Defense of a Small Network
A sample network will be virtually created consisting of three routers, one switch, and three hosts. The network will be secured using various methods such as enabling passwords and encryption. After the network has been properly secured, various attacks will be attempted with the goal of breaking into the network. These attacks include reconnaissance (gathering information), penetrating the network using the tool Metasploit, and attempting to get a credential phishing email to end users. If successful in the attacks, the network will be revisited and analyzed for any weaknesses or oversights.
PILOT: Password and PIN Information Leakage from Obfuscated Typing Videos
This paper studies leakage of user passwords and PINs based on observations
of typing feedback on screens or from projectors in the form of masked
characters that indicate keystrokes. To this end, we developed an attack called
Password and PIN Information Leakage from Obfuscated Typing Videos (PILOT). Our
attack extracts inter-keystroke timing information from videos of password
masking characters displayed when users type their password on a computer, or
their PIN at an ATM. We conducted several experiments in various attack
scenarios. Results indicate that, while in some cases leakage is minor, it is
quite substantial in others. By leveraging inter-keystroke timings, PILOT
recovers 8-character alphanumeric passwords in as little as 19 attempts. When
guessing PINs, PILOT significantly improved on both random guessing and the
attack strategy adopted in our prior work [4]. In particular, we were able to
guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold
improvement compared to random guessing. Our results strongly indicate that
secure password masking GUIs must consider the information leakage identified
in this paper.
Why Botnets Work: Distributed Brute-Force Attacks Need No Synchronization
In September 2017, McAfee Labs quarterly report estimated that brute force
attacks represent 20% of total network attacks, making them the most prevalent
type of attack ex-aequo with browser-based vulnerabilities. These attacks have
sometimes catastrophic consequences, and understanding their fundamental limits
may play an important role in the risk assessment of password-secured systems,
and in the design of better security protocols. While some solutions exist to
prevent online brute-force attacks that arise from one single IP address,
attacks performed by botnets are more challenging. In this paper, we analyze
these distributed attacks by using a simplified model. Our aim is to understand
the impact of distribution and asynchronization on the overall computational
effort necessary to breach a system. Our result is based on Guesswork, a
measure of the number of queries (guesses) required of an adversary before a
correct sequence, such as a password, is found in an optimal attack. Guesswork
is a direct surrogate for time and computational effort of guessing a sequence
from a set of sequences with associated likelihoods. We model the lack of
synchronization by a worst-case optimization in which the queries made by
multiple adversarial agents are received in the worst possible order for the
adversary, resulting in a min-max formulation. We show that, even without
synchronization, and for sequences of growing length, the asymptotic optimal
performance is achievable by using randomized guesses drawn from an appropriate
distribution. Therefore, randomization is key for distributed asynchronous
attacks. In other words, asynchronous guessers can asymptotically perform
brute-force attacks as efficiently as synchronized guessers. Comment: Accepted to IEEE Transactions on Information Forensics and Security
Security and Online learning: to protect or prohibit
The rapid development of online learning is opening up many new learning opportunities. Yet, with this increased potential come a myriad of risks. Usable security systems are essential as poor usability in security can result in excluding intended users while allowing sensitive data to be released to unacceptable recipients. This chapter presents findings concerned with usability for two security issues: authentication mechanisms and privacy. Usability issues such as memorability, feedback, guidance, context of use and concepts of information ownership are reviewed within various environments. This chapter also reviews the roots of these usability difficulties in the culture clash between the non-user-oriented perspective of security and the information exchange culture of the education domain. Finally, an account is provided of how future systems can be developed which maintain security and yet are still usable.