KEMBAR78
hacking lecture 3c.ppt
Uploaded bypeter722626
PPT, PDF21 views

hacking lecture 3c.ppt

This document discusses various topics related to computer security and hacker attacks. It covers types of attacks like denial of service attacks, password attacks, spoofing, and buffer overflow attacks. It also explains security concepts like password security, network security, and different modes of hacker attacks over the internet, LAN, locally, and offline. The document emphasizes that as computer security improves, hackers are finding newer ways to compromise systems, so security is an ongoing challenge.

Download to read offline
Computer Security MSU07601 Hackers Peter kaaya
• Crisis • Computer Crimes • Hacker Attacks • Modes of Computer Security – Password Security – Network Security – Web Security – Distributed Systems Security – Database Security Topics
• Internet has grown very fast and security has lagged behind. • Legions of hackers have emerged as impedance to entering the hackers club is low. • It is hard to trace the perpetrator of cyber attacks since the real identities are camouflaged • It is very hard to track down people because of the ubiquity of the network. • Large scale failures of internet can have a catastrophic impact on the economy which relies heavily on electronic transactions Crisis
• Some of the sites which have been compromised – U.S. Department of Commerce – NASA – CIA – Greenpeace – Motorola – UNICEF – Church of Christ … • Some sites which have been rendered ineffective – Yahoo – Microsoft – Amazon … Why Security?
• Because they can – A large fraction of hacker attacks have been pranks • Financial Gain • Espionage • Venting anger at a company or organization • Terrorism Why do Hackers Attack?
• Active Attacks – Denial of Service – Breaking into a site • Intelligence Gathering • Resource Usage • Deception/cheating • Passive Attacks – Sniffing • Passwords • Network Traffic • Sensitive Information – Information Gathering Types of Hacker Attack
• Over the Internet • Over LAN • Locally • Offline • Theft • Deception Modes of Hacker Attack
Definition: An attacker alters his identity so that some one thinks he is some one else – Email, User ID, IP Address, … – Attacker exploits trust relation between user and networked machines to gain access to machines Types of Spoofing: 1. IP Spoofing: 2. Email Spoofing 3. Web Spoofing Spoofing
Definition: Attacker uses IP address of another computer to acquire information or gain access IP Spoofing – Flying-Blind Attack Replies sent back to 10.10.20.30 Spoofed Address 10.10.20.30 Attacker 10.10.50.50 John 10.10.5.5 From Address: 10.10.20.30 To Address: 10.10.5.5 • Attacker changes his own IP address to spoofed address • Attacker can send messages to a machine masquerading as spoofed machine • Attacker can not receive messages from that machine
Definition: Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies IP Spoofing – Source Routing Replies sent back to 10.10.20.30 Spoofed Address 10.10.20.30 Attacker 10.10.50.50 John 10.10.5.5 From Address: 10.10.20.30 To Address: 10.10.5.5 • The path a packet may change can vary over time • To ensure that he stays in the loop the attacker uses source routing to ensure that the packet passes through certain nodes on the network Attacker intercepts packets as they go to 10.10.20.30
Definition: Attacker sends messages masquerading as some one else What can be the repercussions? Types of Email Spoofing: 1. Create an account with similar email address – Sanjaygoel@yahoo.com: A message from this account can perplex the students 2. Modify a mail client – Attacker can put in any return address he wants to in the mail he sends 3. Telnet to port 25 – Most mail servers use port 25 for SMTP. Attacker logs on to this port and composes a message for the user. Email Spoofing
• Basic – Attacker registers a web address matching an entity e.g. votebush.com, geproducts.com, gesucks.com • Man-in-the-Middle Attack – Attacker acts as a proxy between the web server and the client – Attacker has to compromise the router or a node through which the relevant traffic flows • URL Rewriting – Attacker redirects web traffic to another site that is controlled by the attacker – Attacker writes his own web site address before the legitimate link • Tracking State – When a user logs on to a site a persistent authentication is maintained – This authentication can be stolen for masquerading as the user Web Spoofing
• Web Site maintains authentication so that the user does not have to authenticate repeatedly • Three types of tracking methods are used: 1. Cookies: Line of text with ID on the users cookie file – Attacker can read the ID from users cookie file 2. URL Session Tracking: An id is appended to all the links in the website web pages. – Attacker can guess or read this id and masquerade as user 3. Hidden Form Elements – ID is hidden in form elements which are not visible to user – Hacker can modify these to masquerade as another user Web Spoofing – Tracking State
