Information Security News |
If you run an ssh server (especially if you still run it on the default port), you've no doubt had plenty of folks scan your machine and do password guessing attacks against it. BTW, you'll never get in mine that way, I only allow public/private key authentication, but that is beside the point here.

I've done a couple of other reports analyzing passwords, and I really like pipal by Robin Wood for much of the analysis (you can grab it from here). I've been running a kippo ssh honeypot for the day job for about 2 years and I've done a couple of reports on the password guesses for the ThreatTraq webcast, but then I discovered that in addition to firewall logs and the 404 logs, we also collect kippo logs here at the SANS Internet Storm Center. Ooh, more data!! If you'd like to contribute, please grab https://isc.sans.edu/kipposcript.pl.

So, without further ado, here is what I've found in our kippo data (as of about 15 April 2013). I should note here, though, that these are the guesses the bad guys are making. They've most likely developed their lists based on what has worked for someone at some point, so they will be somewhat different from what you find when analyzing passwords from breaches, like my analysis of last year's Yahoo breach.
Total entries = 15415314
Total unique entries = 46840
Top 10 passwords
123456 = 167854 (1.09%)
password = 113640 (0.74%)
cacutza = 99492 (0.65%)
__--_-__-_ = 79153 (0.51%)
123 = 63557 (0.41%)
root = 61560 (0.4%)
1234 = 58103 (0.38%)
123456789 = 57270 (0.37%)
12345 = 53445 (0.35%)
test = 52231 (0.34%)
Okay, the first thing to note is that the default password kippo accepts for root is 123456, so attackers who know the honeypot's defaults may skew the above a bit. The one I personally find most interesting is the 4th one, '__--_-__-_'.
Top 10 base words
password = 295354 (1.92%)
test = 192825 (1.25%)
pass = 127086 (0.82%)
root = 121704 (0.79%)
cacutza = 99492 (0.65%)
temp = 97145 (0.63%)
[email protected] = 92650 (0.6%)
p4ssword = 88344 (0.57%)
changeme = 74842 (0.49%)
p4ssw0rd = 74329 (0.48%)
So, some variation on 'password' (with or without character substitutions) dominates, followed by the usual test/default account names.
Password length (count ordered)
6 = 2708563 (17.57%)
8 = 2275062 (14.76%)
7 = 1550776 (10.06%)
9 = 1394644 (9.05%)
10 = 1234997 (8.01%)
4 = 1143617 (7.42%)
5 = 1025693 (6.65%)
12 = 766462 (4.97%)
11 = 647696 (4.2%)
3 = 437702 (2.84%)
The password guesses varied in length from 1 character (do people actually allow 1 character passwords?) up to 71 characters. The tail of the length distribution is shown below:
56 = 4504 (0.03%)
57 = 180 (0.0%)
58 = 465 (0.0%)
60 = 17 (0.0%)
62 = 800 (0.01%)
63 = 69 (0.0%)
64 = 369 (0.0%)
70 = 9 (0.0%)
71 = 908 (0.01%)
One to six characters = 5463941 (35.44%)
One to eight characters = 9289779 (60.26%)
More than eight characters = 6125535 (39.74%)
Only lowercase alpha = 5126974 (33.26%)
Only uppercase alpha = 140773 (0.91%)
Only alpha = 5267747 (34.17%)
Only numeric = 1906165 (12.37%)
First capital last symbol = 135964 (0.88%)
First capital last number = 958843 (6.22%)
Last digit
3 = 1621502 (10.52%)
1 = 1394507 (9.05%)
0 = 620126 (4.02%)
4 = 593100 (3.85%)
6 = 548727 (3.56%)
2 = 478758 (3.11%)
5 = 420699 (2.73%)
9 = 407320 (2.64%)
8 = 318715 (2.07%)
7 = 303304 (1.97%)
Last 3 digits (Top 10)
123 = 1156095 (7.5%)
456 = 380369 (2.47%)
234 = 340074 (2.21%)
345 = 234638 (1.52%)
321 = 212258 (1.38%)
789 = 192424 (1.25%)
678 = 166984 (1.08%)
567 = 154030 (1.0%)
001 = 146204 (0.95%)
111 = 91160 (0.59%)
Character sets
loweralpha: 5126974 (33.26%)
loweralphanum: 4803721 (31.16%)
numeric: 1906165 (12.37%)
loweralphaspecialnum: 803707 (5.21%)
mixedalphanum: 768137 (4.98%)
mixedalphaspecialnum: 641067 (4.16%)
loweralphaspecial: 344881 (2.24%)
upperalphanum: 181283 (1.18%)
mixedalpha: 151523 (0.98%)
special: 149786 (0.97%)
upperalpha: 140773 (0.91%)
upperalphaspecialnum: 133340 (0.86%)
mixedalphaspecial: 91536 (0.59%)
upperalphaspecial: 81044 (0.53%)
specialnum: 66165 (0.43%)
Character set ordering
allstring: 5419270 (35.16%)
othermask: 3833967 (24.87%)
stringdigit: 2622232 (17.01%)
alldigit: 1906165 (12.37%)
stringdigitstring: 478523 (3.1%)
digitstring: 446101 (2.89%)
stringspecial: 184687 (1.2%)
allspecial: 149786 (0.97%)
stringspecialstring: 117368 (0.76%)
digitstringdigit: 114141 (0.74%)
stringspecialdigit: 101918 (0.66%)
specialstring: 25205 (0.16%)
specialstringspecial: 15951 (0.1%)
Okay, there is some interesting stuff there, and if you are interested in the pieces of the standard pipal report that I didn't include here, I've put the full report up on my handler page.

One of the other things I took a look at was how many in the mix satisfy the standard definition of a "complex" password: at least 3 of the 4 character classes [lower case, upper case, digits, special characters] and length >= 8. 620413 (4.02%) of the guesses satisfy this definition of complex. However, when you look at unique passwords, only 1286 (2.75% of the 46840 unique ones) are complex. So, at least one takeaway is that the more complex you make your crucial passwords, the less likely you are to fall victim to this type of password guessing attack. Of course, 173 of those 1286 were some variation on 'password' with substitutions or digits and/or special characters tacked on the end, so a "complex" variant of a dictionary word is still on the attackers' lists.

So, what do you think? Is there some other aspect of the passwords that I should have looked at? Let us know in the comment section below or via our contact form.
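As an added example (not code from the diary, from kippo, or from pipal), here is a small Python script that pulls the guesses out of kippo-style log lines and produces a pipal-like summary of them, including the "complex" test used above (length >= 8 and at least 3 of the 4 character classes) and a check for leet-substituted variants of 'password'. The log line layout is an assumption based on kippo's Twisted-style `login attempt [user/password] failed` messages, and the sample lines are constructed rather than real honeypot data; the `unleet` substitution table is also my own choice, not pipal's.

```python
"""Added example (not code from the ISC diary, kippo or pipal): extract the
password guesses from kippo-style log lines and build a pipal-like summary,
including the diary's "complex" test (length >= 8, 3 of 4 character classes).
The log layout is an assumption based on kippo's Twisted-style output and the
sample lines are constructed, not real honeypot data."""
import re
from collections import Counter

# Constructed sample log lines in the assumed kippo format (addresses come
# from documentation ranges, not real attackers).
SAMPLE_LOG = """\
2013-04-15 03:12:43+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/123456] failed
2013-04-15 03:12:44+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/password] failed
2013-04-15 03:12:45+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/P@ssw0rd!] failed
2013-04-15 03:12:46+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [admin/123456] succeeded
2013-04-15 03:12:47+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [test/test123] failed
2013-04-15 03:12:48+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [oracle/Changeme1] failed
2013-04-15 03:12:49+0000 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.5] connection lost
"""

# "login attempt [user/password] failed|succeeded". The password group is
# greedy so guesses that themselves contain '/' or ']' are captured whole.
LOGIN_RE = re.compile(
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>failed|succeeded)$")

# Assumed leet table used only to spot 'password' derivatives (not pipal's).
UNLEET = str.maketrans("4@03157$", "aaoeists")


def parse_guesses(log_text):
    """Return (user, password, result) for every login-attempt line."""
    guesses = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line.rstrip())
        if m:
            guesses.append((m.group("user"), m.group("pw"), m.group("result")))
    return guesses


def char_classes(pw):
    """Set of character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_complex(pw, min_len=8, min_classes=3):
    """The diary's definition: length >= 8 and at least 3 of the 4 classes."""
    return len(pw) >= min_len and len(char_classes(pw)) >= min_classes


def charset_label(pw):
    """pipal-style character-set label, e.g. 'loweralphanum' or 'numeric'."""
    c = char_classes(pw)
    if c == {"digit"}:
        return "numeric"
    parts = []
    if {"lower", "upper"} <= c:
        parts.append("mixedalpha")
    elif "lower" in c:
        parts.append("loweralpha")
    elif "upper" in c:
        parts.append("upperalpha")
    if "special" in c:
        parts.append("special")
    if "digit" in c:
        parts.append("num")
    return "".join(parts) or "empty"


def base_word(pw):
    """Approximation of pipal's base word: lowercase with leading/trailing
    digits and symbols stripped. No leet reversal, which is why the diary
    counts 'p4ssword' and 'password' as separate base words."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def unleet(pw):
    """Undo common digit/symbol substitutions (assumed table above)."""
    return pw.lower().translate(UNLEET)


def summarize(guesses, top=10):
    """Build the pipal-like statistics the diary reports for a guess list."""
    pws = [pw for _, pw, _ in guesses]
    uniq = set(pws)
    complex_uniq = {pw for pw in uniq if is_complex(pw)}
    return {
        "total": len(pws),
        "unique": len(uniq),
        "top": Counter(pws).most_common(top),
        "lengths": Counter(len(pw) for pw in pws),
        "charsets": Counter(charset_label(pw) for pw in pws),
        "base_words": Counter(b for b in map(base_word, pws) if b),
        "complex_total": sum(1 for pw in pws if is_complex(pw)),
        "complex_unique": len(complex_uniq),
        # complex guesses that are still just 'password' with substitutions
        "complex_password_variants": sum(
            1 for pw in complex_uniq if "password" in unleet(pw)),
    }


if __name__ == "__main__":
    stats = summarize(parse_guesses(SAMPLE_LOG))
    for key, value in stats.items():
        print(f"{key}: {value}")
```

On a real kippo log, replace `SAMPLE_LOG` with the file contents; the regex ignores the non-login lines kippo also writes. The `complex_password_variants` figure is the one to watch: it is the share of "complex" guesses that a password policy would have accepted even though attackers already carry them.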
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
The opinions expressed here are strictly those of the author and do not necessarily represent those of SANS, the Internet Storm Center, the author's spouse, kids, or pets (except maybe the ornery cat).
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

If you've ever been nagged about the weakness of your password while changing account credentials on Google, Facebook, or any number of other sites, you may have wondered: do these things actually make people choose stronger passcodes? A team of scientists has concluded that the meters do work, or at least they have the potential to do so, assuming they're set up correctly.
The researchers—from the University of California at Berkeley, the University of British Columbia in Vancouver, and Microsoft—are among the first to test the effect that the ubiquitous password meters have on real users choosing passwords. They found that meters grading the strength of passwords had a measurable impact in helping users pick stronger passcodes that weren't used on other accounts. But the group also discovered these new, stronger passwords weren't any harder for users to remember than weaker ones.
The scientists were quick to point out caveats to their findings. For one, the meters provided little benefit when users were choosing passwords while setting up a new account, as opposed to changing passwords for an already established account. And the meters provided no improvement for accounts people considered unimportant.
by Dan Goodin
Mobily, a Saudi Arabian telecommunications company with 4.8 million subscribers, is working on a way to intercept encrypted data sent over the Internet by Twitter, Viber, and other mobile apps, a security researcher said Monday.
Moxie Marlinspike, the pseudonymous cryptographer who has identified several security bugs in the secure sockets layer protocol used to protect website transactions, said he learned of the project after receiving an e-mail from company officials. Carrying the subject line "Solution for monitoring encrypted data on telecom," it said the project was required by "the regulator." Marlinspike believed this meant the government of Saudi Arabia. In follow-up e-mails, the Mobily officials said they were looking for ways to bypass the protections built into the SSL and Transport Layer Security protocols so telecom workers could monitor messages spreading terrorism.
"One of the design documents that they volunteered specifically called out compelling a [certificate authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception," Marlinspike wrote in a blog post. "A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities."
Posted by InfoSec News on May 13:
http://www.rusi.org/publications/journal/ref:A517E5BC42E13D/#.UZCpTIpDsdi
http://www.thestate.com/2013/05/08/2761786/sc-hacking-solution-could-cost.html
http://www.nytimes.com/2013/05/11/business/media/privacy-breach-on-bloombergs-data-terminals.html
http://online.wsj.com/article/SB10001424127887324059704578475461266801742.html
http://www.timesofoman.com/News/Article-15279.aspx