Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours on Instagram and YouTube and waste money on coffee and fast food, but won’t spend 30 minutes a day learning skills to boost our careers.
Master in DevOps, SRE, DevSecOps & MLOps!

Learn from Guru Rajesh Kumar and double your salary in just one year.

Get Started Now!

Home Machine Learning How machine learning-powered password guessing impacts security

How machine learning-powered password guessing impacts security

Machine Learning · December 8, 2017 · 1 Comment

Source – techtarget.com

A new password guessing technique takes advantage of machine learning technologies. Expert Michael Cobb discusses how much of a threat this is to enterprise security.

What happens when authentication and access control measures are attacked by adversaries equipped with machine learning? This question has been examined in a couple of recent university studies, and it’s worth taking a look at the potential impact of their findings on the security of real-world information systems.

Password guessing impacts system security in both online and offline attacks. An online password guessing attack can be found in the logs of every server that’s on the internet — a constant series of attempts to log in remotely using guessed credentials. Such attacks can be thwarted by having complex passwords, limiting the number of attempted logins and requiring two-factor authentication.

In an offline password guessing attack, the adversary obtains a set of system or application credentials, usernames and hashed passwords. They can then attempt to guess passwords on their own machine. This is done by checking to see if a hash of the guess, such as password, matches any of the hashes obtained from the target system.

Offline password guessing depends on having a large collection of plausible passwords, often called a password cracking dictionary. A real dictionary is used as the starting point, and then variations are added based on common tricks, like character swapping — D1sn3yW0rld — and adding special characters — password! Hackers also add actual passwords disclosed in breaches, such as LinkedIn and RockYou, to these dictionaries.

How machine learning increases the threat

A new approach to improving password guessing techniques is harnessing the power of machine learning algorithms. For example, researchers at the Stevens Institute of Technology and the New York Institute of Technology came up with something they call PassGAN, a novel technique that “leverages Generative Adversarial Networks (GANs) to enhance password guessing.”

Without going into the science of Generative Adversarial Networks, a GAN uses two neural networks, one of which tries to fool the other with fake data that is very close to actual data. What researchers found is that, by training a GAN on a list of leaked passwords, it can rapidly produce a large number of plausible password guesses, potentially outperforming password guessing tools such as Hashcat and John the Ripper.

What does this mean for information system security, apart from underlining the importance of protecting password hashes, given that cybercriminals are increasingly likely to apply machine learning to offline cracking? Password cracking tools are classic examples of the double-edged phenomenon: security technology that can be used for evil or good; and in this case, it can be adapted to measure the strength of passwords before users are allowed to use them based on an ease of guessing score.

Of course, this latest research also adds to the reasons why system security needs to use stronger authentication than passwords alone to protect access. One popular technology is a one-time passcode generated on a mobile device assumed to be under the control of the device owner.

However, the reliability of that assumption is somewhat undermined by another piece of research, this time from Newcastle University. Researchers there have developed a proof-of-concept attack called PINlogger that uses machine learning and a neural network to analyze sensor data on a mobile device to detect when a PIN is being entered, and then determine the actual PIN.

With several dozen sensors on a mobile device — from the touchscreen to sensors for motion, speed, orientation, rotation and more — it is perhaps not surprising that combined sensor output, when analyzed with machine learning, can reveal a lot about a user’s physical interaction with a device.

However, there are some constraints on this PINlogger attack. It requires the mobile device to have a web browser that supports JavaScript and web APIs that can access onboard sensors. Also, the user needs to be led to the attacker’s malicious webpage and must keep that page open during an attack. However, the use of JavaScript to access sensors via the browser means that the attack does not require users to download an app to become victims.

The researchers were not content just to create a proof of concept for this sensor-based attack; they actually studied how mobile device users perceived the risks from sensors typically found in these systems. The results showed that many people were not aware of all the sensors on their devices or the potential for information like mobile orientation and motion to be used to defeat security measures like a PIN. The researchers also noted a lack of granularity in sensor access control policies.

As more sensors are added to mobile devices, the potential for abuse is likely to grow, and the researchers concluded that the problem of sensor-based attacks is a hard one to solve, but needs to be addressed fairly urgently, before they start appearing in the wild. Update your security awareness training content now.

 

aiuniverse

Related Posts

Machine Learning

What is Machine Learning and what are the Types of Machine Learning Tools Available?

· May 25, 2023 · 0 Comment

What is Machine Learning? Machine Learning is a subfield of Artificial Intelligence that incorporates statistical models and algorithms to help computer systems learn from data and improve Read More

Read More
Machine Learning

What is an Autonomous System and what are Applications of Autonomous Systems?

· May 8, 2023 · 0 Comment

Introduction to Autonomous Systems Autonomous systems, once the stuff of science fiction, have become a reality in our world today. From self-driving cars to drones, robots, and Read More

Read More
Machine Learning

What is Predictive Analytics and what is the Types of Predictive Analytics Tools

· May 8, 2023 · 0 Comment

Introduction to Predictive Analytics Tools As businesses continue to collect vast amounts of data, it becomes increasingly challenging to make informed decisions that drive growth and improve Read More

Read More
Machine Learning

What is Neural Network Libraries and What are the popular neural network libraries available today?

· May 5, 2023 · 0 Comment

1. Introduction to Neural Network Libraries Neural networks are being used more and more in today’s technology landscape, powering everything from image recognition algorithms to natural language Read More

Read More
Machine Learning

What is Reinforcement Learning and What are Reinforcement Learning Libraries?

· May 5, 2023 · 0 Comment

Introduction to Reinforcement Learning Reinforcement learning is a machine learning technique that involves training an agent to make decisions based on trial and error. It is an Read More

Read More
Machine Learning

What are Graphical Models? Why use Graphical Models Libraries and Types of Graphical Models Libraries?

· May 5, 2023 · 0 Comment

Graphical Models Libraries are powerful tools that allow developers and data scientists to build complex models with more accuracy and less complexity. These libraries help in capturing Read More

Read More
Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
1
0
Would love your thoughts, please comment.x
()
x