Access Control and Site Security

1
Access Control and Site Security
2
Access Control

• Access Control
• Access control is the policy-driven limitation of
  access to systems, data, and dialogs
• Prevent attackers from gaining access, stopping
  them if they do

3
Access Control

• First Steps
• Enumeration of Resources
• Sensitivity of Each Resource
• Next, who Should Have Access?
• Can be made individual by individual
• More efficient to define by roles (logged-in
  users, system administrators, project team
  members, etc.)

4
Access Control

• What Access Permissions (Authorizations) Should
  They Have?
• Access permissions (authorizations) define
  whether a role or individual should have any
  access at all
• If so, exactly what the role or individual should
  be allowed to do to the resource.
• Usually given as a list of permissions for users
  to be able to do things (read, change, execute
  program, etc.) for each resource

5
Access Control

• How Should Access Control Be Implemented?
• For each resource, need an access protection plan
  for how to implement protection in keeping with
  the selected control policy
• For a file on a server, for instance, limit
  authorizations to a small group, harden the
  server against attack, use a firewall to thwart
  external attackers, etc.

6
Access Control

• Policy-Based Access Control and Protection
• Have a specific access control policy and an
  access protection policy for each resource
• Focuses attention on each resource
• Guides the selection and configuration of
  firewalls and other protections
• Guides the periodic auditing and testing of
  protection plans

7
Server Password Cracking
shibboleth

• Reusable Passwords
• A password you use repeatedly to get access to a
  resource on multiple occasions
• Bad because attacker will have time to learn it
  then can use it
• Difficulty of Cracking Passwords by Guessing
  Remotely
• Usually cut off after a few attempts
• However, if can steal the password file, can
  crack passwords at leisure

8
Server Password Cracking

• Hacking Root
• Super accounts (can take any action in any
  directory)
• Hacking root in UNIX
• Super accounts in Windows (administrator) and
  NetWare (supervisor)
• Hacking root is rare usually can only hack an
  ordinary user account
• May be able to elevate the privileges of the user
  account to take root action

9
Server Password Cracking

• Physical Access Password Cracking
• l0phtcrack
• Lower-case L, zero, phtcrack
• Password cracking program
• Run on a server (need physical access)
• Or copy password file and run l0phtcrack on
  another machine.

10
Server Password Cracking

• Physical Access Password Cracking
• Brute-force password guessing
• Try all possible character combinations
• Longer passwords take longer to crack
• Using more characters also takes longer
• Alphabetic, no case (26 possibilities)
• Alphabetic, case (52)
• Alphanumeric (letters and numbers) (62)
• All keyboard characters (80)

11
Password Length
Password Length In Characters
Alphanumeric Letters Digits (N62)
All Keyboard Characters (N80)
Alphabetic, Case (N52)
Alphabetic, No Case (N26)
1
62
80
52
26
2 (N2)
3,844
6,400
2,704
676
4 (N4)
14,776,336
40,960,000
7,311,616
456,976
6
56,800,235,584
2.62144E11
19,770,609,664
308,915,776
8
2.1834E14
1.67772E15
5.34597E13
2.08827E11
10
8.39299E17
1.07374E19
1.44555E17
1.41167E14
12
Server Password Cracking

• Physical Access Password Cracking
• Brute Force Attacks
• Try all possible character combinations
• Slow with long passwords length
• Dictionary attacks
• Try common words (password, ouch, etc.)
• There are only a few thousand of these
• Cracked very rapidly
• Hybrid attacks
• Common word with single digit at end, etc.

