Thursday, February 21, 2008

Distributed Account Lockout Attack

Over the past few days I've been pondering an older threat against applications - lockout attacks. The old attack would involve a single user who wanted to lockout another individual or group of individuals by entering multiple unsuccessful passwords. The goal isn't to guess the password, but to lock the account by sending multiple unsuccessful login attempts. Now, if this user was particularly malicious he could try to enumerate all of the usernames for an online system and then use a script to lock out all of the users. This is a real threat for current online systems. However, once the system owners detected this attack they could respond and block incoming requests from the IP address and likely track down previous activity from that user.

Lets take this idea and add make it a distributed attack originating from a botnet. Instead of a single user attacking multiple user accounts, we now have thousands of individual machines scattered throughout the world attacking a small number of accounts. How would we defend against this sort of attack? Previously a single machine was launching the attack and action could easily be taken against the offending IP address. But now the number of malicious machines increases to the thousands - all locking 10-20 accounts each.

How does this attack compare to a distributed network based denial of service? One key item is the attacker does not have to actually exhaust network resources. A network based denial of service requires a large number of machines for it to be successful. Each machine sends legitimate requests to the site in an attempt to use up all the available bandwidth on the server side. Once the bandwidth from the botnet attack stops clogging the pipe, the attack is over. However, an account lockout attack would cause damage with any number of attacking machines. 1000 machines wouldn't cause a DDOS against a major online site, but it could lock out 50,000 users without difficulty. Another issue with this attack is simply unlocking the affected accounts won't solve anything. The attacked site must quickly identify the attacking machines or eliminate their ability to lock out accounts. Otherwise any accounts which are unlocked, will just be locked by the next wave of attacks.

I can see this type of attack being a real threat to the massive social networking sites and possibly financial sites which have not added multi-factor authentication. Given the large botnets that have been forming, I'm almost surprised we haven't seen this type of attack yet (please correct me if I'm missing some).

Here are some solutions I came up with:

  • A captcha of some sort may be a good option. We are seeing this in more financial sites. But for those sites that don't want a captcha for every login, consider requiring the captcha after 3 failed logins. At this point we should get suspicious and want to confirm that we are dealing with a person and not a bot.

  • Incident response should be prepared for this type of attack. Be able to quickly pull metrics showing IP addresses which have a large number of failed logins or have locked out more than 1 account in a small amount of time.

  • Along that line, it may be worthwhile to generate an IDS alert whenever a single IP locks more than 1 account in a small window of time. Generating alerts on this behavior could provide information on the beginnings of an attack (instead of hearing from the helpdesk that you just received thousands of password reset phone calls)

-Michael Coates

Tuesday, February 19, 2008

Upcoming ChiSec Event

For all of you fellow Security enthusiasts in the Chicago area, there is an upcoming social event.

From the ChiSec Website:
An informal meetup of information security professionals in Chicago. Unlike other meetups, you will not be expected to pay dues, "join up", or present a zero-day exploit to attend.

The basics
Thursday, February 28, 2008
Houlihan's on Wacker (in the back)
7pm - about 10pm
RSVP Required? Nope
Membership Required? No

More info here:

Hope to see you there.

-Michael Coates

Tuesday, February 12, 2008

I'll hack your pets instead of your passwords

Ok, I give up, people are starting to use stronger passwords. Maybe not all of the time, but it is getting tougher to guess a person's password in the first three tries. So perhaps the attackers should stop trying to break into people's accounts. Or maybe, they'll just stop trying to guess the user's passwords. Don't get excited yet, the attackers are done attacking, they're just refocusing the attack. Whats the new target you ask? Password Resets Screens

Say you forget your password and click on the friendly little 'forgot my password' link. You enter in your username and are presented with some questions to validate your identity. These questions include items like what city were you born in, what is your mother's maiden name or what is your pet's name. Hold on, my pet's name? How on earth is that secure?

How many people know the name of your pet? If while talking about your pets with a coworker would you stop and think 'oh I shouldn't mention there names, this guy might use that info to break into my account'. Of course not! Why then, is this kind of information considered to be a valid form of identification.

Let's consider the best case, you live by yourself in the mountains with 20 cats and no one knows any of their names. The attacker realizes he can't get the cats names from you so he will just guess. He tries Tigger, Boots, Fluffy (top 20 pet names: How many popular names are out there for cats 20, 50, 100? Sure, 100 possibilities is more than a few, but that pales in comparison to a password. A 7 character password with numbers and letters has 78 million possibilities (78,364,164,096 to be exact). I sure bet the attacker has a better chance at guessing your pet's name than guessing your password. True there may be some other controls present such as an email to the registered email for the account with a reset link, but realistically the solution is still misguided if it is using simple questions at all.

I guess those hackers are on to something...

-Michael Coates