Definition: Process of taking over an existing active session Modus Operandi: 1. User makes a connection to the server by authenticating using his user ID and password. 2. After the users authenticate, they have access to the server as long as the session lasts. 3. Hacker takes the user offline by denial of service 4. Hacker gains access to the user by impersonating the user Session Hijacking
• Attacker can – monitor the session – periodically inject commands into session – launch passive and active attacks from the session Session Hijacking Bob telnets to Server Bob authenticates to Server Bob Attacker Server Die! Hi! I am Bob
• Attackers exploit sequence numbers to hijack sessions • Sequence numbers are 32-bit counters used to: – tell receiving machines the correct order of packets – Tell sender which packets are received and which are lost • Receiver and Sender have their own sequence numbers • When two parties communicate the following are needed: – IP addresses – Port Numbers – Sequence Number • IP addresses and port numbers are easily available so once the attacker gets the server to accept his guesses sequence number he can hijack the session. Session Hijacking – How Does it Work?
Definition: Attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the system so that no one else can use it. Types: 1. Crashing the system or network – Send the victim data or packets which will cause system to crash or reboot. 2. Exhausting the resources by flooding the system or network with information – Since all resources are exhausted others are denied access to the resources 3. Distributed DOS attacks are coordinated denial of service attacks involving several people and/or machines to launch attacks Denial of Service (DOS) Attack
Types: 1. Ping of Death 2. SSPing 3. Land 4. Smurf 5. SYN Flood 6. CPU Hog 7. Win Nuke 8. RPC Locator 9. Jolt2 10. Bubonic 11. Microsoft Incomplete TCP/IP Packet Vulnerability 12. HP Openview Node Manager SNMP DOS Vulneability 13. Netscreen Firewall DOS Vulnerability 14. Checkpoint Firewall DOS Vulnerability Denial of Service (DOS) Attack
• This attack takes advantage of the way in which information is stored by computer programs • An attacker tries to store more information on the stack than the size of the buffer How does it work? Buffer Overflow Attacks • Buffer 2 Local Variable 2 Buffer 1 Local Variable 1 Return Pointer Function Call Arguments • Fill Direction Bottom of Memory Top of Memory Normal Stack • Buffer 2 Local Variable 2 Machine Code: execve(/bin/sh) New Pointer to Exec Code Function Call Arguments • Fill Direction Bottom of Memory Top of Memory Smashed Stack Return Pointer Overwritten Buffer 1 Space Overwritten
• Programs which do not do not have a rigorous memory check in the code are vulnerable to this attack • Simple weaknesses can be exploited – If memory allocated for name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters • Can be used for espionage, denial of service or compromising the integrity of the data Examples – NetMeeting Buffer Overflow – Outlook Buffer Overflow – AOL Instant Messenger Buffer Overflow – SQL Server 2000 Extended Stored Procedure Buffer Overflow Buffer Overflow Attacks
• A hacker can exploit a weak passwords & uncontrolled network modems easily • Steps – Hacker gets the phone number of a company – Hacker runs war dialer program • If original number is 555-5532 he runs all numbers in the 555-55xx range • When modem answers he records the phone number of modem – Hacker now needs a user id and password to enter company network • Companies often have default accounts e.g. temp, anonymous with no password • Often the root account uses company name as the password • For strong passwords password cracking techniques exist Password Attacks
• Password hashed and stored – Salt added to randomize password & stored on system • Password attacks launched to crack encrypted password Password Security Hash Function Hashed Password Salt Compare Password Client Password Server Stored Password Hashed Password Allow/Deny Access
• Find a valid user ID • Create a list of possible passwords • Rank the passwords from high probability to low • Type in each password • If the system allows you in – success ! • If not, try again, being careful not to exceed password lockout (the number of times you can guess a wrong password before the system shuts down and won’t let you try any more) Password Attacks - Process
• Dictionary Attack – Hacker tries all words in dictionary to crack password – 70% of the people use dictionary words as passwords • Brute Force Attack – Try all permutations of the letters & symbols in the alphabet • Hybrid Attack – Words from dictionary and their variations used in attack • Social Engineering – People write passwords in different places – People disclose passwords naively to others • Shoulder Surfing – Hackers slyly watch over peoples shoulders to steal passwords • Dumpster Diving – People dump their trash papers in garbage which may contain information to crack passwords Password Attacks - Types
• Computer Security is a continuous battle – As computer security gets tighter hackers are getting smarter • Very high stakes Conclusions

