Thursday, September 4, 2014

Are Recent Password Guessing Attacks Tied to Devastating Morris Worm?

With recent reports of online password guessing attacks, like those Apple customers may have experienced, is it possible that the Morris worm is responsible?  Yes, I mean the Morris worm from 1988.  The one that impersonated users with weak passwords as part of an attack arsenal that allowed it to spread and overwhelm the then nascent Internet.  Since password guessing was detected shouldn't we assume this worm has resurfaced?

“But Bruce,” you protest, “you're offering no evidence that these things are in any way associated!”  And to you I reply “Well, why should that stop us from speculating?”

Ok, my claim is a bit exaggerated but it was inspired by real news from Namecheap on Monday.  The web hosting company warned customers that they had detected a credential guessing attack, which “likely” matched a recently revealed Russian password collection.  This collection, publicized by security consultant Alex Holden in August, purportedly included 1.2 billion unique credentials stolen by a hacking group nicknamed "CyberVor".  It attracted a lot of attention in the news, along with its own controversy.

So why did Namecheap think the attempted usernames and passwords were associated with CyberVor?  They don't offer a reason in their posted warning.  Furthermore, I don't believe they have a good reason.  The Russian credential cache has not been made public so there are no username or password records for them to compare to the guesses they saw.

My suspicion is that the CyberVor story was still fresh in the mind of someone at Namecheap and they made an assumption that the group's data was involved when faced with their own attack.  Maybe there was also some circumstantial evidence, such as password guesses originating from Russian IP addresses.  Regardless, there's no apparent way for them to know and there's likewise no reason to assume there is a connection.

I can forgive a company for including a seemingly unrelated statement when they aren't accustomed to disclosing details about an attack, but what really bothered me was how a few members of the media failed to question it.

An article by The Register mentioned that the Namecheap news offered "anecdotal evidence" of a CyberVor connection but seems to otherwise present the information as fact.  Infosecurity Magazine's coverage also didn't question how the two events were related, and goes on to wonder if it was the first time the Russian credentials were used in an attack against another site.

I understand that news-cycle-driven journalism means not being able to fact-check every detail being shared, but I feel the Namecheap claim was important enough to raise a red flag, especially at these two publications.

Meanwhile, IDG News Service did challenge how Namecheap could make this connection and actually took the time to ask Alex Holden (the only person outside of CyberVor known to have a copy of their credential cache) about the claim.  Holden agreed that there wasn't support for thinking CyberVor data was involved.  A SecurityWeek article also questioned whether the timing of the two incidents was the only evidence that led to the conclusion, and apparently did try to verify the statement with Namecheap.

In reality, automated password guessing, or brute-forcing, attacks were a threat long before CyberVor made the news.  The US Department of Defense Password Management Guidelines advised setting minimum password policy standards to combat the threat of login password guessing back in 1985.  Although, since the cutting-edge technology of that day required passwords to be tried over 1200-baud modems, the attacks took a slight bit longer to carry out.

More recently, both web sites and other Internet services have faced increased password guessing attacks.  In 2012 the video game development company ArenaNet (which hosts the Guild Wars 2 MMO) responded to thousands of customer support tickets when criminals successfully guessed player passwords.  Last year, both Konami (PDF) and Nintendo experienced millions of login attempts, taking place over several weeks, aimed at compromising their customer accounts.

One factor these attacks all seemed to share was that the hackers behind them were leveraging usernames and passwords stolen from other hacked sites.  The dangerous and common practice of reusing passwords across different companies can mean that your site is more vulnerable to attack if you have users who also maintain accounts on less secure sites.  If one of those sites is breached and its user database is stolen (possibly with passwords stored in plaintext), it can improve the success rate criminals have when attempting to guess credentials on your site.  This likelihood of success probably grows when the hacked site and yours both cater to a similar customer base.

So while it is likely that the credentials tried against Namecheap customer accounts originated from one or more hacked sites, there are plenty of more likely sources of password records than the CyberVor stash.

On a positive note, Namecheap does deserve praise for having monitoring in place to detect unusual login activity, which allowed them to quickly take steps to protect their customers' accounts.  Instead of the weeks noted above in the Konami and Nintendo cases, Namecheap personnel responded within hours of the attack.  That probably made a big difference in limiting how much damage the attackers were able to do.
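The monitoring described above is the kind of thing a site can build from its own authentication logs.  The following is an added example, not Namecheap's code: it runs over a constructed log (hypothetical format: timestamp, source IP, username, result) and flags a source that tries many different usernames in a short window with mostly failures, which is the signature of replaying credentials stolen elsewhere rather than one user mistyping a password.  The window and thresholds are assumptions to be tuned per site.

```python
"""Flag credential-stuffing style login bursts in constructed auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, result.
# 203.0.113.7 sprays six different accounts; one reused password happens to work.
# 198.51.100.9 is a single user fumbling their own password, then succeeding.
SAMPLE_LOG = """\
2014-09-01T10:00:01 203.0.113.7 alice FAIL
2014-09-01T10:00:02 203.0.113.7 bob FAIL
2014-09-01T10:00:02 203.0.113.7 carol FAIL
2014-09-01T10:00:03 203.0.113.7 dave OK
2014-09-01T10:00:04 203.0.113.7 erin FAIL
2014-09-01T10:00:05 203.0.113.7 frank FAIL
2014-09-01T10:01:10 198.51.100.9 alice FAIL
2014-09-01T10:01:40 198.51.100.9 alice FAIL
2014-09-01T10:02:05 198.51.100.9 alice OK
"""

def parse(log):
    """Yield (timestamp, ip, user, success) tuples from the constructed format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Per source IP, slide a time window over its attempts and count distinct
    usernames.  Many distinct accounts with a low success rate is the stuffing
    signature; a single account failing repeatedly is not.  Returns, for each
    flagged IP, the attempt counts and the accounts that succeeded during the
    burst (those are the reused passwords that need a forced reset)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(log)):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # drop attempts older than the window
            win = events[start:end + 1]
            users = {user for _, user, _ in win}
            hits = sorted(user for _, user, ok in win if ok)
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                alerts[ip] = {"users": len(users), "attempts": len(win), "hits": hits}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['users']} accounts in {info['attempts']} tries; compromised: {info['hits']}")
```

With the sample log, only 203.0.113.7 is flagged, and the alert names the one account whose reused password worked, so the response can be a targeted reset rather than a site-wide one.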

Hopefully the company will continue to conduct effective incident monitoring and response just in case the Morris worm does rear its ancient head.