T 5.9 Unauthorised use of IT systems

Without mechanisms for the identification and authentication of users, it is virtually impossible to prevent the unauthorised use of IT systems. Even on IT systems that provide identification and authentication functions in the form of user IDs and password checks, there is still a risk of unauthorised use if user IDs and passwords are obtained illicitly.

In order to guess the secret password, an unauthorised person could enter a possible password during the login procedure; the IT system's response indicates whether or not the password was correct. Passwords can be guessed by trial and error in this manner.

However, a much more promising attack approach is to use a single word as an assumed password and try it with every user ID registered on the system. When the number of users is correspondingly large, a valid user ID/password combination is often found in this manner.

If it is possible to misuse the identification and authentication function, then it may even be possible to automate the attempts to log in by developing a program that systematically tests all conceivable passwords.
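From the defender's side, the two guessing patterns described above leave different traces in authentication logs: many failed logins for one user ID, or one source trying many distinct user IDs. The following added Python example, which is not part of the original catalogue text, runs over constructed sshd-style log lines and assigns each source one of these two verdicts; the log format, thresholds, user names and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style wording assumed, not taken from the page).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:02 sshd: Failed password for bob from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for carol from 203.0.113.7
2024-03-01T10:00:04 sshd: Failed password for dave from 203.0.113.7
2024-03-01T10:00:05 sshd: Accepted password for erin from 203.0.113.7
2024-03-01T10:00:06 sshd: Failed password for alice from 198.51.100.9
2024-03-01T10:00:30 sshd: Failed password for alice from 198.51.100.9
2024-03-01T10:01:00 sshd: Failed password for alice from 198.51.100.9
2024-03-01T10:05:00 sshd: Failed password for frank from 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(log):
    """Return a list of (timestamp, failed, user, source) tuples; unparsable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2) == "Failed", m.group(3), m.group(4)))
    return events


def classify(log, window=timedelta(minutes=5), min_accounts=3, min_attempts=3):
    """Map each source address to "spray" (one guess tried against many user IDs)
    or "brute_force" (repeated guesses against one user ID) within a time window."""
    failures = defaultdict(list)
    for ts, failed, user, src in parse(log):
        if failed:
            failures[src].append((ts, user))
    verdicts = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            in_win = [u for t, u in attempts[i:] if t - t0 <= window]  # sliding window
            distinct = len(set(in_win))
            if distinct >= min_accounts:
                verdicts[src] = "spray"
                break
            if len(in_win) >= min_attempts and distinct == 1:
                verdicts[src] = "brute_force"
                break
    return verdicts
```

In the constructed sample the spraying source also records an accepted login shortly afterwards, which is exactly the successful guess the threat description warns of; correlating a "spray" verdict with a subsequent success from the same source is the natural next step for an alert.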

Example: