In the previous article we looked at the man-in-the-middle attack, in which an attacker steals information by intercepting network traffic. This month we turn to authentication attacks, a broad family of techniques capable of causing serious identity and data theft. We will also discuss how FOSS systems can be protected from such attacks.
By definition, authentication is the process of confirming the truth of a claim or the identity of an entity. In technical terms, it is a program or process that confirms a user's identity, to ensure that the user really is who they claim to be. Any computer system that needs to maintain user-specific sessions or data sets must have its users log in, and therefore needs some authentication mechanism in place. This holds for client-server systems as well as web portals. Authentication plays an important role in the overall security of software applications and systems: its purpose is to keep unauthorized persons from gaining access, while ensuring that authorized persons can reach the resources they need. It is commonly assumed that authentication is all about passwords. That is true to some extent, but we will soon look at mechanisms beyond passwords. To understand the security challenges, we first need to understand how the authentication process works.
Let us see how a typical authentication system works (refer to Fig 1). The user tries to authenticate to the authentication verifier. The verifier is a trusted software component that first challenges the user to present credentials, such as a user ID and a password. The user enters the information, which is sent to an authentication module. This module consults a back-end authentication database holding the user's credential record, created when the user's profile was established. If the presented information matches the stored record, the user is issued a token. This token becomes part of the user's active session and saves the user from re-authenticating on every subsequent request. This example depicts a user being authenticated by a software system; there are also situations in which one software system authenticates another. As shown in Fig 2, multiple authentication protocols are available, operating at different OSI layers and each serving a different purpose in strengthening security. Authentication can happen anywhere from layer 3 to layer 7. Below are a few high-level authentication types in wide use.
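The flow of Fig 1 in code, as an added example that is not part of the original article: a verifier with a constructed one-user credential database (the user name, password, PBKDF2 parameters and 15-minute token lifetime are all assumptions for the example). The stored record holds only a salted hash; a successful comparison issues a random token, and later requests are accepted on the token alone until it expires.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user
# random salt. The stored record never contains the password itself.
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16          # used to keep timing uniform for unknown users


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> dict:
    """What the back-end database stores when a profile is created."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed credential database with a single user.
USERS = {"alice": make_record("correct horse battery staple")}


class Verifier:
    """Checks credentials once, then issues a session token that stands in
    for them on later requests until it expires."""

    TOKEN_TTL = 900  # seconds

    def __init__(self, users: dict, now=time.time):
        self.users = users
        self.now = now                   # injectable clock, handy for tests
        self.sessions = {}               # token -> (userid, expiry time)

    def login(self, userid: str, password: str):
        """Compare the presented credentials with the stored record; return a
        fresh token on success, None otherwise."""
        record = self.users.get(userid)
        if record is None:
            # Spend the same effort as for a real user so that response time
            # does not reveal which user IDs exist.
            hash_password(password, DUMMY_SALT)
            return None
        presented = hash_password(password, record["salt"])
        if not hmac.compare_digest(presented, record["hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (userid, self.now() + self.TOKEN_TTL)
        return token

    def authenticate_request(self, token: str):
        """Every later request carries the token instead of the credentials.
        Returns the user ID the token maps to, or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        userid, expiry = entry
        if self.now() > expiry:
            del self.sessions[token]     # expired tokens are forgotten
            return None
        return userid


if __name__ == "__main__":
    verifier = Verifier(USERS)
    token = verifier.login("alice", "correct horse battery staple")
    print("login ok, token issued:", token is not None)
    print("request with token maps to:", verifier.authenticate_request(token))
    print("wrong password gives token:", verifier.login("alice", "nope"))
```

Two details matter for the attacks discussed later: the comparison is constant-time, and an unknown user costs the same as a wrong password, so the verifier does not leak which accounts exist.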
Logon authentication – This type covers the rudimentary user ID and password combination as well as stronger means such as biometrics, smart cards and PINs. CAPTCHA images are often bundled in here too, though strictly they authenticate nobody; they only slow down automated guessing. Client-server systems as well as web-based systems use this method as the first line of defense.
Network authentication – This type operates at multiple OSI layers and verifies a user's identity for the network resources being accessed. Usually the operating system does this job with the help of the network driver and protocol stack. For example, once a user has authenticated and connected to a file share, they are not asked for credentials again for the duration of that session.
IP authentication – This method operates at the network layer and validates the origin and integrity of IP datagrams. It is achieved with IPsec (the AH and ESP protocols), whose keys are established from pre-shared secrets or from public key certificates during the key exchange. Kerberos, which is sometimes grouped with it, is actually a ticket-based application-layer protocol and does not protect individual datagrams.
Remote authentication – This type is used between remote computer systems communicating with each other for data transfer. Typically virtual private networks (VPNs) use it, and PPP-based links rely on PAP or CHAP. Note that PAP sends the password in clear text, whereas CHAP uses a hashed challenge-response, so CHAP should be preferred wherever there is a choice.
On the internet, where HTTP is the base protocol for communication, application and session layer security is paramount. Web portals use a variety of authentication mechanisms too. Below are a few standard types in wide use.
Basic authentication – The user ID and password are sent in the Authorization header merely Base64-encoded, which is as good as clear text. Nearly every web server supports it, and it is only acceptable over TLS.
Digest – Similar in flow to Basic, but instead of the password the client sends an MD5 hash computed over the user name, realm, password, a server-supplied nonce and the request details. The password itself does not cross the wire, but a captured exchange can still be attacked offline with a dictionary, and MD5 is weak by modern standards.
Form based – The HTML login form is submitted with an HTTP POST to the receiving page on the server side. Form-based authentication can happen on a plain HTTP channel or over TLS (SSL); only the latter protects the credentials in transit.
NTLM – Microsoft's proprietary challenge-response protocol, originally for Windows networking; it can also be carried inside HTTP to authenticate users to web portals. Its primary use is authentication between Windows clients and servers, and non-Windows implementations such as Samba support it as well.
Client certificates – While the server certificate used in TLS (SSL) vouches for the identity of the web server, a client certificate does the same for the user accessing the site. A client certificate is often used as an economical substitute for smart cards or SecurID tokens. Client certificates are implemented within the TLS handshake, where the browser proves possession of the private key by signing part of the handshake, so the browser must support this exchange.
As mentioned earlier, the authentication process is a crucial component in securing a software application or system. Securing the authentication process itself is therefore even more important and imperative, because the repercussions of a successful attack on it can be severe. A hacker can gain access to sensitive information, and can delete, alter or corrupt valuable data. Furthermore, the hacker can assume someone's identity, resulting in personal damage such as identity or monetary theft. If the stolen identity is that of a network or server administrator, the damage is hard to overstate.
Let us take another look at the authentication process discussed above, from the security standpoint. Referring to Fig 1, there are three critical attack points (marked with red numbers) that can make the process vulnerable. When the user is typing the credentials, they can be captured by a man-in-the-browser script or Trojan. When the credentials are transmitted over the wire, they can be intercepted by a man-in-the-middle attack. Lastly, when the credentials are compared with the entries in the database, the query or the stored entries can be manipulated to force a successful match. Thus packet interception and packet crafting are used to collect and manipulate information, which in turn renders the authentication mechanism vulnerable. Let us now discuss a few authentication attack types in detail.
Bypass attack – By nature, attackers first try to bypass security altogether, and authentication is no exception. The root cause of an authentication bypass is usually either the software's failure to enforce its access policy, or a weakly designed authentication architecture. For example, web code that authenticates with user credentials may enforce a strict password policy, yet fail to reject a blank password, creating a serious loophole. As another example, developers often place protected and unprotected files in the same folder, so that a direct request for a file reaches it without ever passing through the login check. Bypass attacks are usually tried against custom-built authentication systems rather than robust industry-standard ones.
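The blank-password loophole described above, as an added example (not code from the original article) with a constructed two-user store; the account names, password and policy are assumptions. The vulnerable login enforces a strict policy when a password is set, but its check only runs when both a typed password and a stored hash are present, so a blank password, or an account whose password was never set, falls through to "allow". The fixed version fails closed.

```python
import hashlib
import hmac
import os

SALT = os.urandom(16)


def pwhash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed credential store. "svc-backup" was provisioned by an
# administrator but its password has not been set yet, so its hash is None.
USERS = {
    "alice": pwhash("S3cure!Passw0rd"),
    "svc-backup": None,
}

PASSWORD_MIN_LENGTH = 12


def password_policy_ok(password: str) -> bool:
    """Strict policy, enforced when a password is *set*. It says nothing
    about what the login routine accepts."""
    return (len(password) >= PASSWORD_MIN_LENGTH
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def login_vulnerable(userid: str, password: str) -> bool:
    """The flawed check. Hashes are compared only when both a password was
    typed and a hash is on file; every other case falls through to 'allow'.
    A blank password, or an account with no password set, bypasses
    authentication entirely."""
    if userid not in USERS:
        return False
    stored = USERS[userid]
    if password and stored:
        if not hmac.compare_digest(pwhash(password), stored):
            return False
    return True


def login_fixed(userid: str, password: str) -> bool:
    """Fail closed: deny unless a hash exists and the presented password
    matches it. Nothing is allowed by falling off the end of the function."""
    stored = USERS.get(userid)
    if not password or stored is None:
        return False
    return hmac.compare_digest(pwhash(password), stored)


if __name__ == "__main__":
    print("policy accepts alice's password:", password_policy_ok("S3cure!Passw0rd"))
    print("vulnerable, blank password   :", login_vulnerable("alice", ""))
    print("vulnerable, unset account    :", login_vulnerable("svc-backup", "anything"))
    print("fixed, blank password        :", login_fixed("alice", ""))
    print("fixed, unset account         :", login_fixed("svc-backup", "anything"))
```

The general lesson is that an authentication routine should have exactly one path that returns success, reached only after an explicit positive comparison; every other path must deny.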
Brute force for passwords – In client-server software systems and web portals, passwords remain a single point of security failure even today. Beyond mere guessing, attackers use scripts and customized programs fed with large numbers of user ID and password combinations, run against the authentication system under attack. First a list of dictionary words is tried: the dictionary attack. Next, a list of very commonly used user IDs and passwords is tried, along with variations using digits and special characters. Finally, large databases of credentials leaked from other systems are tried. The idea is to keep trying combinations until one is accepted by the authentication system. While this is exhaustive work, improved computing power and network bandwidth have made it easier. Where an attacker has obtained the stored password hashes, they can also use rainbow tables (precomputed tables of hashes for large candidate sets) to recover unsalted passwords in far less time.
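An added example, not from the original article, of the offline side of this attack: a constructed eight-word list stands in for a real dictionary, and the stolen hashes are computed from assumed passwords. Against bare MD5, one precomputed table answers every stolen hash with a single lookup (the principle a rainbow table refines); against a salted, iterated hash the table is useless and every guess must be recomputed per user at full cost.

```python
import hashlib
import os

# Constructed word list standing in for a real dictionary or leaked-credential
# corpus; real lists run to millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon",
            "football", "iloveyou", "admin123"]


def unsalted_hash(password: str) -> str:
    """How many legacy systems stored passwords: one bare MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Hash every candidate once, up front. This is the principle behind a
    rainbow table (which additionally compresses the table into chains): the
    work is done before any particular victim is targeted and is reused
    against every unsalted hash the attacker ever obtains."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(target_hex: str, table: dict):
    """A single dictionary lookup per stolen hash."""
    return table.get(target_hex)


def salted_hash(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def crack_salted(target: bytes, salt: bytes, words, rounds: int):
    """With a per-user salt no precomputed table applies: every candidate has
    to be re-hashed for this salt, and each attempt costs `rounds` iterations.
    Returns (recovered_word_or_None, number_of_hash_computations)."""
    attempts = 0
    for w in words:
        attempts += 1
        if salted_hash(w, salt, rounds) == target:
            return w, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stolen = unsalted_hash("sunshine")           # as dumped from a user table
    print("unsalted MD5 cracked by lookup:", crack_unsalted(stolen, table))

    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("same password, different salts, equal hashes?",
          salted_hash("dragon", salt_a, 1000) == salted_hash("dragon", salt_b, 1000))
    print("salted hash cracked only by recomputing:",
          crack_salted(salted_hash("dragon", salt_a, 1000), salt_a, WORDLIST, 1000))
```

The salt does not stop a dictionary attack on a weak password; it removes the precomputation and forces the attacker to pay the full iteration count for every guess against every user, which is what makes the defenses in the last section effective.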
Session eavesdropping – Since authentication involves a challenge and response between two systems, the credentials pass over the wire. A hacker can deploy a packet capture tool and wait for the victim to log in. While authentication is in progress, the hacker intercepts the session and extracts the credentials from it. For example, if a website uses simple HTML form authentication that is not over TLS, the password is sent in clear text and can be captured easily. In an advanced form, the hacker can perform a session takeover attack, in which the valid token issued on successful authentication is captured and reused to take over the session. The hacker can then perform further actions impersonating the victim.
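What an eavesdropper actually gets from the Basic, Digest and form-based mechanisms listed earlier, as an added example that is not part of the original article. The two captured requests are constructed (the hosts, user names and passwords are made up), and the Digest parameters are assumptions. Basic and form logins yield the password directly; Digest yields only a hash, but since the nonce, realm and request details are all visible in the capture, the password can still be guessed offline.

```python
import base64
import hashlib
from urllib.parse import parse_qs

# Constructed requests, as they would appear in a packet capture of plain HTTP.
# Neither the hosts nor the credentials are real.
CAPTURED = [
    (b"GET /intranet/ HTTP/1.1\r\n"
     b"Host: intranet.example.test\r\n"
     b"Authorization: Basic Ym9iOnMzY3IzdCE=\r\n"
     b"\r\n"),
    (b"POST /login HTTP/1.1\r\n"
     b"Host: portal.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 31\r\n"
     b"\r\n"
     b"username=alice&password=hunter2"),
]

USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "passwd", "pass")


def extract_credentials(raw: bytes):
    """Pull credentials out of one plaintext HTTP request.
    Returns a list of (mechanism, user, password) tuples."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:                      # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Base64 is an encoding, not encryption: one call recovers user:pass.
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        found.append(("basic", user, password))

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        users = [form[f][0] for f in USER_FIELDS if f in form]
        passwords = [form[f][0] for f in PASS_FIELDS if f in form]
        if users and passwords:
            found.append(("form", users[0], passwords[0]))
    return found


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 Digest response (no qop): what the client puts on the wire
    instead of the password."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def crack_digest(captured_response, user, realm, method, uri, nonce, words):
    """Everything except the password is visible in the capture, so a word
    list can be tried offline against the captured response."""
    for w in words:
        if digest_response(user, realm, w, method, uri, nonce) == captured_response:
            return w
    return None


if __name__ == "__main__":
    for raw in CAPTURED:
        print(extract_credentials(raw))
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # assumed server nonce
    resp = digest_response("carol", "portal", "letmein", "GET", "/dir/index.html", nonce)
    print("digest on the wire:", resp)
    print("recovered offline :", crack_digest(resp, "carol", "portal", "GET",
                                              "/dir/index.html", nonce,
                                              ["password", "qwerty", "letmein"]))
```

The session-takeover variant needs no decoding at all: the same parser applied to the Cookie or Authorization header of a later request hands over the token as-is.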
Replay attack – In this type, slightly different from session takeover, the hacker simply records the data of a successful authentication exchange and later initiates a new request to the server or verifier. Along with this new request, the hacker replays the recorded information to falsely authenticate and impersonate the victim, gaining the same set of rights and access as the victim.
Cookie interception – Web portals that require users to enter their credentials often rely on cookies stored in the user's browser. While cookies are supposed to be harmless pieces of information, they are frequently abused by hackers. Many websites store user preferences such as addresses and screen themes in cookies, and the user's authentication token, the outcome of a successful login, is often stored in a cookie too. Cookies are presented by the browser to the web server with every request and can be intercepted on the wire, or read by a Trojan on the browser side. Once the authentication token is compromised, the attacker can use it to impersonate the victim and perform further actions.
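A check a practitioner would want here, added as an example and not taken from the original article: audit the Set-Cookie headers a portal emits and flag any session-like cookie that can be sent over plain HTTP (no Secure flag) or read by script in the browser (no HttpOnly). The three headers are constructed, and the name patterns used to spot session cookies are an assumption.

```python
import re

# Constructed Set-Cookie headers as a portal might send them after login.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=3fa9c0e1b7d24; Path=/",
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000",
    "Set-Cookie: auth_token=c1b2d3e4f5a6; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Names that suggest the cookie carries an authentication token (assumed).
SESSION_NAME_HINT = re.compile(r"sess|auth|token|sid|login", re.IGNORECASE)
REQUIRED = ("secure", "httponly", "samesite")


def parse_set_cookie(header: str):
    """Return (cookie name, {attribute name: value}) for one Set-Cookie line."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flag-only attributes
    return name, attrs


def audit_cookies(headers):
    """List (cookie name, missing attributes) for every session-like cookie
    that lacks Secure (TLS only), HttpOnly (no script access) or SameSite."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not SESSION_NAME_HINT.search(name):
            continue                      # preference cookies are not the target
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Secure and HttpOnly close the two interception paths described above only partly: Secure keeps the token off plain HTTP, and HttpOnly keeps it away from injected scripts, but a Trojan running with the browser's privileges can still read the cookie store directly.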
Verifier impersonation – We learnt earlier that a man-in-the-middle attack is difficult to detect because of its stealthy nature. An advanced hacker can act as the man in the middle, set up their own authentication system on the network and divert traffic to it using IP spoofing and the other techniques discussed earlier. Any victim who initiates a connection and sends credentials ends up revealing them to the hacker. Though this attack is somewhat hard to mount from outside, it is easily within reach of a disgruntled insider.
Reflection attack – This is an advanced attack and is not limited to web technology. It exploits a weakness in a custom challenge-response authentication system in which both parties compute responses in the same way, so that one party can be made to answer its own challenge. The hacker first initiates a connection with the victim. The victim, as a normal part of the process, challenges the hacker to authenticate. The hacker now opens a second, fresh connection with the victim and sends the victim's own challenge back to it as a challenge. Again, as part of the normal process, the victim returns a valid response. The hacker captures that response and submits it on the first connection. Since both the challenge and the response are valid in the victim's eyes, the victim falls prey to the attack. This attack is rarely seen against mainstream protocols, but it is a classic flaw of naively designed challenge-response schemes, whether built on a shared secret or on public keys, whenever the protocol does not bind a response to the role and direction in which it was produced. A simpler, related failure is a home-grown SQL-based authentication system that is poorly architected and does not handle errors carefully; such a system can usually be bypassed without any cryptography at all.
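The exchange above simulated end to end, as an added example that is not from the original article. The protocol is an assumed toy: both sides share one key and a response is an HMAC over the challenge. With the naive scheme the attacker, holding no key, authenticates by reflecting the victim's own answer; binding the answering role into the MAC makes the reflected answer worthless on the first connection.

```python
import hashlib
import hmac
import os

# Assumed: both legitimate parties hold this shared key. The attacker does not.
SHARED_KEY = os.urandom(32)


def mac(data: bytes) -> bytes:
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()


class Peer:
    """A party in a symmetric challenge-response protocol. It can challenge
    the other side (as responder/server) and answer challenges (as the
    initiator/client or, for mutual authentication, as the responder)."""

    def __init__(self, bind_role: bool):
        self.bind_role = bind_role       # False: naive scheme, True: fixed scheme
        self.pending = {}                # connection id -> challenge issued on it

    def new_challenge(self, conn: str) -> bytes:
        challenge = os.urandom(16)
        self.pending[conn] = challenge
        return challenge

    def answer(self, challenge: bytes, role: bytes) -> bytes:
        """Naive: MAC(challenge). Fixed: MAC(role || challenge), so an answer
        produced as responder is useless where an initiator's answer is
        expected."""
        data = role + b"|" + challenge if self.bind_role else challenge
        return mac(data)

    def verify(self, conn: str, response: bytes) -> bool:
        challenge = self.pending.pop(conn)
        expected = self.answer(challenge, b"initiator")
        return hmac.compare_digest(expected, response)


def legitimate_login(server: Peer, client: Peer) -> bool:
    c = server.new_challenge("conn-legit")
    return server.verify("conn-legit", client.answer(c, b"initiator"))


def reflection_attack(victim: Peer) -> bool:
    """The attacker holds no key and opens two connections to the victim."""
    # Connection 1: attacker initiates, victim challenges with c1.
    c1 = victim.new_challenge("conn1")
    # Connection 2: attacker initiates again. Under mutual authentication the
    # initiator may challenge the responder too, so the attacker sends c1 as
    # *its* challenge, and the victim dutifully answers it as the responder.
    victim.new_challenge("conn2")                 # victim's own c2, ignored
    reflected = victim.answer(c1, b"responder")
    # Back on connection 1 the attacker presents the victim's own answer.
    return victim.verify("conn1", reflected)


if __name__ == "__main__":
    print("naive scheme, attacker authenticated:", reflection_attack(Peer(bind_role=False)))
    print("role-bound scheme, attacker authenticated:", reflection_attack(Peer(bind_role=True)))
    print("role-bound scheme, real client:", legitimate_login(Peer(True), Peer(True)))
```

A second, independent defense is to refuse to answer any challenge equal to one the peer itself currently has outstanding; real protocols generally do both, and also use distinct keys per direction.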
Keylogger attack – This is a well-known attack in which a Trojan is planted on the user's machine, sits quietly in the background and records all keystrokes. It then compiles a report of the website URLs visited and the credentials typed, and sends that report silently to the hacker, for example via email. Many modern spyware programs that run in stealth mode contain a keylogger. Spyware usually gathers keystrokes to profile the user's browsing habits, but there is no guarantee that passwords are not being stolen along the way.
Server side authentication attacks – So far we have discussed attacks on the client side and over the wire. There are security challenges while a web server or LDAP server is performing authentication too. Hackers typically attempt to steal the administrator's password for the main authentication server, which would expose the entire credential database. Man-in-the-middle attacks are often used to harvest information and reach the root account. Server-side attacks typically start with a script or Trojan installed on the server, which opens stealthy listening ports; the hacker then uses those ports to run commands on the server and fetch the required information. Even today, many websites validate credentials with SQL queries or LDAP searches whose filters are built by string concatenation, and these are found to be vulnerable to injection. Malformed web requests, or malicious scripts run by exploiting an unpatched web server, can result in the theft of SQL data, as we learnt in the web hacking article of this series. Compromising these crucial servers can result in mass information and data theft.
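The injection route into a SQL-backed login, as an added example that is not from the original article: a constructed in-memory SQLite table with one assumed account, a login that splices the user name into the query text, and the parameterized form that does not. The hash is unsalted SHA-256 purely to keep the example short; the point is the query. The same pattern applies to an LDAP filter built by concatenation.

```python
import hashlib
import sqlite3


def pwhash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed user table in memory with a single assumed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pwhash("N0t-Guessable!")))
    db.commit()
    return db


def login_vulnerable(db, name: str, password: str):
    """User-supplied name is spliced straight into the SQL text, so the
    attacker can rewrite the WHERE clause. Returns the matched row or None."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND pwhash = '{pwhash(password)}'")
    return db.execute(sql).fetchone()


def login_safe(db, name: str, password: str):
    """Parameterized query: the driver passes name and hash as data, never as
    SQL, so quotes and comment markers inside them have no effect."""
    return db.execute("SELECT name FROM users WHERE name = ? AND pwhash = ?",
                      (name, pwhash(password))).fetchone()


if __name__ == "__main__":
    db = setup_db()
    # Closes the string literal, then comments out the password check.
    payload = "admin' --"
    print("vulnerable, real password :", login_vulnerable(db, "admin", "N0t-Guessable!"))
    print("vulnerable, injected name :", login_vulnerable(db, payload, "anything"))
    print("safe, injected name       :", login_safe(db, payload, "anything"))
```

With the vulnerable query the attacker never touches the credential database or learns a hash; the comparison itself is rewritten, which is the third attack point marked in Fig 1.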
Protecting FOSS systems
While authentication attacks are difficult to detect and tackle, there are a few preventive measures every network administrator should adopt. From the technology management perspective, it is highly advisable to have a single authentication system for the organization rather than several, simply because it leaves fewer points of attack. From the technical standpoint, refer to the table, which shows the multi-factor authentication types that can be combined to verify a user's identity.
| Factor | What it proves | Examples |
|---|---|---|
| First factor | What the user knows | Passwords, security questions |
| Second factor | What the user has | SecurID token, smart card |
| Third factor | What the user really is | Biometrics, retina scanner |
| Fourth factor | Where the user is | GPS/location token |
Using a strict and complex password scheme is usually the first line of defense. Password expiry and account lockout policies are very important too. Passwords stored on the centralized system must never be kept in clear text or under reversible encryption; store a salted, slow hash (such as bcrypt or PBKDF2) instead, so that a stolen database cannot be turned back into passwords. All of these measures help against manual and programmatic brute-force attacks. Since authentication can be attacked from several sides, the authentication system must be properly architected and controlled, which protects against bypass attacks. Using IPsec and Kerberos can help prevent session stealing and hijacking. Techniques such as one-time session tokens, time-stamping each request together with a nonce, and rejecting requests whose timestamp is stale or whose nonce has already been seen, mitigate the risk of replay attacks. As for cookie interception, using TLS together with the Secure and HttpOnly cookie attributes, or signing and encrypting the cookie contents, is strongly recommended.
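The timestamp-and-nonce replay defense just mentioned, applied to the replay attack described earlier, as an added example that is not part of the original article. It assumes that client and server share a per-session key once the user has logged in (the key, the 30-second skew window and the request contents are assumptions). Each request carries a timestamp, a fresh nonce and an HMAC over all of it; a recorded request fails on replay of the nonce, on a stale timestamp, or on the signature if anything in it was altered.

```python
import hashlib
import hmac
import secrets
import time

# Assumed: after login the client and server share a per-session key
# (for example derived from the session token). The window is an assumption.
SESSION_KEY = secrets.token_bytes(32)
MAX_SKEW = 30            # seconds a request timestamp may deviate from server time


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 ts: int, nonce: str) -> str:
    """Client side: MAC over the request plus timestamp and nonce, so the
    signature is valid for this exact request, at this time, once."""
    msg = f"{method}\n{path}\n{ts}\n{nonce}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side: rejects stale, repeated or tampered requests."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now                # injectable clock
        self.seen = {}                # nonce -> timestamp it was accepted with

    def check(self, method, path, body, ts, nonce, signature):
        now = self.now()
        if abs(now - ts) > MAX_SKEW:
            return False, "stale timestamp"
        # Nonces whose timestamp has left the window can never be accepted
        # again anyway, so they may be forgotten; this bounds memory use.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = sign_request(self.key, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard(SESSION_KEY)
    ts, nonce = int(time.time()), secrets.token_hex(8)
    body = b'{"to": "mallory", "amount": 100}'          # constructed request
    sig = sign_request(SESSION_KEY, "POST", "/transfer", body, ts, nonce)
    print("first delivery :", guard.check("POST", "/transfer", body, ts, nonce, sig))
    print("replayed       :", guard.check("POST", "/transfer", body, ts, nonce, sig))
```

The order of the checks is deliberate: the cheap timestamp test runs first, the nonce set stays small because it only has to cover one window, and the MAC is verified last so an attacker cannot use signature failures to probe which nonces the server still remembers.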
At the network layer, Linux systems come with a built-in feature called source address verification, also known as reverse path filtering. It is a kernel feature which, when turned on (the rp_filter sysctl under net.ipv4.conf), drops packets that claim to come from the internal network but arrive on an interface through which that network is not reachable. The kernels shipped by distributions such as Ubuntu and CentOS support it; if your distribution's kernel does not, it is time to upgrade. This reduces the chances of packet spoofing, which attackers use as a building block for authentication attacks. Adding "nospoof on" to /etc/host.conf is another, much weaker line of defense: it is a resolver-level check that the reverse lookup of an address and the forward lookup of the resulting name agree, so it only helps services that trust hostnames; rp_filter is the control that matters. Needless to say, a robust, automatic open source security patching system and antivirus deployment are essential.
Authentication attacks are a serious form of hacking that can compromise an entire IT infrastructure and its software systems. They can also lead to identity theft and monetary losses for individuals, so every organization must take them seriously and design its systems to defend against them. A properly architected authentication system, backed by an appropriate set of policies, is vital to an organization's data security.