A user's credentials are the identifier used to distinguish the user and the information used to authenticate that identity. The first rule of computer security is: do not share your password. However, stolen passwords continue to be a significant security issue.

Sniffing

Sniffing is the process of monitoring a communication medium in an attempt to gather information. This process is used to find identification and authentication information. Password sniffing is effective because of the use of reusable passwords and the use of protocols which transmit user IDs and passwords across the communication medium in clear text. This creates an environment where stealing credentials is a trivial task.
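The passage above describes why sniffing works: common protocols carry the user ID and password in the clear. As an added example, not from the book, the following audit (my own code) scans reassembled payloads for the FTP/POP3 USER and PASS pair, the IMAP LOGIN command, an HTTP Basic header and a plain-HTTP login form, and reports which account was exposed on which protocol without keeping the secret. The ports, payloads and account names are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample payloads (destination port, bytes); not real captured traffic.
SAMPLE_PAYLOADS = [
    (21, b"USER alice\r\nPASS hunter2\r\n"),
    (110, b"USER bob@example.test\r\nPASS letmein\r\n"),
    (143, b"a001 LOGIN carol secret123\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.test\r\nAuthorization: Basic "
         + base64.b64encode(b"dave:Pa55word") + b"\r\n\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: app.test\r\n\r\nusername=erin&password=qwerty"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS handshake: opaque bytes
]

@dataclass(frozen=True)
class Finding:
    port: int
    protocol: str
    user_id: str  # reported so the exposed account can be forced onto a new password

def audit_payload(port: int, payload: bytes) -> list[Finding]:
    """Return one Finding per clear-text credential exchange seen in the payload."""
    text = payload.decode("latin-1")
    findings: list[Finding] = []
    if port in (21, 110):  # FTP and POP3 both use the USER / PASS command pair
        m = re.search(r"USER (\S+)\r\n.*?PASS \S+", text, re.S)
        if m:
            findings.append(Finding(port, "FTP" if port == 21 else "POP3", m.group(1)))
    elif port == 143:  # IMAP: "<tag> LOGIN <user> <password>"
        m = re.search(r"^\S+ LOGIN (\S+) \S+", text, re.M)
        if m:
            findings.append(Finding(port, "IMAP", m.group(1)))
    elif port == 80:
        m = re.search(r"Authorization: Basic (\S+)", text)
        if m:  # HTTP Basic is base64("user:password"): encoded, not encrypted
            try:
                user_id = base64.b64decode(m.group(1)).decode("latin-1").split(":", 1)[0]
                findings.append(Finding(port, "HTTP Basic", user_id))
            except ValueError:
                pass
        body = text.split("\r\n\r\n", 1)[-1]
        m = re.search(r"(?:^|&)(?:user(?:name)?|login)=([^&]+)", body)
        if m and "password=" in body:  # login form submitted over plain HTTP
            findings.append(Finding(port, "HTTP form", m.group(1)))
    return findings

def audit_capture(payloads) -> list[Finding]:
    # Every Finding is an account whose password must be treated as compromised.
    return [f for port, data in payloads for f in audit_payload(port, data)]
```

Running `audit_capture(SAMPLE_PAYLOADS)` yields five findings, one per clear-text protocol in the sample, and nothing for the TLS payload.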
Any password which is sent over a network in clear text has to be considered compromised. Even if the password is encrypted before transmission, password snooping can be used in conjunction with password guessing to extract a user ID and password pair. Numerous implementations have had weak encryption of passwords.

Snooping

Snooping is the process of observing a user's activity, either visually on his or her terminal device or with software. Trojan horses and parasites in the display software or input drivers have been used to observe keyboard and mouse input on Windows desktops, X Window displays and web browsers. The locally collected information can be stored or sent to the hacker. This type of attack is successful even when encrypted communications are used, since the information is stolen before it is sent.
Social Engineering

Social engineering is the process of obtaining information through the use of a false pretense. Simply asking an individual for his password may seem too obvious to work on experienced users, but there have been numerous reports of very simple techniques that have been successful. The request could come in the form of an e-mail message, a broadcast, or a telephone call.
The request may instruct the user to immediately change his password, usually citing testing or security issues. The user is further instructed to change the password to one that is specified in the message, or the user may be instructed to run a program which asks the user to enter his user ID and password, which are then collected by the attacker. The message can appear to be from a site administrator or root. In reality, it may have been sent by an individual who is trying to gain access to the local machine, or additional privileges on it, via the user's account. There should be a procedure to authenticate requests to change passwords or to run programs that request password information, so that users are assured that these requests are legitimate. There should also be a well-defined process to report such attempts so that they can be tracked and the attacker captured.