The world runs computers. From small to large businesses, from the CEO down to level 1 support staff, everyone uses computers. This course is designed to give you a practical perspective on computer security. This course approaches computer security in a way that anyone can understand. Ever wonder how your bank website is secure when you connect to it? Wonder how other business owners secure their network? Wonder how large data breaches happen? This is practical computer security. It will help you answer the question – what should I focus on?
Practical Application of Hashing
Loading...
En provenance du cours de University of Colorado System
Introduction to Cybersecurity for Business
164 notes
À partir de la leçon
Practical Application of Daily Security
Often times we may not know how to assess our security daily. We may think we are secure when we may not be. This module covers some of the tools, ports, and protocols used in everyday computing to remain secure.
Rencontrer les enseignants
Greg WilliamsLecturer
Department of Computer Science
In this lesson, I'll talk about the practical application of hashing.
So at the end of the lesson you should be able to understand how hashing should
be used.
And you should be able to discuss where hashing is used today and
how failures of implementation of correct hashing has led to data breaches.
Let's talk about the technology that we use every day.
The websites that we want to register through.
Let's say Target, for example, or Home Depot, or
you name it, whatever you want to access now has some kind of login and password.
So if I look at my accounts through my password manager,
I have well over 200 websites that I've registered through.
Each of them have a different user name and
each of them have a different password.
So how many accounts do you actually have?
Each of those sites is going to store your password in some size, shape, or form.
Some have better security that others, and we'll talk about that here in a minute.
What about your phone?
How do you think your phone stores your pin, your password, or
your fingerprint, for example?
If you're on an Android platform,
maybe we even had a pattern on the screen that we go through with our finger.
What about your computer?
How does it store your password?
And your car, most of the newer cars nowadays have
a key that you have to go to the dealership in order to
reprogram the pairing of those two devices.
Our cars are getting smarter.
Our TVs are getting smarter.
Our home automation, everything is getting smarter.
However, with that we have to have some kind of security built around it.
Let's talk about how we log in to computers.
I mentioned in the previous lesson that Windows uses hashing to store passwords.
Windows uses the NTLM function, or
the NTLM technology to store password hashes.
This is from Microsoft.
So these are what the actual steps are.
The password is padded with null bytes to exactly 14 characters.
And if the password is longer than 14 characters it is
replaced with a 14 null bytes for the remaining operations.
So we're padding and making sure they're exact length.
The password is then converted to all lowercase and
then split into two, seven byte or 56 bit keys.
Each key is used to encrypt a fixed string.
And then the two results from the several steps above
are then concatenated and stored as the LM hash.
So LM stands for LAN manager and
NTLM actually stands for new technology LAN manager.
It has been the de facto standard for
a number of years how Windows actually stores password hashes.
Now in other operating systems like Linux and BSD,
they use various hashing algorithms, however, most are salted.
Now you might say what in the world is a salt, and how are they salted?
Well, salting is a way of appending a small random data
sequence onto the password or the hash password.
So that when somebody enters in,
let's say the actual password hash is compromised,
there is no way or very minimal chance to say,
okay well this salt actually goes with this hash.
So we'll talk about why that's really important in a minute.
Databases, several years ago, around ten years ago,
Microsoft actually published a study where they opted in a bunch of,
actually not a bunch, it was millions of users into their Microsoft Live
toolbar that said, hey, can we do some password analysis for you?
We're not going to actually store your password, but
we just want to do an analysis.
The results of that study were astonishing.
The results showed that a typical user only has five
to six unique passwords for all of their accounts.
So think about your bank account, think about your music,
Spotify, Pandora Amazon, Target, any online account that you have.
I bet you there is one of five different passwords that you use.
Now if I look, and I don't do that because I've
been in the security industry quite awhile and I know how these things get breached.
If you use a password manager then all of them can be unique, however,
the typical user only has five to six unique passwords.
So if we have a data breach on
one website how do you think that affects every other website?
