Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/21/2019
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Propose New Approach to Address Online Password-Guessing Attacks

Recommended best practices not effective against certain types of attacks, they say.

Automated online password-guessing attacks, where adversaries try numerous combinations of usernames and passwords to try and break into accounts, have emerged as a major threat to Web service providers in recent years.

Next week, two security researchers will present a paper at the Network and Distributed System Security Symposium (NDSS Symposium) in San Diego that proposes a new, more scalable approach to addressing the problem.

The approach — described in a paper titled "Distinguishing Attacks from Legitimate Authentication Traffic at Scale" — is designed specifically to address challenges posed by untargeted online password-guessing attacks. These are attacks where an adversary distributes password guesses across a very large range of accounts in an automated fashion.

Such "breadth-first" attacks are typically a lot harder to address for a large organization than a more targeted "depth-first" attack, where an attacker might try lots of password guesses against a relatively small number of online accounts, the research paper noted.

The typical approach to addressing online password attacks currently is to block or throttle repeated guesses against an account. The approach can work in depth-first attacks but is not very effective when password guesses are distributed against a wide range of accounts, the researchers said. "At large providers with tens, or hundreds, of millions of accounts, breadth-first attacks offer a way to send millions or even billions of guesses without ever triggering the depth-first defenses," they noted.

Cormac Herley, principal researcher at Microsoft Research and primary author of the report, says the challenge for organizations is figuring out a way to reliably distinguish legitimate traffic from attack traffic. "The traffic at an authentication password server is an unknown mixture of traffic from good users and attackers," he says.

Each request contains a username, password, and other data, such as IP address and browser information. It can be hard to distinguish requests from legitimate users attempting to log into their accounts with those from attackers trying to guess their way in, especially when attack volumes are large, Herley says. Companies like Microsoft, for instance, detect several million credential attacks against its identity systems on a daily basis.

The way to address this problem starts with figuring out the percentage of traffic on the network that is benign and the percentage that is attack traffic. "This sounds hard but is actually easy," Herley says.

Both attackers and legitimate users can a fail a login attempt. "However, legit users fail maybe 5% or so of the time, while an attacker who is guessing fails [over] 99% of the time," he says.

Herley's research shows how organizations can use this fact to estimate the ratio of good to bad traffic among login requests. It shows how they can then use the estimate to identify the segments of traffic that contain the most attack traffic and the segments that have little or none. "Finding some portions that look clean allows us to learn what the traffic from legit users looks like so that we can punish traffic that deviates from that pattern more," Herley says.

The impetus for developing a new approach that addresses online password attacks was prompted by the lack of innovation in the area. Account lockout approaches have been recommended for a very long time, with little effort put into understanding how effective they really are, Herely says.

There's little science or analysis, for instance, to show that a single, fixed account lockout threshold — for example, after 10 failed guesses — can work equally well for small organizations and those with massive user bases, such as Microsoft and Google, he says.

"We concluded that this problem needed a ground-up, systematic approach instead of the rag-bag of heuristics that were much-used but little studied," Herley says. The approach described in the paper is pretty easy for organizations to implement, he adds, and hinges on their gathering the right statistics from incoming traffic.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Eduardo R.
50%
50%
Eduardo R.,
User Rank: Apprentice
4/26/2019 | 1:50:14 AM
Interesting Read
Definitely something to look out for. Thanks for taking the time to write this article. Really learned a lot out of it.

 

-Eduardo R. - Sioux Falls <a href="https://www.siouxfallshomecleaning.com/">House cleaning services</a>
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/1/2019 | 8:24:11 AM
Re: Breadth vs. Depth
Did not think of that but some sites have about 5 increase time-out periods before locked.  And some are damn hard to get into anyway.  Social Security asked about 5 questions about old loans that I totally forgot about or were sold to different financial carriers.  Bad answers?  Locked for 24 hours.  Not easy to get into.  Let's also get rid of admin/admin accounts for starters and default device passwords - inclusive of printers.  Web hosts by printers is a great way to gain entry and an internal IP address.  There was a Google search string years ago that provided the internal page of Office Jet printers around the world!  With internal IP too.  Oh, that is an open door.  So passwords - make 'em complex and change every 3 months or even 2 better.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/27/2019 | 2:12:08 PM
Re: Breadth vs. Depth
3 might be rather stringent. There are times I can't get it right in 6 tries.

But one bit of advice I heard once was to have gradually increasingly long pauses/periods for each successive attempt. Need 5 tries to get your password right? No big deal. Need 3,000? Then you're obviously a bot and the login will be effectively DDoS'd.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/27/2019 | 1:32:09 PM
Re: Breadth vs. Depth
This may seem really basic  but account lockout periods work too.  3 attempts and the account is locked for, oh 15 or 20 min.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2019 | 8:13:11 PM
Breadth vs. Depth
At the same time, aren't breadth-first attacks more common insofar as attackers seek/prefer low-hanging fruit?

I suppose certain targets are juicier than others, but assuming all things being equal and you don't have a red dot on you, preparing against breadth-first attacks first seems like a good idea, no?
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...