Information security awareness
From Computing and Software Wiki
(→Discussion) |
|||
(19 intermediate revisions not shown) | |||
Line 1: | Line 1: | ||
- | '''Information security awareness''' is the awareness of potential security risks. Being information security aware means people understand that it is possible (sometimes easy) for someone to break the confidentiality, integrity or availability of information stored or transferred electronically. Since being aware is always the first step of protection, raising people's awareness of potential risks is a good practice to improve | + | '''Information security awareness''' is the awareness of potential security risks. Being information security aware means people understand that it is possible (sometimes easy) for someone to break the confidentiality, integrity or availability of information stored or transferred electronically. Since being aware is always the first step of protection, raising people's awareness of potential risks is a good practice to improve information security. |
Although people have become more aware of some security concerns such as malware and phishing nowadays, a lot of people do not realize that good security software does not guarantee security. There exists methods, such as sniffing, that compromise information security without involving the user machine at all. Thus these kinds of attacks cannot be prevented by any software on the user computer, no matter how good the software is at dealing with active attacks. This makes it more important for people to be aware of these kinds of security risks. | Although people have become more aware of some security concerns such as malware and phishing nowadays, a lot of people do not realize that good security software does not guarantee security. There exists methods, such as sniffing, that compromise information security without involving the user machine at all. Thus these kinds of attacks cannot be prevented by any software on the user computer, no matter how good the software is at dealing with active attacks. This makes it more important for people to be aware of these kinds of security risks. | ||
Line 5: | Line 5: | ||
A good way to make people aware of information security is simply to show them how attacks can be done and how easily they can be done. This article provides several attack techniques as examples and some discussion. | A good way to make people aware of information security is simply to show them how attacks can be done and how easily they can be done. This article provides several attack techniques as examples and some discussion. | ||
- | ==Examples of attacks== | + | == Examples of attacks == |
Unlike malware or [[phishing]], some attacks do not require any involvement from the target machine. More importantly, some of these attacks require no specific knowledge about networking or operating system. With the help of some tools, an average hacker can break others' information security even when their machines are well protected by security softwares. | Unlike malware or [[phishing]], some attacks do not require any involvement from the target machine. More importantly, some of these attacks require no specific knowledge about networking or operating system. With the help of some tools, an average hacker can break others' information security even when their machines are well protected by security softwares. | ||
(This section is open for discussing, since there are always new effective attack methods.) | (This section is open for discussing, since there are always new effective attack methods.) | ||
- | ===Wireless cracking=== | + | === Wireless cracking === |
Wireless networks are becoming very popular since they provide easy access to the internet. However, wireless networks are vulnerable to a lot attacks that are not possible on wired networks. | Wireless networks are becoming very popular since they provide easy access to the internet. However, wireless networks are vulnerable to a lot attacks that are not possible on wired networks. | ||
Wireless networks are generally very vulnerable to cracking. A lot of wireless networks used in families are poorly configured, which means they either have no passwords at all, or have very weak passwords. This makes it very easy for attackers to get access to the network by simply guessing the passwords. | Wireless networks are generally very vulnerable to cracking. A lot of wireless networks used in families are poorly configured, which means they either have no passwords at all, or have very weak passwords. This makes it very easy for attackers to get access to the network by simply guessing the passwords. | ||
- | However, when the network is configured so that it has a good password, there is still a good chance that it can be cracked easily. It is due to the fact that most wireless networks use WEP (Wired Equivalent Privacy) as authentication methods, and WEP has some serious weakness. According to | + | However, when the network is configured so that it has a good password, there is still a good chance that it can be cracked easily. It is due to the fact that most wireless networks use WEP (Wired Equivalent Privacy) as authentication methods, and WEP has some serious weakness. According to Fluhrer and his colleagues, RC4, the encryption method that WEP uses, can be broken when enough sample traffic is collected; and both gathering sample traffic and cracking encryption can be automated. When the whole cracking process is automated by computer programs, it takes less than 10 minutes to crack a WEP protected network. |
A tools set called Aircrack-ng is worth to be mentioned here, as it is currently the most popular tool to crack wireless networks. It provides a whole set of programs to crack wireless networks, including adapter configuration, fake authentication, de-authentication, passwords cracking, etc., and the only thing it requires is a good wireless card. | A tools set called Aircrack-ng is worth to be mentioned here, as it is currently the most popular tool to crack wireless networks. It provides a whole set of programs to crack wireless networks, including adapter configuration, fake authentication, de-authentication, passwords cracking, etc., and the only thing it requires is a good wireless card. | ||
- | ===Wireless sniffing=== | + | Brief WEP attack steps: |
+ | 1. Configure the wireless card to monitor mode | ||
+ | 2. Start capturing all traffic packets that contain initialization vectors (IVs) | ||
+ | 3. Fake authenticate to the target network | ||
+ | 4. Listen for address resolution protocol (ARP) requests and replay them back, so that new IVs are generated quickly | ||
+ | 5. Use a cracking tool like aircrack-ng to analyze all the IVs and get the WEP key | ||
+ | |||
+ | === Wireless sniffing === | ||
Due to the fact that wireless networks are vulnerable to cracking and the traffic on a wireless network is not constrained in wires, sniffing wireless networks is quite easy. Once an attacker gets access to a wireless network, he can sniff any useful information in the traffic as long as the information is not encrypted. | Due to the fact that wireless networks are vulnerable to cracking and the traffic on a wireless network is not constrained in wires, sniffing wireless networks is quite easy. Once an attacker gets access to a wireless network, he can sniff any useful information in the traffic as long as the information is not encrypted. | ||
There are a lot of tools, such as Wireshark and Kismet, can be used to sniff the network. They are not very easy to use, but they also do not require any particularly deep knowledge to use. Most of these tools offer good GUI for the users, and the presentation of sniffed data is usually very clear and organized. | There are a lot of tools, such as Wireshark and Kismet, can be used to sniff the network. They are not very easy to use, but they also do not require any particularly deep knowledge to use. Most of these tools offer good GUI for the users, and the presentation of sniffed data is usually very clear and organized. | ||
- | One thing should be noted here is that although a lot of websites use encryption when they are expecting passwords from users, many of them do not use encryption after the authentication since usually the only critical information being transferred is passwords. However, this brings a serious problem. Since during the session after authentication, the website stores the session information in cookies, which are not encrypted. These session data can be sniffed and replayed by an attacker to gain access to the website. For example, if a Hotmail user has checked the "remember my password" option, and if an attacker sniffs the session id contained in the user's cookies, the attacker then can access to the user's Hotmail account without even knowing the actual password at any time. | + | One thing should be noted here is that although a lot of websites use encryption when they are expecting passwords from users, many of them do not use encryption after the authentication since usually the only critical information being transferred is passwords. However, this brings a serious problem. Since during the session after authentication, the website stores the session information in cookies, which are not encrypted. These session data can be sniffed and replayed by an attacker to gain access to the website. For example, if a Hotmail user has checked the "remember my password" option, and if an attacker sniffs the session id contained in the user's cookies, the attacker then can access to the user's Hotmail account without even knowing the actual password at any time. WebCT in McMaster also encrypts only login pages just like Hotmail; thus it can be sniffed in the same way, though the session cannot last if the original user closes his browser. |
This particular type of sniffing is called side-jacking. It is very easy to be performed and it can be done in a lot of situations. Ferret is a tool developed by Errata Security, which automate the whole side-jacking process. A typical hacker can sit in a Hotspot enabled cafeteria or [[Piggybacking|piggyback]] a private network, open his laptop and click on Ferret; then after 1 hour or so, he will get all the email accounts that have been accessed in that wireless network. | This particular type of sniffing is called side-jacking. It is very easy to be performed and it can be done in a lot of situations. Ferret is a tool developed by Errata Security, which automate the whole side-jacking process. A typical hacker can sit in a Hotspot enabled cafeteria or [[Piggybacking|piggyback]] a private network, open his laptop and click on Ferret; then after 1 hour or so, he will get all the email accounts that have been accessed in that wireless network. | ||
- | ===Passwords cracking=== | + | Brief side-jacking attack steps: |
+ | 1. Connect to a public network or piggyback to a private network | ||
+ | 2. Crack the network using the previous method if the network is encrypted | ||
+ | 3. Start capturing all traffic packets, save all HTTP headers | ||
+ | 4. Analyze all the cookies and corresponding URLs in the headers or use tools like Ferret | ||
+ | 5. Replay these cookies to their corresponding web pages to fake original sessions | ||
+ | |||
+ | === Passwords cracking === | ||
Brutal force cracking used to be very limited, because it requires a huge amount of time to crack a password that is not too short. However, as personal computers have become very powerful and most recent computers carry a good amount of memory, a new brutal force method called "rainbow table" becomes popular recently. A normal password that is shorter than 9 characters can be cracked by rainbow tables within minutes. | Brutal force cracking used to be very limited, because it requires a huge amount of time to crack a password that is not too short. However, as personal computers have become very powerful and most recent computers carry a good amount of memory, a new brutal force method called "rainbow table" becomes popular recently. A normal password that is shorter than 9 characters can be cracked by rainbow tables within minutes. | ||
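Review bot: the added "Brief WEP attack steps:" and "Brief side-jacking attack steps:" blocks are entered as plain lines starting with "1.", "2." and so on, and in the rendered revision each block collapses into one run-on line. Start each step with wiki numbered-list markup (#) so the steps render as a list.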
Line 35: | Line 49: | ||
Although rainbow table cracking can be prevented by using salt, a lot of applications and web services do not use salt. A good example is Microsoft Windows, it stores unsalted passwords hashes in the machine; thus it is vulnerable to this kind of attack. Many web applications also store unsalted hashes in the cookies to maintain sessions; since cookies can usually be sniffed easily, they are also vulnerable to rainbow tables. | Although rainbow table cracking can be prevented by using salt, a lot of applications and web services do not use salt. A good example is Microsoft Windows, it stores unsalted passwords hashes in the machine; thus it is vulnerable to this kind of attack. Many web applications also store unsalted hashes in the cookies to maintain sessions; since cookies can usually be sniffed easily, they are also vulnerable to rainbow tables. | ||
- | ==Discussion== | + | Brief rainbow table attack steps: |
+ | 1. Obtain the hash function and password hashes of target | ||
+ | 2. Generate the rainbow table corresponding to the hash function, if it does not already exists online | ||
+ | 3. Compare passwords hashes to the table indexes and find the plain text | ||
+ | |||
+ | == Discussion == | ||
As showed above, there exists many attacks that cannot be prevented by client side software. The only possible defense from general users is carefulness and good habits. All the attacks described above are most effective to those who are not aware of these security threats, and the effectiveness drops significantly when people are aware of them. The following section gives some advice for helping avoiding these security issues. | As showed above, there exists many attacks that cannot be prevented by client side software. The only possible defense from general users is carefulness and good habits. All the attacks described above are most effective to those who are not aware of these security threats, and the effectiveness drops significantly when people are aware of them. The following section gives some advice for helping avoiding these security issues. | ||
- | '''Avoid using wireless when dealing with sensitive data''' | + | '''Avoid using wireless when dealing with sensitive data.''' |
Since wireless networking really has a lot of security issues, it is best to just use wired connection when dealing sensitive information such as banking or confidential communication. If wireless is the only choice, try to encrypt all the information, either manually or using services like VPN. | Since wireless networking really has a lot of security issues, it is best to just use wired connection when dealing sensitive information such as banking or confidential communication. If wireless is the only choice, try to encrypt all the information, either manually or using services like VPN. | ||
- | + | '''Always use web services that has encryption features.''' | |
Encryption is very important in all web services. It offers general protection to the information being transferred. Modern web browsers usually notify users that the visiting web site is using encryption via SSL (secure sockets layer) by changing the color of the address bar. | Encryption is very important in all web services. It offers general protection to the information being transferred. Modern web browsers usually notify users that the visiting web site is using encryption via SSL (secure sockets layer) by changing the color of the address bar. | ||
- | + | '''Use VPN when processing a lot of information on a public or wireless network.''' | |
VPN (virtual private network) offers a secure platform on public or insecure networks by using a set of encryptions and authentications. When processing lots of information on an insecure network, VPN is the best choice to protect information security. In McMaster University, this is enforced when students connect to university networks via MacConnect. | VPN (virtual private network) offers a secure platform on public or insecure networks by using a set of encryptions and authentications. When processing lots of information on an insecure network, VPN is the best choice to protect information security. In McMaster University, this is enforced when students connect to university networks via MacConnect. | ||
- | + | '''Use different passwords for different purpose.''' | |
A lot of people use one password for all the authentications on the internet. This is not a good practice as it increases security risks, since all the information is tied to one key that is sometimes exposed in insecure environment. It is good to have several different passwords for sensitive information such as banking, and one or two keys for information which is not so important such as online discussion boards. | A lot of people use one password for all the authentications on the internet. This is not a good practice as it increases security risks, since all the information is tied to one key that is sometimes exposed in insecure environment. It is good to have several different passwords for sensitive information such as banking, and one or two keys for information which is not so important such as online discussion boards. | ||
- | ==See also== | + | == See also == |
* [[Piggybacking]] | * [[Piggybacking]] | ||
* [[Phishing]] | * [[Phishing]] | ||
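Review bot: three of the added lines in this hunk have agreement errors that will show in the rendered article: "if it does not already exists online" should read "does not already exist", "web services that has encryption features" should read "that have", and "for different purpose" should read "purposes". The added rainbow table steps also need list markup, since "1.", "2.", "3." as plain lines render as one run-on line.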
Line 56: | Line 75: | ||
* [[Operating Systems Security]] | * [[Operating Systems Security]] | ||
- | ==External links== | + | == References == |
- | *[http://insecure.org/ Insecure.org, a good source and review of security tools] | + | * Siponen, Mikko T. (June 2001). "Five dimensions of information security awareness". Computers and Society 31 (2), 24 - 29. New York, ACM Press. |
- | *[http://www.aircrack-ng.org/ Aircrack-ng] | + | * Fluhrer, Scott R.; Mantin, Itsik; Shamir, Adi (August 2001). "Weaknesses in the Key Scheduling Algorithm of RC4", Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography, 1-24. |
- | *[http://www.wireshark.org/ Wireshark] | + | |
- | *[http://ophcrack.sourceforge.net/ Project Ophcrack, a famous tool implementing rainbow tables] | + | == External links == |
- | *[http://en.wikipedia.org/wiki/Wireless_security Wireless security on Wikipedia] | + | * [http://insecure.org/ Insecure.org, a good source and review of security tools] |
- | *[http://en.wikipedia.org/wiki/VPN VPN on Wikipedia] | + | * [http://www.aircrack-ng.org/ Aircrack-ng] |
- | *[http://en.wikipedia.org/wiki/Transport_Layer_Security SSL on Wikipedia] | + | * [http://www.wireshark.org/ Wireshark] |
+ | * [http://ophcrack.sourceforge.net/ Project Ophcrack, a famous tool implementing rainbow tables] | ||
+ | * [http://en.wikipedia.org/wiki/Wireless_security Wireless security on Wikipedia] | ||
+ | * [http://en.wikipedia.org/wiki/VPN VPN on Wikipedia] | ||
+ | * [http://en.wikipedia.org/wiki/Transport_Layer_Security SSL on Wikipedia] |
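Review bot: the Siponen entry added under "== References ==" is not cited anywhere in the article text, and the Fluhrer, Mantin and Shamir entry is referred to only by name in the WEP paragraph. Add inline citations at the sentences each reference supports, or move uncited entries to a further-reading list.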
Current revision as of 00:20, 10 December 2007
Information security awareness is the awareness of potential security risks. Being information security aware means people understand that it is possible (sometimes easy) for someone to break the confidentiality, integrity or availability of information stored or transferred electronically. Since being aware is always the first step of protection, raising people's awareness of potential risks is a good practice to improve information security.
Although people have become more aware of some security concerns such as malware and phishing, a lot of people do not realize that good security software does not guarantee security. There exist methods, such as sniffing, that compromise information security without involving the user's machine at all. Thus these kinds of attacks cannot be prevented by any software on the user's computer, no matter how good the software is at dealing with active attacks. This makes it more important for people to be aware of these kinds of security risks.
A good way to make people aware of information security is simply to show them how attacks can be done and how easily they can be done. This article provides several attack techniques as examples and some discussion.
Examples of attacks
Unlike malware or phishing, some attacks do not require any involvement from the target machine. More importantly, some of these attacks require no specific knowledge about networking or operating systems. With the help of some tools, an average hacker can break others' information security even when their machines are well protected by security software.
(This section is open for discussion, since there are always new effective attack methods.)
Wireless cracking
Wireless networks are becoming very popular since they provide easy access to the internet. However, wireless networks are vulnerable to a lot of attacks that are not possible on wired networks.
Wireless networks are generally very vulnerable to cracking. A lot of wireless networks used in families are poorly configured, which means they either have no passwords at all, or have very weak passwords. This makes it very easy for attackers to get access to the network by simply guessing the passwords.
However, even when the network is configured with a good password, there is still a good chance that it can be cracked easily. This is because most wireless networks use WEP (Wired Equivalent Privacy) as their authentication method, and WEP has some serious weaknesses. According to Fluhrer and his colleagues, RC4, the encryption method that WEP uses, can be broken when enough sample traffic is collected, and both gathering sample traffic and cracking the encryption can be automated. When the whole cracking process is automated by computer programs, it takes less than 10 minutes to crack a WEP-protected network.
A tool set called Aircrack-ng is worth mentioning here, as it is currently the most popular tool for cracking wireless networks. It provides a whole set of programs to crack wireless networks, including adapter configuration, fake authentication, de-authentication, password cracking, etc., and the only thing it requires is a good wireless card.
Brief WEP attack steps:
1. Configure the wireless card to monitor mode
2. Start capturing all traffic packets that contain initialization vectors (IVs)
3. Fake authenticate to the target network
4. Listen for address resolution protocol (ARP) requests and replay them back, so that new IVs are generated quickly
5. Use a cracking tool like aircrack-ng to analyze all the IVs and get the WEP key
Wireless sniffing
Because wireless networks are vulnerable to cracking and the traffic on a wireless network is not confined to wires, sniffing wireless networks is quite easy. Once an attacker gets access to a wireless network, he can sniff any useful information in the traffic as long as the information is not encrypted.
There are a lot of tools, such as Wireshark and Kismet, that can be used to sniff the network. They are not very easy to use, but they also do not require any particularly deep knowledge. Most of these tools offer a good GUI, and the presentation of sniffed data is usually very clear and organized.
One thing that should be noted here is that although a lot of websites use encryption when they are expecting passwords from users, many of them do not use encryption after authentication, since usually the only critical information being transferred is the password. However, this causes a serious problem: during the session after authentication, the website stores the session information in cookies, which are not encrypted. This session data can be sniffed and replayed by an attacker to gain access to the website. For example, if a Hotmail user has checked the "remember my password" option, and an attacker sniffs the session id contained in the user's cookies, the attacker can then access the user's Hotmail account at any time without even knowing the actual password. WebCT at McMaster also encrypts only login pages, just like Hotmail; thus it can be sniffed in the same way, though the session cannot last if the original user closes his browser.
This particular type of sniffing is called side-jacking. It is very easy to perform and it can be done in a lot of situations. Ferret is a tool developed by Errata Security which automates the whole side-jacking process. A typical hacker can sit in a hotspot-enabled cafeteria or piggyback a private network, open his laptop and click on Ferret; then after 1 hour or so, he will get all the email accounts that have been accessed in that wireless network.
Brief side-jacking attack steps:
1. Connect to a public network or piggyback to a private network
2. Crack the network using the previous method if the network is encrypted
3. Start capturing all traffic packets, save all HTTP headers
4. Analyze all the cookies and corresponding URLs in the headers or use tools like Ferret
5. Replay these cookies to their corresponding web pages to fake original sessions
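The condition that makes side-jacking possible (a session cookie that leaves the encrypted login page and then travels over plain HTTP) can be checked from a site's own headers. The following is an added example, not part of the original article: the host names, cookie names and header values are constructed, and the name-based session heuristic is an assumption.

```python
from urllib.parse import urlsplit

# Assumed heuristic: substrings that usually mark a session or login cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(url, set_cookie_headers):
    """Return (cookie_name, problem) pairs for session cookies in one response."""
    findings = []
    scheme = urlsplit(url).scheme
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if not looks_like_session(name):
            continue
        if scheme != "https":
            findings.append((name, "set over plain HTTP"))
        if "secure" not in attrs:
            # Without Secure the browser also sends the cookie on http:// pages.
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if "expires" in attrs or "max-age" in attrs:
            # A "remember me" cookie stays replayable after the browser closes.
            findings.append((name, "persistent (Expires/Max-Age)"))
    return findings


def exposed_requests(requests):
    """Return (url, cookie_name) for session cookies sent over unencrypted HTTP."""
    exposed = []
    for url, cookie_header in requests:
        if urlsplit(url).scheme == "https":
            continue
        for pair in cookie_header.split(";"):
            name = pair.partition("=")[0].strip()
            if name and looks_like_session(name):
                exposed.append((url, name))
    return exposed


# Constructed sample data: login responses and later requests.
RESPONSES = [
    ("https://mail.example.test/login", ["SESSIONID=c0ffee; Path=/", "lang=en; Path=/"]),
    ("https://shop.example.test/login", ["sid=abc123; Path=/; Secure; HttpOnly"]),
    ("https://mail.example.test/login",
     ["auth_remember=deadbeef; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"]),
]
REQUESTS = [
    ("https://mail.example.test/login", ""),
    ("http://mail.example.test/inbox", "SESSIONID=c0ffee; lang=en"),
    ("https://shop.example.test/cart", "sid=abc123"),
]

if __name__ == "__main__":
    for url, headers in RESPONSES:
        for name, problem in audit_response(url, headers):
            print(f"{url}: {name}: {problem}")
    for url, name in exposed_requests(REQUESTS):
        print(f"{url}: {name} sent in cleartext")
```
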
Passwords cracking
Brute force cracking used to be very limited, because it requires a huge amount of time to crack a password that is not too short. However, as personal computers have become very powerful and most recent computers carry a good amount of memory, a new brute force method called "rainbow table" has recently become popular. A normal password that is shorter than 9 characters can be cracked by rainbow tables within minutes.
A rainbow table is simply a lookup table which stores all possible keys and corresponding hashes. It was very hard to create a large rainbow table in the past, since it requires a huge amount of disk space to store the database and a lot of RAM to store the indexes in order to run efficiently. However, personal computers have become powerful enough to create and run a useful rainbow table. A typical rainbow table is about 10 gigabytes in size, and can crack any password that contains less than 9 characters with no special characters, or less than 8 characters with special characters. The cracking process usually takes less than 10 minutes.
Although rainbow table cracking can be prevented by using salt, a lot of applications and web services do not use salt. A good example is Microsoft Windows: it stores unsalted password hashes on the machine, so it is vulnerable to this kind of attack. Many web applications also store unsalted hashes in cookies to maintain sessions; since cookies can usually be sniffed easily, they are also vulnerable to rainbow tables.
Brief rainbow table attack steps:
1. Obtain the hash function and password hashes of target
2. Generate the rainbow table corresponding to the hash function, if it does not already exist online
3. Compare password hashes to the table indexes and find the plain text
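Why salt defeats a precomputed table can be shown with the plain lookup-table model the article describes. This is an added example, not part of the original article: the word list is constructed, SHA-256 stands in for the unsalted hash, and PBKDF2 with a per-user random salt is one assumed way to store passwords safely.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for "all possible keys".
CANDIDATES = ["password", "letmein", "qwerty12", "mcmaster"]


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once; reusable against every unsalted store."""
    return {hashlib.sha256(c.encode()).hexdigest(): c for c in candidates}


def store_unsalted(password):
    """Weak storage: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=100_000):
    """Hardened storage: per-user random salt plus a slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def table_hits(table, stored_hex_values):
    """Return the plaintexts a precomputed table recovers from stored values."""
    return [table[h] for h in stored_hex_values if h in table]


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)

    # Two users who chose the same password.
    alice_weak, bob_weak = store_unsalted("letmein"), store_unsalted("letmein")
    print("unsalted values identical:", alice_weak == bob_weak)
    print("table recovers:", table_hits(table, [alice_weak, bob_weak]))

    alice, bob = store_salted("letmein"), store_salted("letmein")
    print("salted values identical:", alice[2] == bob[2])
    print("table recovers:", table_hits(table, [alice[2].hex(), bob[2].hex()]))
    print("legitimate login still works:", verify_salted("letmein", alice))
```

With salt, a table would have to be rebuilt for every individual salt value, which removes the advantage of precomputation.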
Discussion
As shown above, there exist many attacks that cannot be prevented by client-side software. The only possible defense for general users is carefulness and good habits. All the attacks described above are most effective against those who are not aware of these security threats, and the effectiveness drops significantly when people are aware of them. The following section gives some advice to help avoid these security issues.
Avoid using wireless when dealing with sensitive data.
Since wireless networking really has a lot of security issues, it is best to just use a wired connection when dealing with sensitive information such as banking or confidential communication. If wireless is the only choice, try to encrypt all the information, either manually or using services like VPN.
Always use web services that have encryption features.
Encryption is very important in all web services. It offers general protection to the information being transferred. Modern web browsers usually notify users that the web site being visited is using encryption via SSL (secure sockets layer) by changing the color of the address bar.
Use VPN when processing a lot of information on a public or wireless network.
VPN (virtual private network) offers a secure platform on public or insecure networks by using a set of encryption and authentication mechanisms. When processing lots of information on an insecure network, VPN is the best choice to protect information security. At McMaster University, this is enforced when students connect to university networks via MacConnect.
Use different passwords for different purposes.
A lot of people use one password for all their authentications on the internet. This is not a good practice as it increases security risks, since all the information is tied to one key that is sometimes exposed in an insecure environment. It is good to have several different passwords for sensitive information such as banking, and one or two keys for information which is not so important, such as online discussion boards.
See also
References
- Siponen, Mikko T. (June 2001). "Five dimensions of information security awareness". Computers and Society 31 (2), 24-29. New York, ACM Press.
- Fluhrer, Scott R.; Mantin, Itsik; Shamir, Adi (August 2001). "Weaknesses in the Key Scheduling Algorithm of RC4", Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography, 1-24.