
    Password Cracking and Countermeasures in Computer Security: A Survey

    With the rapid development of internet technologies, social networks and related areas, user authentication has become increasingly important for protecting users' data. Password authentication is one of the most widely used methods of authenticating legitimate users and keeping intruders out. Many password cracking methods have been developed over the years, and countermeasures against them have been designed just as continuously; however, the field has rarely been surveyed. This paper gives a brief review of password cracking methods, the important technologies behind password cracking, and the countermeasures against it. These countermeasures are usually designed at two stages: the password design stage (e.g. user education, dynamic passwords, use of tokens, computer-generated passwords) and after design (e.g. reactive password checking, proactive password checking, password encryption, access control). The main objective of this work is to give novice IT security professionals and general readers some knowledge of computer security and password cracking, and to promote the development of this area.
    Comment: add copyright to the tables to the original authors, add acknowledgement to helpe

    An Analysis Of Tools, Techniques, And Mathematics Involved In A Penetration Test

    In the security arena there are two main approaches to carrying out security measures, offensive and defensive. Penetration testing combines the two to help detect and eliminate vulnerabilities: it simulates real attacks to assess the potential consequences of a security breach, and penetration testers not only discover vulnerabilities but actively exploit them to identify the systems and data at risk. Using a virtual lab and Appalachian State University's Computer Science Department student server as targets, this thesis introduces the idea of a penetration test, demonstrates selected tools, investigates the efficiency of various attacks, and finally examines the information obtained. An effective and efficient password cracking attempt is illustrated by discovering, analyzing and interpreting the mathematics underlying the Secure Hash Algorithm (SHA). The work exposed significant security vulnerabilities on the student machine, including an exploit that a regular user can execute to obtain root access unobtrusively. In addition, student account passwords are, by default, very insecure: after using an exploit to obtain the password and shadow files, 60% of the passwords could be cracked in just over 24 hours.
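    The dictionary attack the thesis describes, reduced to a runnable Python sketch. This is an added example, not code from the survey or the thesis. The wordlist, the three accounts and the mangling rules are constructed for the demonstration, and a salted SHA-256 stands in for the shadow-file hash format. crack() runs the attacker's side; proactive_check() reuses the same mangling rules on the defender's side, which is what the survey's "proactive password checking" amounts to: a password is rejected at design time if the attacker's own rules would reach it.

```python
"""Offline dictionary attack against a shadow-style store, with the same
mangling rules reused as a proactive password checker.

Added example; not code from either paper. Wordlist, accounts and rules are
constructed for the demonstration."""
import hashlib
import hmac
import os

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "dragon", "appstate", "sunshine", "qwerty"]
SUFFIXES = ("1", "123", "!", "2017")
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the variants a cracker derives from one dictionary word."""
    for base in sorted({word, word.capitalize(), word.upper(), word.translate(LEET)}):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(wordlist):
    """Every guess the attacker will try, in the order tried."""
    for word in wordlist:
        yield from mangle(word)


def sha_hash(password, salt):
    """Fast salted SHA-256. The salt defeats precomputed tables, but a
    per-user dictionary run like crack() still costs only one SHA per guess."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password, salt):
    """Memory-hard scrypt: same dictionary, far higher cost per guess."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1).hex()


def make_shadow(users, hash_fn):
    """Build {user: (salt, digest)} with a fresh random salt per account."""
    shadow = {}
    for user, password in users.items():
        salt = os.urandom(16)
        shadow[user] = (salt, hash_fn(password, salt))
    return shadow


def crack(shadow, wordlist, hash_fn):
    """Return {user: recovered_password} for every account the dictionary reaches."""
    cracked = {}
    for user, (salt, digest) in shadow.items():
        for guess in candidates(wordlist):
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked


def proactive_check(password, wordlist, min_len=12):
    """Reject a proposed password if the attacker's rules above would reach it."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password in set(candidates(wordlist)):
        problems.append("derivable from the wordlist by common mangling rules")
    return problems


if __name__ == "__main__":
    # Constructed accounts: two mangled dictionary words and one passphrase.
    users = {"alice": "Dragon123", "bob": "p@$$w0rd!", "carol": "correct horse battery staple"}
    shadow = make_shadow(users, sha_hash)
    print("cracked:", crack(shadow, WORDLIST, sha_hash))
    for password in users.values():
        print(repr(password), "->", proactive_check(password, WORDLIST) or "accepted")
```

    Running the file shows both mangled dictionary words falling to the fast hash while the passphrase survives. Swapping sha_hash for slow_hash does not change which passwords are reachable, only the cost per guess; that cost is the lever the survey's "password encryption" countermeasure actually pulls, and it is why a figure like the thesis's 60% in 24 hours depends on the hash function as much as on the passwords.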

    Adaptive Vocal Random Challenge Support for Biometric Authentication

    The aim of this bachelor's thesis was to develop a speech recognition application that can be used for vocal random challenges. The goal of the application was to provide one possible solution to the central security problem of voice-based biometric authentication: replay attacks. The software is based on the open-source PocketSphinx speech recognition toolkit and is written in Python. The resulting application consists of two parts: a demonstration program with a graphical user interface, and a command-line utility. The GUI application is suitable for demonstrating the capabilities of the speech recognition toolkit, whereas the command-line utility can be used to add speech recognition capabilities to virtually any other program. In the GUI application the user interacts with the program directly by voice to open the door of the demonstration scene: to be authenticated, the user must say the correct sequence of digits or the English word corresponding to a picture. Both applications can be configured by creating custom language models, or, for the demonstration application, by changing the length of the numeric random challenges.
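    The random-challenge idea the thesis relies on, written out as the verifier's side in Python. This is an added example, not the thesis software: the speech recognition step (PocketSphinx in the thesis) is assumed to have already produced the transcript string that verify() receives, and only the challenge bookkeeping is shown. The six-digit length and the 30-second lifetime are assumptions. The point of the construction is that a recording of a previous successful answer is useless, because each challenge is fresh, bound to one user, short-lived and consumed on first use.

```python
"""Random-challenge verifier for voice authentication: each login attempt gets
a fresh spoken challenge that is accepted at most once and then retired, so a
recorded answer cannot be replayed.

Added example, not part of the thesis. Transcripts are assumed to come from
the recogniser; digit length and lifetime are assumptions."""
import hmac
import secrets
import time

DIGIT_WORDS = ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine"]
WORD_TO_DIGIT = {word: str(i) for i, word in enumerate(DIGIT_WORDS)}
WORD_TO_DIGIT["oh"] = "0"  # recognisers commonly emit "oh" for zero


def normalize_transcript(transcript):
    """Map recogniser output such as "four two oh 7" to the digit string "4207"."""
    return "".join(WORD_TO_DIGIT.get(token, token) for token in transcript.lower().split())


class ChallengeVerifier:
    def __init__(self, digits=6, ttl=30.0, clock=time.monotonic):
        self.digits = digits
        self.ttl = ttl              # seconds the caller has to answer (assumption)
        self.clock = clock          # injectable for testing
        self.pending = {}           # challenge_id -> (user, expected_digits, issued_at)

    def issue(self, user):
        """Generate an unpredictable challenge the caller must speak back."""
        challenge = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        cid = secrets.token_hex(8)
        self.pending[cid] = (user, challenge, self.clock())
        return cid, challenge

    def verify(self, cid, user, transcript):
        """Accept the transcript only for a live, unused challenge issued to this user."""
        entry = self.pending.pop(cid, None)   # one-shot: a replay finds nothing here
        if entry is None:
            return False, "unknown or already consumed challenge"
        expected_user, expected, issued_at = entry
        if expected_user != user:
            return False, "challenge belongs to a different user"
        if self.clock() - issued_at > self.ttl:
            return False, "challenge expired"
        spoken = normalize_transcript(transcript)
        if not hmac.compare_digest(spoken.encode(), expected.encode()):
            return False, "spoken digits do not match challenge"
        return True, "authenticated"


if __name__ == "__main__":
    verifier = ChallengeVerifier()
    cid, challenge = verifier.issue("alice")
    print("say:", " ".join(DIGIT_WORDS[int(d)] for d in challenge))
    # Constructed transcript: what the recogniser would return for a correct answer.
    transcript = " ".join(DIGIT_WORDS[int(d)] for d in challenge)
    print("first attempt:", verifier.verify(cid, "alice", transcript))
    print("replayed recording:", verifier.verify(cid, "alice", transcript))
```

    The recogniser still has to be good enough to distinguish a live speaker from a recording of a different challenge, but that is a recognition problem; the protocol above removes the attacker's ability to reuse a recording at all. For the thesis's picture-word challenges the same structure applies with a word in place of the digit string.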

    Infectious diseases management framework for Saudi Arabia (SAIF)

    A Thesis Submitted to the University of Bedfordshire in partial fulfilment of the requirements for the degree of Doctor of Philosophy
    Infectious disease management systems are an emerging field of modern healthcare in the Gulf region. Significant technical and clinical progress and advanced technologies can be used to improve the performance and ubiquity of such systems. Effective infectious disease management (IDM) can be achieved by analysing the disease management issues from the perspectives of both healthcare personnel and patients; hence it is necessary to identify the needs and requirements of both groups. The basic idea behind the mobile IDM system proposed in this thesis is to make the healthcare processes for managing infectious diseases more effective. For this purpose, internet and mobile technologies are integrated with social networking, mapping and IDM applications to improve process efficiency, and patients submit their health-related data remotely, through their own devices, to the system database (called SAIF). The main objective of this PhD project was the design and development of a novel web-based architecture for a next-generation infectious disease management system embedding the concept of social networking and tailored to Saudi patients. Following a detailed literature review that identifies the current status and potential impact of infectious disease management systems in the KSA, the thesis conducts a feasibility study from the user perspective to identify the needs and requirements of healthcare personnel and patients, and then proposes the design and development of the SAIF architecture (infectious diseases management framework for Saudi Arabia).
    Further, the thesis presents a usability study of the SAIF system to validate the acceptability of mobile technologies among infected patients in the KSA and the Gulf region. The preliminary results indicated general acceptance of the system by patients, with higher usability ratings among the more severely affected patients. Overall, the study concluded that the SAIF concept is an acceptable tool, particularly for infected patients.

    Addressing the cyber safety challenge: from risk to resilience

    Addressing the cyber safety challenge: from risk to resilience describes the cyber safety issues emerging from a range of technology trends, how different populations are using technologies and the risks they face, and how we can effectively respond to each group's unique cyber safety needs. Written by the University of Western Sydney for Telstra Corporation Ltd, the report advocates continuing to move cyber safety from a 'risk and protection' framework to one that focuses on building digital resilience, as well as fostering trust and confidence in the online environment. To do this we need to:
    - Address the needs of populations often neglected by current policies and programs, including adults, seniors, parents, and small to medium enterprises.
    - Continue to build the digital literacy skills of all populations, because digital literacy strongly influences users' ability to engage safely online; this is best achieved by a hands-on learning approach.
    - Keep risk in perspective: the risks and benefits of digital participation go hand in hand.
    - Broaden the focus from awareness-raising to long-term behaviour change.
    As digital technologies become further integrated into the everyday lives of Australians, users are potentially exposed to greater risks. However, the risks and benefits of digital participation go hand in hand. The challenge, therefore, is to support users to minimise the risks without limiting their digital participation and their capacity to derive the full benefits of connectivity. If Australians are to benefit as either consumers or providers of online services and products in the e-commerce environment, consumer safety and trust need to be improved. Cyber safety needs to be considered against a transforming backdrop of technology trends, products and practices.
    While the rise of social media has tended to dominate recent debate and developments in cyber safety, particularly in relation to young people, a range of other trends is also shaping how users engage online, the risks they potentially face in the new media landscape, and the strategies used to address them. These trends include the rise of user-generated content and content-sharing platforms; the uptake of mobile technologies and, in particular, the adoption of smartphones; cloud computing; platform integration and single sign-on mechanisms; and the rise of GPS and location-based services.

    Human Factors in Secure Software Development

    While security research has made significant progress in developing theoretically secure methods, software and algorithms, software still ships with many exploitable weaknesses, and many of them involve the human factor, which is often called "the weakest link" in software security. In response, human factors research in security and privacy focuses on the users of technology and considers their security needs, asking how technology can serve users while minimizing risk and empowering them to retain control over their own data. However, these concepts have to be implemented by developers, whose security errors may propagate to all of their software's users: software that stores data insecurely, does not secure network traffic correctly, or otherwise fails to follow secure programming practice puts every one of its users at risk. It is therefore critical that software developers implement security correctly. Yet security is rarely a primary concern while producing software, and developers may not have much awareness, knowledge, training or experience in secure development. A lack of focus on usability in the libraries, documentation and tools they have to use for security-critical components may exacerbate the problem by inflating the time and effort needed to "get security right". This dissertation's focus is how to support developers throughout the process of implementing software securely. The research aims to understand developers' use of resources, their mindsets as they develop, and how their background affects code security outcomes. Qualitative, quantitative and mixed methods were employed online and in the laboratory, and large-scale datasets were analyzed.
    The research found that the information sources developers use contribute to code (in)security: copying and pasting code from online forums produces functional code more quickly than using official documentation, but may introduce vulnerable code. We also compared the usability of cryptographic APIs, finding that poor usability, unsafe (and possibly obsolete) defaults and unhelpful documentation likewise lead to insecure code; conversely, well-thought-out documentation and abstraction levels improve an API's usability and may contribute to secure API usage. We found that developer experience contributes to better security outcomes, and that studying students in lieu of professional developers can produce meaningful insights into developers' experiences with secure programming. We found that there is a multitude of online secure development advice, but that these sources are incomplete and may be insufficient for developers seeking help, which may push them toward un-vetted and potentially insecure resources. This dissertation supports the view that (a) secure development is subject to human factor challenges and (b) security can be improved by addressing these challenges and supporting developers. The work presented here has been seminal in establishing human factors in secure development as a research area within the security and privacy community and has advanced the dialogue about the rigorous use of empirical methods in security and privacy research. Across these projects we repeatedly found that usability problems in security and privacy mechanisms, development practices and operational routines are what lead to the majority of security and privacy failures affecting millions of end users.
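    One concrete instance of the "copy-paste from a forum versus read the documentation" finding, in Python's standard ssl module. This is an added example, not from the dissertation or its studies. forum_snippet_context() is the pattern that makes a certificate error "go away" and is copied widely; documented_context() is what the module documentation recommends. audit_context() is a small check of the kind a code reviewer or linter would run over a context object, and is the part worth keeping; the findings it reports are exactly the "does not secure network traffic correctly" failure the abstract describes.

```python
"""Insecure TLS client context as commonly pasted from forums, beside the
documented form, with an audit function that flags the difference.

Added example, not code from the dissertation. No network access is needed;
the contexts are inspected, not used."""
import ssl


def forum_snippet_context():
    """The 'fix' for certificate errors that circulates on forums: it silences the
    error by turning off verification, so any server (or interceptor) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def documented_context():
    """What the ssl documentation recommends: verified chain, hostname check,
    and no protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; empty means no issue found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLSv1_2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("forum snippet", forum_snippet_context()), ("documented", documented_context())):
        print(name, "->", audit_context(ctx) or "no findings")
```

    The forum version gets the caller past the error and is therefore "functional", which is the quick win the abstract's copy-paste finding describes; the audit shows what was given up to get there. Note that check_hostname has to be cleared before verify_mode can be lowered, so the insecure snippet is two deliberate steps, not an accident of a default.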

    Scaring and Bullying People into Security Won't Work

    Users will pay attention to reliable and credible indicators of risks they want to avoid. Security mechanisms with a high false positive rate undermine the credibility of security and train users to ignore them. We need more accurate detection and better security tools if we are to regain users' attention and respect, rather than scare, trick, and bully them into complying with security measures that obstruct human endeavors

    Modeling The Secure Boot Protocol Using Actor Network Theory

    M.S. Thesis. University of Hawaiʻi at Mānoa 2017

    About the Measuring of Information Security Awareness: A Systematic Literature Review

    To make employees aware of their important role in information security, companies typically run security awareness campaigns. The success and effectiveness of those campaigns has to be measured, for example to justify their budget. We therefore conducted a systematic literature review to learn how information security awareness (ISA) is measured in theory and in practice, covering published literature as well as unpublished information obtained by interviewing experts from small and medium-sized enterprises. The results show that ISA is mostly measured with questionnaires, and that roughly 40% of those questionnaires are based on the Knowledge-Attitude-Behavior model, which is itself scientifically weak. Studies indicate that measuring knowledge is not sufficient and that behavior has to be measured as well. Our results also show that participants' questionnaire answers often differ from the truth, owing to misperception or social desirability bias. Behavior should therefore be measured through behavior tests.