Tuesday, July 10, 2007

Types of Attacks on Passwords


It always seems very simple when we type our credentials into a banking site to make a transaction, or into a shopping site to buy something. In this post I try to explain some of the types of attacks on passwords that can leave you bankrupt. I am not kidding; read on:




1) Hardware device (hardware keylogger): When we hear "hardware" we assume the attack takes time to install and that only experts could use it, but no: this device is very simple to install, and a kid could plug it in within 10 seconds or less. See the image below to get an idea of how simple it is. It is a small plug that sits between the keyboard and the computer and records every keystroke typed, including passwords. Criminals have installed such devices on bank machines to capture bank credentials, which has cost banks millions of pounds. Students have installed them on their teachers' computers to get access to exam papers. There are many other situations where these simple plugs can be installed and exploited, and because nothing runs on the computer itself, antivirus software does not see them.







2) Software malware (keyboard logger): We all enjoy free stuff, and now and then we use free software found on the internet. It may save a couple of dollars, but it can cost you a lot. Imagine that you downloaded some free software and it carried malware that modifies the OS kernel so it can capture your credentials whenever you log in to the system. Such malware can also capture the credentials you type into banking sites. It stores the passwords locally and sends them to the attackers' servers, where they use your bank credentials to transfer money to their own accounts or to gamble in a casino. Be very careful with free software.




3) Dictionary attack: We all use a dictionary, and most of our passwords come from one word, or a combination of words, found in one. Yes, you see where I am going. Smart people have written software that can be pointed at a system to try every likely word and word combination as the password. One solution, which many organizations and banks have already implemented, is locking the account after N unsuccessful password attempts. Note that lockout only slows down guessing against the live login; if an attacker has stolen a copy of the password hashes, the guessing happens offline on their own machine, where nothing limits the number of attempts.
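The following is an added example, not code from the original post, showing both sides of the dictionary attack described above: the same small wordlist run offline against a stolen password hash, and run online against a login that locks after N failures. The wordlist, the victim password "Dragon2007", the suffix rules in `mangle()` and the lockout threshold are all constructed for illustration, and unsalted SHA-256 is used only to keep the code short.

```python
import hashlib

# Constructed sample wordlist (not a real leak), standing in for a dictionary file.
WORDLIST = ["password", "letmein", "summer", "dragon", "monkey", "qwerty"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, used here only to keep the example short.
    A real credential store should use a slow, salted hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield the common variations of a dictionary word that cracking tools try
    (capitalisation and a few popular suffixes): 11 candidates per word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2007"):
        yield word + suffix
        yield word.capitalize() + suffix


def offline_dictionary_attack(target_hash: str, wordlist):
    """Offline attack against a stolen hash: hash every candidate and compare.
    Nothing rate-limits this; it runs as fast as the CPU allows.
    Returns (recovered_password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


class LockoutLogin:
    """Online login that locks the account after max_failures consecutive
    wrong passwords, the defence described in the post (threshold is an assumption)."""

    def __init__(self, stored_hash: str, max_failures: int = 5):
        self.stored_hash = stored_hash
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, password: str) -> str:
        if self.locked:
            return "locked"
        if sha256_hex(password) == self.stored_hash:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "fail"


def online_dictionary_attack(login: LockoutLogin, wordlist):
    """The same wordlist thrown at the online login form. Stops as soon as the
    account locks. Returns (recovered_password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            result = login.login(candidate)
            if result == "ok":
                return candidate, attempts
            if result == "locked":
                return None, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed victim password: a dictionary word with a capital and a year.
    target = sha256_hex("Dragon2007")
    print("offline:", offline_dictionary_attack(target, WORDLIST))               # ('Dragon2007', 44)
    print("online :", online_dictionary_attack(LockoutLogin(target), WORDLIST))  # (None, 5)
```

Against the stolen hash the password falls on the 44th guess; against the online form the account locks on the 5th and the correct password is refused afterwards, which is also why lockout needs care: an attacker who knows a victim's username can deliberately lock them out.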




4) Social engineering attack: Suppose you get a call from someone claiming to be from the security team. They say an alert shows a problem with your account that may end up deleting all the data on your machine, and they can fix it if you just tell them your account password. There is a good chance that some of us will agree and simply hand it over. I have seen many organizations where users tell the help-desk staff the password they want and ask them to reset the account to it. Users do not realize that this opens the door for another person to access secure material they should not be looking at.




5) James Bond attack (acoustic keystroke analysis): Researchers claim they can listen to the sound of a user's keystrokes and recover the password with about 90% accuracy, because each key makes a slightly different sound. This is one reason highly confidential rooms are built so that not a single sound leaves the room.