Well if we are using the password from one site and
the same username, we could just take both of those combinations, and
go to another website, which I would probably guarantee that you're on.
So for example, if your Spotify account or your Pandora account
is the same username and password as your Gmail account, which has great security.
How do you think attackers are going to get in?
Very simply, they compromise the one that doesn't have great security.
Now I'm not saying Spotify or Pandora has terrible security, I actually don't
know but I'm just talking about something that doesn't have as many users.
Think about if you want to exchange Spotify and
Pandora with your favorite gaming blog website.
Okay, generally those smaller websites don't have great security.
So if you're username and password is compromised on that blog then they go
to Gmail or Google, they could compromise your account there very easily.
Databases, however, should encrypt your password.
And that's done through hashing.
Additionally, we should also salt.
Remember the randomized string appended or
prepended onto your actual hash.
So that if the attacker out there were able to get into that database and
post the hashes, your hash, even though it would be the same password,
would be different from site to site.
Because we have a different random salt on each of those websites.
Rainbow tables, rainbow tables are used to store many
different hashes for certain types of hashing algorithms.
There's rainbow tables for NTLM passwords,
wireless, and a bunch of other ones that are unique.
They are precomputed to easily find the password.
Now, if you wanted to go through the entire, let's say that we also had
just eight characters, eight character password,
that hashing rainbow table is going to be very, very small.
We could go through a rainbow table of all the hashes for
an eight character password on Windows within a matter of one or two minutes.
We can also use online crackers to do this or
graphics cards to speed up the process of obtaining or
identifying the hash that goes with a password.
Now remember, a hash has to be unique.
So it can't be a reversed function.
So what we have to do with rainbow tables is a rainbow table is
the representation the hash in password form.
So we have a bunch of hashes and they say, this hash matches this password.
Rainbow tables can be very large or in most cases, well,
in most cases they are large, but in some cases they are relatively small.
Intrusion and antivirus detection also use hashes.
Many antivirus companies use these hashes to detect malicious software.
The same with intrusion detection.
So if we look at the 2016 Verizon
data breach investigational reports, which is a great resource.
They come out with it every year.
Last year, they actually had data to show that
99% of malware out there is only up for 58 seconds.
The reason why is because malware writers are constantly changing their code to
bypass detection.
So every time they manipulate their code, the hash changes
because it's a unique representation of that file.
There are plenty of invasion techniques that utilize hashing, and
putting in random code here and there, to bypass antivirus or intrusion detection.
The best antivirus intrusion detection or intrusion prevention software
uses machine learning and other heuristics to detect maliciousness and
not necessarily relies on a software hash.
Let's talk about data breaches.
The biggest data breach, and the failure of using hashing correctly,
came out last year from Yahoo.
1 billion accounts were compromised,
because they only secured their database with MD5 hashes.
Now MD5 hashes, as you recall, are very, very easy to compute and
are very small bit length.
So if we have all one billion accounts,
running those through a rainbow table, and
looking at all the MD5 hashes out there, we can come up with 75% or
750 million passwords in a matter of a couple days.
I can't remember how long it actually was, but we've come up
with huge amounts of data and actual passwords for all those Yahoo users.
So once that happened, Yahoo said, change your password.
Another failure was Cupid Media several years ago.
42 million accounts across many different
websites that they owned had no encryption or
no hashing algorithm on the password at all.
LinkedIn also back in 2012 had 6.5 million accounts hacked.
They were encrypted, however, they didn't have salts attached.
So if we were able to obtain the hash from another website or
went through them with a rainbow table or they were precomputed somewhere else,
then we would have been able to find or identify the password.
Explorer notre catalogue
Rejoignez-nous gratuitement et obtenez des recommendations, des mises à jour et des offres personnalisées.
Coursera propose un accès universel à la meilleure formation au monde,
en partenariat avec des universités et des organisations du plus haut niveau, pour proposer des cours en ligne.
© 2018 Coursera Inc. Tous droits réservés.
