Professional Documents
Culture Documents
By
Engr.Sidra Mudassar
Submitted To:
Contents
CHAPTER 1..................................................................................................................................................4
INTRODUCTION...........................................................................................................................................4
1.1 BACKGROUND...................................................................................................................................4
1.2 Characteristics...................................................................................................................................4
1.3 Attack mechanism:............................................................................................................................5
1.3.1 Brute force attack:......................................................................................................................5
1.3.4 Shoulder Surfing.........................................................................................................................6
1.3.5 Key logger Attack........................................................................................................................6
1.3.6 Replay Attack:.............................................................................................................................7
1.3.7 SQL Injection Attack....................................................................................................................7
Password theft on OSI Layer:......................................................................................................................8
2. 1 Black-hole attack:-............................................................................................................................8
2.2 Brute Force Attack Patterns in IoT Network......................................................................................9
2.3 MitM in Password Reset Process.....................................................................................................11
2.3.1Challenges in password reset MitM attack................................................................................11
2.3.2 Password reset link on the user registered email.....................................................................11
2.3.2 Changing of Geo Location.............................................................................................................12
2.4 Keylogger Application to Monitoring Users Activity with Exact String Matching Algorithm............13
Solutions to Password Attack:..................................................................................................................14
3.1 Time delays approach between keystroke:.....................................................................................14
3.2 IMAGE BASED PASSWORD TECHNIQUES:........................................................................................15
3.2.1 Pass-point Scheme:...................................................................................................................16
3.2.2 Cued Click Point scheme...........................................................................................................16
3.3 Virtual Passwords:...........................................................................................................................16
3.3.1 Virtual Password...........................................................................................................................17
3.3.2 Differentiated Security via a VPF..................................................................................................17
3.3.3 User Specified Programs/Functions..............................................................................................18
3.3.4 Codebook......................................................................................................................................18
REFERENCE:...............................................................................................................................................19
LIST OF FIGURES
INTRODUCTION
1.1 BACKGROUND
In this era everyone is connected to the digital word through internet & computer system have to
protect its own self from malicious codes and attacks which is very common now a days for
everyone who is connected with the internet for the ease and common people use widely Local
Area Network which is also known as internet network or LAN . So nowadays it’s easy for
hackers to steal the user’s credentials and their private life data and their banking details through
cyber-attack. Dictionaries are the most commonly use identifications for a person to gain the
accessibility to the system which are not enough secure. These type of identification methods are
not enough secure because they are library based or in other words they are human generated
which can easily guess & crack able. Although computer/system generated passwords are bit
stronger than human generated passwords but they are difficult to memorize. Now a days there
are so many ways to hack the user’s confidential information or their banking details, their
passwords etc.
Dictionary attack is one of the basic type of attack in which dictionary is made up of commonly
use passwords which can be used to crack the user’s password & a system which is network
connected can also be the victim of Denial of service attack which is also known as DoS attack.
In today world still we have plenty of websites which are based on Hyper Text Transfer Protocol
HTTP. HTTP are not enough secure and mostly http websites are the targets of newly born
attackers/hackers and this type of authentication attacks is known as HTTP attacks. The purpose
of describing the above few basics attacks are too aware the users that in internet world it is very
difficult to keep safe your data and credentials.
1.2 Characteristics
The password is the main entry point of the applications and the gate pass to enter in their
environment. Password theft is the most common topic for cyber-attack. The IT companies are
spending their millions of dollars in researches to keep the credentials of users safe and secure
for the hackers. Here I would like to include the example of Facebook they are updating their
structure and their policies in order to keep the users account safe. They have introduced two
factor authentication in which user have to enter the password and to verify his/her self from
telecom message also which is sent by the Facebook & they are updating their system day by
day. [1]
As internet is growing around the globe where people with wide ranges are connected. Internet is
a system where password is a protected key to defend user’s confidential details. In numerous
computing applications including ATM machines, windows login, mobile etc., password plays a
vital role to keep the user’s sensitive data secure. Password attacks are vulnerable to breach the
security. Since they are necessary but still they are considered unsafe in providing security to
users due to various flaws in conventional password systems. Related to passwords, a large
number of attacks have been identified on various systems[2].
