[ISN] Hackers can crack most in less than a minute

From: InfoSec News (isnat_private)
Date: Fri May 24 2002 - 03:30:17 PDT

  • Next message: InfoSec News: "[ISN] NAI to pull plug on CyberCop"

    By Rob Lemos
    Staff Writer, CNET News.com
    May 22, 2002, 4:00 a.m. PT 
    When a regional health care company called in network protection firm
    Neohapsis to find the vulnerabilities in its systems, the
    Chicago-based security company knew a sure place to look.
    Retrieving the password file from one of the health care company's
    servers, the consulting firm put "John the Ripper," a well-known
    cracking program, on the case. While well-chosen passwords could take
    years--if not decades--of computer time to crack, it took the program
    only an hour to decipher 30 percent of the passwords for the nearly
    10,000 accounts listed in the file.
    "Just about every company that we have gone into, even large
    multinationals, has a high percentage of accounts with easily
    (cracked) passwords," said Greg Shipley, director of consulting for
    Neohapsis. "We have yet to see a company whose employees don't pick
    bad passwords."
    Fortune 100 corporations, small firms and even Internet service
    providers with strong security have an Achilles heel: users who pick
    easily guessable passwords. Some choose words straight out of
    Webster's dictionary, others use a pet's name, and still more choose
    the name of a secret lover. Many who think themselves tricky append a
    digit or two on the end of their chosen word. Such feeble attempts at
    deception are no match for today's computers, which are capable of
    trying millions of word variations per second and often can guess a
    good number of passwords in less than a minute.
    Treasure trove of magic words
    For network intruders, that's a gold mine. Bad passwords don't
    necessarily make it easier to break in to a company's network, but for
    hackers able to gain access to a corporate computer by other means,
    they're a treasure trove. Passwords discovered on one server will
    frequently open the way to other servers, and with the digital keys to
    a large fraction of the accounts on the network, an intruder can
    wander about with impunity and with the appearance of being a
    legitimate user.
    That's why network attackers grab passwords as soon as they can. Some
    viruses and worms send an infected computer's password file back to
    the creator. This week, a worm known as DoubleTap is doing just that,
    squirming its way in to computers with Microsoft's SQL Server 7.0
    installed. The 1i0n worm, which spread among Linux servers in early
    2001, grabbed password files, and the SirCam virus, in some cases,
    could send off the systems passwords as well.
    Even the most paranoid security group and high-tech digital fences
    can't do much if the CEO secures his critical files with "god123."  
    Worse, most companies and organizations still rely on a password--and
    nothing else--to authenticate their employees.
    In security circles, experts have been studying the problem for
    In the pre-Internet Age of 1979, when storage was measured in the
    number of bits that could fit on a foot of magnetic tape, a seminal
    paper on password security found that a third of users' passwords
    could be broken in less than five minutes.
    A search to find an eight-character password of random letters and
    digits would take 66 years on average for the big gun of the day, the
    PDP-11/70, which could crunch through nearly 50,000 combinations a
    minute in a brute-force search.
    Yet the study found that users almost invariably chose bad passwords,
    leading to shortcuts for anyone attacking the security of the system.
    Of nearly 3,300 passwords examined, the paper's authors, Ken Thompson
    and Robert Morris Sr., found about 17 percent consisted of three
    characters or less, nearly 15 percent had four characters that were a
    letter or a digit, and another 15 percent appeared in one of the
    dictionaries available at the time. In total, nearly half the
    passwords could be found in a search lasting less than six hours.
    Make no mistake: An eight-character password could be very secure,
    even if attacked by today's high-speed computers.
    There are more than 6.6 quadrillion different eight-character
    passwords using the 95 printable ASCII characters. Though some
    password-cracking programs can test nearly 8 million combinations
    every second on the latest Pentium 4 processor, breaking an
    eight-character password would still take more than 13 years on
    In fact, operating systems have evolved in the past two decades to
    increase the security surrounding passwords. At one time, anyone could
    read the password file--the collection of encrypted keys for the
    system's software locks--making it easy for a hacker to copy the file
    for later cracking on their own computer system.
    Now, operating systems typically allow only system administrators
    access to read the encrypted passwords, forcing hackers to get
    administrator rights on the system before they can grab the file. In
    addition, "three strikes" login rules have become common, locking out
    users who fail to provide the correct passwords in the first few
    Digital domino effect
    While such defenses have made hacking attempts based on repetitive
    password guesses using a list of common words--known as a dictionary
    attack--less feasible, such attacks are invaluable to hackers as a way
    of broadening access to a network. A single server or PC breached by
    an intruder can yield passwords reused on other systems in the
    network, bypassing the security on the systems in a digital domino
    The only defense is to make passwords nearly impossible to guess, but
    such strength requires that the password be selected in a totally
    random fashion. That's a tall order for humans, said David Evans, an
    assistant professor of computer science at the University of Virginia.
    "When humans make passwords, (they) are not very good at making up
    randomness," he said.
    Furthermore, because people usually have several passwords to keep
    track of, locking user accounts with random, but
