Invitation to Cybersecurity

or wireless keyboards, can connect to wireless networks and transmit the keystrokes they capture back to the hacker over the Internet. Others need to be physically retrieved in order to obtain the data they captured, creating more risk for the hacker.

Figure 4.1 A hardware-based keylogger.

Passwords can also be compromised through password cracking attacks. As we will see in Section 7.2.3.3, computers do not store users' passwords but instead store password hashes. A password hash is a scrambled "fingerprint" of a password produced by a one-way hash function: it cannot be typed in at a login prompt in place of the password, and it cannot be turned back into the password directly. Hashes therefore need to be "cracked" before they are useful to an attacker. Cracking works by generating password guesses, hashing each guess with the same function the system used, and comparing the result to the hashes in the hash dump, the file of stolen password hashes. The rate depends on the hash function: against fast general-purpose hashes, attackers with GPU hardware can try billions of guesses per second, while deliberately slow password-hashing functions reduce that rate by many orders of magnitude. Many effective password cracking tools are freely available, such as John the Ripper, a command-line tool that runs on Linux (see Figure 4.2).

Hackers obtain password hashes when they gain administrative access to servers. Sometimes they post hash dumps online, making them fair game for other hackers to try to crack; some hash dumps contain millions of hashes. The website haveibeenpwned.com hosts a searchable database of credentials that have been exposed in such breaches, so users can check whether their email address or password appears in one. (There are more details on hashing in Section 7.2.3.3 and on password cracking in Section 9.2.1.1 of this text.)

Password guessing is another attack on passwords. In this attack, the hacker attempts to log in as a valid user by guessing the user's password. It is assumed that the hacker is able to obtain valid usernames but does not know the corresponding passwords. Obtaining valid usernames is not difficult, since they are not normally secret; many sites use email addresses as usernames.
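The cracking loop just described (generate a guess, hash it, compare with the dump), as an added worked example that is not from the book and is not John the Ripper's code. The hash dump, the wordlist and the mangling rules are constructed for the demo; the dump is inverted first so that each hash computation is checked against every account at once, which is what makes an unsalted dump cheap to crack. The hash_fn parameter is a hypothetical hook so the same loop can be run against a slow password hash to see the rate difference.

```python
import hashlib
import time
from collections import defaultdict


def sha256_hex(guess):
    """Fast, unsalted hash of the kind a leaked dump might contain (demo choice)."""
    return hashlib.sha256(guess.encode()).hexdigest()


def build_constructed_dump():
    """Constructed hash dump: username -> hex digest. The plaintexts exist only
    to build the demo; a real attacker starts from the digests alone."""
    plaintexts = {
        "alice": "password",
        "bob": "Summer2023!",
        "carol": "letmein1",
        "dave": "correct horse battery staple",
        "erin": "password",   # same password as alice -> same unsalted hash
    }
    return {user: sha256_hex(pw) for user, pw in plaintexts.items()}


# Constructed wordlist; real runs use lists with millions or billions of entries.
WORDLIST = ["123456", "password", "letmein", "summer", "qwerty", "dragon"]
SUFFIXES = ["1", "123", "!", "2023", "2023!"]


def mangle(word):
    """Yield candidate guesses derived from one wordlist entry, in the spirit of
    John the Ripper's word-mangling rules (plain, capitalised, common suffixes)."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def crack(dump, wordlist, hash_fn=sha256_hex):
    """Return (cracked, attempts): cracked maps username -> recovered password."""
    # Invert the dump so one hash computation is checked against every account.
    users_by_hash = defaultdict(list)
    for user, digest in dump.items():
        users_by_hash[digest].append(user)
    cracked, attempts = {}, 0
    for word in wordlist:
        for guess in mangle(word):
            attempts += 1
            for user in users_by_hash.get(hash_fn(guess), ()):
                cracked[user] = guess
            if len(cracked) == len(dump):
                return cracked, attempts
    return cracked, attempts


def hashes_per_second(hash_fn, n=2000):
    """Rough guess rate on one CPU core; GPU rigs are orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn("guess%d" % i)
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    dump = build_constructed_dump()
    cracked, attempts = crack(dump, WORDLIST)
    print("cracked %d of %d accounts with %d guesses: %s"
          % (len(cracked), len(dump), attempts, cracked))

    # Same loop against a deliberately slow password hash (PBKDF2, 100k rounds).
    def slow_hex(guess):
        return hashlib.pbkdf2_hmac("sha256", guess.encode(), b"demo-salt", 100_000).hex()

    print("sha256: ~%.0f guesses/s" % hashes_per_second(sha256_hex))
    print("pbkdf2: ~%.0f guesses/s" % hashes_per_second(slow_hex, n=20))
```

Four of the five constructed accounts fall to 72 guesses; the passphrase does not, because no rule derives it from the wordlist. Running the main block also shows why the choice of hash matters: the same loop that tests thousands of SHA-256 guesses per second on one core manages only a handful against PBKDF2.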
Password guessing is not the same as password cracking: the hacker is forced to go through the authentication server (e.g., a website login screen), which is much slower, and the server sees every attempt. Even when the attempts are automated with hacking programs such as THC Hydra (see Figure 4.3), servers can mitigate the attack by enforcing time delays between attempts or by locking an account after too many failed login attempts. Hackers work around these mitigations by adjusting the frequency of their guesses. For example, if the authentication server triggers some action after five bad attempts within a certain period of time, the hacker will try four guesses and then wait until the count resets before trying again. Password
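The lockout-and-pacing interplay described above, as an added example that is not from the book: a simulated login server with a per-account failed-attempt counter, and a guesser that stays one attempt under the threshold and then waits out the window. The account, its password, the guess list and the 15-minute window are constructed for the demo. Going beyond the text, the server also implements a "sticky" counter that is not cleared by the passage of time, to show why the four-then-wait pacing stops working when only a successful login or an administrator can reset the count.

```python
from collections import defaultdict


class LoginServer:
    """Simulated authentication endpoint with a per-account failed-login counter.

    reset_policy="window": failures older than `window` seconds are forgotten,
        so an attacker who stays under `threshold` per window is never locked out.
    reset_policy="sticky": the counter is cleared only by a successful login
        (or an administrator unlock), so the same pacing still trips the lockout.
    """

    def __init__(self, users, threshold=5, window=15 * 60, reset_policy="window"):
        self.users = users                  # username -> password (constructed)
        self.threshold = threshold
        self.window = window
        self.reset_policy = reset_policy
        self.failures = defaultdict(list)   # username -> failure timestamps
        self.locked = set()

    def login(self, user, password, now):
        """Return 'ok', 'fail' or 'locked'. `now` is simulated time in seconds."""
        if user in self.locked:
            return "locked"
        if self.reset_policy == "window":
            self.failures[user] = [t for t in self.failures[user] if now - t < self.window]
        if self.users.get(user) == password:
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "fail"


def paced_guessing(server, user, guesses, threshold, window, gap=1.0):
    """Try `threshold - 1` guesses in a burst, wait out `window`, repeat.

    Returns (password_or_None, attempts_made, simulated_seconds_elapsed).
    """
    now = 0.0
    burst = threshold - 1
    for i, guess in enumerate(guesses):
        if i and i % burst == 0:
            now += window                   # wait for the server to forget the burst
        result = server.login(user, guess, now)
        if result == "ok":
            return guess, i + 1, now
        if result == "locked":
            return None, i + 1, now
        now += gap                          # short pause between guesses in a burst
    return None, len(guesses), now


def guesses_per_day(threshold, window):
    """Throughput ceiling the pacing attacker gets against the windowed policy."""
    return (threshold - 1) * (24 * 3600 // window)


# Constructed account and guess list (not real credentials).
USERS = {"bob@example.com": "Summer2023!"}
GUESSES = ["123456", "password", "qwerty", "letmein", "summer",
           "Summer2023!", "dragon", "baseball"]

if __name__ == "__main__":
    for policy in ("window", "sticky"):
        srv = LoginServer(USERS, threshold=5, window=900, reset_policy=policy)
        print(policy, paced_guessing(srv, "bob@example.com", GUESSES, 5, 900))
    print("windowed policy allows", guesses_per_day(5, 900), "guesses/day per account")
```

Against the windowed policy the guesser lands the password on its sixth attempt after one 15-minute wait and is never locked out; against the sticky policy it is locked on the fifth attempt. The sticky counter is not free, though: an attacker who knows a username can lock a legitimate user out on purpose, which is why real deployments combine lockout with per-source rate limiting and progressive delays rather than relying on one counter.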
