CISSP Official Study Guide, Eighth Edition. Chapter 14: Controlling and Monitoring Access
Mike Chapple, James Michael Stewart, Darril Gibson. CISSP Official Study Guide. Sybex, 2018.

Common Access Control Attacks

Access control attacks attempt to bypass or circumvent access control methods. As mentioned in Chapter 13, access control starts with identification and authorization, and access control attacks often try to steal user credentials. After attackers have stolen a user's credentials, they can launch an online impersonation attack by logging in as the user and accessing the user's resources. In other cases, an access control attack can bypass authentication mechanisms and just steal the data.

This book covers multiple attacks, and the following sections cover some common attacks directly related to access control.
Access Aggregation Attacks

Access aggregation refers to collecting multiple pieces of nonsensitive information and combining (i.e., aggregating) them to learn sensitive information. In other words, a person or group may be able to collect multiple facts about a system and then use these facts to launch an attack.

Reconnaissance attacks are access aggregation attacks that combine multiple tools to identify multiple elements of a system, such as Internet Protocol (IP) addresses, open ports, running services, operating systems, and more. Attackers also use aggregation attacks against databases. Chapter 20, "Software Development Security," covers aggregation and inference attacks that indirectly allow unauthorized individuals access to data using aggregation and inference techniques.

Combining defense-in-depth, need-to-know, and least privilege principles helps prevent access aggregation attacks.
Password Attacks

Passwords are the weakest form of authentication, and there are many password attacks available. If an attacker is successful in a password attack, the attacker can gain access to the account and access resources authorized to the account. If an attacker discovers a root or administrator password, the attacker can access any other account and its resources. If attackers discover passwords for privileged accounts in a high-security environment, the security of the environment can never be fully trusted again. The attacker could have created other accounts or backdoors to access the system. Instead of accepting the risk, an organization may choose to rebuild the entire system from scratch.
A strong password helps prevent password attacks. It is sufficiently long with a combination of character types. The phrase "sufficiently long" is a moving target and dependent on the usage and the environment. Chapter 13 discusses password policies, strong passwords, and the use of passphrases. The important point is that longer passwords are stronger than shorter passwords.
While security professionals usually know what makes a strong password, many users do not, and it is common for users to create short passwords with only a single character type. The Ashley Madison data breach in 2015 helps illustrate this. Ashley Madison is an online dating service marketed to people who are married or in relationships, and its slogan is "Life is short. Have an affair." Attackers released more than 60 GB of customer records, and an analysis of passwords showed that more than 120,000 users had a password of 123456. Other passwords in the top 10 included 12345, 1234567, 12345678, 123456789, password, and abc123. Users were seeking to cheat on their spouses yet still using incredibly simple passwords.
Passwords should not be stored in cleartext. Instead, they are typically hashed using a strong hashing function such as SHA-3, and the hash of the password is stored. When a user authenticates, the system hashes the provided password and typically sends the hash to an authentication server in an encrypted format. The authentication server decrypts the received hash and then compares it to the stored hash for the user. If the hashes match, the system authenticates the user.

It's important to use strong hashing functions when hashing passwords. Many password attacks succeed when organizations have used weak hashing functions, such as message digest 5 (MD5).
Note: Most security professionals know they should never use simple passwords, such as 123456. However, security professionals sometimes forget that users still create these types of simple passwords because they are unaware of the risks. Many end users benefit from security training to educate them.
It's also important to change default passwords. While IT professionals know this for computers, this knowledge hasn't extended well to embedded systems. An embedded system is any device with a dedicated function and includes a computing system to perform that function. As an example, consider an embedded system that operates a network and collects data from customers' water meters. If the default password isn't changed, anyone who knows the password can log in and cause problems.
Dangers of Failing to Change Default Passwords

Adam Flanagan was sentenced to jail for attacking and damaging IT networks of several water utility providers. He was fired on November 16, 2013, and later pleaded guilty to six attacks that occurred between March 1, 2014, and May 19, 2014.

These attacks prevented the water utility providers in at least six cities from connecting to water meters remotely. He also changed passwords on some systems to obscenities. Court documents indicate that he attacked systems that he installed.

Flanagan later admitted to FBI agents that he used telnet to log onto remote systems from his home computer. While court documents aren't clear, it appears that the embedded systems were running Linux, and the organization used the same password for the root account when installing systems. In several attacks, investigators discovered that he had logged in using the default root password of the remote system.

He pleaded guilty on March 7, 2017, and was sentenced to a year and one day in prison on June 14, 2017. This is just one of many examples. Many are making their way through the court system, and the final results may not be known for a year or more.
The following sections describe common password attacks using dictionary, brute-force, rainbow tables, and sniffing methods. Some of these attacks are possible against online accounts. However, it's more common for an attacker to steal an account database and then crack the passwords using an offline attack.
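As an added illustration (not code from the study guide) of the hashing paragraphs above and of the offline dictionary and rainbow-table attacks this section introduces: it contrasts the unsalted hash-and-compare scheme the text describes with a salted, iterated PBKDF2 record, using a constructed wordlist built from the weak passwords the text cites. All function names are my own, and the "stolen database" is constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: the passwords the excerpt cites from the Ashley
# Madison analysis (123456 and the other top-10 entries named in the text).
WEAK_PASSWORDS = ["123456", "12345", "1234567", "12345678", "123456789",
                  "password", "abc123"]


def unsalted_hash(password: str, algo: str = "sha256") -> str:
    """hash(password) with no salt and no work factor, as the text describes.
    The algorithm name is not the weakness: sha3_256 fails the same way as md5,
    because every user with the same password gets the same stored value."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup(wordlist, algo: str = "sha256") -> dict:
    """Precomputed hash -> password table: the idea behind rainbow-table lookups.
    It is built once and reused against any database hashed the same way."""
    return {unsalted_hash(w, algo): w for w in wordlist}


def audit_weak_hashes(stored_hashes, lookup: dict) -> dict:
    """Defender's audit: which stored unsalted hashes belong to known-weak passwords?
    Each hit is an account an offline attacker recovers instantly from a stolen DB."""
    return {h: lookup[h] for h in stored_hashes if h in lookup}


def make_record(password: str, iterations: int = 600_000) -> str:
    """Store with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256).
    The salt defeats precomputed tables; the iteration count throttles each guess."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed "stolen database": one weak password, one long passphrase.
    stolen = [unsalted_hash("123456"), unsalted_hash("correct horse battery staple")]
    print(audit_weak_hashes(stolen, build_lookup(WEAK_PASSWORDS)))  # only 123456 hits
    rec = make_record("123456")
    print(verify_record("123456", rec), verify_record("1234567", rec))  # True False
```

Note that two records for the same password differ because of the random salt, so a table like `build_lookup` cannot be precomputed against PBKDF2 records; the attacker is forced back to one slow guess per account.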