In order to prevent these password attacks it in important to study their attack
mechanisms .Different password attack mechanisms are discussed below
A dictionary which is made up of mostly used password and can be a password of user who
chooses common words and easy words for their passwords. This dictionary is made up by the
attackers and they attack on system with the commonly used passwords for stealing the user’s
data. That’s why it’s recommended to include alpha numeric words with special characters to
make the password stronger. On the other hand comparatively it is much faster than the brute
force attack but it also have some limitations such as limited words that might not be successful
in obtaining the users password due to not availability in the dictionary. Most of the people uses
country name, city name, familiar things, their famous actors which can be easily guessable and
these types of password might be the victim of Dictionary attack[3].
Phishing is just like trapping the user by just show them that everything happen to them is real
but it may be a trap by hacker to steal the passwords. Phishing is online web dependent attack
which takes the user to fake websites looks like as their real login platform but it is fake. Mostly
attacker uses fake/dummy pages of famous social platforms & various email platforms then they
redirect the victims to their own generated dummy pages and ask the credentials from user.
When the user enters the password it will sent on the desired location of the hacker. Sometimes it
is very difficult to understand for the user that the page he is visiting is fake or may lead to loss
of their credentials. After getting the credentials from the user hackers redirect them to their
original website and they even not feel that something happens to them and then attacker easily
uses the victims entered passwords for login into his/her private space.
2. 1 Black-hole attack:-
This research is based on password vulnerability which are length related & introduces the
mechanism from which hackers trap the users over internet and seizes the accounts details of the
users. Furthermore this research also suggests for an improved processes which are essential in
preventing various type of attacks such as seizing the user account by the hacker.
The users over the internet is increasingly rapidly day by day and according to the research most
of the people have the same identical ID and password for the various different platforms such as
shopping sites and social sites. So if the hacker got the one password than might be he will
access the other famous platform with the same credentials stolen. This research will also
describe the password weakness and the techniques to steal the password information using the
phishing sites and also across the session layer the get password of the user.
Basically the phishing sites are the dummy sites which seems as the original page which ask the
users for their credentials and when the user enters his/her credentials then it will directly goes
on the hackers destination. Similar to phishing there is an attack named as Pharming which
means the attack which use to steal the financial information of the users after infecting the
system of user with malicious code. The success rate of pharming is higher than the phishing.
A system named Honeypot which is made to prevent the hacker subsequent attacks. Honeypot
develops a system as if it contained the information which is attractive to the hacker. This system
basically used to track the hackers pattern of attacks. It attack through session layer, application
layer and network layer
The Black-hole attack method is when the users tries to logging into web and it’s failed, when
the user repeatedly trying different other passwords which comes to his/her mind without
resetting the password from forgot password option. By using this mechanism in the reverse
order the user credentials easily seized by hacker. The pictorial representation of the scenario on
the Black-hole attack which is given below which says that client accesses the honeypot which
he/she does not want & his/her account credentials were stolen due to virus/malicious code.
As we all know that day by day higher processing speed system are coming into the market the
usage of varied characters, extended words & secure hash functions for credentials to strengthen
the authentication of websites is essentials[8].
BFAs strength is the insertion of characters that have possibility to guesses password and it get a
password remotely by an attacker machine.BFAs are classified into two attacks one is insider
and other is outsider, these two attacks are explained in Figure 1. BFAs have real-time
competence to truly deduce right passwords on FTP servers. Several types of insider attacks are
possible. One of them are the man in the middle attack, carry your own device (BYOD) attack,
malware, device/physical data theft, and sabotage.
