Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/21/2019
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Propose New Approach to Address Online Password-Guessing Attacks

Recommended best practices not effective against certain types of attacks, they say.

Automated online password-guessing attacks, where adversaries try numerous combinations of usernames and passwords to try and break into accounts, have emerged as a major threat to Web service providers in recent years.

Next week, two security researchers will present a paper at the Network and Distributed System Security Symposium (NDSS Symposium) in San Diego that proposes a new, more scalable approach to addressing the problem.

The approach — described in a paper titled "Distinguishing Attacks from Legitimate Authentication Traffic at Scale" — is designed specifically to address challenges posed by untargeted online password-guessing attacks. These are attacks where an adversary distributes password guesses across a very large range of accounts in an automated fashion.

Such "breadth-first" attacks are typically a lot harder to address for a large organization than a more targeted "depth-first" attack, where an attacker might try lots of password guesses against a relatively small number of online accounts, the research paper noted.

The typical approach to addressing online password attacks currently is to block or throttle repeated guesses against an account. The approach can work in depth-first attacks but is not very effective when password guesses are distributed against a wide range of accounts, the researchers said. "At large providers with tens, or hundreds, of millions of accounts, breadth-first attacks offer a way to send millions or even billions of guesses without ever triggering the depth-first defenses," they noted.

Cormac Herley, principal researcher at Microsoft Research and primary author of the report, says the challenge for organizations is figuring out a way to reliably distinguish legitimate traffic from attack traffic. "The traffic at an authentication password server is an unknown mixture of traffic from good users and attackers," he says.

Each request contains a username, password, and other data, such as IP address and browser information. It can be hard to distinguish requests from legitimate users attempting to log into their accounts with those from attackers trying to guess their way in, especially when attack volumes are large, Herley says. Companies like Microsoft, for instance, detect several million credential attacks against its identity systems on a daily basis.

The way to address this problem starts with figuring out the percentage of traffic on the network that is benign and the percentage that is attack traffic. "This sounds hard but is actually easy," Herley says.

Both attackers and legitimate users can a fail a login attempt. "However, legit users fail maybe 5% or so of the time, while an attacker who is guessing fails [over] 99% of the time," he says.

Herley's research shows how organizations can use this fact to estimate the ratio of good to bad traffic among login requests. It shows how they can then use the estimate to identify the segments of traffic that contain the most attack traffic and the segments that have little or none. "Finding some portions that look clean allows us to learn what the traffic from legit users looks like so that we can punish traffic that deviates from that pattern more," Herley says.

The impetus for developing a new approach that addresses online password attacks was prompted by the lack of innovation in the area. Account lockout approaches have been recommended for a very long time, with little effort put into understanding how effective they really are, Herely says.

There's little science or analysis, for instance, to show that a single, fixed account lockout threshold — for example, after 10 failed guesses — can work equally well for small organizations and those with massive user bases, such as Microsoft and Google, he says.

"We concluded that this problem needed a ground-up, systematic approach instead of the rag-bag of heuristics that were much-used but little studied," Herley says. The approach described in the paper is pretty easy for organizations to implement, he adds, and hinges on their gathering the right statistics from incoming traffic.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Eduardo R.
50%
50%
Eduardo R.,
User Rank: Apprentice
4/26/2019 | 1:50:14 AM
Interesting Read
Definitely something to look out for. Thanks for taking the time to write this article. Really learned a lot out of it.

 

-Eduardo R. - Sioux Falls <a href="https://www.siouxfallshomecleaning.com/">House cleaning services</a>
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/1/2019 | 8:24:11 AM
Re: Breadth vs. Depth
Did not think of that but some sites have about 5 increase time-out periods before locked.  And some are damn hard to get into anyway.  Social Security asked about 5 questions about old loans that I totally forgot about or were sold to different financial carriers.  Bad answers?  Locked for 24 hours.  Not easy to get into.  Let's also get rid of admin/admin accounts for starters and default device passwords - inclusive of printers.  Web hosts by printers is a great way to gain entry and an internal IP address.  There was a Google search string years ago that provided the internal page of Office Jet printers around the world!  With internal IP too.  Oh, that is an open door.  So passwords - make 'em complex and change every 3 months or even 2 better.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/27/2019 | 2:12:08 PM
Re: Breadth vs. Depth
3 might be rather stringent. There are times I can't get it right in 6 tries.

But one bit of advice I heard once was to have gradually increasingly long pauses/periods for each successive attempt. Need 5 tries to get your password right? No big deal. Need 3,000? Then you're obviously a bot and the login will be effectively DDoS'd.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/27/2019 | 1:32:09 PM
Re: Breadth vs. Depth
This may seem really basic  but account lockout periods work too.  3 attempts and the account is locked for, oh 15 or 20 min.  
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2019 | 8:13:11 PM
Breadth vs. Depth
At the same time, aren't breadth-first attacks more common insofar as attackers seek/prefer low-hanging fruit?

I suppose certain targets are juicier than others, but assuming all things being equal and you don't have a red dot on you, preparing against breadth-first attacks first seems like a good idea, no?
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '&quot;sampling&quot;:{&quot;value&quot;:&quot;&lt;script&gt;' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.