13
Server Password Cracking

• Password Policies
• Good passwords
• At least 6 characters long
• Change of case not at beginning
• Digit (0 through 9) not at end
• Other keyboard character not at end
• Example triV6ial

14
Server Password Cracking

• Password Policies
• Testing and enforcing password policies
• Run password cracking program against own servers
• Caution requires approval! SysAdmins have been
  fired for doing this without permissionand
  should be
• Password duration policies How often passwords
  must be changed

15
Server Password Cracking

• Password Policies
• Password sharing policies Generally, forbid
  shared passwords
• Removes ability to learn who took actions loses
  accountability
• Usually is not changed often or at all because of
  need to inform all sharers

16
Server Password Cracking

• Password Policies
• Disabling passwords that are no longer valid
• As soon as an employee leaves the firm, etc.
• As soon as contractors, consultants leave
• In many firms, a large percentage of all accounts
  are for people no longer with the firm

17
Server Password Cracking

• Password Policies
• Lost passwords
• Password resets Help desk gives new password for
  the account
• Opportunities for social engineering attacks
• Leave changed password on answering machine
• Biometrics voice print identification for
  requestor (but considerable false rejection rate)

18
Server Password Cracking

• Password Policies
• Lost passwords
• Automated password resets
• Employee goes to website
• Must answer a question, such as In what city
  were you born?
• Problem of easily-guessed questions that can be
  answered with research

19
UNIX/etc/passwd File Entries
Without Shadow Password File
With Shadow Password File
Pleex473Pat Lee/usr/plee//bin/csh
The x indicates that the password is stored in a
separate shadow password file
20
UNIX/etc/passwd File Entries

• Unix passwd File
• Contains the username, password, and other
  information is semi-standard form
• In the /etc directory that is accessible to
  anyone
• Anyone can steal the passwd file and crack the
  passwords
• Unix Shadow File
• Newer versions of Unix store passwords in a
  protected shadow file
• In the passwd file, there is an x in the password
  position

21
Server Password Cracking

• Password Policies
• Encrypted (hashed) password files (Figure 2-4)
• Passwords not stored in readable form
• Encrypted with DES or hashed with MD5
• In UNIX, etc/passwd puts x in place of password
• Encrypted or hashed passwords are stored in a
  different (shadow) file to which only high-level
  accounts have access

22
Password Hashing (or Encryption)
2. Hash My4Bad 11110000
1. User Lee Password My4Bad
3. Hashes Match
Client PC User Lee
Hashed Password File Brown 11001100 Lee 11110000 C
hun 00110011 Hatori 11100010
4. Hashes Match, So User is Authenticated
23
Server Password Cracking

• Password Policies
• Windows passwords
• Obsolete LAN manager passwords (7 characters
  maximum) should not be used
• Windows NTLM passwords are better
• Option (not default) to enforce strong passwords

24
Server Password Cracking

• Shoulder Surfing
• Watch someone as they type their password
• Keystroke Capture Software
• Professional versions of windows protect RAM
  during password typing
• Consumer versions do not
• Trojan horse throws up a login screen later,
  reports its finding to attackers

25
Server Password Cracking

• Windows Client PC Software
• Consumer version login screen is not for security
• Windows professional and server versions provide
  good security with the login password
• BIOS passwords allow boot-up security
• Can be disabled by removing the PCs battery
• But during a battery removal, the attacker will
  be very visible
• Screen savers with passwords allow away-from-desk
  security after boot-up

26
Building Security
27
Building Security

• Building Security Basics
• Single point of (normal) entry to building
• Fire doors, etc. use closed-circuit television
  (CCTV) and alarms to monitor them
• Security centers
• Monitors for closed-circuit TV (CCTV)
• Videotapes that must be retained (Dont reuse too
  much or the quality will be bad)
• Alarms

28
Building Security

• Building Security Basics
• Interior doors to control access between parts of
  the building
• Piggybacking holding the door open so that
  someone can enter without identification defeats
  this protection
• Enforcing policies You get what you enforce
• Training security personnel
• Training all employees

29
Building Security

• Building Security Basics
• Phone stickers with security center phone number
• Thwarting piggybacking by employee education and
  sanctions for allowing it
• Dumpster diving by keeping Dumpsters in locked,
  lighted area
• Drive shredding programs for discarded disk
  drives that do more than reformat drives

30
Physical building Cabling
3. Entrance Facility with Termination Equipment
6. Vertical Riser Space
5. Core Switch (Chassis)
4. Router
2. To WAN
1. Equipment Room (Usually in Basement)
31
Physical building Cabling

