keys to the kingdom
play

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty - PowerPoint PPT Presentation

Aug 29, 2023 •348 likes •518 views

Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th October 2008 Overview Securing Systems Passwords Storing Passwords Guessing Passwords What can I do about it?

  1. Keys to the Kingdom A presentation to: E-Business 2008 Mike Auty E-Security at WDL Date: 16 th October 2008

  2. Overview • Securing Systems • Passwords • Storing Passwords • Guessing Passwords • What can I do about it? e-Security 2

  3. Securing Systems Securing a computer system is a difficult task ● Are you who I think you are? ● Are you allowed to do that? ● What should I do if you're not? • How do you ensure the person using the machine is the right person? ● Authentication & Authorization • We want to check “something you have and something you know” ● Password, RFID, Fingerprints, Retinas, Chip & PIN, etc • So far, there isn't an answer, but the most common solution is a password e-Security 3

  4. Passwords A Password is a pre-arranged secret shared between two parties. Some people worry about their side of the password: • Shoulder surfing • Sharing the password • Entering it on an untrusted webpage Security people worry about the other side: • Attacks on servers e-Security 4

  5. Storing Passwords Attempt Number 1: Just store them User Password Alice @halw!fwga5 Bob Dobbin7 Charlie Dobbin7 e-Security 5

  6. Storing Passwords Just writing the plain password down is bad • Imagine if Amazon wrote down the passwords of all their customers? Why not encrypt the password? • Just another key to keep secret Hash the password! • Hashing is a one-way process that turns words into gibberish ● Crucially, it always turns the same word into the same gibberish ● And it's very unlikely to turn two different words into the same gibberish • Lots of different ways of producing gibberish! e-Security 6

  7. Storing Passwords Attempt Number 2: Hash them User Hash Alice 8ed7edb463cddbbd... Bob 06f7e833953d846b... Charlie 06f7e833953d846b... e-Security 7

  8. Storing Passwords Better, but not great... identical passwords are stored identically • Back at Amazon, of all the millions of users, many will have the same password We need something to make the hashes different • It doesn't need to be entered by the user How about a “Salt”? • Random number that just adds a bit of flavour to the output of the hash Salt Salt Hashed Hash + Salted Process Password Password Password e-Security 8

  9. Storing Passwords Attempt Number 3: Hash them with a salt User Salt Hash Alice f4 973b503c92b16cef... 6b Bob 543de38793d57af2... f4 Charlie 460ebb6f8ad45f3f... e-Security 9

  10. So? Why do I need to know about all this? • Your laptop or desktop computer stores your password • Your business network servers need to know it too • They should use these techniques to secure your secret How does windows store your password? e-Security 10

  11. Storing Passwords Microsoft LanManager version 1 User Password LM Hash Alice @halw!fwga5 DDDFF1C4360A1EA0 7728CCC198F4E75E Bob Dobbin7 804C41F1209B1977 AAD3B435B51404EE Charlie doBBin7 804C41F1209B1977 AAD3B435B51404EE Dave B2D1009CBB5F11AC AAD3B435B51404EE 5ecur3 e-Security 11

  12. Storing Passwords What went wrong? • They changed all lowercase characters to uppercase characters • They truncated the password at 14 characters • They split the 14 characters into two sets of 7 ● Imagine splitting you pin number into two sets of two, each verified separately ● 10,000 x 1 possibilities goes down to 100 x 2 possibilities • No salt! Used in NT, and maintained for backwards compatibility in 2000 and XP Vista uses the stronger NTLMv2 hash e-Security 12

  13. Guessing passwords How to guess passwords: • Write a program to do it • Optimize the program • Trade off time for memory ● Spend a long time guessing lots of possible passwords ● Write them all down and then check through them when needed e-Security 13

  14. What can I do about it? Password self-defense 1) DO NOT REUSE PASSWORDS 2) REALLY, DO NOT REUSE PASSWORDS 3) Passwords can actually be phrases: “Alice had a little wolf, it's fur was gray as slate” 4) Things that look random can still be remembered: @halw!fwga5 5) Not everybody gives you good advice e-Security 14

  15. What can I do about it? Turn off LM hashes: • Control Panel > Administrative Tools > Local Security Policy • Local Policies > Security Options • Select Network Security: LAN Manager authentication level • Right click for Properties • Set it to NTLMv2 response only Now all new passwords will be secure so... Choose a new one! e-Security 15

  16. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo Van Bulck 1 Marina Minkin 2 Ofir Weisse 3 Daniel Genkin 3 Baris Kasikci 3 Frank Piessens 1 Mark Silberstein 2 Thomas F. Wenisch 3 Yuval Yarom 4 Raoul

601 views • 56 slides
Obtaining the Keys to the Kingdom: Secrets of Serial Bibliographic Records Revealed Presentation

Obtaining the Keys to the Kingdom: Secrets of Serial Bibliographic Records Revealed Presentation

Obtaining the Keys to the Kingdom: Secrets of Serial Bibliographic Records Revealed Presentation Notes Mary Grenci, University of Oregon mgrenci@uoregon.edu 1. 2. Interspersed throughout the presentation there are boxes with search tips.

