forearmed. - phishing attacks and password cracking

Post on 26-Mar-2022


Forearmed. Phishing Attacks and Password Cracking.

Prof. Dr. Andreas Aßmuth

Technical University of Applied Sciences OTH Amberg-Weiden

Department of Electrical Engineering, Media and Computer Science

2021-05-29

About me

Professor of Computer Networks and Mathematics

Dean of Studies

Teaching: Mathematics, Computer Networks, Cryptography, Coding Theory, Information Security

Research: Applied Cryptography, Information Security, Ethical Hacking

IARIA Fellow

© A. Aßmuth: “Forearmed. Phishing Attacks and Password Cracking.” 2

Anatomy of a Hacked Smartphone

Surveillance
+ Audio
+ Camera
+ Call logs
+ Position
+ SMS

Data Theft
+ Account infos
+ Contacts
+ Call logs
+ Theft through apps
+ Device infos (IMEI)

Money
+ Premium SMS
+ Theft of TANs
+ Ransomware
+ Fake Antivirus
+ Overpriced calls

Faked Identity
+ Re-routing of SMS
+ Sending emails
+ Posts on social media

“Zombie Smartphone”
+ DDoS attacks
+ Clickbait


Cryptographic Hash Functions

Cryptographic hash functions must have certain properties:

(i) Fast and easy computation of hashes.

(ii) One-way function: Given a hash, it must be infeasible to find an input that generates exactly that hash.

(iii) Collision resistance: It must be infeasible to find any two different inputs that generate the same hash.
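The three properties can be checked hands-on. The following Python block is an added example and not part of the slides: it uses SHA-256 from the standard library, shows that hashing is cheap and deterministic (i), that the only generic way to invert a hash is to guess inputs (ii), and that a birthday search finds collisions on a deliberately truncated digest in about 2^(n/2) trials, which is why the full 256-bit output is collision resistant in practice (iii). All inputs of the form `constructed-input-…` are constructed for the demonstration.

```python
import hashlib
import os
from typing import Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Property (i): a SHA-256 digest is cheap to compute and fully determined by its input."""
    return hashlib.sha256(data).hexdigest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(m1: bytes, m2: bytes) -> int:
    """How many of the 256 digest bits change between hash(m1) and hash(m2).
    For a good hash this is close to 128 even when the inputs differ in one character."""
    return hamming_distance(hashlib.sha256(m1).digest(), hashlib.sha256(m2).digest())


def digest_prefix(data: bytes, n_bits: int) -> int:
    """The first n_bits of SHA-256(data) as an integer, i.e. a deliberately truncated hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n_bits)


def preimage_by_guessing(target: bytes, max_tries: int) -> Optional[bytes]:
    """Property (ii): inverting the hash means guessing inputs and comparing digests.
    Against a full 256-bit target this returns None for any feasible max_tries."""
    for i in range(max_tries):
        guess = f"constructed-guess-{i}".encode()  # constructed candidate input
        if hashlib.sha256(guess).digest() == target:
            return guess
    return None


def truncated_collision(n_bits: int, max_tries: int = 1_000_000) -> Optional[Tuple[bytes, bytes]]:
    """Property (iii) on a truncated digest: a birthday search over about 2**(n_bits/2)
    inputs finds two different inputs whose first n_bits agree. On the full 256-bit
    output the same search would need about 2**128 inputs, which is infeasible."""
    seen = {}  # prefix -> first input that produced it
    for i in range(max_tries):
        msg = f"constructed-input-{i}".encode()  # constructed candidate input
        prefix = digest_prefix(msg, n_bits)
        if prefix in seen:
            return seen[prefix], msg
        seen[prefix] = msg
    return None


if __name__ == "__main__":
    print("sha256('password') =", sha256_hex(b"password"))
    print("bits changed for 'password' -> 'Password':", avalanche_bits(b"password", b"Password"))
    random_target = os.urandom(32)  # a digest nobody knows a preimage for
    print("preimage found for random target:", preimage_by_guessing(random_target, 100_000))
    print("24-bit collision:", truncated_collision(24))
```

Running it shows the contrast the slide draws: the 24-bit collision appears after a few thousand inputs, while the preimage search for a random digest returns None however long it runs.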


How Does a Login Procedure Work?

Creation of a new account:

+ The user enters username (alice) and password (*************).
+ Hash password.
+ Store username and hash.

Login to account:

+ The user enters username (alice) and password (*************).
+ Hash password.
+ Compare hashes (?): the login succeeds only if the freshly computed hash equals the stored one.
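The two flows above, written out in Python as an added example (not code from the slides). It assumes PBKDF2-HMAC-SHA256 with a random per-user salt as the "hash password" step, so that identical passwords produce different stored records and each offline guess costs the attacker the full iteration count; the user table is an in-memory dict standing in for a database, and the usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumed parameters: PBKDF2-HMAC-SHA256 with 200,000 iterations and a 16-byte salt.
ITERATIONS = 200_000
SALT_BYTES = 16

# Stored record per username: (salt, hash). Constructed in-memory stand-in for the user table.
UserTable = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """The 'hash password' step: a salted, deliberately slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(db: UserTable, username: str, password: str) -> None:
    """Account creation: hash the password, then store username, salt and hash (never the password)."""
    if username in db:
        raise ValueError("username already taken")
    salt = os.urandom(SALT_BYTES)
    db[username] = (salt, hash_password(password, salt))


# Dummy record so that a login attempt for an unknown user costs the same time as a real one;
# otherwise the response time would reveal which usernames exist.
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def login(db: UserTable, username: str, password: str) -> bool:
    """Login: hash the submitted password with the stored salt and compare the hashes.
    hmac.compare_digest keeps the comparison constant-time wherever the digests differ."""
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in db


if __name__ == "__main__":
    users: UserTable = {}
    create_account(users, "alice", "correct horse battery staple")
    print("alice, right password:", login(users, "alice", "correct horse battery staple"))
    print("alice, wrong password:", login(users, "alice", "Tr0ub4dor&3"))
    print("unknown user:", login(users, "mallory", "correct horse battery staple"))
```

The stored record never contains the password itself, so a leaked user table only gives an attacker hashes to guess against; the cost of each guess is set by the iteration count, which is what the offline attacks on the following slides have to pay per candidate.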


Password Cracking: Offline Attack

The figure arranges attack strategies against human-chosen passwords along a strength axis from trivial to non-trivial:

+ Markov chains
+ Dictionary + rules
+ Dictionary (words)
+ Brute-Force (length limit)
+ List of worst passwords

Beyond human-chosen passwords lies the full password space → Brute-Force Attack (no length limit).

Cf. Javier Galbally, Iwen Coisel and Ignacio Sanchez, “A New Multimodal Approach for Password Strength Estimation—Part I: Theory and Algorithms”, IEEE Trans. on Information Forensics and Security, Vol. 12, No. 12, pp. 2829–2844, doi: 10.1109/TIFS.2016.2636092, IEEE, 2017.
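A defender can turn the ladder above into a strength check: classify a candidate password by the cheapest tier that would recover it, and estimate how long exhausting its keyspace would take. The following Python block is an added example, not code from the slides or from the cited paper. It assumes tiny constructed worst-password and dictionary lists (real checks use the published lists), a length bound of 8 for the "Brute-Force (length limit)" tier, a handful of inverted mangling rules (case, leading/trailing digits and symbols, leet-speak) for the "Dictionary + rules" tier, and an illustrative rate of 10^10 guesses per second; the Markov-chain tier is not modelled.

```python
import re

# Constructed miniature lists; real deployments use the published worst-password lists
# and multi-million-entry dictionaries.
WORST_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123", "iloveyou"}
DICTIONARY = {"dragon", "sunshine", "football", "monkey", "letmein", "princess"}
BRUTE_FORCE_LENGTH_LIMIT = 8   # assumed bound for the "Brute-Force (length limit)" tier
GUESSES_PER_SECOND = 1e10      # assumed cracking rate, for illustration only

# A few of the substitutions a "Dictionary + rules" attack applies; inverted here.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo common rules: lowercase, drop leading/trailing non-letters, reverse leet-speak."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)   # "dr4g0n2021!" -> "dr4g0n"
    return base.translate(LEET)                    # "dr4g0n" -> "dragon"


def tier(password: str) -> str:
    """Cheapest tier of the slide's ladder that would recover this password."""
    if password in WORST_PASSWORDS:
        return "list of worst passwords"
    if password in DICTIONARY:
        return "dictionary (words)"
    if normalize(password) in DICTIONARY:
        return "dictionary + rules"
    if len(password) <= BRUTE_FORCE_LENGTH_LIMIT:
        return "brute-force (length limit)"
    return "password space (brute-force, no length limit)"


def keyspace(password: str) -> int:
    """Size of the smallest character-class keyspace containing the password: alphabet ** length."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    alphabet = sum(size for pattern, size in classes if re.search(pattern, password))
    return alphabet ** len(password)


def worst_case_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the keyspace at the assumed rate; a dictionary hit comes far sooner."""
    return keyspace(password) / rate


if __name__ == "__main__":
    for candidate in ["password", "dragon", "Dr4g0n2021!", "xK9#q2Lp",
                      "correct horse battery staple"]:
        print(f"{candidate!r:32} tier={tier(candidate)!r:48} "
              f"keyspace-exhaustion={worst_case_seconds(candidate):.3g}s")
```

The keyspace figure is only an upper bound on attacker effort: "Dr4g0n2021!" has a keyspace of 95^11 but falls to the dictionary + rules tier, which is the point of the ladder. A password should be judged by the lowest tier that finds it, not by its length and character classes alone.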


Grapucino: Graphic Processing Unit Cluster in a Box

+ Graphics Cards: GeForce GTX 1080
+ Riser Adapter Boards: 1x → 16x
+ Temperature Sensors
+ Fan Control: Arduino Uno
+ Mainboard: Asus Mining Expert
+ Power Supply: 1600 W
+ 256 GB SSD

Figure created by Tobias Nickl, M.Sc.


Password Cracking

Demonstration


Secure Passwords Summary

Source: Randall Munroe, https://xkcd.com/936/


Phishing Example 1

+ https://gglks.com/8i43k


Phishing Example 2

+ https://thewhiteroomcreative.com/it-service.oth-aw.de/


Phishing Example 3


Phishing Example 4


Malicious COVID-19 Apps


Phishing Attack

Demonstration


Prof. Dr. Andreas Aßmuth
Professor of Computer Networks and Mathematics
OTH Amberg-Weiden
Faculty of Electrical Engineering, Media and Computer Science
Kaiser-Wilhelm-Ring 23, 92224 Amberg
Tel.: +49 9621 482 3604
Fax: +49 9621 482 4604
Email: a.assmuth@oth-aw.de
PGP: 0x93E4D0FA
Web: https://www.andreas-assmuth.de

https://www.oth-aw.de

Word cloud created by Ashashyou, CC BY-SA 4.0
