SIGforum.com    Main Page  Hop To Forum Categories  What's Your Deal!    Your Password Has Expired
Protect Your Nuts
Whisp
posted
quote:
Originally posted by ensigmatic:

quote:
Originally posted by Whisp:
Passwords are harder to figure out, but early on, programs were created to repeatedly try username and password combinations until they got a successful login; this is called a brute-force dictionary attack.

Now from your roach-infested apartment in Eastern Europe you can lease a bot-net of infected PCs worldwide to launch credential stuffing attacks on anyone. A credential stuffing attack basically attempts usernames and passwords over and over again.


(The FTP ones are from China. Ninety-nine times out of a hundred those are from China, here. The Dovecot ones are obviously from a 'bot net. Rate is way too low to be even remotely worrisome.)

I used to see them every morning for all our Internet-facing servers when I was in I.T., too.

During my career I had servers and routers exposed to the Internet for just about ever since the 'net became commercially available in the late '80s. Before that they had dial-up modem access. For a time they had both. Never once had an account compromised by an external brute-force attack.

Wasn't for lack of them trying ;)

Reasonably good password policies, enforced; reasonably competent I.T. staff (which I've found to be disappointingly uncommon), and decent defensive measures will thwart 99-44/100% of common attacks.



I agree, brute force is a dead concept in today's world, but credential stuffing is a very real threat today. I see the same thing against financial institution servers, usually Online Banking or OFX (Quicken/QuickBooks Direct Connect) servers. While the rate isn't concerning, it's the fact that the attackers are passing known credential combinations to attempt to see if any of those combinations are valid against the institution. While the failure rate is obviously extremely high, the attack is just about the validation.

The attacker makes money by then selling a known-good username/password list; it's usually another group that then runs the actual attack. For FIs it's mostly Online Banking account takeover and small-dollar extraction (usually under $5k), but done hundreds of thousands of times over it's a huge enterprise. It also matters a whole lot to the account holder, who in all likelihood doesn't even know their creds are exposed. When we see this traffic we redirect it to a mirrored server which returns an invalid-credential response regardless of submission and then let the attacker run through their list.

The reason why I say password policies are shit is that at the end of the day people are the weak link in the chain. Every time I've run a generic phishing test on an organization I've captured at least 5% of targets. Directed or daisy-chained attacks I'll get 20-30%. Doesn't matter the training, doesn't matter the competency of the people, how good the IT staff is: someone in a rush or just not thinking is all it takes. 2FA in a lot of forms makes it harder for attackers, but people still compromise those codes all the time. Smart-card auth is really the only solution today in my opinion, and it's not perfect and really only viable from a corporate network standpoint.


------------------------------------------------------------------------------------
"deserves" ain't got nothin to do with it.
------------------------------------------------------------------------------------
 
Posts: 2668 | Location: VA, mostly | Registered: June 14, 2006
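An added example (not Whisp's code or any institution's) of the two things the post above describes: telling credential stuffing apart from brute force in the login logs, and sending the stuffing sources to a "mirror" that answers "invalid credentials" no matter what is submitted. The log format, IP addresses, usernames, thresholds and the plaintext credential table are all constructed for the demo; the shape of the traffic (many distinct usernames, each tried once or twice, versus one username hammered many times) is the signal the post is describing.

```python
"""Classify failed-login sources as credential stuffing vs. brute force and
sinkhole the stuffing sources. Everything below is constructed demo data."""
import hmac
import re
from collections import defaultdict

# Constructed sample log, one attempt per line; nothing real behind these lines.
SAMPLE_LOG = """\
2021-03-01T02:00:01Z src=198.51.100.7 user=alice result=FAIL
2021-03-01T02:00:02Z src=198.51.100.7 user=bob result=FAIL
2021-03-01T02:00:03Z src=198.51.100.7 user=carol result=FAIL
2021-03-01T02:00:04Z src=198.51.100.7 user=dave result=FAIL
2021-03-01T02:00:05Z src=198.51.100.7 user=erin result=FAIL
2021-03-01T02:00:06Z src=198.51.100.7 user=frank result=FAIL
2021-03-01T02:00:07Z src=203.0.113.9 user=admin result=FAIL
2021-03-01T02:00:08Z src=203.0.113.9 user=admin result=FAIL
2021-03-01T02:00:09Z src=203.0.113.9 user=admin result=FAIL
2021-03-01T02:00:10Z src=203.0.113.9 user=admin result=FAIL
2021-03-01T02:00:11Z src=203.0.113.9 user=admin result=FAIL
2021-03-01T02:00:12Z src=203.0.113.9 user=admin result=FAIL
2021-03-01T02:00:13Z src=192.0.2.5 user=alice result=FAIL
2021-03-01T02:00:14Z src=192.0.2.5 user=alice result=OK
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse lines into dicts; malformed lines are dropped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, min_attempts=5, min_distinct_users=5, max_tries_per_user=2):
    """Per source IP:
    'credential_stuffing' = many distinct usernames, each tried once or twice
                            (a leaked list being validated);
    'brute_force'         = one or two usernames hit with many passwords;
    'suspicious'          = lots of failures, neither clean pattern;
    'normal'              = too few failures to judge."""
    per_src = defaultdict(lambda: defaultdict(int))  # src -> user -> failed tries
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    verdict = {}
    for src, users in per_src.items():
        attempts = sum(users.values())
        if attempts < min_attempts:
            verdict[src] = "normal"
        elif len(users) >= min_distinct_users and max(users.values()) <= max_tries_per_user:
            verdict[src] = "credential_stuffing"
        elif len(users) <= 2:
            verdict[src] = "brute_force"
        else:
            verdict[src] = "suspicious"
    return verdict


def sinkhole_set(verdict):
    """Sources whose traffic is routed to the always-fail mirror."""
    return {src for src, v in verdict.items() if v == "credential_stuffing"}


# Constructed credential table, plaintext only so the demo is self-contained;
# a real verifier compares against salted hashes, never stored plaintext.
REAL_CREDENTIALS = {"alice": "correct horse battery staple"}


def handle_login(src, user, password, sinkholed):
    """The mirror answers 'invalid credentials' for every submission from a
    sinkholed source, so the stuffer learns nothing about which pairs are valid."""
    if src in sinkholed:
        return "invalid credentials"
    expected = REAL_CREDENTIALS.get(user, "")
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    return "invalid credentials"


if __name__ == "__main__":
    verdict = classify_sources(parse_log(SAMPLE_LOG))
    blocked = sinkhole_set(verdict)
    print(verdict)
    print("sinkholed:", blocked)
    # A valid pair from a sinkholed source still fails; from a clean source it succeeds.
    print(handle_login("198.51.100.7", "alice", "correct horse battery staple", blocked))
    print(handle_login("192.0.2.5", "alice", "correct horse battery staple", blocked))
```

The per-IP counting here is the simplest form of the check. As the post notes, a rented bot-net spreads the list across many addresses so each one stays under any per-IP threshold; in practice the same logic is run fleet-wide (distinct usernames per ASN, per client fingerprint, or per time window across all sources) rather than per address, and the point of the mirror is that the attacker's list comes back with zero "good" entries rather than a partial one.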
The Unmanned Writer
LS1 GTO
posted
quote:
Originally posted by V-Tail:
quote:
She got called into HR for computer password abuse.
How did HR know her password? The whole point is, passwords should be known only to the user.

I do know that in UNIX type systems, the password is not stored in a readable form. I don't know about Windows passwords.


Sure, asked that too. As it is a private company, the response was along the lines of "our computers, our network, our security rules."

It did change after the USAF found out since they were also on the network and assigned to the buildings.
Only in an insane world are the sane considered insane.


The memories of a man in his old age
Are the deeds of a man in his prime


 
Posts: 12838 | Location: It was Lat: 33.xxxx Lon: 44.xxxx now it's CA :( | Registered: March 22, 2008
goodheart
sjtill
posted
I like Kenpoist's cartoon example. For my personal computer and hard drives I use Diceware-derived passwords, usually 6-7 words. For online I use Apple's generated passwords.
Now going back through the passwords identified by Apple as compromised, frequently used, easily guessed, or used repeatedly, and gradually getting rid of them.


_________________________
“We seem to be getting closer and closer to a situation where nobody is responsible for what they did but we are all responsible for what somebody else did.”--Thomas Sowell
 
Posts: 16631 | Location: One hop from Paradise | Registered: July 27, 2004
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by V-Tail:
quote:
She got called into HR for computer password abuse.
How did HR know her password? The whole point is, passwords should be known only to the user.

Correct.

When the company for which I'd worked was acquired by a new company, the new PHBs declared that, going forward, HR would maintain a record of all employees' passwords. "No," I replied, "they will not, or you're looking for a new Admin. And btw: You won't get any sensitive government contracts with that policy."

Hell, I once suspended a senior manager's network access for sharing his login credentials with a guest. I suspended several users' accounts, more than once, when they shared their login credentials with an abusive upper-level manager who thought the rules didn't apply to him. The asshole eventually learned to stop doing that. (They feared him. I did not.)

Hell, I'm not even sure a company can achieve PCI compliance (essentially minimum security standards to be allowed to process credit card transactions) with a policy like that--and PCI compliance is pretty weak tea, IMO.

quote:
Originally posted by V-Tail:
I do know that in UNIX type systems, the password is not stored in a readable form. I don't know about Windows passwords.

It is in MS-Windows, as well.

quote:
Originally posted by LS1 GTO:
Sure asked that too. As it is a private company, the response was along the lines, " our computers, our network, our security rules."

We had the same policy. This has nothing to do with "our stuff, our rules," but just plain bad practice.

quote:
Originally posted by LS1 GTO:
It did change after the USAF found out since they were also on the network and assigned to the buildings.

Ha! I bet it did :) Without going into detail, an AF contractor and AF network security personnel went through our network security policies, interviewed me in depth, and, IIRC, randomly interviewed some of my coworkers before we were allowed to take on a sensitive contract.

They were not fooling around.




"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
"The dominant media is no more ``mainstream`` than leftists are liberals." -- me
 
Posts: 20512 | Location: S.E. Michigan | Registered: January 06, 2008
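The exchange above turns on what "not stored in a readable form" means: the system keeps something it can check a password against but cannot turn back into the password, which is exactly what an HR list of employee passwords is not. The following is an added example, not ensigmatic's code and not the password database format of any particular OS; it is a generic salted PBKDF2 record with a constant-time verifier. The demo password and the record layout (`algo$iterations$salt$hash`) are constructed for the example.

```python
"""Store a password as a salted, slow hash; verify without ever keeping the
plaintext. Generic pattern, not any OS's /etc/shadow or SAM format."""
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # deliberately slow so offline guessing is expensive


def make_record(password, iterations=ITERATIONS):
    """Return 'algo$iterations$salt_hex$hash_hex'. The password is not in it,
    and a fresh random salt means two users with the same password get
    different records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify(record, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time.
    A malformed or foreign record is a failed login, never an exception."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False


def contains_plaintext(record, password):
    """What an HR 'record of all passwords' amounts to: the secret readable in the store."""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed demo password
    rec1, rec2 = make_record(pw), make_record(pw)
    print(rec1)
    print("same password, different records:", rec1 != rec2)
    print("verify right:", verify(rec1, pw), " verify wrong:", verify(rec1, pw + "x"))
    print("plaintext visible in record:", contains_plaintext(rec1, pw))
```

The practitioner's point this makes concrete: if a policy requires someone other than the user to be able to read the password back, the system has to keep it in a reversible form, and every control that depends on the hash (breach containment, non-repudiation of who logged in) is gone with it.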
Prepared for the Worst, Providing the Best
92fstech
posted
StateFarm is the worst offender for this. Their requirements are stupidly complex, and they force you to change it so often that every time I have to log in to pay my bill I have to use the forgot-my-password thing. Which ultimately results in me writing the new password down somewhere, which is less secure than if they just let me use one that I would remember. I actually just sent them an email complaining about it this week, and they sent me an email back with instructions on how to change my password (eye roll). Out of touch, condescending crap like that might finally push me to find a new insurance company...
 
Posts: 4516 | Location: In the Cornfields | Registered: May 25, 2006
His Royal Hiney
Rey HRH
posted
For work, I settled on a format: IloveRey!01
Next password: IloveRey!02, and so on.

It's only been a little over a year since I went on a password manager. I wish I had started way sooner.



"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
 
Posts: 16488 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
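The `IloveRey!01` / `IloveRey!02` pattern above is what forced expiry reliably produces, and it is the one thing a change-time check can actually catch. The following is an added example, not code from the post or from any product: at the moment of a change the user has just typed the old password, so the verifier can compare it against the proposed new one without any stored plaintext. The normalisation rules, the edit-distance threshold and the sample passwords are my assumptions for the demo.

```python
"""Reject 'same password, next number' at change time. Compares the old
password the user just typed with the proposed new one; never needs stored
plaintext. Thresholds and normalisation below are demo assumptions."""
import re

PUNCT = "!@#$%^&*()_+-=.,;:?"


def core(password):
    """Strip what people rotate: digits anywhere, letter case, and punctuation
    at either end. 'IloveRey!01' and '02IloveRey!' both reduce to 'iloverey'."""
    return re.sub(r"\d+", "", password).casefold().strip(PUNCT)


def levenshtein(a, b):
    """Plain edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(old, new, max_edits=2):
    """True when the new password is the old one with a counter bumped, digits
    or case changed, or only a couple of characters edited."""
    if new == old:
        return True
    if core(new) == core(old):
        return True
    return levenshtein(old.casefold(), new.casefold()) <= max_edits


def check_change(old, new):
    """Returns (accepted, reason). Other policy (length, breach-list screening)
    would run after this check; only the rotation test is shown here."""
    if is_trivial_rotation(old, new):
        return False, "new password is a trivial variation of the old one"
    return True, "ok"


if __name__ == "__main__":
    for old, new in [("IloveRey!01", "IloveRey!02"),
                     ("Summer2020!", "Summer2021!"),
                     ("IloveRey!01", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```

Two caveats a practitioner would want stated. First, this only sees the immediately previous password, because that is the only one the user supplies in plaintext at change time; exact reuse of older passwords can be caught by hashing the candidate against each retained historical salt and comparing, but variants of older passwords cannot, and keeping plaintext history to catch them is worse than the problem. Second, the check is a mitigation for a policy that NIST SP 800-63B already advises against: periodic forced expiry, with a change required only on evidence of compromise and candidates screened against breached-password lists instead.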
Member
posted
I write my passwords down, and use a different password for everything. I use underscores between words, and the words are altered, with numbers and letters and symbols, and I try to change the passwords on an irregular basis.

dO_No?t_LiK3_gRaP5!

I also make a point not to answer emails I don't know, and all the other basic precautions. I check each email address before I open it, even if I do know it. I compartmentalize information, don't share between parties or sites or sources, use false names, dates, etc, and change them up between any online sources.

I've had passwords crop up as used in an attack, and at least with individual passwords I can focus on which one was compromised. For some things, I just don't go online, like banking. I go to the bank.

I still use a written daytimer for everything, and I keep track of my most used information there...the obvious security issue is if the daytimer gets lost or stolen. I'm neither smart enough, nor have a good enough memory to do without, so it's still pen and ink.
 
Posts: 6094 | Registered: September 13, 2006
© SIGforum 2021