463 views • 15 slides
Still Passing the Hash 15 Years Later Using the Keys to the Kingdom to Access All Your Data

Still Passing the Hash 15 Years Later Using the Keys to the Kingdom to Access All Your Data

Still Passing the Hash 15 Years Later Using the Keys to the Kingdom to Access All Your Data Alva Skip Duckwall Chris Campbell Help Us Get Better! Please Fill Out The Speaker Surveys! Do You Know Who I Am? Alva 'Skip' Duckwall

647 views • 54 slides
Keys to a Winning MBA Applica3on Harvard Club of the

Keys to a Winning MBA Applica3on Harvard Club of the

Keys to a Winning MBA Applica3on Harvard Club of the United Kingdom Alex Leventhal PrepMBA.com When is the Right Time to Apply? Average

497 views • 17 slides
2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys > 100 uses 4450 keys > 1000 uses An excursion in to the world of OSM tagging presets Simon Poole, SOtM 2018 In the beginning Bus

686 views • 50 slides
Week 7: August 6, 2017 Review The Kingdom The The The The Partial The Prophesied of God

Week 7: August 6, 2017 Review The Kingdom The The The The Partial The Prophesied of God

Week 7: August 6, 2017 Review The Kingdom The The The The Partial The Prophesied of God Pattern of the Kingdom Perished Kingdom Promised Kingdom Kingdom Kingdom Gods Abrahams Remnant of Israel, & Adam & Eve No One

657 views • 41 slides
The Kingdom of Heaven The Kingdom of God or The Kingdom of Heaven Only in

The Kingdom of Heaven The Kingdom of God or The Kingdom of Heaven Only in

The Kingdom of Heaven The Kingdom of God or The Kingdom of Heaven Only in Matthews Gospel In The Other 3 Gospels The Kingdom of God The Kingdom of Heaven The Kingdom of God or The Kingdom of God

701 views • 52 slides
Week 6: July 30, 2017 Review The Kingdom The The The The Partial of God Pattern of the

Week 6: July 30, 2017 Review The Kingdom The The The The Partial of God Pattern of the

Week 6: July 30, 2017 Review The Kingdom The The The The Partial of God Pattern of the Kingdom Perished Kingdom Promised Kingdom Kingdom Gods Abrahams Adam & Eve No One The Israelites People Descendants Canaan (And

465 views • 27 slides
London, United Kingdom 52% CO 2 London, United Kingdom The ABC of behaviour change

London, United Kingdom 52% CO 2 London, United Kingdom The ABC of behaviour change

Practice-ing thermal comfort: Is home heating and cooling all about energy behaviours? Auckland, New Zealand London, United Kingdom Brendan Doody PhD Candidate, Durham University London, United Kingdom 52% CO 2 London, United Kingdom The ABC

172 views • 16 slides
Week 4: July 9, 2017 Review The Kingdom of The The The God Pattern of the Kingdom

Week 4: July 9, 2017 Review The Kingdom of The The The God Pattern of the Kingdom

Week 4: July 9, 2017 Review The Kingdom of The The The God Pattern of the Kingdom Perished Kingdom Promised Kingdom Gods People Adam & Eve No One Abrahams Descendants Gods Place The Garden Banished Canaan Gods

671 views • 35 slides
THY KINGDOM COME Its the Second Petition of the Lords Prayer WHAT IS THE KINGDOM OF GOD?

THY KINGDOM COME Its the Second Petition of the Lords Prayer WHAT IS THE KINGDOM OF GOD?