(a) Insider attack is usually perceived as a legitimate user of the organization. Insider attack takes
limited access to some services without additional coverings on different service packages and
also varies from inbound packages from outside the network that are closely scrutinized by filters
with multiple DMZ services
(b) An insider attack on IoT is a multiform that poses numerous problems connected to malicious
and accidental security incidents stemming from outsources and employees
(c) The attacker is insider, they have detailed information of technical matters such as the
network’s backbone, IP address allocations, the virtual local area network (VLAN), the service
clustering application, and IT staff members who monitor the network[2]
MitM is the short form of Man in the Middle. We will describe that how it will be used to get the
victims credentials through password resetting & the attack falls on the application side. The
hacker takes is start from launching the reset process of password through website & sends all
challenges to user in this way hacker gets the victims credentials by don’t even realizing them
that anything happened or not.
Basically Keylogger is computer software which is use to trace the every single key pressed by
the victim and the data which is recorded by the Keylogger will further refine into a meaningful
information and users credentials. In this type of attack user is unaware of that what he/she is
pressing/typing will be recorded and not safe enough. In real world mostly the Internet café users
are the victims of Keylogger attack. In this attack hackers installs the Keylogger in the victim’s
computer or trap the victim by giving fake offers for installing the software and people normally
installs on clicking fake links. The Keylogger sent the log file which have user typing activity
through cloud or email on hacker’s desired address which is further use to steal his/her password.
There are the solution how to secure a password or how to maintain a security of passwords
Securing a password from cyber-attacks by using Time delays approach between keystroke. This
new mechanism is used to strengthen the password by giving the delays of time in-between
password typing while doing signup & for the sign-in process you should not only insert your
correct passwords but also have to give the delay in inserting the password in the wright order. If
a user attempted to provide real password while sign-in without giving proper delay in time with
wright order then it will be rejected. To test the mechanism it was tested in laboratory.
This mechanism is not like the Keystroke Dynamics basically KD (keystroke dynamics) are the
just delays information which measures the individual’s rhythm and manner while typing on the
keyboard.
By following this approach user can have a secure password by giving the augmenting time
delays in typing the password with the wright procedure the user will highlight the time delayed
positions during sign-up process this what we can say “adopted keystroke pattern”. The user
should insert the wright password and gives the maximum time delays in precise positions than
the gap of time between the remaining characters of password. The main focus is to not enter the
password in rhythm. If the user’s time delay was not in correct positions then it will lead towards
failure of sign-in. The user can only login when he/she knows that how much time delay he/she
have to give while inserting a password if the password was typed in a correct time delay after
specific characters then the login will be successful otherwise it will lead towards the failure of
login. The whole mechanism was experimented in laboratory which was experimented through
VB application and for getting the clear pictorial representation of the whole mechanism the
figure is mentioned below.
Figure 3-0-5 Time delay flow chart.
To achieve the goals of the mechanism algorithm was used which based on sorting the time gaps
& calculating the differences between the time gaps in milliseconds. This mechanism is very
important in those organization who have confidential data and curious about their password
theft. Through this approach the system will be more secure even if anyone knows your
password he/she cannot login into the system[11].
Differentiated Virtual Passwords, Secret Little Functions, and Codebooks for Protecting Users
from Password Theft
This research describes that how to stop the users password from being stolen in online world
and ATM (automated teller machines). This research describes the differentiated virtual
credentials mechanism in this mechanism user is freely allowed to choose a scheme of virtual
password ranges from low security password to high security password. Virtual password needs
a very small amount of human computing in order to make more secure the users passwords. We
have traditional password scheme which is also called default method, user specified, system
recommended functions & users specified program etc. Implementing virtual password concept
from program/functions which requires a small amount of human computing and not very hard to
achieve. Furthermore in this paper secret little functions were adopted which will be playing an
important role in enhancing the security by hiding secret algorithms/functions.
The virtual password mechanism contains the functions which furthermore includes two schemes
known as codebook & reference switching functions. The objective is to write a function which
is capable of achieving both 1. Computational Ease & 2. Security point for keeping the function
simple and secure.
The capacity/program is utilized to execute the virtual secret word idea with a tradeoff among
security and intricacy and requires little measure of human registering. Notwithstanding, since
effortlessness and security conflict with one another, it is difficult to accomplish both. We further
proposed a few capacities filling in as framework suggested works and gave a security
examination. We broke down how the proposed plans protect against phishing, key-lumberjack,
bear surfing assaults, and numerous assaults. In client specified capacities, we received mystery
little capacities in which security is improved by concealing mystery capacities/calculations. All
in all, client defined capacities (mystery little capacities) are better. We trust that for some
significant records, for example, financial balances, a few clients might want to spend somewhat
more human figuring time to make it increasingly secure, particularly when utilizing a PC in a
safeguard domain, for example, the Internet café.
V=Fh(X,R) OR Fh(Xi,Ri)=Vi this is the equation which is used by server to authenticate the
user. F is injective type function. In case F is not a injective it may be possible that server have to
authenticate the user by first find the record from database on behalf of ID then compute the V &
match it with users provided ID.
REFERENCE:
[1] A. Eldar, I. Sharoni, T. Mendelson, and U. Blumenthal, "Techniques for password attack
mitigation," ed: Google Patents, 2012.
[2] E. S. E. C. †M.E. (CSE) Second Year, Erode,Tamilnadu,India ††Head of Department, Erode
Sengunthar Engineering College, Erode, Tamilnadu,India, "REVIEW OF PASSWORD PROTECTING
MECHANISM," International Journal of Advanced Research in Computer Engineering &
Technology (IJARCET), 2013.
[3] M. Raza, M. Iqbal, M. Sharif, and W. Haider, "A survey of password attacks and comparative
analysis on methods for secure authentication," World Applied Sciences Journal, vol. 19, pp. 439-
444, 2012.
[4] V. Panchal and K. P. RavirajPrajapati, "AN INNOVATIVE PATTERN BASED PASSWORD METHOD
USING TIME VARIABLE WITH ARITHMETIC OPERATIONS," International Journal of Information,
vol. 6, 2016.
[5] R. Rahim, H. Nurdiyanto, D. Abdullah, D. Hartama, and D. Napitupulu, "Keylogger Application to
Monitoring Users Activity with Exact String Matching Algorithm," in Journal of Physics:
Conference Series, 2018, p. 012008.
[6] G. Dua, N. Gautam, D. Sharma, and A. Arora, "Replay attack prevention in Kerberos
authentication protocol using triple password," arXiv preprint arXiv:1304.3550, 2013.
[7] H. Patil and C. D. Parekh, "Attacks and Remedies of Authentication Techniques: A," 2017.
[8] H.-J. Mun and K.-H. Han, "Blackhole attack: user identity and password seize attack using
honeypot," Journal of Computer Virology and Hacking Techniques, vol. 12, pp. 185-190, 2016.
[9] J. Bonneau, "The science of guessing: analyzing an anonymized corpus of 70 million passwords,"
in 2012 IEEE Symposium on Security and Privacy, 2012, pp. 538-552.
[10] N. Gelernter, S. Kalma, B. Magnezi, and H. Porcilan, "The password reset mitm attack," in 2017
IEEE Symposium on Security and Privacy (SP), 2017, pp. 251-267.
[11] K. W. Mahmoud, "Elastic password: A new mechanism for strengthening passwords using time
delays between keystrokes," in 2017 8th International Conference on Information and
Communication Systems (ICICS), 2017, pp. 316-321.
[12] D. Stiawan, M. Idris, R. F. Malik, S. Nurmaini, N. Alsharif, and R. Budiarto, "Investigating Brute
Force Attack Patterns in IoT Network," Journal of Electrical and Computer Engineering, vol. 2019,
2019.
[13] Y. Xiao, C.-C. Li, M. Lei, and S. V. Vrbsky, "Differentiated virtual passwords, secret little functions,
and codebooks for protecting users from password theft," IEEE Systems Journal, vol. 8, pp. 406-
416, 2014.