdoor BIOS password is for maintenance
and testing evolutions.
# Erasing BIOS Password…
One of the most common methods to reset the BIOS password is to remove or discharge
the battery on the computer’s motherboard. If the power to the battery is lost or drained,
the BIOS configuration will be reset to the factory state with no password. System settings
made to the BIOS will also be lost.
• Step 1 – Turn off the computer and ensure it has no external power (i.e. unplug the
power cable. If it has a battery, remove it).
• Step 2 – Open the computer’s case or box.
• Step 3 – Locate the computer’s motherboard and look for the white silver button
battery on the motherboard.
• Step 4 – Remove the battery carefully and wait for approximately 30 seconds.
• Step 5 – Put the computer case back together and boot the computer.
• Step 6 – If the “CMOS Checksum Error-Defaults Loaded” error message is displayed,
the BIOS password has been reset.
If the CMOS battery is soldered to the computer’s motherboard, some brands will have a
jumper located on the board that can be used to reset or clear the BIOS password.
# Website Phishing…
Phishing is the act of attempting to acquire information such as usernames, passwords, and
credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity
in an electronic communication.
# Website Phishing…The Process…
• The attacker calls you or sends you an email. The email or call will give you some exciting
offers or will in some way try to lure you into opening the link provided or disclosing
some confidential information
• For e.g., there was a scam recently over Facebook where they claimed to give you a Free
Facebook T-shirt or Free Facebook Shoes.
• Users were required to fill in a form which asked for the user id & password of their
Facebook account.
• Then users had to like a page in order to avail the offer.
• After that, users were asked to share that link in 10 different groups so as to spread the
scam.
• Also the process never completed because the page always said "You haven't shared the
link yet".
# Website Phishing…
• Phishing is the most common & efficient password stealing attack.
• According to APWG (Anti-phishing Working Group)’s report, the number of unique
phishing websites detected in the second half of 2010 was 97,388.
• RSA, formerly RSA Security, Inc., is an American computer and network security
company. Phishing attacks increased 24% in November 2012 with 41,834 attacks
identified by RSA. To date, the RSA Anti-Fraud Command Center has shut down
7,67,442 cyber attacks.
• The U.S. and UK were targeted by the most volume of phishing attacks in November,
but India emerged as the third most targeted, enduring 7% of phishing attack volume
last month.
# Identifying Phishing Mails…
Attackers might email you, call you on the phone, or convince you to download
something off of a website.
Here is an example of what a phishing scam in an email message might look like:
# Trojan Horse…
• A Trojan horse, or Trojan, is a non-self-replicating type of malware which appears to
perform a desirable function but instead facilitates unauthorized access to the user's
computer system.
• Trojans do not attempt to inject themselves into other files like a computer virus.
• Trojan horses may steal information, or harm their host computer systems.
# Trojan Horse…Purpose & Uses…
A Trojan may give a hacker remote access to a targeted computer system. Operations that
could be performed by a hacker on a targeted computer system may include:
• Crashing the computer
• Blue screen of death
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware and ransomware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Keystroke logging
• Watching the user's screen
• Viewing the user's webcam
• Controlling the computer system remotely
# Trojan Horse…Prevention…
• Prevention against Trojan horses depends on the skills of the attacker or the ability of
Trojan.
• Most of the Trojans available over internet have been already marked in almost all anti-
virus databases & even in windows defender database.
• Use an anti-virus software before you use internet on your computer. Also keep its virus
definitions updated.
• Frequently check for Windows Defender Updates & download them if available.
Defender is an inbuilt software in Windows OS to keep track of malwares & spywares.
• If you feel your computer is behaving abnormally, disconnect from internet & contact
some security experts.
# All About Passwords…
• Over the past few decades, text passwords have been adopted as primary means of user
authentication for websites.
• Users select username & passwords while registering on websites. But to log onto that
site next time, user has to recall that password.
• If the user selects complex password, it can resist brute force & dictionary attacks.
• But because humans are not good at memorizing strings, most users would choose easy
to remember passwords.
• Another crucial problem is that many users reuse the same password for many sites.
• Password reuse can cause a great loss because a hacker can compromise a weak site &
use the password for other websites. This is password reuse attack.
# All About Passwords…
• Various schemes have been suggested till date for User Authentication.
• It included some Graphical Password Schemes as well.
• Although it’s a great idea, it is not mature enough & is vulnerable to some attacks like
guessing, shoulder surfing & spywares.
• Keylogging or keylistening cannot crack them but we are not sure about mouse tracking
spywares.
# All About Passwords…
• Another alternative to password security is to use Password Management Tools.
• These tools suggest long complex passwords while registering over websites & store
them so that when you login next time, it can fill them automatically.
• The user just needs to remember one Master Password & all other passwords are
managed by the software.
• Some managers even facilitate carrying a copy in flash drives so as to use them on
other computers.
• But users doubt its security & thus feel uncomfortable about using it.
• Some research focuses on three-factor authentication rather than password-based authentication to
provide more reliable user authentication. Three-factor authentication depends on
what you know (e.g. password), what you have (e.g. ID cards) & who you
are (e.g. fingerprint or iris).
• This requires comparatively high cost.
# What is oPass ??…
• oPass is a User Authentication Protocol which leverages a user’s cell phone & SMS
service to prevent password reuse & password stealing attacks.
• The main cause why password stealing attacks succeed is because users have to type
them in untrusted computers.
• Therefore, the main concept of oPass is to free users from having to remember or type
any passwords into conventional computers for authentication.
• The user's cell phone is used to generate one time passwords & a new communication
channel – SMS – is used to transmit authentication messages.
• Because of one time passwords(OTP) the user is not required to memorize any
passwords & there is no problem if the attacker knows this password as the password
expires after one login session.
# oPass Architecture…
• In oPass, a user is required to only memorize one long-term password to access his cell
phone.
• For users to perform secure login on an untrusted computer(kiosk), oPass consists of a
trusted cell phone, a browser on kiosk & the server he wishes to log into.
• The communication between cell phone & web server is through SMS channel.
• The browser interacts with web server via the internet.
• In our protocol, we require cell phone to interact directly with the kiosk. The general
approach is to select available interfaces like Wi-Fi or Bluetooth.
# Assumptions in oPass…
• Each web server possesses a unique phone number.
• The user's cell phone is malware free.
• The telecommunication service provider (TSP) will participate in registration &
recovery phases.
• Users connect to the TSP via 3G connection to protect transmission.
• The TSP & web server establish a secure socket layer (SSL) tunnel to prevent phishing
attacks.
• If the user loses his cell phone, he will get a new sim card from TSP having the same
number.
# The Registration Phase…
# The Registration Phase…
Step 1 :
The user begins by opening the oPass program on her cell phone.
Step 2 :
She enters IDu (account id she prefers) & IDs (web site URL) to the program.
The TSP plays the role to distribute a shared key Ksd between the user & the
server. The key is used to encrypt the SMS with AES-CBC.
AES-CBC : Advanced Encryption Standard Cipher Block Chaining
Step 3 :
TSP forwards user id (IDu) , user number (Tu) & shared key (Ksd) to the server (s).
# The Registration Phase…
Step 4 :
Server generates corresponding information about the account & replies with
server ID (IDs), a random seed ф & the server's phone number (Ts).
Step 5 :
TSP then forwards server ID (IDs), a random seed ф, the server's phone number (Ts) &
a shared key Ksd to the user's cell phone.
# The Registration Phase…
Step 6 :
The user will now set up a long-term password Pu for her cell phone. The phone
computes a secret credential c using Pu, IDs & ф.
The cell phone then encrypts the credential c with key Ksd & generates the corresponding MAC,
i.e. HMAC1.
Step 7 :
The cell phone now sends an encrypted registration SMS to server phone number
Ts which consists of user ID, c, ф, IV & HMAC1.
Step 8 :
Server decrypts this SMS to obtain c, key Ksd & sends an acknowledgement to
user cell phone. In the end, cell phone stores server ID, server number, ф & i. ‘i’ is current
index of OTP.
Step 9 :
After SMS from above step, server stores user ID, user number, c, ф & i. This
completes registration.
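How the values stored at the end of registration (c, ф and the index i) can yield one-time passwords that expire after a single login, as an added example that is not from the slides or the oPass authors. It assumes SHA-256 and a Lamport-style hash chain of length N, which the slides do not specify; all function, class and sample names are hypothetical.

```python
import hashlib
import hmac

N = 100  # assumed chain length: number of OTPs available before re-registration


def H(data: bytes) -> bytes:
    """Hash function used throughout (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def credential(p_u: str, id_s: str, seed: bytes) -> bytes:
    """Secret credential c computed from Pu, IDs and the seed (step 6).

    Fields are length-prefixed so that different (Pu, IDs) pairs can never
    collapse into the same byte string.
    """
    parts = [p_u.encode(), id_s.encode(), seed]
    return H(b"".join(len(p).to_bytes(2, "big") + p for p in parts))


def otp(c: bytes, i: int, n: int = N) -> bytes:
    """i-th one-time password: H applied (n - i) times to c.

    Seeing OTP i only lets an observer compute OTPs with a smaller index
    (already used); the next one would require inverting H.
    """
    if not 0 <= i < n:
        raise ValueError("OTP index exhausted; re-registration needed")
    value = c
    for _ in range(n - i):
        value = H(value)
    return value


class Phone:
    """Stores IDs, the seed and i, but neither Pu nor c."""

    def __init__(self, id_s: str, seed: bytes):
        self.id_s, self.seed, self.i = id_s, seed, 0

    def otp_for_login(self, p_u: str) -> bytes:
        # c is recomputed from the typed long-term password on every login.
        return otp(credential(p_u, self.id_s, self.seed), self.i)

    def confirm(self) -> None:
        """Advance the index once the server has acknowledged the login."""
        self.i += 1


class Server:
    """Stores c and i for the account (step 9)."""

    def __init__(self, c: bytes):
        self.c, self.i = c, 0

    def login(self, candidate: bytes) -> bool:
        if self.i >= N:
            return False
        expected = otp(self.c, self.i)
        if not hmac.compare_digest(expected, candidate):
            return False  # index is not advanced on failure
        self.i += 1  # the accepted OTP is now spent
        return True


def demo() -> dict:
    # Constructed sample values, not taken from the slides.
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")
    id_s = "https://bank.example"
    p_u = "correct horse battery staple"

    phone = Phone(id_s, seed)
    server = Server(credential(p_u, id_s, seed))
    results = {}

    first = phone.otp_for_login(p_u)
    results["first_login"] = server.login(first)
    phone.confirm()

    # An eavesdropper replaying the captured OTP is rejected.
    results["replay"] = server.login(first)

    # Someone holding the phone without Pu derives a different c.
    results["wrong_password"] = server.login(phone.otp_for_login("guess123"))

    results["second_login"] = server.login(phone.otp_for_login(p_u))
    return results


if __name__ == "__main__":
    print(demo())
```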
# The Login Phase…
# The Recovery Phase…
# oPass Security Analysis…
• An attacker can target user or server side.
• At user side, he can install malwares or use phishing sites to fetch the passwords.
• But in oPass, passwords are not entered into browsers. So, oPass resists phishing &
malware attacks.
• At server side, attacker can intercept & manipulate messages to launch SMS spoofing
attacks.
• But as ciphertext cannot be decrypted without corresponding secret key & hash function is
irreversible, this attack will fail.
• Also the attacker doesn’t know the session key of 3G connection & SSL tunnel. So he
cannot derive the secret credential c.
• If someone steals the cell phone, he can't log in as he doesn’t know the long-term password
set up by the user.
# Something Important…
• The TSP & server communicate via a SSL tunnel which guarantees confidentiality. TSP
can verify websites certificate to prevent phishing attacks.
• To analyze effectiveness of oPass a study was conducted with 24 participants having
avg. computer experience 11.9 years.
• The average time of registering is 21.8 s and SMS delay is 9.1 s.
• For login, average time was 21.62 s & SMS delay was 8.9 s.
• Many people preferred oPass over present authentication protocols.
• Also many suggested that such high level of security is good for applications like net
banking & not simple websites like emails.
# Conclusion…
• Crackers are always onto developing something new. All we can do is fix the already
discovered vulnerabilities so as to remain safe.
• oPass protocol has a very high level of security which is not feasible for everyday login
purposes. For usage like login, this protocol won't be acceptable. But for applications
like net banking, the protocol is highly recommended.
• Similar protocols have been implemented by some websites for e.g. Google. So we can
say that security is improving day by day.
Cross Site Scripting - Web Defacement TechniquesCross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement Techniques
 
DESIGN Your Ideal Life! by Corporate Leadership Speaker and Author Tricia Molloy
DESIGN Your Ideal Life! by Corporate Leadership Speaker and Author Tricia MolloyDESIGN Your Ideal Life! by Corporate Leadership Speaker and Author Tricia Molloy
DESIGN Your Ideal Life! by Corporate Leadership Speaker and Author Tricia Molloy
 
Hacking and Hackers
Hacking and HackersHacking and Hackers
Hacking and Hackers
 
Windows Hacking
Windows HackingWindows Hacking
Windows Hacking
 
Cyber Law With case studies
Cyber Law With case studies Cyber Law With case studies
Cyber Law With case studies
 

Similar to Password Stealing & Enhancing User Authentication Using Opass Protocol

Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingMukul Agarwal
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hackingHassanAhmedShaikh1
 
Ethical hacking and cyber security intro
Ethical hacking and cyber security introEthical hacking and cyber security intro
Ethical hacking and cyber security introAbhilash Ak
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingRishabha Garg
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingRohan Raj
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hackingankit sarode
 
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...GIRISHKUMARBC1
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationJoshua Prince
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptricagip499
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
IRJET- Study of Hacking and Ethical Hacking
IRJET- Study of Hacking and Ethical HackingIRJET- Study of Hacking and Ethical Hacking
IRJET- Study of Hacking and Ethical HackingIRJET Journal
 
Web security chapter#2
Web security chapter#2Web security chapter#2
Web security chapter#2Ishaq Shinwari
 
ethical hacking
ethical hackingethical hacking
ethical hackingsamprada123
 

Similar to Password Stealing & Enhancing User Authentication Using Opass Protocol (20)

How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hacking
 
Ethical hacking and cyber security intro
Ethical hacking and cyber security introEthical hacking and cyber security intro
Ethical hacking and cyber security intro
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hacking
 
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Hacking
HackingHacking
Hacking
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
ethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.pptethical-hacking-18092013112412-ethical-hacking.ppt
ethical-hacking-18092013112412-ethical-hacking.ppt
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
IRJET- Study of Hacking and Ethical Hacking
IRJET- Study of Hacking and Ethical HackingIRJET- Study of Hacking and Ethical Hacking
IRJET- Study of Hacking and Ethical Hacking
 
Web security chapter#2
Web security chapter#2Web security chapter#2
Web security chapter#2
 
ethical hacking
ethical hackingethical hacking
ethical hacking
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Password Stealing & Enhancing User Authentication Using Opass Protocol

  • 1. Society for Computer Technology & Research’s PUNE INSTITUTE OF COMPUTER TECHNOLOGY S. No. 27, Dhankawadi, Pune Satara Road, Pune – 411043 A Seminar On Academic Year 2012-2013
  • 2. # Contents…
      • Definition Of Hacking
      • Hackers & Crackers
      • Types Of Hackers
      • Reasons For Hacking
      • Ethical Hacking – The Concept
      • Steps In Hacking
      • About Password Hacking
      • Hacking Windows Login Passwords
      • Web-site Phishing
      • Trojan Horse
      • oPass User Authentication Protocol
      Diagram labels: Computer Hacking, Password Hacking (Stealing), oPass UAP
      3/18/2013 Password Hacking & Enhancing Security Using oPass UAP
  • 3. # Hacking - The Definition
      • Hacking is the practice of modifying the features of a system, in order to accomplish a goal outside of the creator's original purpose -- whatishacking.org
      • Hacking means finding out weaknesses in a computer or computer network, though the term can also refer to someone with an advanced understanding of computers and computer networks -- wikipedia.org
      • Computer hacking is the practice of modifying computer hardware and software to accomplish a goal -- wisegeek.com
  • 4. # Hackers & Crackers…
      • Traditionally, a hacker is someone who likes to play with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work electronically
      • But recently, Hacker has taken on a new meaning — someone who maliciously breaks into systems for personal gain. Technically, these criminals are Crackers or Criminal Hackers. Crackers break into systems with malicious intentions
      • Hackers, on the other side, work against the crackers. They find out the vulnerabilities or study the recent attacks & fix those loopholes so as to protect us from Crackers
      Hackers → Legal
      Crackers → Illegal
  • 5. # Types Of Hackers…
      • Hacking exists in many forms like Cell-Phone hacking, Brain hacking, etc. but Computer Hacking is the most popular form of hacking nowadays, especially in the field of computer security
      Hackers are classified as :-
      • White Hat : A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. The term "white hat" in Internet slang refers to an ethical hacker
      • Black Hat : A Black Hat Hacker is a hacker who violates computer security for little reason beyond maliciousness or for personal gain
      • Grey Hat : A grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair their system for a small fee
  • 6. # Types Of Hackers… continued…
      • Script kiddie : A script kiddie (or skiddie) is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept
      • Neophyte : A neophyte or newbie is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking
      • Organized criminal gangs : Criminal activity carried on for profit
      • Bots : Automated software tools, some freeware, available for the use of any type of hacker
  • 7. # Why do hackers hack ???
      • The main reason why Hackers hack is because they can hack. Hacking is a casual hobby for some Hackers — they just hack to see what they can hack and what they can’t hack, usually by testing their own systems
      • Many Hackers are the guys who get kicked out of corporate and government IT and security organizations. They try to bring down the status of the organization by attacking or stealing information
      • Some Hackers want to make your life miserable, and others simply want to be famous
      • Some common motives of malicious Hackers are revenge, curiosity, boredom, challenge, theft for financial gain, blackmail, extortion and corporate work pressure.
      • Many Hackers say they do not hack to harm or profit through their bad activities, which helps them justify their work. They are often not after a pocket full of money. Just proving a point is often a good enough reward for them
  • 8. # Ethical Hacking-The Concept...
      • Ethical hacking is where a person hacks to find weaknesses in a system and then usually patches them.
      • For example, a bank may pay a hacker to hack their systems to see if they are hackable. If he gets in, then they know there is potential for other people to hack in, and usually they will work with this ethical hacker to patch these holes. If he doesn't get in, then they pray that nobody is better at hacking than him
      • Ethical hacking is performed with the target’s permission
      • The intent of Ethical Hacking is to discover vulnerabilities from a Hacker’s viewpoint so systems can be better secured
      • Ethical Hacking is part of an overall information Risk Management program that allows for ongoing security improvements.
      • Ethical hacking can also ensure that vendors’ claims about the security of their products are legitimate
  • 9. # Steps In Hacking…
      • Reconnaissance : The first stage of any attack is "reconnaissance" - scanning the victims & looking for ways into their systems. The purpose of this stage is to map out the target network and systems. The hacker will try to list all the systems on the network, and then try to list all the holes available on the target systems. Once the hacker has a list of systems, he/she will scan the system looking for possible entry points into the system.
      • Scanning : The second step of ethical hacking and penetration testing involves two terms: scanning (or port scanning) and enumeration. During this process you have to find out the live hosts, operating systems involved, firewalls, intrusion detection systems, servers/services, perimeter devices, routing and general network topology (physical layout of network) that are part of the target organisation. Enumeration is the first attack on the target network; it is the process of gathering information about a target machine by actively connecting to it.
      • Gaining Access : In this step, the attacker exploits the discovered vulnerabilities to actually connect to the target system i.e., gaining complete control of the target system.
      • Maintaining Access : After getting access to the system once, the attacker creates some backdoors so that he/she can get access to the system at any time in the future. For example, creating a hidden user account in Windows.
      • Clearing Tracks : As in the case of crime scenes, forensic analysis of a computer can help to trace the attacker. So, in order to avoid getting caught by the authorities, the attacker can use many ways to clear his tracks of intrusion into the target system. For example, deleting the user account after hacking into a Windows operating system.
  • 10. # Hacking Login Password…
      Microsoft Windows 95 / 98 / ME :
      • In Windows 95/98/ME passwords are stored in password list (.pwl) files.
      • All *.pwl files are generally stored in the C:\WINDOWS folder. We can find all the *.pwl files on the system using the operating system's find option.
      • These .pwl files are readable in any text editor like Notepad, but they are definitely not understandable. The slide shows a sample of the contents of a .pwl file here, which displays as unreadable binary characters.
  • 11. # Continued…
      Microsoft Windows 95 / 98 / ME :
      • Now these passwords can be easily removed/bypassed using a simple technique.
      • Firstly, boot up the system, then press the F8 key to invoke a configuration screen.
      • On this screen, select MS-DOS Mode. Now you will be sent to a command prompt.
      • Here, simply go to “C:\Windows” or “<Root Drive>:\Windows” and type “del *.pwl”.
      • This will delete the password files & next time you log in, you will be asked for a new password.
  • 12. # Hacking Login Password…
      Microsoft Windows NT / XP / Vista / 7 :
      • The majority of the different versions of Windows like Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 use Systems Account Manager (SAM) to store users' credentials.
      • The important part is that these files become inaccessible after Windows starts.
      • So in order to hack these passwords, all the work has to be done without starting Windows.
      • For this purpose, readymade tools are available over the internet.
      • For example, Ophcrack is a free open source program that cracks Windows passwords. On most computers, ophcrack can crack most passwords within a few minutes.
  • 13. # Continued…
      Microsoft Windows NT / XP / Vista / 7 :
      • The process is simple – Boot your system with the live CD of ophcrack in the CD drive
      • Wait for the live OS to load, and the software will take care of the rest. You will get all the passwords within some minutes.
      • The catch is that the time required to crack the password is proportional to the length and complexity of the password.
      • Also, if the passwords are too complex the software may fail.
      • Other tools like Offline password cracker, Hiren Multi Boot Disk, ERD Commander, Admin Hack and Active Password Changer are also used for the same purpose.
  • 14. # Erasing BIOS Password…
      • Due to the sensitive nature of the system settings controlled by the BIOS, a password can be set by either the computer manufacturer or the end-user.
      • In addition to creating a BIOS password from a hash code, a number of BIOS manufacturers also implement an explicit backdoor password.
      • This password will work regardless of the presence of a manually set BIOS password. The primary purpose of a manufacturer’s backdoor BIOS password is for maintenance and testing evolutions.
  • 15. # Erasing BIOS Password…
      One of the most common methods to reset the BIOS password is to remove or discharge the battery on the computer’s motherboard. If the power to the battery is lost or drained, the BIOS configuration will be reset to the factory state with no password. System settings made to the BIOS will also be lost.
      • Step 1 – Turn off the computer and ensure it has no external power (i.e. unplug the power cable. If it has a battery, remove it).
      • Step 2 – Open the computer’s case or box.
      • Step 3 – Locate the computer’s motherboard and look for the white silver button battery on the motherboard.
      • Step 4 – Remove the battery carefully and wait for approximately 30 seconds.
      • Step 5 – Put the computer case back together and boot the computer.
      • Step 6 – If the “CMOS Checksum Error-Defaults Loaded” error message is displayed, the BIOS password has been reset.
      If the CMOS battery is soldered to the computer’s motherboard, some brands will have a jumper located on the board that can be used to reset or clear the BIOS password.
  • 16. # Website Phishing…
      Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
  • 17. # Website Phishing…The Process…
      • The attacker calls you or sends you an email. The email or call will give you some exciting offers or will in some way try to lure you into opening the link provided or disclosing some confidential information
      • For example, there was a scam recently over Facebook where they claimed to give you a Free Facebook T-shirt or Free Facebook Shoes.
      • Users were required to fill in a form which asked for the user id & password of their Facebook account.
      • Then users had to like a page in order to avail the offer.
      • After that, users were asked to share that link in 10 different groups so as to spread the scam.
      • Also the process never completed because the page always said "You haven't shared the link yet".
  • 18. # Website Phishing…
      • Phishing is the most common & efficient password stealing attack.
      • According to APWG (Anti-phishing Working Group)’s report, the number of unique phishing websites detected in the second half of 2010 was 97,388.
      • RSA, formerly RSA Security, Inc., is an American computer and network security company. Phishing attacks increased 24% in November 2012 with 41,834 attacks identified by RSA. To date, the RSA Anti-Fraud Command Center has shut down 7,67,442 cyber attacks.
      • The U.S. and UK were targeted by the largest volume of phishing attacks in November, but India emerged as the third most targeted, enduring 7% of phishing attack volume last month.
  • 19. # Identifying Phishing Mails…
      Attackers might email you, call you on the phone, or convince you to download something off of a website. Here is an example of what a phishing scam in an email message might look like:
  • 20. # Trojan Horse…
      • A Trojan horse, or Trojan, is a non-self-replicating type of malware which appears to perform a desirable function but instead facilitates unauthorized access to the user's computer system.
      • Trojans do not attempt to inject themselves into other files like a computer virus.
      • Trojan horses may steal information, or harm their host computer systems.
  • 21. # Trojan Horse…Purpose & Uses…
    A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:
    • Crashing the computer
    • Blue screen of death
    • Electronic money theft
    • Data theft (e.g. retrieving passwords or credit card information)
    • Installation of software, including third-party malware and ransomware
    • Downloading or uploading of files on the user's computer
    • Modification or deletion of files
    • Keystroke logging
    • Watching the user's screen
    • Viewing the user's webcam
    • Controlling the computer system remotely
  • 22. # Trojan Horse…Prevention…
    • Prevention against Trojan horses depends on the skills of the attacker or the ability of the Trojan.
    • Most of the Trojans available over the internet have already been marked in almost all anti-virus databases & even in the Windows Defender database.
    • Use anti-virus software before you use the internet on your computer. Also keep its virus definitions updated.
    • Frequently check for Windows Defender updates & download them if available. Defender is inbuilt software in Windows OS that keeps track of malware & spyware.
    • If you feel your computer is behaving abnormally, disconnect from the internet & contact some security experts.
  • 23. # All About Passwords…
    • Over the past few decades, text passwords have been adopted as the primary means of user authentication for websites.
    • Users select a username & password while registering on websites. But to log onto that site next time, the user has to recall that password.
    • If the user selects a complex password, it can resist brute force & dictionary attacks.
    • But because humans are not good at memorizing strings, most users would choose easy-to-remember passwords.
    • Another crucial problem is that many users reuse the same password for many sites.
    • Password reuse can cause a great loss because a hacker can compromise a weak site & use the password for other websites. This is a password reuse attack.
  • 24. # All About Passwords…
    • Various schemes have been suggested to date for user authentication.
    • These included some graphical password schemes as well.
    • Although it's a great idea, it is not mature enough & is vulnerable to some attacks like guessing, shoulder surfing & spyware.
    • Keylogging or keylistening cannot crack them, but we are not sure about mouse tracking spyware.
  • 25. # All About Passwords…
    • Another alternative for password security is to use password management tools.
    • These tools suggest long complex passwords while registering on websites & store them so that when you log in next time, they can be filled in automatically.
    • The user just needs to remember one master password & all other passwords are managed by the software.
    • Some managers even facilitate carrying a copy on flash drives so as to use them on other computers.
    • But users doubt its security & thus feel uncomfortable about using it.
    • Some research focuses on three-factor authentication rather than password-based authentication to provide more reliable user authentication. Three-factor authentication depends on what you know (e.g. password), what you have (e.g. ID cards) & who you are (e.g. fingerprint or iris).
    • This requires comparatively high cost.
  • 26. # What is oPass ??…
    • oPass is a User Authentication Protocol which leverages a user's cell phone & SMS service to prevent password reuse & password stealing attacks.
    • The main reason password stealing attacks succeed is that users have to type passwords into untrusted computers.
    • Therefore, the main concept of oPass is to free users from having to remember or type any passwords into conventional computers for authentication.
    • The user's cell phone is used to generate one-time passwords & a new communication channel, SMS, is used to transmit authentication messages.
    • Because of one-time passwords (OTP), the user is not required to memorize any passwords & there is no problem if the attacker knows this password, as the password expires after one login session.
  • 27. # oPass Architecture…
    • In oPass, a user is required to memorize only one long-term password to access his cell phone.
    • For users to perform secure login on an untrusted computer (kiosk), oPass consists of a trusted cell phone, a browser on the kiosk & the server he wishes to log into.
    • The communication between the cell phone & web server is through the SMS channel.
    • The browser interacts with the web server via the internet.
    • In our protocol, we require the cell phone to interact directly with the kiosk. The general approach is to select available interfaces like Wi-Fi or Bluetooth.
  • 28. # Assumptions in oPass…
    • Each web server possesses a unique phone number.
    • The user's cell phone is malware free.
    • The telecommunication service provider (TSP) will participate in the registration & recovery phases.
    • Users connect to the TSP via a 3G connection to protect transmission.
    • The TSP & web server establish a secure socket layer (SSL) tunnel to prevent phishing attacks.
    • If the user loses his cell phone, he will get a new SIM card from the TSP having the same number.
  • 29. # The Registration Phase…
  • 30. # The Registration Phase…
    Step 1 : The user begins by opening the oPass program on her cell phone.
    Step 2 : She enters IDu (the account ID she prefers) & IDs (the web site URL) into the program. The TSP plays the role of distributing a shared key Ksd between the user & the server. The key is used to encrypt the SMS with AES-CBC.
    AES-CBC : Advanced Encryption Standard, Cipher Block Chaining
    Step 3 : The TSP forwards the user ID (IDu), user number (Tu) & shared key (Ksd) to the server (s).
  • 31. # The Registration Phase…
    Step 4 : The server generates the corresponding information about the account & replies with the server ID (IDs), a random seed ф & the server's phone number (Ts).
    Step 5 : The TSP then forwards the server ID (IDs), the random seed ф, the server's phone number (Ts) & the shared key Ksd to the user's cell phone.
  • 32. # The Registration Phase…
    Step 6 : The user will now set up a long-term password Pu for her cell phone. The phone computes a secret credential c using Pu, IDs & ф. The cell phone then encrypts the credential c with key Ksd & generates the corresponding MAC, i.e. HMAC1.
    Step 7 : The cell phone now sends an encrypted registration SMS to the server phone number Ts, which consists of the user ID, c, ф, IV & HMAC1.
    Step 8 : The server decrypts this SMS to obtain c, key Ksd & sends an acknowledgement to the user's cell phone. In the end, the cell phone stores the server ID, server number, ф & i. 'i' is the current index of the OTP.
    Step 9 : After the SMS from the above step, the server stores the user ID, user number, c, ф & i. This completes registration.
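    The state left behind by Steps 6 to 9 (c and i on the server; ф and i on the phone) is enough to drive one-time passwords. The sketch below is an added example, not code from the slides or from the oPass authors. It assumes c is SHA-256 over Pu, IDs and ф, and that the i-th OTP comes from a Lamport-style hash chain of assumed length N; the slides do not give either construction, and all names are hypothetical.

```python
import hashlib
import hmac

N = 100  # assumed chain length: logins allowed before registering again

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def credential(pu: str, id_s: str, seed: bytes) -> bytes:
    """Secret credential c from Pu, IDs and the seed (assumed construction)."""
    return H(pu.encode() + b"|" + id_s.encode() + b"|" + seed)

def otp(c: bytes, i: int) -> bytes:
    """OTP number i: c hashed N - i times (assumed hash chain)."""
    if not 0 <= i < N:
        raise ValueError("OTP index exhausted; register again")
    value = c
    for _ in range(N - i):
        value = H(value)
    return value

class Server:
    """Server record after Step 9: holds c and the current OTP index i."""
    def __init__(self, c: bytes):
        self.c, self.i = c, 0

    def login(self, presented: bytes) -> bool:
        if self.i >= N:
            return False
        ok = hmac.compare_digest(presented, otp(self.c, self.i))
        if ok:
            self.i += 1  # the accepted OTP is spent and never valid again
        return ok

class Phone:
    """Phone record after Step 8: holds IDs, the seed and i, but not Pu or c."""
    def __init__(self, id_s: str, seed: bytes):
        self.id_s, self.seed, self.i = id_s, seed, 0

def do_login(phone: Phone, server: Server, pu: str):
    """Derive c from the typed Pu, present OTP i, advance i only on success."""
    token = otp(credential(pu, phone.id_s, phone.seed), phone.i)
    if server.login(token):
        phone.i += 1
        return token
    return None
```

    A captured OTP cannot be replayed, and hashing the next OTP yields the previous one, so a spent value does not reveal the next.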
  • 33. # The Login Phase…
  • 34. # The Recovery Phase…
  • 35. # oPass Security Analysis…
    • An attacker can target the user side or the server side.
    • At the user side, he can install malware or use phishing sites to fetch the passwords.
    • But in oPass, passwords are not entered into browsers. So, oPass resists phishing & malware attacks.
    • At the server side, the attacker can intercept & manipulate messages to launch SMS spoofing attacks.
    • But as the ciphertext cannot be decrypted without the corresponding secret key & the hash function is irreversible, this attack will fail.
    • Also, the attacker doesn't know the session key of the 3G connection & SSL tunnel. So he cannot derive the secret credential c.
    • If someone steals the cell phone, he can't log in, as he doesn't know the long-term password set up by the user.
  • 36. # Something Important…
    • The TSP & server communicate via an SSL tunnel, which guarantees confidentiality. The TSP can verify the website's certificate to prevent phishing attacks.
    • To analyze the effectiveness of oPass, a study was conducted with 24 participants having an average computer experience of 11.9 years.
    • The average time for registering is 21.8 s and the SMS delay is 9.1 s.
    • For login, the average time was 21.62 s & the SMS delay was 8.9 s.
    • Many people preferred oPass over present authentication protocols.
    • Also, many suggested that such a high level of security is good for applications like net banking & not for simple websites like email.
  • 37. # Conclusion…
    • Crackers are always developing something new. All we can do is fix the already discovered vulnerabilities so as to remain safe.
    • The oPass protocol has a very high level of security, which is not feasible for everyday login purposes. For usage like login, this protocol won't be acceptable. But for applications like net banking, the protocol is highly recommended.
    • Similar protocols have been implemented by some websites, e.g. Google. So we can say that security is improving day by day.