Brute force attacks Cryptographic Assaults

adding the next large bit, and looking at the output. One assumption in cracking things this way is that the attacker must be able to identify the output as cracked when it actually is. If the clear text were English text, then it shouldn't be too hard, but what if the input data was another crypted message? This would ensure that all brute force outputs would look like garbage, even in the event of a successful crack. Another assumption is that there is time enough to spend cycling through all possible keys. If the encryption algorithm is slow, it may take a second or so to calculate the cipher; if there are several billion combinations for the key, the amount of time needed to crack the code would be between 50 and 100 years. We are not that patient, and figure that no one else is either.

2.4.2.6 Password guessers and dictionary attacks

If you are not familiar with Crack, the most common of the tools available to the would-be break-in artist, establish a way to check your own passwords by using it. Although we covered the DES encryption algorithm in detail previously in this chapter, we will present a short discussion on password cracking. Crack is available from http://www.atstake.com. Most computers use the DES algorithm to protect the passwords on the authentication system. Unix systems, which account for the bulk of the Internet-based systems, are the largest installed base of DES authentication units. Simply put, DES takes a user's clear text password, like the example password MucH007, and converts it into a 13-character pile of seeming gibberish, such as HnX2a4gLaMv3k. It is mathematically difficult to divine the original password from the encrypted one using brute force. So password-guessing programs don't try every possible string; they reduce the number of tries to a more feasible level by guessing what sorts of passwords people are likely to use. The Crack password-guessing program uses a dictionary of common words in several languages, including a ton of proper nouns such as people's names and places, and tries them as the password. This is why you hear your system administrator trying to persuade you to use something uncommon or something unnatural as a password. Simple passwords are almost equivalent to having no password at all.

2.4.2.7 Social engineering

Don't think that all threats come from the online front. One of the most traditional cracks is simply to call a person and ask them questions. Or, send them a survey, ripe with personal queries, and a $20.00 bill, for their trouble. You would be amazed at what people will tell you. This is how system attackers might get potential material for assisting them in piecing together password attempts. As we discussed earlier, a brute force hack of a password may take months on a fairly significant machine, yet reducing the total combinations to just real words found in a dictionary cuts the time spent on cracking that user to about 10 to 15 minutes. You can see how using personal information can drive guessing even complex passwords down to a trivial amount of time. Semi-public data such as phone numbers, birthdays, license plates, girlfriends, and favorite movies, music, stores, etc., can provide valuable resources to a password cracker. Social engineering can come in many forms, and is generally regarded as the easiest and most successful attack. Remember, even your 1024-bit RSA private key is protected by a passphrase or password that could be easily socially engineered.
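The two sections above explain why dictionary words and personal details make a password weak. The following check is an added example, not code from this book or from Crack: it rejects a proposed password when a few common mangling rules reduce it to a dictionary word or to a personal detail. The word lists are constructed samples, and the rules are an assumed small subset of what a real guesser applies.

```python
import re

# Constructed sample data: a tiny stand-in for a real wordlist and for the
# personal facts a social engineer could collect about one user.
DICTIONARY = {"much", "password", "dragon", "london", "michael"}
PERSONAL = {"rex", "1975", "jsmith", "casablanca"}

# Character substitutions a guesser undoes before looking a word up.
LEET = str.maketrans("01345@$7", "oleasast")

def candidates(password):
    """Yield the base forms a rule-based guesser would reduce a password to."""
    lowered = password.lower()
    # Drop digits and symbols tacked onto the front or the end.
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    for form in {lowered, stripped}:
        for variant in {form, form.translate(LEET)}:
            yield variant
            yield variant[::-1]  # reversed words are a standard rule

def audit(password):
    """Return the reasons a dictionary-based guesser would find this quickly."""
    forms = set(candidates(password))
    findings = [f"dictionary:{w}" for w in sorted(forms & DICTIONARY)]
    findings += [f"personal:{t}" for t in sorted(PERSONAL)
                 if any(t in f for f in forms)]
    return findings

if __name__ == "__main__":
    for pw in ["MucH007", "p@ssw0rd1", "Rex1975!", "nogard", "tV9#qLm2xWz"]:
        print(pw, audit(pw) or "no findings")
```

An empty result only means these few rules found nothing; it does not prove the password is strong.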

2.4.3 Network Compromises and Attacks

Why would somebody want to hurt your site? If you have any public visibility, you could well attract unwanted attention from unsavory characters who are holding a grudge, nosy competition trying to ferret out new product information, or disgruntled employees out for a joyride.

2.4.3.1 Denial of service attacks

These types of attacks are usually hate- or vendetta-driven, because they have only one aim: to prevent you, or anyone else for that matter, from using your own equipment. A couple of strategies of this nature are: flooding a network interface with traffic, making use of the whole network impossible, or sending specific invalid packets to a computer that cause it to crash several times an hour. A good analogy for this type of attack would be someone wasting your whole afternoon by repeatedly calling you and hanging up. Although there is little you can do in this instance, once an attack is isolated, a system administrator can use a firewall to block inbound requests that would normally cripple the machine or the network. Unfortunately, there is only experimental work being done right now that would allow a scanning process or router to dynamically block such attacks when it notices them and verifies that they are valid threats.

2.4.3.2 Address spoofing

TCP/IP, because of its widespread use, large-scale deployment, and ongoing worldwide development, is definitely the lingua franca of the Internet and will continue to be so. Enhancements to the lower levels of the protocol such as IPSec will not only support IP's use in a worldwide environment to deliver data, but will do so securely. The strengths derived from using the current IP implementation, unfortunately, make the protocol insecure. Because of how packet routing works and how header information is constructed, it becomes very difficult to conclusively prove the path a packet takes from point A to point B, and difficult to guarantee that some packet originated from A to begin with. Because of this, attackers can masquerade or spoof their target's routers and systems into thinking packets originated from someplace they did not. By doing this, all manner of mischief can be wrought.

2.4.3.3 Session hijacking

By building a foundation of IP source spoofing in the above example, an attacker can effectively hijack an entire session between A and B. The parties need not be two individuals sending messages back and forth. More than likely, one of the parties involved will be a server of some sort, which the attacker will impersonate during the span of the communication. By posing as an organization's mail server or file server, he can collect a ton of private material and analyze it at his leisure.

2.4.3.4 Man-in-the-middle attack

Also built on the foundation of IP address spoofing, an attacker can not only stage a session hijack, but can also mimic A and complete the original requests made to B directly. Imagine that we are M, and are able to convince A we are B, and B we are A. Traffic sent to B from A could be caught by M, analyzed, modified, stored or merely witnessed, and then sent on to B, no one at all the wiser. Traffic returning from B to A could be treated in a similar fashion. The