More Related Content

PPT
2hacking.ppt
byLatinaLatina1
 
PPTX
APpresebtstuobvghgftytfhyrfyttrfgPT.pptx
bysarojrk0710
 
PPT
Hacking
byAnil Shrivastav
 
PPT
Hacking
byLutfulM
 
PPT
Hacking
byMuhammad Ruhul Mowla
 
PPT
hacking.ppt project (1) computer science
byNatashaDalal1
 
PPT
PPIT Lecture 20
byKashif Sohail
 
PPT
hackingggggggggggggggggggggggggggggg.ppt
byganeshdas9449
 
2hacking.ppt
byLatinaLatina1
 
APpresebtstuobvghgftytfhyrfyttrfgPT.pptx
bysarojrk0710
 
Hacking
byAnil Shrivastav
 
Hacking
byLutfulM
 
Hacking
byMuhammad Ruhul Mowla
 
hacking.ppt project (1) computer science
byNatashaDalal1
 
PPIT Lecture 20
byKashif Sohail
 
hackingggggggggggggggggggggggggggggg.ppt
byganeshdas9449
 

Similar to hacking lecture 3c.ppt

PPT
Computer Security
byGreater Noida Institute Of Technology
 
PPT
Computer Security Hacking
byErdo Deshiant Garnaby
 
PPT
Ethical Hacking : Why Do Hackers Attack And How ?
byHBServices7
 
PPTX
Avirup_Ray_18700219054_Cyber_Security_1.pptx
byAvirupRay2
 
PPTX
Network Security
byPuneet Abichandani
 
PPTX
Cyper security & Ethical hacking
byCmano Kar
 
PPTX
Computer security system Unit1.pptx
byVIRAJDEY1
 
PPT
basic knowhow hacking
byAnant Shrivastava
 
PPTX
Understanding computer attacks and attackers - Eric Vanderburg - JURINNOV
byEric Vanderburg
 
PPTX
UNIT 5 (2).pptx
byjanani603976
 
PPT
Security Attacks.ppt
byZaheer720515
 
PPTX
NIS1ppt (1).pptxhgfchgfhgfhgfgjdgfdhgdhgfehft
bybalajihegade1648
 
PDF
Network Security & Attacks
byNetwax Lab
 
PPTX
Network security and firewalls
byMurali Mohan
 
PPT
Meletis Belsis - Introduction to information security
byMeletis Belsis MPhil/MRes/BSc
 
PPTX
Hacking by Pratyush Gupta
byTenet Systems Pvt Ltd
 
PPT
Computer Security
byVaibhavi Patel
 
PPT
Computer Security
byVaibhavi Patel
 
PPT
Web security
byJin Castor
 
PPTX
Cyber.pptx
byMahalakshmiShetty3
 
Computer Security
byGreater Noida Institute Of Technology
 
Computer Security Hacking
byErdo Deshiant Garnaby
 
Ethical Hacking : Why Do Hackers Attack And How ?
byHBServices7
 
Avirup_Ray_18700219054_Cyber_Security_1.pptx
byAvirupRay2
 
Network Security
byPuneet Abichandani
 
Cyper security & Ethical hacking
byCmano Kar
 
Computer security system Unit1.pptx
byVIRAJDEY1
 
basic knowhow hacking
byAnant Shrivastava
 
Understanding computer attacks and attackers - Eric Vanderburg - JURINNOV
byEric Vanderburg
 