• Vertical
• Distribution

5. Horizontal Distribution
4. Workgroup Switch
3. Telecommunications Closet on Floor
2. Optical Fiber One Pair per Floor
32
Physical building Cabling
Horizontal and Final Distribution
Workgroup Switch in Telecoms Closet
1. Horizontal Distribution One 4-Pair UTP Cord
33
Building Security

• Data Wiring Security
• Telecommunications closets should be locked
• Wiring conduits should be hard to cut into
• Servers rooms should have strong access security

34
Access Cards and Tokens
35
Access Cards

• Magnetic Stripe Cards
• Smart Cards
• Have a microprocessor and RAM
• More sophisticated than mag stripe cards
• Release only selected information to different
  access devices

36
Access Cards

• Tokens
• Small device with constantly-changing password
• Or device that can plug into USB port or another
  port
• Proximity Tokens
• Use short-range radio transmission
• Can be detected and tested without physical
  contact
• Allows easier access used in Tokyo subways

37
Access Cards

• Card Cancellation
• Requires a central system
• PINs
• Personal Identification Numbers
• Short about 4 digits
• Can be short because attempts are manual (10,000
  combinations to try with 4 digits)

38
Access Cards

• PINs
• Should not allow obvious combinations (1111,
  1234) or important dates
• Provide two-factor authentication
• E.g., PIN and card
• Dont allow writing PIN on card

39
Biometric Authentication
40
Biometric Authentication

• Biometric Authentication
• Authentication based on body measurements and
  motions
• Because you always bring your body with you
• Biometric Systems (Figure 2-10)
• Enrollment
• Later access attempts
• Acceptance or rejection

41
Biometric Authentication System
1. Initial Enrollment
User Lee Scanning
User Lee Template (01101001)
Processing (Key Feature Extraction) A01, B101,
C001
Template Database Brown 10010010 Lee
01101001 Chun 00111011 Hirota 1101110

3. Match Index Decision Criterion (Close Enough?)
2. Subsequent Access
Applicant Scanning
User Access Data (01111001)
Processing (Key Feature Extraction) A01, B111,
C001
42
Biometric Authentication

• Verification Versus Identification
• Verification Are applicants who they claim to
  be? (compare with single template)
• Identification Who is the applicant? (compare
  with all templates)
• More difficult than verification because must
  compare to many templates
• Watch list is this person a member of a specific
  group (e.g., known terrorists)
• Intermediate in difficulty

43
Biometric Authentication

• Verification Versus Identification
• Verification is good for replacing passwords in
  logins
• Identification is good for door access and other
  situations where entering a name would be
  difficult

44
Biometric Authentication
FAR

• Precision
• False acceptance rates (FARs) Percentage of
  unauthorized people allowed in
• Person falsely accepted as member of a group
• Person allowed through a door who should be
  allowed through it
• Very bad for security

45
Biometric Authentication
FRR

• Precision
• False rejection rates (FRRs) Percentage of
  authorized people not recognized as being members
  of the group
• Valid person denied door access or server login
  because not recognized
• Can be reduced by allowing multiple access
  attempts
• High FRRs will harm user acceptance because users
  are angered by being falsely forbidden

46
Biometric Authentication

• Precision
• Vendor claims for FARs and FRRs tend to be
  exaggerated because they often perform tests
  under ideal circumstances
• For instance, having only small numbers of users
  in the database
• For instance, by using perfect lighting,
  extremely clean readers, and other conditions
  rarely seen in the real world

47
Biometric Authentication

• User Acceptance is Crucial
• Strong user resistance can kill a system
• Fingerprint recognition may have a criminal
  connotation
• Some methods are difficult to use, such as iris
  recognition, which requires the eye to be lined
  up carefully.
• These require a disciplined group

48
Biometric Authentication

• Biometric Methods
• Fingerprint recognition
• Dominates the biometric market today
• Based on a fingers distinctive pattern of
  whorls, arches, and loops
• Simple, inexpensive, well-proven
• Weak security can be defeated fairly easily with
  copies
• Useful in modest-security areas

New
49
Biometric Authentication

• Biometric Methods
• Iris recognition
• Pattern in colored part of eye
• Very low FARs
• High FRR if eye is not lined up correctly can
  harm acceptance
• Reader is a cameradoes not send light into the
  eye!

