Keystroke logging
One of the best techniques for capturing passwords is remote keystroke logging — the use of software or hardware to record keystrokes as they’re typed.Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it’s not done correctly. Discuss with your legal counsel what you’ll be doing, ask for her guidance, and get approval from upper management.
Logging tools used by hackers
With keystroke-logging tools, you can assess the log files of your application to see what passwords people are using:- Keystroke-logging applications can be installed on the monitored computer. Check out Veriato's Cebral, as one example. Dozens of such tools are available online.
- Hardware-based tools fit between the keyboard and the computer or replace the keyboard.
A keystroke-logging tool installed on a shared computer can capture the passwords of every user who logs in.
Countermeasures against logging tools
The best defense against the installation of keystroke-logging software on your systems is to use an antimalware program or a similar endpoint protection software that monitors the local host. It’s not foolproof but can help. As with physical keyloggers, you’ll need to inspect each system visually.The potential for hackers to install keystroke-logging software is another reason to ensure that your users aren’t downloading and installing random shareware or opening attachments in unsolicited emails. Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows.
Alternatively, you could use a commercial lockdown program, such as Fortres 101 for Windows or Deep Freeze Enterprise for Windows, Linux, and macOS X. A different technology that still falls into this category is Carbon Black’s “positive security” allow listing application, called Cb Protection, which allows you to configure which executables can be run on any given system. It’s intended to fight off advanced malware but could certainly be used in this situation.Weak password storage
Many legacy and stand-alone applications — such as email, dial-up network connections, and accounting software — store passwords locally, which makes them vulnerable to password hacking. By performing a basic text search, you can find passwords stored in clear text on the local hard drives of machines. You can automate the process even further by using a program called FileLocator Pro.How hackers search for passwords
You can try using your favorite text-searching utility — such as the Windows search function,findstr
, or grep
— to search for password or passwd on your computer's drives. You may be shocked to find what’s on your systems. Some programs even write passwords to disk or leave them stored in memory.
Weak password storage is a criminal hacker’s dream. Head it off if you can. This doesn’t mean that you should immediately run off and start using a cloud-based password manager, however. As we’ve all seen over the years, those systems get hacked as well!
Countermeasures against weak passwords
The only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This practice may not be practical, but it’s your only guarantee that your passwords are secure. Another option is to instruct users not to store their passwords when prompted.Before upgrading applications, contact your software vendor to see how it manages passwords, or search for a third-party solution.
How hackers use network analyzers to crack passwords
A network analyzer sniffs the packets traversing the network, which is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in.Finding password vulnerabilities with network analyzers
The image below shows how crystal-clear passwords can be through the eyes of a network analyzer. This shows how Cain & Abel can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these clear text password vulnerabilities can apply to FTP, web, Telnet, and more. (The actual usernames and passwords are blurred to protect them.)If traffic isn’t tunneled through some form of encrypted link (such as a virtual private network, Secure Shell, or Secure Sockets Layer), it’s vulnerable to attack.
Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products Omnipeek and CommView, as well as the free open-source program Wireshark. With a network analyzer, you can search for password traffic in various ways. To capture POP3 password traffic, for example, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data.Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can’t see anyone else’s data traversing the network — just yours. Check your switch’s user guide to see whether it has a monitor or mirror port and for instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You’ll capture only those packets that are entering or leaving your network — not internal traffic.
Countermeasures against network analyzers
Here are some good defenses against network analyzer attacks:- Use switches on your network, not hubs. Ethernet hubs are things of the past, but they are still used occasionally. If you must use hubs on network segments, a program like sniffdet for Unix/Linux-based systems and PromiscDetect for Windows can detect network cards in promiscuous mode (accepting all packets, whether they’re destined for the local machine or not). A network card in promiscuous mode signifies that a network analyzer may be running on the network.
- Make sure that unsupervised areas, such as an unoccupied lobby or training room, don’t have live network connections. An Ethernet port is all someone needs to gain access to your internal network.
- Don’t let anyone without a business need gain physical access to your switches or to the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and then capture packets.
Switches don’t provide complete security because they’re vulnerable to ARP poisoning attacks.
How hackers break weak BIOS passwords
Most computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer’s hardware settings that are stored in the CMOS chip. Here are some ways around these passwords:- You usually can reset these passwords by unplugging the CMOS battery or by changing a jumper on the motherboard.
- Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers.
Check cirt.net for a good list of default system passwords for various vendor equipment.
Tons of variables exist for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check for information in your user manual, or refer to the BIOS password-hacking guide. If protecting the information on your hard drives is your ultimate goal, full (sometimes referred to as whole) disk is the best way to go.The good news is that newer computers (within the past five years or so) use a new type of BIOS called unified extensible firmware interface (UEFI), which is much more resilient to boot-level system cracking attempts. Still, a weak password may be all it takes for the system to be exploited.
Weak passwords in limbo
Bad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts may need to be created for new employees or even for security testing purposes. Accounts may need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts.Password weaknesses in user account
Here are some reasons why user accounts can be vulnerable:- When user accounts are reset, they’re often assigned an easily cracked or widely-known password (such as the user’s name or the word password). The time between resetting the user account and changing the password is a prime opportunity for a break-in.
- Many systems have default accounts or unused accounts with weak passwords or no passwords at all. These accounts are prime targets.
Countermeasures against passwords in limbo
The best defenses against attacks on passwords in limbo are solid help-desk policies and procedures that prevent weak passwords from being available at any given time during the new-account-generation and password-reset processes. Following are perhaps the best ways to overcome this vulnerability:- Require users to be on the phone with the help desk or to have a help-desk member perform the reset at the user’s desk.
- Require that the user immediately log in and change the password.
- If you need the ultimate in security, implement stronger authentication methods, such as challenge/response questions, smart cards, or digital certificates.
- Automate password reset functionality via self-service tools on your network so that users can manage most of their password problems without help from others.