UNIT 5 (2).pptx
byjanani603976
 
Security Attacks.ppt
byZaheer720515
 
NIS1ppt (1).pptxhgfchgfhgfhgfgjdgfdhgdhgfehft
bybalajihegade1648
 
Network Security & Attacks
byNetwax Lab
 
Network security and firewalls
byMurali Mohan
 
Meletis Belsis - Introduction to information security
byMeletis Belsis MPhil/MRes/BSc
 
Hacking by Pratyush Gupta
byTenet Systems Pvt Ltd
 
Computer Security
byVaibhavi Patel
 
Computer Security
byVaibhavi Patel
 
Web security
byJin Castor
 
Cyber.pptx
byMahalakshmiShetty3
 

Recently uploaded

PPTX
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
PPTX
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
PDF
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
PPTX
Project Dashboard in Odoo 18 Project
byCeline George
 
DOCX
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
PPTX
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
PPTX
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
PDF
Admin Slides for Oct'25 semester - PBO - MC1.pdf
byMark Kor
 
PDF
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
PDF
Admin Slides for Oct'25 semester (Progression)
byGreat Files
 
PPTX
Safety Needs and Prevention of environmental hazards.pptx
byAneetaSharma15
 
PPTX
THERAPEUTIC ENVIORNMENT.............pptx
byAneetaSharma15
 
PPTX
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
PPTX
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
DOCX
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
PDF
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
PPTX
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
PDF
Learning English by Project Based Learning: How to Make Foreign Friends
bysilvianalevana
 
PDF
Total Quality Management : A presentation by a third year student.
byMbalenhle Ndlovu
 
PPTX
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
Project Dashboard in Odoo 18 Project
byCeline George
 
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
GAS chromatography ppt (Presentation) by Jatin Chauhan
byjatinchauhan1618
 
Capital Budgeting - Risk Analysis Using Sensitivity Analysis
bySundar B N
 
Admin Slides for Oct'25 semester - PBO - MC1.pdf
byMark Kor
 
The Children’s Support Fund, set up to support the welfare and education of c...
bynservice241
 
Admin Slides for Oct'25 semester (Progression)
byGreat Files
 
Safety Needs and Prevention of environmental hazards.pptx
byAneetaSharma15
 
THERAPEUTIC ENVIORNMENT.............pptx
byAneetaSharma15
 
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
TUYỂN CHỌN 30 ĐỀ THI CHỌN HỌC SINH GIỎI LỚP 9 CÁC TỈNH NĂM 2024-2025 MÔN TIẾN...
byNguyen Thanh Tu Collection
 
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
Learning English by Project Based Learning: How to Make Foreign Friends
bysilvianalevana
 
Total Quality Management : A presentation by a third year student.
byMbalenhle Ndlovu
 
