CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

Slides:



Advertisements
Similar presentations
1 Identification Who are you? How do I know you are who you say you are?
Advertisements

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
P ASSWORD S ECURITY. I F SOMEONE HAS YOUR PASSWORD, EITHER FROM YOU GIVING IT OUT OR THEM FIGURING OUT, THEY COULD : 1.Send abusive or threatening .
What is identity theft, and how can you protect yourself from it?
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
Help! I Forgot My Password for ADP Self Service!
Your NEW Social Services Verification Tool
Education Professional Standards Board Password Recovery Process.
Web Pricing User Manual
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Don’t Lose Your Identity – Protect Yourself from Spyware Dan Frommer Sherry Minton.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
Network & Computer Security Training.  Prevents unauthorized access to our network and your computer  Helps keep unwanted viruses and malware from entering.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
How to Create (and use) Strong & Unique Passwords Larry Magid Co-director ConnectSafely.org.
Upay User Guide WELCOME TO UPAY This guide aims to help you use the upay website. You will receive a welcome from Wolfson College.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
MAKING GOOD PASSWORDS (AND HOW TO KEEP THEM SAFE).
Reliability & Desirability of Data
CIS 450 – Network Security Chapter 8 – Password Security.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
File Protection Mechanisms  All-None Protection Lack of trustLack of trust All or nothingAll or nothing Timesharing issuesTimesharing issues ComplexityComplexity.
10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.
Access Control Identification and Authentication.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Internet and Social Media Security. Outline Statistics Facebook Hacking and Security Data Encryption Cell Phone Hacking.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
BTT12OI.  Do you know someone who has been scammed online? What happened?  Been tricked into sending someone else money (not who they thought they were)
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
G53SEC 1 Authentication and Identification Who? What? Where?
 Access Control 1 Access Control  Access Control 2 Access Control Two parts to access control Authentication: Are you who you say you are? – Determine.
G53SEC 1 Authentication and Identification Who? What? Where?
Inappropriate Content Hackers Phishers Scammers Child Abusers Bullies.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholder to insert your own image. Cyber.
Activity 4 Catching Phish. Fishing If I went fishing what would I be doing? On the Internet fishing (phishing) is similar!
NEW USER REGISTRATION. Completing New User Registration activates your profile! Users only need to complete this process once. Let’s get started…
NC Wise Security & Passwords Revised: July 29, 2008 Developed by: Jennifer Jenkins, Cabarrus County Schools.
1 Day 2 Logging in, Passwords, Man, talk, write. 2 Logging in Unix is a multi user system –Many people can be using it at the same time. –Connections.
CHAPTER 5 MANAGING USER ACCOUNTS & GROUPS. User Accounts Windows 95, 98 & Me do not need a user account like Windows XP Professional to access computer.
Phishing and online fraud What parents need to know.
CSCE 201 Identification and Authentication Fall 2015.
Internet safety. Dangers of a poor password How people guess your password Your partner, child, or pet's name, possibly followed by a 0 or 1 The last.
Smart, Safe, and Secure Online Spam commercial messages that you didn’t ask for (a company trying to sell things by sending out thousands of messages at.
Todays’ Agenda Private vs. Personal Information Take out your notebook and copy the following information. Private information – information that can be.
Catching Phish. If I went fishing what would I be doing? On the Internet fishing (phishing) is similar! On the internet people might want to get your.
INTRO TO COMPUTER SECURITY LECTURE 4 IDENTIFICATION AND AUTHENTICATION M M Waseem Iqbal
7/10/20161 Computer Security Protection in general purpose Operating Systems.
Done by… Hanoof Al-Khaldi Information Assurance
Using the Computer Responsibly
Identification and Authentication
Protecting What’s Yours: Your Identity
Password Management Limit login attempts Encrypt your passwords
Cybersecurity Awareness
Scams and Schemes.
Lesson 2: Epic Security Considerations
Computer Security Authentication
Computer Security Protection in general purpose Operating Systems
Employee Self-Service (ESS) Portal
Presentation transcript:

CSC 386 – Computer Security Scott Heggen

Agenda Authentication

What’s the most common form of authentication today? Why do we need authentication? The user identity is a parameter in access control decisions. The user identity is recorded when logging security relevant events in an audit trail.

Identification and Authentication What’s the difference? ? mYP4$$w0rd!

Passwords Passwords are a secret shared between the user and the system. How does the user initially get the password? The mere process of distributing a password is a security issue!

Devil’s Advocate Could I guess someone’s password? Exhaustive search (brute force): try all possible combinations of valid symbols up to a certain length. Intelligent search: search through a restricted name space, e.g. passwords that are somehow associated with a user like name, names of friends and relatives, car brand, car registration number, phone number,…, or try passwords that are generally popular. Typical example for the second approach: dictionary attack trying all passwords from an on-line dictionary. You cannot prevent an attacker from accidentally guessing a valid password, but you can try to reduce the probability of a password compromise.

Defense What can you do to reduce the probability of someone guessing your password? Set a password: if there is no password for a user account, the attacker does not even have to guess it. Change default passwords: often passwords for system accounts have a default value like “manager”. Avoid guessable passwords Length Variety Randomness

Good Passwords Which password is best? PasswordBrute ForceDictionary AttackIntelligent Search passwordSum(46) from 1 to 8(# of words)^1 MyPasswordSum(46) from 1 to 10(# of words)^2 from 1 to 10? from 1 to 10? from 1 to 10? RedHatBrownCatYouFatSum(46) from 1 to 20(# of words)^6 ?

Good Passwords

Additional Defenses Password ageing: set an expiry dates for passwords to force users to change passwords regularly. Prevent users from reverting to old passwords, e.g. keep a list of the last ten passwords used. Limit login attempts: the system can monitor unsuccessful login attempts and react by locking the user account (completely or for a given time interval) to prevent or discourage further attempts. Inform user: after successful login, display time of last login and the number of failed login attempts since, to warn the user about recently attempted attacks.

Good Passwords Which password is best? Can you memorize it? Do you need to write it down? Does it change too often? Are you reusing a favorite password? Password password MyPassword RedHatBrownCatYouFat

Devil’s Advocate Say you are authenticating with a remote system (e.g., a website). What ways can someone learn your username and password? Spoofing Phishing Social Engineering

Spoofing “Hi, I’m your bank. There was a bank error in your favor. Click here to see the error.”Click here

Countermeasures Display number of failed logins: may indicate to the user that an attack has happened. Trusted path: guarantee that user communicates with the operating system and not with a spoofing program; e.g., Windows has a secure attention key CTRL+ALT+DEL for invoking the operating system logon screen. Mutual authentication: user authenticated to system, system authenticated to user.

Phishing “Hi, I’m a Kenyan prince. I want to send you $2,000,0000,00 dollars. Send me your SSN, birth date, address, full legal name, driver’s license number, ….”

Countermeasures Take care to enter your passwords only at the “right” site (but how do you know?) No legitimate business will ask you for your password via Why would they need it? They can access all of your information already!

Social Engineering Attacker impersonates the user to trick someone else into releasing information: faciliated-by-simple-social-engineering/#.U_3x0cVdWs0 faciliated-by-simple-social-engineering/#.U_3x0cVdWs0