The State of the Internet, 2nd Quarter of 2012


Creation date

IRCRE201210116
Date: 2012-10-30

Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai's globally distributed network of servers allows it to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity, availability and latency problems, as well as traffic patterns on leading Web sites. This summary covers the security-related data gathered across Akamai's global server network during the second quarter of 2012.

Attack Traffic, Top Originating Countries
During the second quarter of 2012, Akamai observed attack traffic originating from 188 unique countries/regions, up from 182 in the prior quarter. As shown in the next figure, China remained the source of the largest volume of observed attack traffic, accounting for approximately 16% of the total, consistent with the first quarter. The United States saw a slight quarterly increase, originating 12% of observed attacks in the second quarter. Nine of the top 10 countries remained consistent quarter-over-quarter, with the exception of Germany, which ceded its place on the list to Italy this quarter. Six of the top 10 countries saw quarterly growth in the associated percentage of observed attack traffic, while three saw a quarterly decline.
In examining the regional distribution of observed attack traffic in the second quarter, we found that nearly 38% originated in the Asia Pacific/Oceania region, just over 36% in Europe, 23% in North and South America, and just under 3% from Africa. The Asia Pacific/Oceania region was the only one where attack traffic concentration declined quarter-over-quarter.

Attack Traffic, Top Ports
As shown in the next figure, attack traffic concentration among the top 10 ports declined during the second quarter of 2012, with these ports responsible for 62% of observed attacks, down from 77% last quarter, and consistent with the level seen in the fourth quarter of 2011. It appears that this decline is largely attributable to the significant decline in the percentage of attacks targeting Port 445, after an unusually large increase last quarter.
In addition to the decrease seen in the percentage of attacks targeting Port 445, decreases were also seen for Port 23, Port 1433, Port 3389, Port 80, Port 22, and Port 4899. The average relative decline seen across these ports was on the order of 25%. Port 8080 saw the greatest increase quarter-over-quarter, jumping over 200% (but still the target of less than 2% of observed attacks), with Port 135 and Port 139 also seeing quarterly increases. Research does not indicate the discovery of any new attacks or vulnerabilities during the quarter that would account for the doubling of Port 8080-targeted attacks.
Port 445 remained the most targeted port in eight of the top 10 countries, accounting for as many as 85 times (in Romania) the number of attacks seen by the next most targeted port. Once again, Port 23 remained the most targeted port in observed attacks originating in Turkey, with seven times as many attacks targeting that port as Port 445, the next most targeted port. In China, Port 1433 remained the most targeted port, with 1.7 times as many attacks targeting that port as Port 3389, the next most targeted port for attacks observed to be originating from the country. Port 23 was the most common second-most targeted port, ranking second in India, South Korea, Taiwan, and the United States, potentially indicating the prevalence of malware in these countries that attempts to exploit default or common passwords on remotely accessible systems, which would allow attackers to gain access to those systems.

SSL Insight, Client-Side Ciphers
The next figure illustrates the distribution of SSL ciphers presented by Web clients (generally browsers) to Akamai's Secure Content Delivery Network during the second quarter of 2012. Once again, the shifts in usage trends varied from those observed in prior quarters. As shown in the figure, usage of the RC4-MD5-128 cipher grew significantly during the quarter, including an unusual bump seen throughout May. Usage of this cipher increased from 10.3% at the start of the quarter to 14.8% at the end of the quarter, an increase of 44%. Usage of other ciphers declined over the course of the quarter, with RC4-SHA-128 losing the most, declining from 3.7% to 3.2%, a loss of just over 14%. Usage of AES-256-SHA-1 once again declined slightly, losing 2.9% to end the quarter at 43.8% usage. AES128-SHA-1 also lost some ground in the second quarter, dropping 6.6% to 36.3% usage. Despite the declines, these two ciphers still account for 80% of the ciphers presented to Akamai servers.

Password Hash Disclosures
On June 6th, 2012, it was discovered that 6.5 million password hashes from social networking site LinkedIn had been revealed by hackers, and that some 300,000 of these hashes had already been compromised. Later the same day, it was revealed that 1.5 million password hashes from eHarmony had also been posted to the Internet. The final member of this list, music site Last.fm, revealed that it had discovered a file containing 2.5 million password hashes of their own the week before. In total, unnamed attackers had disclosed nearly 10.5 million passwords from these three companies in the span of a week.
A hash, or message digest, is the output of a one-way function: the original data can be verified against the hash, but the hash cannot be reversed to recover the original value. In other words, a password can be hashed, and when the password is entered again it can be checked against the stored hash, but the hash itself cannot be turned back into the original password.
Hashes are used extensively on Web sites to protect passwords and maintain the integrity of the password files without exposing the actual passwords. Hashes can be broken, but doing so requires methods such as dictionary or brute force attacks, which hash candidate words and random character strings in order to find collisions with the hashed data. Dictionary attacks feed common words through the hash function to find collisions with the stored password hashes and are quite fast. Brute force attacks use strings of random characters to find collisions with stronger passwords, but can be very time- and computing-power-intensive.
Examples of commonly used hashing algorithms include Secure Hash Algorithm 1 (SHA-1), used by LinkedIn, and the slightly older and less secure Message Digest 5 (MD5), used by Last.fm and eHarmony. A well-implemented password hashing function includes what is called a 'salt', a series of random characters prepended to the password, which greatly increases the time and computing power required to find collisions with the hashed passwords. Unfortunately, none of the companies whose passwords were compromised were using salted hashes, meaning their compromised password files were much easier to find collisions in than they should have been.
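As an added illustration (not code from the Akamai report or from any of the three companies), the following Python contrasts the unsalted SHA-1 storage described above with per-user salted, iterated hashing. It assumes PBKDF2-HMAC-SHA256 with a constructed work factor as the salted scheme; the report does not say which scheme the companies adopted.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, the kind of storage LinkedIn was using."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_hash_groups(records: dict) -> dict:
    """Group users whose unsalted digests are identical.

    Without a salt, every user who chose the same password stores the same
    digest, so a single dictionary hit on that digest exposes all of them.
    """
    groups = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def salted_hash(password: str, salt: bytes = b"") -> str:
    """Random per-user salt plus iterated PBKDF2-HMAC-SHA256 (assumed scheme)."""
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Salt and iteration count are stored alongside the digest; neither is secret.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample password file: two users picked the same weak password.
UNSALTED_FILE = {user: unsalted_sha1(pw) for user, pw in
                 [("alice", "password"), ("bob", "password"), ("carol", "Tr0ub4dor&3")]}

if __name__ == "__main__":
    print("users sharing one unsalted digest:", shared_hash_groups(UNSALTED_FILE))
    print("same password, distinct salted records:",
          salted_hash("password") != salted_hash("password"))
```

With salts, two identical passwords produce two different records, so a collision found for one user says nothing about any other user and the work must be repeated per account.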
All three companies have since implemented salt in their hashing functions for passwords, and have implemented ‘additional security features’, though the exact nature of these security measures has yet to be disclosed. One of the largest concerns with these compromises is that many users re-use passwords across many sites, for example using the same password for a site like eHarmony as they use for their banking site. The exposure of the password for one site may lead to a compromise of a completely unrelated site due to bad end-user password practices. Users of the affected sites were notified and asked to change their passwords, but many who are already overloaded by e-mail may have missed the notifications, or assumed the notifications were simply spam.
An ancillary concern from these compromises is the amount of user information that may have been compromised along with the passwords. Both LinkedIn and eHarmony have large amounts of very personal data about their users, and this data can be used to craft highly targeted phishing campaigns or to answer user security questions on other sites.
None of the three companies, LinkedIn, Last.fm or eHarmony, have disclosed much information on the nature of how they were compromised. Security researchers and hackers have used various tools to discover all of the passwords that were contained in these files, so it is important for users to verify that they have changed their passwords. Since password re-use is common, it is important for users to look at using password vault software to help create and store strong passwords, rather than reusing the same ones repeatedly.


References:
The State of the Internet, Volume 5, Number 2, 2nd Quarter, 2012 Report