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 

hacking lecture 3c.ppt

  • 1.
  • 2.
    • Crisis • ComputerCrimes • Hacker Attacks • Modes of Computer Security – Password Security – Network Security – Web Security – Distributed Systems Security – Database Security Topics
  • 3.
    • Internet hasgrown very fast and security has lagged behind. • Legions of hackers have emerged as impedance to entering the hackers club is low. • It is hard to trace the perpetrator of cyber attacks since the real identities are camouflaged • It is very hard to track down people because of the ubiquity of the network. • Large scale failures of internet can have a catastrophic impact on the economy which relies heavily on electronic transactions Crisis
  • 4.
    • Some ofthe sites which have been compromised – U.S. Department of Commerce – NASA – CIA – Greenpeace – Motorola – UNICEF – Church of Christ … • Some sites which have been rendered ineffective – Yahoo – Microsoft – Amazon … Why Security?
  • 5.
    • Because theycan – A large fraction of hacker attacks have been pranks • Financial Gain • Espionage • Venting anger at a company or organization • Terrorism Why do Hackers Attack?
  • 6.
    • Active Attacks –Denial of Service – Breaking into a site • Intelligence Gathering • Resource Usage • Deception/cheating • Passive Attacks – Sniffing • Passwords • Network Traffic • Sensitive Information – Information Gathering Types of Hacker Attack
  • 7.
    • Over theInternet • Over LAN • Locally • Offline • Theft • Deception Modes of Hacker Attack
  • 8.
    Definition: An attacker altershis identity so that some one thinks he is some one else – Email, User ID, IP Address, … – Attacker exploits trust relation between user and networked machines to gain access to machines Types of Spoofing: 1. IP Spoofing: 2. Email Spoofing 3. Web Spoofing Spoofing
  • 9.
    Definition: Attacker uses IPaddress of another computer to acquire information or gain access IP Spoofing – Flying-Blind Attack Replies sent back to 10.10.20.30 Spoofed Address 10.10.20.30 Attacker 10.10.50.50 John 10.10.5.5 From Address: 10.10.20.30 To Address: 10.10.5.5 • Attacker changes his own IP address to spoofed address • Attacker can send messages to a machine masquerading as spoofed machine • Attacker can not receive messages from that machine
  • 10.
    Definition: Attacker spoofs theaddress of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies IP Spoofing – Source Routing Replies sent back to 10.10.20.30 Spoofed Address 10.10.20.30 Attacker 10.10.50.50 John 10.10.5.5 From Address: 10.10.20.30 To Address: 10.10.5.5 • The path a packet may change can vary over time • To ensure that he stays in the loop the attacker uses source routing to ensure that the packet passes through certain nodes on the network Attacker intercepts packets as they go to 10.10.20.30
  • 11.
    Definition: Attacker sends messagesmasquerading as some one else What can be the repercussions? Types of Email Spoofing: 1. Create an account with similar email address – Sanjaygoel@yahoo.com: A message from this account can perplex the students 2. Modify a mail client – Attacker can put in any return address he wants to in the mail he sends 3. Telnet to port 25 – Most mail servers use port 25 for SMTP. Attacker logs on to this port and composes a message for the user. Email Spoofing
  • 12.
    • Basic – Attackerregisters a web address matching an entity e.g. votebush.com, geproducts.com, gesucks.com • Man-in-the-Middle Attack – Attacker acts as a proxy between the web server and the client – Attacker has to compromise the router or a node through which the relevant traffic flows • URL Rewriting – Attacker redirects web traffic to another site that is controlled by the attacker – Attacker writes his own web site address before the legitimate link • Tracking State – When a user logs on to a site a persistent authentication is maintained – This authentication can be stolen for masquerading as the user Web Spoofing
  • 13.
    • Web Sitemaintains authentication so that the user does not have to authenticate repeatedly • Three types of tracking methods are used: 1. Cookies: Line of text with ID on the users cookie file – Attacker can read the ID from users cookie file 2. URL Session Tracking: An id is appended to all the links in the website web pages. – Attacker can guess or read this id and masquerade as user 3. Hidden Form Elements – ID is hidden in form elements which are not visible to user – Hacker can modify these to masquerade as another user Web Spoofing – Tracking State
  • 14.
    Definition: Process of takingover an existing active session Modus Operandi: 1. User makes a connection to the server by authenticating using his user ID and password. 2. After the users authenticate, they have access to the server as long as the session lasts. 3. Hacker takes the user offline by denial of service 4. Hacker gains access to the user by impersonating the user Session Hijacking
  • 15.