New
50
Biometric Authentication

• Biometric Methods
• Face recognition
• Can be put in public places for surreptitious
  identification (identification without citizen
  or employee knowledge). More later.
• Hand geometry shape of hand
• Voice recognition
• High error rates
• Easy to fool with recordings

51
Biometric Authentication

• Biometric Methods
• Keystroke recognition
• Rhythm of typing
• Normally restricted to passwords
• Ongoing during session could allow continuous
  authentication
• Signature recognition
• Pattern and writing dynamics

52
Biometric Authentication

• Biometric Standards
• Almost no standardization
• Worst for user data (fingerprint feature
  databases)
• Get locked into single vendors

53
Biometric Authentication

• Can Biometrics be Fooled?
• Airport face recognition
• Identification of people passing in front of a
  camera
• False rejection rate rate of not identifying
  person as being in the database
• Fail to recognize a criminal, terrorist, etc.
• FRRs are bad

54
Biometric Authentication

• Can Biometrics be Fooled?
• Airport face recognition
• 4-week trial of face recognition at Palm Beach
  International Airport
• Only 250 volunteers in the user database
  (unrealistically small)
• Volunteers were scanned 958 times during the
  trial
• Only recognized 455 times! (47)
• 53 FRR

55
Biometric Authentication

• Can Biometrics be Fooled?
• Airport face recognition
• Recognition rate fell if wore glasses (especially
  tinted), looked away
• Would be worse with larger database
• Would be worse if photographs were not good

56
Biometric Authentication

• Can Biometrics be Fooled?
• DOD Tests indicate poor acceptance rates when
  subjects were not attempting to evade
• 270-person test
• Face recognition recognized person only 51
  percent of time
• Even iris recognition only recognized the person
  94 percent of the time!

57
Biometrics Authentication

• Can Biometrics be Fooled?
• Other research has shown that evasion is often
  successful for some methods
• German ct magazine fooled most face and
  fingerprint recognition systems
• Prof. Matsumoto fooled fingerprint scanners 80
  percent of the time with a gelatin finger created
  from a latent (invisible to the naked eye) print
  on a drinking glass

58
802.11 Wireless LAN Security
59
802.11 Wireless LAN (WLAN) Security

• 802.11 Wireless LAN Family of Standards
• Basic Operation (Figure 2-12 on next slide)
• Main wired network for servers (usually 802.3
  Ethernet)
• Wireless stations with wireless NICs
• Access points
• Access points are bridges that link 802.11 LANs
  to 802.3 Ethernet LANs

60
802.11 Wireless LAN
802.11 Frame Containing Packet
(3)
(1)
61
Figure 2-12 802.11 Wireless LAN
(2)
802.3 Frame Containing Packet
(1)
(3)
62
802.11 Wireless LAN (WLAN) Security

• Basic Operation
• Propagation distance farther for attackers than
  users
• Attackers can have powerful antennas and
  amplifiers
• Attackers can benefit even if they can only read
  some messages
• Dont be lulled into complacency by internal
  experiences with useable distances

63
802.11 Wireless LAN Standards
Standard
Rated Speed (a)
Unlicensed Radio Band
Effective Distance (b)
802.11b
11 Mbps
2.4 GHz
30-50 meters
802.11a
54 Mbps
5 GHz
10-30 meters
802.11g
54 Mbps
2.4 GHz
?
Notes (a) Actual speeds are much lower and
decline with distance. (b) These are distances
for good communication attackers can read some
signals and send attack frames from longer
distances.
64
802.11 Wireless LAN (WLAN) Security

• Apparent 802.11 Security
• Spread spectrum transmission does not provide
  security
• Signal is spread over a broad range of
  frequencies
• Methods used by military are hard to detect
• 802.11 spread spectrum methods are easy to detect
  so devices can find each other
• Used in 802.11 to prevent frequency-dependent
  propagation problems rather than for security

