Wednesday, October 26, 2016

Passphrases and DDOS


Level 2
The impact of not having adequate passphrases.  I alluded to the 'great internet outage' of 10/20 previously.  It's not an understatement to say that the entire event was made possible by very simple and lazy login/passphrase pairs.  On the morning of October 20th a Domain Name System (DNS) provider, Dyn, was overwhelmed with internet traffic.  It was quickly guessed that this was a Distributed Denial of Service (DDOS) attack. This type of attack has been in use for over 15 years, and most large companies have been hit and have learned to deal with them. To explain a DDOS attack in a different way, imagine a Subway sandwich shop near your house.  Let's assume that the normal foot traffic for the store is about 10 customers at a time.  If 20 people show up to order sandwiches at the same time, it's pretty busy. If you call everyone you know, and get them to call everyone they know, to show up at the same time, you could have 10,000 people trying to get into a Subway at once. Regulars that always eat there at this time would be unable to get their footlong meatball sub.  Service denied, by a distributed group of people.  The DDOS attack on Dyn involved tens of millions of unique requests.  Imagine everyone from your home state going to that same Subway at noon tomorrow.
Back to passphrases. Those unique requests were mostly from hacked Internet of Things (IoT) devices that had weak security.  A malicious program found and hacked DVRs and other home electronics that have internet access and were installed using the default login/password pairs.  "root" and "password" or "admin" and "password" were very common on these devices.  Do you have any home electronics hooked up to the internet? IP security cameras, perhaps.  If so, you could have unwittingly participated in one of three major DDOS attacks in the last month.  By the way, the name of the malware behind the attacks is "Mirai", and the code was made public last month.  I fear that we'll be hearing from this one again.
Last note on passphrases: size matters.  The longer the passphrase, the longer it takes to brute-force.
For example, the passphrase '1234567890' would take about .111 seconds for an offline fast attack (one hundred billion guesses per second). Using the same method, '12345678901234567890' would take about 35.33 years to brute-force. Every extra character multiplies the number of guesses an attacker has to try; that growth is what entropy, the randomness and unpredictability of data, measures.
And to prove a point, the 'Pr8f8]]8dte' password that we generated earlier would take around 18.28 centuries to crack in an offline fast attack.
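To make the length-versus-time point concrete, here is an added example of my own (not code from the post). It assumes a simple exhaustive-search model: the attacker tries every string of every length up to the passphrase's length, drawn from the smallest set of character classes the passphrase uses, at the post's 100 billion guesses per second. Its figures track the post's but come from this model, not the same calculator.

```python
import math
import string

# The post's "offline fast attack" rate: one hundred billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000

# Character classes an attacker is assumed to know the passphrase draws from
# (10 digits, 26 lowercase, 26 uppercase, 32 punctuation = 94 printable ASCII).
_CLASSES = (string.digits, string.ascii_lowercase,
            string.ascii_uppercase, string.punctuation)


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest union of character classes covering the passphrase."""
    size = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in passphrase))
    # Characters outside the four classes (space, non-ASCII) each add one symbol.
    others = {ch for ch in passphrase if not any(ch in cls for cls in _CLASSES)}
    return size + len(others)


def keyspace(passphrase: str) -> int:
    """Guesses needed to exhaust every length from 1 up to len(passphrase)."""
    n = alphabet_size(passphrase)
    return sum(n ** k for k in range(1, len(passphrase) + 1))


def entropy_bits(passphrase: str) -> float:
    """Search-space size expressed in bits (log2 of the keyspace)."""
    space = keyspace(passphrase)
    return math.log2(space) if space else 0.0


def crack_seconds(passphrase: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(passphrase) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit (Julian year = 365.25 days)."""
    units = (("centuries", 3_155_760_000), ("years", 31_557_600),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ("1234567890", "12345678901234567890", "Pr8f8]]8dte"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, {human_time(crack_seconds(pw))}")
```

Doubling the all-digit passphrase from 10 to 20 characters takes the estimate from a fraction of a second to decades, while the 11-character mixed-class password lands in the centuries because each position can hold any of 94 symbols.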

2016-10-26
MDux
