Targeted online password guessing:an underestimated threat
While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service by exploiting the victim's personal information, such as one sister password leaked from another of her accounts and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I~IV capture the four most representative scenarios and, within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% against security-savvy users and by 72% against normal users; and (3) both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.
A Survey on Password Guessing
Text passwords have served as the most popular method for user authentication so far, and are not likely to be totally replaced in the foreseeable future. Password authentication offers several desirable properties (e.g., low cost, high availability, easy implementation, reusability). However, it suffers from a critical security issue mainly caused by humans' inability to memorize complicated strings. Users tend to choose easy-to-remember passwords which are not uniformly distributed in the key space. Thus, user-selected passwords are susceptible to guessing attacks. In order to encourage and support users to use strong passwords, it is necessary to simulate automated password guessing methods to determine the passwords' strength and identify weak passwords. A large number of password guessing models have been proposed in the literature. However, little attention has been paid to the task of providing a systematic survey, which is necessary to review the state-of-the-art approaches, identify gaps, and avoid duplicate studies. Motivated by that, we conduct a comprehensive survey on all password guessing studies presented in the literature from 1979 to 2022. We propose a generic methodology map to present an overview of existing methods. Then, we explain each representative approach in detail. The experimental procedures and available datasets used to evaluate password guessing models are summarized, and the reported performances of representative studies are compared. Finally, the current limitations and the open problems as future research directions are discussed. We believe that this survey is helpful to both experts and newcomers who are interested in password security.
Comment: 35 pages, 5 figures, 5 table
A New Targeted Password Guessing Model
TarGuess-I is a leading targeted password guessing model using users' personally identifiable information (PII), proposed at ACM CCS 2016 by Wang et al. Owing to its superior guessing performance, TarGuess-I has attracted widespread attention in password security. Yet, TarGuess-I fails to capture popular passwords and special strings in passwords correctly. Thus we propose TarGuess-I: an improved password guessing model, which is capable of identifying popular passwords by generating the top-300 most popular passwords from similar websites and grasping special strings by extracting continuous characters from user-generated PII. We conduct a series of experiments on 6 real-world leaked datasets, and the results show that our improved model outperforms TarGuess-I by 9.07% on average with 1000 guesses, which proves the effectiveness of our improvements.
A framework for securing email entrances and mitigating phishing impersonation attacks
Emails are used every day for communication, and many countries and organisations mostly use email for official communications. It is highly valued and recognised for confidential conversations and transactions in day-to-day business. The frequent use of this channel and the quality of information it carries have attracted cyber attackers to it. There are many existing techniques to mitigate attacks on email; however, the systems are more focused on email content and behaviour and not on securing entrances to email boxes, composition, and settings. This work intends to protect users' email composition and settings to prevent attackers from using an account when it gets hacked or hijacked, and to stop them from setting forwarding on the victim's email account to a different account, which automatically stops the user from receiving emails. A secure code is applied to the composition send button to curtail insider impersonation attacks. Also, to secure open applications on public and private devices
Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses
As the convergence between our physical and digital worlds continues at a rapid pace, securing our digital information is vital to our prosperity. Most current typical computer systems are unwittingly helpful to attackers through their predictable responses. In everyday security, deception plays a prominent role in our lives, and digital security is no different. The use of deception has been a cornerstone technique in many successful computer breaches. Phishing, social engineering, and drive-by downloads are some prime examples. The work in this dissertation is structured to enhance the security of computer systems by using means of deception and deceit.
Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data
We develop the first universal password model -- a password model that, once pre-trained, can automatically adapt to any password distribution. To achieve this result, the model does not need to access any plaintext passwords from the target set. Instead, it exploits users' auxiliary information, such as email addresses, as a proxy signal to predict the underlying target password distribution. The model uses deep learning to capture the correlation between the auxiliary data of a group of users (e.g., users of a web application) and their passwords. It then exploits those patterns to create a tailored password model for the target community at inference time. No further training steps, targeted data collection, or prior knowledge of the community's password distribution is required. Besides defining a new state-of-the-art for password strength estimation, our model enables any end-user (e.g., system administrators) to autonomously generate tailored password models for their systems without the often unworkable requirement of collecting suitable training data and fitting the underlying password model. Ultimately, our framework enables the democratization of well-calibrated password models to the community, addressing a major challenge in the deployment of password security solutions on a large scale.
Comment: v0.0
Automated Crowdturfing Attacks and Defenses in Online Review Systems
Malicious crowdsourcing forums are gaining traction as sources of spreading misinformation online, but are limited by the costs of hiring and managing human workers. In this paper, we identify a new class of attacks that leverage deep learning language models (Recurrent Neural Networks or RNNs) to automate the generation of fake online reviews for products and services. Not only are these attacks cheap and therefore more scalable, but they can control the rate of content output to eliminate the signature burstiness that makes crowdsourced campaigns easy to detect.

Using Yelp reviews as an example platform, we show how a two-phase review generation and customization attack can produce reviews that are indistinguishable by state-of-the-art statistical detectors. We conduct a survey-based user study to show these reviews not only evade human detection, but also score high on "usefulness" metrics by users. Finally, we develop novel automated defenses against these attacks, by leveraging the lossy transformation introduced by the RNN training and generation cycle. We consider countermeasures against our mechanisms, show that they produce unattractive cost-benefit tradeoffs for attackers, and that they can be further curtailed by simple constraints imposed by online service providers.