    difficult-to-remember, strings of characters such as "wX%95qd!" is a
    recipe for a support headache.
    "The idea is to make something that is easy to remember but that will
    make up a good password," he said.
    Many security administrators focus their efforts on teaching users how
    to use various mnemonics to create strong, but memorable, passwords. A
    common technique takes the first or last letter of each word in a
    saying or phrase familiar to the user. For example, by using random
    capitalization and substituting some punctuation marks and digits for
    letters, "Friends don't let friends give tech advice" might become
    The education doesn't seem to be sticking, and the password problem is
    getting worse as the percentage of less-tech-savvy computer users
    Giving away the keys
    In a recent study by security firm PentaSafe Security Technologies,
    the company found that four out of five workers would disclose their
    passwords to someone in the company, if asked.
    That's the good news. Another study by the same company found that
    nearly two-thirds of the workers polled at Victoria Station in London
    gave the pollster their passwords when asked. Their reward? A cheap
    Little wonder then that companies are becoming increasingly worried
    that the keys to their information kingdom are being handled so
    "Passwords are one of the biggest security problems that corporate
    America has," said Chris Pick, associate vice president for product
    strategy at PentaSafe. "Employees should at least know their company's
    password policy, but they don't."
    In fact, potential intruders value a password far more than the single
    computer it's protecting. A hacker who can get the password list from
    a server or PC can use those passwords to gain access to other
    computers on the network, bypassing all the high-tech security erected
    to keep him out. Moreover, once an intruder has collected the digital
    keys to a network, it's very hard for administrators to lock him back
    "There are some ISPs who have had 40,000 passwords stolen," said
    Neohapsis' Shipley. "They are not going to tell all their users to
    change their passwords." Doing so would only alert a hacker that he
    has been detected, Shipley said, and the ISP has no way of knowing if
    a legitimate user or the illicit trespasser has changed an account's
    "It's a support nightmare," Shipley said. "That's one hacker you
    aren't getting out of the system."
    The best solution is to not let them in. To block hackers, security
    companies and researchers are increasingly focusing on strengthening
    the weak link posed by passwords.
    Many corporations have boosted user education, concentrating on
    drilling their employees in the company's password policy. Such
    policies determine what a valid password is, the minimum number of
    characters in the string, and how often the keys to the account have
    to be changed.
    That still doesn't make the passwords any more memorable, researchers
    Picture this
    "The human limitation with precise recall is in direct conflict with
    the requirements of strong passwords," wrote University of California
    at Berkeley students Rachna Dhamija and Adrian Perrig in a recent
    paper discussing the possibility of a graphical password system called
    Deja Vu.
    Dhamija and Perrig, as well as several other researchers, are looking
    to capitalize on users' visual recall, rather than their ability to
    memorize characters. Deja Vu creates collections of digital art from
    which a user chooses several selections; then the system trains the
    user to remember the selections.
    Researchers at Microsoft, Lucent Technologies, New York University and
    the University of Virginia, among others, have studied techniques for
    creating graphical passwords.
    Such systems have problems as well. While the resulting password tends
    to be more random than one made of characters, the user training has
    to be done in secret or others might be able to view the sequence of
    images that make up the password. Moreover, the same attributes that
    make graphical passwords easier to remember for the user make them
    easier to pick up by, say, a not-so-friendly co-worker looking over
    someone's shoulder, said Chris Wysopal, director of research and
    development for digital security firm @Stake.
    "Pictures are going to be easier to shoulder-surf than keyboard
    passwords," Wysopal said, adding that weaknesses in how such passwords
    are stored on the computer system could also make them vulnerable to
    cracking attempts.
    While research has focused on creating new types of passwords,
    businesses are attempting to tackle the problem with software products
    that allow a single, strong password to be used to access all the
    services on a network. By letting users focus on just memorizing a
    single password, the onus for security is on the administrators who
    must force users to pick a strong password and change it frequently.
    This system has its own drawback, of course. A hacker able to wheedle
    a single password from a user gains access to everything that person
    had permission to use. That has many nervous companies adopting
    so-called two-factor authentication, where the second factor is a chip
    card or biometric. For the extremely security conscious, three-factor
    authentication is available as well.
    "If you want real high-level security," said University of Virginia's
    Evans, "people can authenticate themselves with something they know,
    like a password; something they have, like a smart card; and something
    they are, like a biometric."
    With fingerprint scanners and smart-card readers still not a common
    option on computers, such technology isn't an immediate solution, said
    Chris Christiansen, an analyst with market researcher IDC.
    "There is a huge, huge range of alternatives to passwords," he said.  
    "But nobody thinks passwords are going to go away."
    Until better alternatives are adopted, the users--and the passwords
    they choose--continue to be the greatest vulnerability.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri May 24 2002 - 06:23:48 PDT