Password Security – Letmein Monkey

In the past month I’ve noticed a large increase in the amount of spam being sent via SMTP Auth and Webmail accounts. These are old techniques but have the advantage of avoiding blocklists and sometimes bypassing anti-spam filters. In both cases a user name and password is required to send the spam and this is usually captured via brute force or phishing attacks.

As the name suggests, a brute force attack is when an attacker tries guessing a combination of user names and passwords at a server until authenticated. Some of the most common services attacked are ssh, ftp, snmp and smtp-auth. There are tools available that attackers can use to repeatedly hammer a server with authentication attempts. One method to help prevent the attack is to slow down or block an authentication attempt after a certain number of failures. For example, the fail2ban application can provide such protection on a Unix server. This makes life much more difficult for an attacker but a strict password policy is still necessary. Why?

An attacker needs to know both a user name and password to authenticate. It’s possible to guess a user name that’s common to many servers, such as root/info on a Unix server or User/Administrator on a Windows server. In the case of SMTP Auth attacks, the user name is already in the e-mail address so only the password needs to be brute forced. However, a bad choice of password makes the brute force attempt quite simple. If only one attempt is needed to guess the password then it could bypass checks for authentication failures. I recently investigated the case of a compromised mail server where the password was identical to the user name and it was sending out phishing e-mails.

So let me try and guess one of your passwords. Hmmm… is it “letmein”? No, how about “qwerty”? No. One more try, is it “monkey”? If I managed to guess your password, you should probably change it immediately as it’s one of the top 10 most common passwords, according to this article. This technique of guessing the password is based on how common a password is across a large user base. In December 2006, a MySpace phishing attack managed to steal 34,000 passwords but accidentally made them publicly available. Security researchers were able to analyze these to find the most common passwords.

I’ve discussed the use of common passwords but it’s also possible that your password could be socially engineered. If the attacker knows the victim then the password could be guessed if the password was related to a pets name, a hobby or a music band. I’m well aware of this so in my case my passwords aren’t Guinness, Snowboarding or U2 :o)

Unfortunately, even a well chosen password that’s difficult to guess can be compromised. In the case of webmail spam the login credentials are typically gathered using a phishing attack. I’ve previously discussed this spear phishing attack aimed at particular organizations and universities. If you e-mail your user name and password to a phisher it doesn’t really matter how long or complex your password is. When the phisher has these credentials they can use the webmail account to send spam from a non-blocked IP.

To summarize, a good anti-spam and anti-virus solution should be deployed to prevent phishing based attacks along with end user education. It’s important that an organization enforce a strict password policy where passwords must be changed on a regular basis and meet a minimum requirement. By changing passwords regularly it provides protection in the event of a password being compromised. Although prevention is better than cure and a brute force attack would be much more difficult if the password had to be at least a reasonable minimum length, contain both upper and lower case characters, contain digits and a non-alphanumeric password. It should also not appear on a post-it note attached to the monitor!