There are numerous authentication mechanisms to choose from. If not correctly selected and implemented, the authentication mechanism can expose vulnerabilities that attackers can use to gain access to your system.
Vulnerabilities
Network Eavesdropping
If authentication credentials are passed in plaintext, an attacker armed with basic network monitoring software on a host on the same network can capture traffic and obtain user names and passwords.
Note: This type of attack requires the attacker to already hold a vantage point on the network path, for example a compromised host on the same segment, a shared wireless network, or a proxy or switch the traffic passes through.
Brute Force Attacks
Brute force attacks rely on computational power to recover passwords or other secrets from their hashed or encrypted form by trying every possible value. Against a truly random key of adequate length the search space is far too large to exhaust, so the attack is impractical; against short or low-entropy passwords protected by a fast hash it is routine. A brute force attack can also be run online against the login form itself, in which case account lockout and rate limiting, rather than key length, are what bound the attacker's attempts.
Dictionary Attacks
This attack is used to obtain passwords held as hashes. On such systems, users are authenticated by re-computing the hash from the user-supplied password and comparing it against the system-stored hash value. If an attacker manages to obtain the list of hashed passwords, the hashes can be attacked offline, with no lockout or rate limit to slow the attempts.
With the dictionary attack, the attacker's program iterates through the words in a dictionary (and, in practice, rule-based variations of them: case changes, appended digits, letter-for-digit substitutions), computes the hash of each, and compares the result with the values in the data store. Weak passwords such as “Yankees” or “Mustang” are cracked almost immediately. A password such as “RuN4PhuN” resists a plain wordlist run, but leet-style substitutions and case mixing are standard cracking rules, so it is only marginally stronger; length and randomness, not substitutions, are what make a password expensive to crack. Unsalted hashes make matters worse, because one computed hash can be compared against every user's entry at once and precomputed tables can be reused across systems.
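The attack described above, carried out in code as an added example (this is not the original post's or Gemstone's code): a small rule-based dictionary run against a constructed table of unsalted SHA-256 hashes, then the same run against a salted, iterated (PBKDF2) table to show why per-user salts and a slow hash raise the attacker's cost. The account names, passwords, wordlist and iteration count are all constructed for the demo.

```python
import hashlib
import os

# Constructed sample data (not from any real system): five accounts and the
# passwords the page uses as examples, plus a passphrase. Two stores are built
# from them: the naive unsalted-hash table the page describes, and a salted,
# iterated PBKDF2 table for comparison.
SAMPLE_PASSWORDS = {
    "alice": "Yankees",
    "bob": "Mustang",
    "carol": "mustang1",
    "dave": "RuN4PhuN",
    "erin": "correct horse battery staple",
}

# Tiny constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "yankees", "mustang", "run4fun", "letmein"]

# Kept small so the example runs in well under a second; production deployments
# use hundreds of thousands of iterations (or a memory-hard KDF).
DEMO_ITERATIONS = 1_000


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def make_salted_record(password):
    """Storage format for the hardened table: a random per-user salt plus the
    PBKDF2-HMAC-SHA256 derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, DEMO_ITERATIONS)
    return salt, dk


UNSALTED_STORE = {u: sha256_hex(p) for u, p in SAMPLE_PASSWORDS.items()}
SALTED_STORE = {u: make_salted_record(p) for u, p in SAMPLE_PASSWORDS.items()}


def mangle(word):
    """A small subset of the rule-based mutations cracking tools apply to each
    dictionary word: case changes, appended digits, a few leet substitutions."""
    base = {word.lower(), word.capitalize(), word.upper()}
    variants = set(base)
    for w in base:
        variants.add(w + "1")
        variants.add(w + "123")
        variants.add(w.replace("a", "4").replace("e", "3").replace("o", "0"))
    return variants


def candidates(wordlist):
    return sorted({c for w in wordlist for c in mangle(w)})


def dictionary_attack_unsalted(store, wordlist):
    """Unsalted hashes: hash each candidate once and look it up against every
    stored hash. Returns (cracked, number_of_hash_computations)."""
    by_hash = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    cracked, work = {}, 0
    for cand in candidates(wordlist):
        work += 1
        for user in by_hash.get(sha256_hex(cand), []):
            cracked[user] = cand
    return cracked, work


def dictionary_attack_salted(store, wordlist):
    """Per-user salts: the same candidate must be re-derived for every user, and
    each derivation costs DEMO_ITERATIONS hash operations.
    Returns (cracked, number_of_PBKDF2_derivations)."""
    cands = candidates(wordlist)
    cracked, work = {}, 0
    for user, (salt, dk) in store.items():
        for cand in cands:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, DEMO_ITERATIONS) == dk:
                cracked[user] = cand
                break
    return cracked, work


if __name__ == "__main__":
    c1, w1 = dictionary_attack_unsalted(UNSALTED_STORE, WORDLIST)
    c2, w2 = dictionary_attack_salted(SALTED_STORE, WORDLIST)
    print("unsalted:", c1, "in", w1, "SHA-256 computations")
    print("salted:  ", c2, "in", w2, "PBKDF2 derivations of", DEMO_ITERATIONS, "iterations each")
```

Both runs recover the same three weak passwords (“Yankees”, “Mustang” and the rule-derived “mustang1”); the two that survive do so because the constructed rule set never produces them, not because of any property of the hash. The difference is in cost: the unsalted table is cracked with one hash per candidate for all users combined, while the salted table needs one derivation per candidate per user, each of them DEMO_ITERATIONS times more expensive than a bare SHA-256.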
Cookie Replay Attacks
With this type of attack, the attacker captures the user’s authentication cookie using monitoring software and replays it to the application to gain access under a false identity. See Session Hijacking and Replay and Man in the Middle Attacks for more information.
Credential Theft
If your application implements its own user store containing user account names and passwords, compare its security to the credential stores provided by the platform, for example a Microsoft Active Directory® service user store. The current implementation uses Active Directory® as the user store, but Gemstone should not rely solely on the strength of the chosen user store: the application's own handling of credentials (transport, session cookies, password policy) has to hold up on its own.
Browser features also retain login data: the password manager and form autocomplete can store user names and passwords, and the history and cache can retain pages shown after login. If someone other than the user who logged on uses the same terminal and returns to the same page, the saved login may be offered to them. Sending Cache-Control: no-store on authenticated pages keeps those pages out of the cache; modern browsers largely ignore autocomplete="off" on password fields, so the password manager cannot be switched off from the page and the user has to be told not to save the password on shared terminals.
Recommendations
· Secure the channel: use TLS for every request that carries credentials or a session cookie, not just the login page, so neither can be captured by eavesdropping.
· Encrypt it: credentials must never be stored or transmitted in plaintext; hold only salted, iterated password hashes, and mark session cookies Secure so they travel only over TLS.
· Strong authentication requirements: enforce password length and complexity, reject dictionary words, and rate-limit or lock out repeated failures so online guessing is bounded.
· Avoid holding long sessions: give authentication cookies an expiry, enforce idle and absolute timeouts on the server, and invalidate the session on logout so a captured cookie is useful for only a short window.
· Re-Authenticate: require the password again before sensitive operations, so a replayed cookie alone is not enough to change credentials or make high-value changes.
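The session handling that the Cookie Replay Attacks section and the last two recommendations call for, as an added example (not the original post's or Gemstone's code): a server-side session table whose cookie carries only a random token, with idle and absolute timeouts, revocation on logout, and a password re-check before sensitive actions. The `SessionStore` class, the timeout values, the injected clock and the `demo_verify_password` table are assumptions made for the demo.

```python
import hmac
import secrets
import time

# Policy values for the demo (assumptions, not taken from the page): seconds of
# inactivity before a session dies, a hard cap on its total life, and how
# recently the password must have been checked before a sensitive action.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60
REAUTH_WINDOW = 5 * 60

# Constructed user table for the demo; a real store keeps salted hashes.
DEMO_PASSWORDS = {"alice": "s3cret-demo"}


def demo_verify_password(user, password):
    expected = DEMO_PASSWORDS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Server-side session table. The cookie carries only an unguessable random
    token; everything the server trusts lives here, so a session can be expired
    or revoked regardless of what the client still holds."""

    def __init__(self, now=time.time, verify_password=demo_verify_password):
        self.now = now                      # injectable clock so expiry can be tested
        self.verify_password = verify_password
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable or enumerable
        t = self.now()
        self._sessions[token] = {"user": user, "created": t, "last_seen": t, "last_auth": t}
        return token

    def cookie_header(self, token):
        # Secure: sent only over TLS, so an eavesdropper never sees it.
        # HttpOnly: not readable by script in the page. SameSite=Strict: not
        # attached to cross-site requests. Max-Age: the client discards it after
        # the absolute lifetime, but resolve() below is what enforces expiry.
        return (f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; "
                f"Max-Age={ABSOLUTE_TIMEOUT}; Path=/")

    def resolve(self, token):
        """Map a presented cookie to a user, or None if unknown or expired.
        A cookie captured and replayed after either timeout is rejected here."""
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self.now()
        if t - s["created"] > ABSOLUTE_TIMEOUT or t - s["last_seen"] > IDLE_TIMEOUT:
            self.revoke(token)
            return None
        s["last_seen"] = t
        return s["user"]

    def reauthenticate(self, token, password):
        """Password re-check for a live session; refreshes last_auth on success."""
        user = self.resolve(token)
        if user is None or not self.verify_password(user, password):
            return False
        self._sessions[token]["last_auth"] = self.now()
        return True

    def authorize_sensitive(self, token):
        """Allow a high-value action only if the session is live and the
        password was re-checked within REAUTH_WINDOW."""
        if self.resolve(token) is None:
            return False
        return self.now() - self._sessions[token]["last_auth"] <= REAUTH_WINDOW

    def revoke(self, token):
        """Logout or forced invalidation: a replay after this finds nothing."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(store.cookie_header(tok))
    print("resolves to:", store.resolve(tok))
    print("sensitive action allowed:", store.authorize_sensitive(tok))
    store.revoke(tok)
    print("after logout, replayed cookie resolves to:", store.resolve(tok))
```

The point of keeping the table on the server is that Max-Age on the cookie is only advice to the client; an attacker replaying a captured cookie ignores it, so the idle and absolute checks in resolve() and the revoke() on logout are what actually bound the window in which a stolen cookie is useful. Re-authentication for sensitive actions means that even inside that window the cookie alone does not let the attacker change the password or the account's contact details.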