
2/21/2019
06:30 PM

Researchers Propose New Approach to Address Online Password-Guessing Attacks

Recommended best practices not effective against certain types of attacks, they say.

Automated online password-guessing attacks, where adversaries try numerous combinations of usernames and passwords to try and break into accounts, have emerged as a major threat to Web service providers in recent years.

Next week, two security researchers will present a paper at the Network and Distributed System Security Symposium (NDSS Symposium) in San Diego that proposes a new, more scalable approach to addressing the problem.

The approach — described in a paper titled "Distinguishing Attacks from Legitimate Authentication Traffic at Scale" — is designed specifically to address challenges posed by untargeted online password-guessing attacks. These are attacks where an adversary distributes password guesses across a very large range of accounts in an automated fashion.

Such "breadth-first" attacks are typically a lot harder to address for a large organization than a more targeted "depth-first" attack, where an attacker might try lots of password guesses against a relatively small number of online accounts, the research paper noted.

The typical approach to addressing online password attacks currently is to block or throttle repeated guesses against an account. The approach can work in depth-first attacks but is not very effective when password guesses are distributed against a wide range of accounts, the researchers said. "At large providers with tens, or hundreds, of millions of accounts, breadth-first attacks offer a way to send millions or even billions of guesses without ever triggering the depth-first defenses," they noted.

Cormac Herley, principal researcher at Microsoft Research and primary author of the report, says the challenge for organizations is figuring out a way to reliably distinguish legitimate traffic from attack traffic. "The traffic at an authentication password server is an unknown mixture of traffic from good users and attackers," he says.

Each request contains a username, password, and other data, such as IP address and browser information. It can be hard to distinguish requests from legitimate users attempting to log into their accounts from those of attackers trying to guess their way in, especially when attack volumes are large, Herley says. Companies like Microsoft, for instance, detect several million credential attacks against their identity systems on a daily basis.

The way to address this problem starts with figuring out the percentage of traffic on the network that is benign and the percentage that is attack traffic. "This sounds hard but is actually easy," Herley says.

Both attackers and legitimate users can fail a login attempt. "However, legit users fail maybe 5% or so of the time, while an attacker who is guessing fails [over] 99% of the time," he says.

Herley's research shows how organizations can use this fact to estimate the ratio of good to bad traffic among login requests. It shows how they can then use the estimate to identify the segments of traffic that contain the most attack traffic and the segments that have little or none. "Finding some portions that look clean allows us to learn what the traffic from legit users looks like so that we can punish traffic that deviates from that pattern more," Herley says.
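As an added illustration (not code from the paper or from Microsoft), the failure-rate asymmetry Herley describes can be turned into a simple two-component mixture estimate per traffic segment. It is a simplified sketch that assumes the article's round figures as fixed failure rates; the segment keys, the `min_requests` threshold, and the sample counts are constructed.

```python
from collections import defaultdict

LEGIT_FAIL_RATE = 0.05   # assumption from the article: legit users fail ~5%
ATTACK_FAIL_RATE = 0.99  # assumption from the article: guessers fail over 99%

def attack_fraction(failures, total,
                    p_legit=LEGIT_FAIL_RATE, p_attack=ATTACK_FAIL_RATE):
    """Estimate the share of login requests that are attack traffic.

    Observed failure rate f = (1 - a) * p_legit + a * p_attack, hence
    a = (f - p_legit) / (p_attack - p_legit), clamped to [0, 1].
    """
    if total == 0:
        return 0.0
    f = failures / total
    a = (f - p_legit) / (p_attack - p_legit)
    return min(1.0, max(0.0, a))

def rank_segments(events, min_requests=20):
    """events: iterable of (segment_key, succeeded).

    Returns [(segment, total, estimate)], most attack-heavy first.
    Segments with too few requests are skipped as statistically unreliable.
    """
    counts = defaultdict(lambda: [0, 0])  # segment -> [failures, total]
    for segment, ok in events:
        counts[segment][1] += 1
        if not ok:
            counts[segment][0] += 1
    ranked = [(seg, total, round(attack_fraction(fails, total), 3))
              for seg, (fails, total) in counts.items()
              if total >= min_requests]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

def sample_events():
    """Constructed sample, segmented by a hypothetical source /24."""
    ev = []
    ev += [("198.51.100.0/24", False)] * 990 + [("198.51.100.0/24", True)] * 10
    ev += [("203.0.113.0/24", False)] * 52 + [("203.0.113.0/24", True)] * 48
    ev += [("192.0.2.0/24", False)] * 5 + [("192.0.2.0/24", True)] * 95
    ev += [("10.9.8.0/24", False)] * 3  # below min_requests, ignored
    return ev

if __name__ == "__main__":
    for seg, total, est in rank_segments(sample_events()):
        print(f"{seg:18} requests={total:5} est_attack_share={est}")
```

Segments whose estimate is near zero are the "clean" portions from which legitimate behaviour can be learned; segments near one are where stricter throttling belongs.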

The impetus for developing a new approach to online password attacks was the lack of innovation in the area. Account lockout approaches have been recommended for a very long time, with little effort put into understanding how effective they really are, Herley says.

There's little science or analysis, for instance, to show that a single, fixed account lockout threshold — for example, after 10 failed guesses — can work equally well for small organizations and those with massive user bases, such as Microsoft and Google, he says.

"We concluded that this problem needed a ground-up, systematic approach instead of the rag-bag of heuristics that were much-used but little studied," Herley says. The approach described in the paper is pretty easy for organizations to implement, he adds, and hinges on their gathering the right statistics from incoming traffic.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Eduardo R.,
User Rank: Apprentice
4/26/2019 | 1:50:14 AM
Interesting Read
Definitely something to look out for. Thanks for taking the time to write this article. Really learned a lot out of it.

 

REISEN1955,
User Rank: Ninja
3/1/2019 | 8:24:11 AM
Re: Breadth vs. Depth
Did not think of that but some sites have about 5 increase time-out periods before locked.  And some are damn hard to get into anyway.  Social Security asked about 5 questions about old loans that I totally forgot about or were sold to different financial carriers.  Bad answers?  Locked for 24 hours.  Not easy to get into.  Let's also get rid of admin/admin accounts for starters and default device passwords - inclusive of printers.  Web hosts by printers is a great way to gain entry and an internal IP address.  There was a Google search string years ago that provided the internal page of Office Jet printers around the world!  With internal IP too.  Oh, that is an open door.  So passwords - make 'em complex and change every 3 months or even 2 better.  
Joe Stanganelli,
User Rank: Ninja
2/27/2019 | 2:12:08 PM
Re: Breadth vs. Depth
3 might be rather stringent. There are times I can't get it right in 6 tries.

But one bit of advice I heard once was to have gradually increasingly long pauses/periods for each successive attempt. Need 5 tries to get your password right? No big deal. Need 3,000? Then you're obviously a bot and the login will be effectively DDoS'd.
REISEN1955,
User Rank: Ninja
2/27/2019 | 1:32:09 PM
Re: Breadth vs. Depth
This may seem really basic  but account lockout periods work too.  3 attempts and the account is locked for, oh 15 or 20 min.  
Joe Stanganelli,
User Rank: Ninja
2/25/2019 | 8:13:11 PM
Breadth vs. Depth
At the same time, aren't breadth-first attacks more common insofar as attackers seek/prefer low-hanging fruit?

I suppose certain targets are juicier than others, but assuming all things being equal and you don't have a red dot on you, preparing against breadth-first attacks first seems like a good idea, no?