65
802.11 Wireless LAN (WLAN) Security

• Apparent 802.11 Security
• SSIDs
• Mobile devices must know the access points
  service set identifier (SSID) to talk to the
  access point
• Usually broadcast frequently by the access point
  for ease of discovery, so offers no security.
• Sent in the clear in messages sent between
  stations and access points

66
802.11 Wireless LAN (WLAN) Security

• Wired Equivalent Privacy (WEP)
• Biggest security problem Not enabled by default
• 40-bit encryption keys are too small
• Nonstandard 128-bit (really 104-bit) keys are
  reasonable interoperable

67
802.11 Wireless LAN (WLAN) Security

• Wired Equivalent Privacy (WEP)
• Shared passwords
• Access points and all stations use the same
  password
• Difficult to change, so rarely changed
• People tend to share shared passwords too widely
• Flawed security algorithms
• Algorithms were selected by cryptographic
  amateurs

68
802.11 Wireless LAN (WLAN) Security

• 802.1x and 802.11i (Figure 2-14)
• Authentication server
• User data server
• Individual keys give out at access point

69
802.1x Authentication for 802.11i WLANs
RADIUS Server
2. Pass on Request to RADIUS Server
1. Authentication Data
4. Accept Applicant KeyXYZ
5. OK Use Key XYZ
3. Get User Lees Data (Optional RADIUS Server
May Store This Data)
Directory Server or Kerberos Server
70
802.11 Wireless LAN (WLAN) Security
New Presentation

• 802.1x and 802.11
• Control access when the user connects to the
  network
• At a wired RJ-45 jack
• At a wireless access point
• 802.1x is a general approach to port
  authentication
• 802.11i is the implementation of 802.1x on 802.11
  wireless LANs

71
802.11 Wireless LAN (WLAN) Security
New Presentation

• 802.1x and 802.11
• Extensible Authentication Protocol (EAP)
• Supports multiple forms of authentication
• EAP-TLS
• EAP-TTLS
• PEAP

72
802.11 Wireless LAN (WLAN) Security
New Presentation

• 802.1x and 802.11
• Extensible Authentication Protocol (EAP)
• Authentication mechanisms
• Passwords
• Simple and inexpensive to implement
• Low security
• Digital Certificate
• Complex and expensive to install digital
  certificates on many devices
• Very strong authentication

73
802.11 Wireless LAN (WLAN) Security
New Presentation
74
802.11 Wireless LAN (WLAN) Security
New Presentation

• TLS
• The default for 802.11i security but choice of
  either digital certificates for clients or no
  client authentication is undesirable
• PEAP and TTLS
• Very similar in terms of the authentication
  methods they support
• PEAP is supported by Microsoft, Cisco, and RSA
• TTLS is supported by a consortium of other vendors

75
802.11 Wireless LAN (WLAN) Security
New Presentation

• 802.1x and 802.11i (Figure 2-14)
• After authentication, the client must be given a
  key for confidentiality
• Temporal Key Integrity Protocol (TKIP) is used in
  802.11i and 802.1x
• Key changed every 10,000 frames to foil data
  collection for key guessing
• This is an Advanced Encryption Standard (AES) key

76
Wi-Fi and WPA
New Not in Book

• Wi-Fi Alliance
• Industry group that certifies 802.11 systems
• Created the Wi-Fi Protected Access (WPA) system
  in 2002
• WPA is basically 802.11i
• But does not use AES keys
• Many installed wireless products can be upgraded
  to WPA
• Stop-gap measure before 802.11i

77
802.11i Today
New Not in Book

• 802.11i standard was released in July 2004
• But products started appearing in 2003
• What must firms do?
• Throw out WEP-only products
• In security, legacy technologies are not
  acceptable
• Decide if it can have WPA and 802.11i products
  co-exist

78
802.11 Wireless LAN (WLAN) Security

• Virtual Private Networks (VPNs)
• Add security on top of network technology to
  compensate for WLAN weaknesses
• Discussed in Chapter 8

WLAN, etc.
VPN
79
The Situation Today in Wireless Security

• Wireless security is poor in most installations
  today
• The situation is improving, and technology will
  soon be good
• But old installations are likely to remain weak
  links in corporate security