    • Attacker can –monitor the session – periodically inject commands into session – launch passive and active attacks from the session Session Hijacking Bob telnets to Server Bob authenticates to Server Bob Attacker Server Die! Hi! I am Bob
  • 16.
    • Attackers exploitsequence numbers to hijack sessions • Sequence numbers are 32-bit counters used to: – tell receiving machines the correct order of packets – Tell sender which packets are received and which are lost • Receiver and Sender have their own sequence numbers • When two parties communicate the following are needed: – IP addresses – Port Numbers – Sequence Number • IP addresses and port numbers are easily available so once the attacker gets the server to accept his guesses sequence number he can hijack the session. Session Hijacking – How Does it Work?
  • 17.
    Definition: Attack through whicha person can render a system unusable or significantly slow down the system for legitimate users by overloading the system so that no one else can use it. Types: 1. Crashing the system or network – Send the victim data or packets which will cause system to crash or reboot. 2. Exhausting the resources by flooding the system or network with information – Since all resources are exhausted others are denied access to the resources 3. Distributed DOS attacks are coordinated denial of service attacks involving several people and/or machines to launch attacks Denial of Service (DOS) Attack
  • 18.
    Types: 1. Ping ofDeath 2. SSPing 3. Land 4. Smurf 5. SYN Flood 6. CPU Hog 7. Win Nuke 8. RPC Locator 9. Jolt2 10. Bubonic 11. Microsoft Incomplete TCP/IP Packet Vulnerability 12. HP Openview Node Manager SNMP DOS Vulneability 13. Netscreen Firewall DOS Vulnerability 14. Checkpoint Firewall DOS Vulnerability Denial of Service (DOS) Attack
  • 19.
    • This attacktakes advantage of the way in which information is stored by computer programs • An attacker tries to store more information on the stack than the size of the buffer How does it work? Buffer Overflow Attacks • Buffer 2 Local Variable 2 Buffer 1 Local Variable 1 Return Pointer Function Call Arguments • Fill Direction Bottom of Memory Top of Memory Normal Stack • Buffer 2 Local Variable 2 Machine Code: execve(/bin/sh) New Pointer to Exec Code Function Call Arguments • Fill Direction Bottom of Memory Top of Memory Smashed Stack Return Pointer Overwritten Buffer 1 Space Overwritten
  • 20.
    • Programs whichdo not do not have a rigorous memory check in the code are vulnerable to this attack • Simple weaknesses can be exploited – If memory allocated for name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters • Can be used for espionage, denial of service or compromising the integrity of the data Examples – NetMeeting Buffer Overflow – Outlook Buffer Overflow – AOL Instant Messenger Buffer Overflow – SQL Server 2000 Extended Stored Procedure Buffer Overflow Buffer Overflow Attacks
  • 21.
    • A hackercan exploit a weak passwords & uncontrolled network modems easily • Steps – Hacker gets the phone number of a company – Hacker runs war dialer program • If original number is 555-5532 he runs all numbers in the 555-55xx range • When modem answers he records the phone number of modem – Hacker now needs a user id and password to enter company network • Companies often have default accounts e.g. temp, anonymous with no password • Often the root account uses company name as the password • For strong passwords password cracking techniques exist Password Attacks
  • 22.
    • Password hashedand stored – Salt added to randomize password & stored on system • Password attacks launched to crack encrypted password Password Security Hash Function Hashed Password Salt Compare Password Client Password Server Stored Password Hashed Password Allow/Deny Access
  • 23.
    • Find avalid user ID • Create a list of possible passwords • Rank the passwords from high probability to low • Type in each password • If the system allows you in – success ! • If not, try again, being careful not to exceed password lockout (the number of times you can guess a wrong password before the system shuts down and won’t let you try any more) Password Attacks - Process
  • 24.
    • Dictionary Attack –Hacker tries all words in dictionary to crack password – 70% of the people use dictionary words as passwords • Brute Force Attack – Try all permutations of the letters & symbols in the alphabet • Hybrid Attack – Words from dictionary and their variations used in attack • Social Engineering – People write passwords in different places – People disclose passwords naively to others • Shoulder Surfing – Hackers slyly watch over peoples shoulders to steal passwords • Dumpster Diving – People dump their trash papers in garbage which may contain information to crack passwords Password Attacks - Types
  • 25.
    • Computer Securityis a continuous battle – As computer security gets tighter hackers are getting smarter • Very high stakes Conclusions