There were quite a few statistics that jumped out at me in this year?s data breach report, however one of them stuck in my head: 79% of all attacks were classified as ?opportunistic?. We define opportunistic attacks in the report as ?The victim isn?t specifically chosen as a target; they were identified and attacked because they exhibited a weakness the attacker knew how to exploit.? And that got me thinking? If attackers are poking around the Internet and attacking anything that appears weak, that sounds like all of these opportunistic attacks would show up in a honeypot. So I set up a rather simple honeypot with a fake ssh server that records the username and passwords from login attempts. It was attacked almost immediately and the login attempts kept rolling in.
It?s been 6 weeks now and the honeypot has been running most of that time, and I?ve collected 63,303 attempted passwords and usernames through SSH. What makes this list rather interesting is that these are the passwords the attackers are trying ? not the passwords the users are using. There?s an interesting distinction there if we stop and think about it.
The first thing that jumped out at me is that 23.4% of the passwords matched the usernames: bob/bob, alice/alice, root/root kind of thing. I suspect that?s much higher than other network services. If memory serves, adding a user in some *nix flavors (used to?) set the password equal to the username. But rather than go into a top-X list of ?bad? password, I wanted to do some analysis on character sets. Everyone has probably seen the password restrictions being enforced, ?choose a password that contains upper and lower case, numbers and/or special characters? type of thing. So how effective would those be? Can we look at the passwords that attackers are trying to brute-force with and determine which sets would be the best to choose from?
The Setup
I started by identifying the four basic character sets:
- Lower case (a-z)
- Upper case (A-Z)
- Numeric (0-9)
- Special Characters (!@#$, etc)
Then I went through the passwords and identified which specific category they fell into and created (of course) a visualization from that. I chose the trusty Venn diagram to show relative size of each character set and how they relate (any section not labeled is less than 1%).
What?s this tell us?
First take a look at the size of the circles, a whopping 86.7% of the attempted passwords include lower case. Perhaps then, a good strategy (in avoiding brute-force attempts) is to use a password that excludes lower case characters. But take a look at the circle for upper case characters; it?s the smallest of all of them (who would?ve thought that?!)
For example, the #2 ranked ?password? appears 1,125 times in the list, while ?Password? appears 6 times and ?PASSWORD? appears once, (incidentally, ?Password1? appears 50 times).
But let?s take a look at the ?best? character sets. Which character sets had the least amount of attempts against them? The best combination appears to be the union of upper case and special characters with only 78 total password attempts (out of 63,000) from there followed by just upper case passwords coming in with 105 password attempts? ?PASSWORD!? never made it on this list.
Some Caveats
As I mentioned in the beginning, these are attempts against the SSH service. We can only safely assume that this analysis applies to SSH logins and we should probably limit our lessons to that. The dictionaries and tactics used against an open RDP server (for example) may be completely different and they may again be completely different when we talk about attacks against a social networking site or tactics used in cracking a list of passwords offline.
The final caveat I?d like to make is that this is all meaningless against something like key loggers (which were used in 41% of the breaches we studied in 2011), and that the use of stolen credentials appears to be a problem for large and small orgs. In other words, pursuing ?strong? passwords may be much less of a problem than keeping the passwords out of the hands of the attacker at all and we have to keep all of that in perspective.
Finally, I hope to post the data used in this analysis ?real soon now?.? Once that happens, I?ll end this post and include a link.
Tags: honeypot, password
Source: http://securityblog.verizonbusiness.com/2012/06/28/6-weeks-and-60000-passwords-later/
detroit tigers st louis weather guinea bissau google stock google stock gawker hayden panettiere
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.