THY KINGDOM COME Its the Second Petition of the Lords Prayer WHAT IS THE KINGDOM OF GOD? It may not be what youre thinking! THE KINGDOM OF POWER in Him all things hold together (Colossians 1:17) the earth is the Lords,

117 views • 9 slides
Password Human beings : Short keys; possibly used to generate longer keys Dictionary

Password Human beings : Short keys; possibly used to generate longer keys Dictionary

Password Human beings : Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse Countermeasures: slow login, close after several

563 views • 14 slides
Everglades excerpts of a talk by Fritz Davis 2004 John Kunkel Small The Keys Lower

Everglades excerpts of a talk by Fritz Davis 2004 John Kunkel Small The Keys Lower

The Keys Everglades excerpts of a talk by Fritz Davis 2004 John Kunkel Small The Keys Lower keys Upper keys Miami Rocklands (Everglades Keys) Sea of saw grass. Sea of pine trees sea of tropical

201 views • 9 slides
Driving the 5 Keys Smiths 5 Keys 1- Aim High in Steering 2- Get the Big Picture 3-

Driving the 5 Keys Smiths 5 Keys 1- Aim High in Steering 2- Get the Big Picture 3-

Smith System Driving the 5 Keys Smiths 5 Keys 1- Aim High in Steering 2- Get the Big Picture 3- Keep Your Eyes Moving 4- Leave Yourself an Out 5- Make Sure They See You Aim im Hig igh The first rule for this method is

682 views • 10 slides
United Kingdom The official name of the UK is The United Kingdom of Great Britain and

United Kingdom The official name of the UK is The United Kingdom of Great Britain and

United Kingdom The official name of the UK is The United Kingdom of Great Britain and Northern Ireland. Islands of the United Kingdom Many small islands belong to the UK, such as the Isle of Wight. Capital Cities England London

443 views • 21 slides
(CAN,Tapestry, Pastry) Freenet: search towards keys, but no guarantees Chord: Map keys

(CAN,Tapestry, Pastry) Freenet: search towards keys, but no guarantees Chord: Map keys

Napster: central search engine (CAN,Tapestry, Pastry) Freenet: search towards keys, but no guarantees Chord: Map keys to linear search space Stoica, R. Morris, D. Karger, F. Kaashoek, and Keep pointers (fingers) into

281 views • 12 slides
Related work SQRL design details Research questions Research method Research

Related work SQRL design details Research questions Research method Research

A closer look at SQRL Agenda SQRL introduction Related work SQRL design details Research questions Research method Research findings Conclusion UvA-SNE-RP1 presentation 1 A closer look at SQRL SQRL introduction:

394 views • 25 slides
Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M. Martin Aaron G. Cass March 3, 2018 Introduction 01 Human Computer Interface Security (HCIsec) 02 Password Problem 03 Graphical User

633 views • 31 slides
Authorized Tall lly Sales, Service, Integrator & Extender Partner www.dexterityindia.com

Authorized Tall lly Sales, Service, Integrator & Extender Partner www.dexterityindia.com

Authorized Tall lly Sales, Service, Integrator & Extender Partner www.dexterityindia.com %%&%% !'!

240 views • 20 slides
RWIS Automated Advisory System Centralized advisory system for the control of Dynamic Message

RWIS Automated Advisory System Centralized advisory system for the control of Dynamic Message

RWIS Automated Advisory System Centralized advisory system for the control of Dynamic Message Signs Presented by: Jeremy Duensing Product Manager Schneider Electric Presentation Learning Outcomes Weather can have large impacts on small

785 views • 30 slides
THE PHI PROJECT THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION A

THE PHI PROJECT THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION A

THE PHI PROJECT THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION A BUSINESS CASE FOR ENHANCED PHI SECURITY THE PHI PROJECT REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI) WHO:

436 views • 29 slides
CYBER - SECURITY PART 2 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer,

CYBER - SECURITY PART 2 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer,

CYBER - SECURITY PART 2 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer, Essex Police Barry Linton, Thorpe Bay U3A Thorpe Bay U3A HOW DO I PROTECT MYSELF 2 ALL ABOUT PASSWORDS Change your passwords regularly.

425 views • 27 slides
Identifying & Addressing Health-Harming Legal Issues www.comm communit nityle

Identifying & Addressing Health-Harming Legal Issues www.comm communit nityle

Justice & Health Partnership Workshop Series: Identifying & Addressing Health-Harming Legal Issues www.comm communit nityle ylega galcen lcentr treca eca 158 George Street, Level 1 Toll Free: 1-877-966-8686 Belleville,

447 views • 31 slides
CES WEST DISTRICT NOVEMBER 29, 2012 1 TOPICS NCSU Internal Audit: Who are We and How Can We

CES WEST DISTRICT NOVEMBER 29, 2012 1 TOPICS NCSU Internal Audit: Who are We and How Can We

TOOLS AND TIPS FOR MINIMIZING RISKS CES WEST DISTRICT NOVEMBER 29, 2012 1 TOPICS NCSU Internal Audit: Who are We and How Can We Help? Self Assessments: Why Do Them? Fraud Awareness and How to Report Suspected Fraud at NCSU IT Security Tips

412 views • 37 slides

More recommend