A new study by the University of Maryland's A. James Clark School of Engineering shows the Internet wilds are still teeming with hordes of good old-fashioned brute-force attacks and quantifies how frequently machines are attacked and the methods used.
Michel Cukier, Clark School assistant professor of mechanical engineering and an affiliate of the Clark School's Center for Risk and Reliability and Institute for Systems Research, deployed four Linux systems with "weak security" on the Internet and sat back to watch.
Not surprisingly, the attacks came fast and furiously - averaging one every 39 seconds, or 2,244 attacks per day.
"The majority of attacks came from relatively unsophisticated hackers using dictionary scripts" ... running through "lists of common usernames and passwords," the school reported. Analyzing the attacks showed which usernames and passwords were tried most often and provided insight into what hackers tried once they gained entry.
"'Root' was the top user name guess by dictionary scripts - attempted 12 times as often than the second-place 'admin,'" the school reported. "Successful 'root' access would open the entire computer to the hacker, while 'admin' would grant access to somewhat lesser administrative privileges. Other top usernames in the hackers' scripts were test, guest, info, adm, mysql, user, administrator and oracle."
The research showed the most common password-guessing ploy involved playing off usernames. "Some 43% of all password-guessing attempts simply reentered the username," the school reported. "The username followed by 123 was the second most-tried choice. Other common passwords attempted were 123456, password, 1234, 12345, passwd, 123, test, and 1."
Once inside, the hackers did what hackers do, in this sequence: try to access the systems' software configuration, change passwords, check the software and hardware configuration again, download a file, install the downloaded program, and then run it.
The scripts returned a list of other systems the hackers might be able to access, and the hackers then busied themselves with that task, often installing backdoors so the compromised machines could be used in botnets.
The study concluded with the obvious, but it is always worth repeating: "Computer users should avoid all of the usernames and passwords identified in the research and choose longer, more difficult and less obvious passwords with combinations of upper and lowercase letters and numbers that are not open to brute-force dictionary attacks."
Security is a people, process and technology problem and the weakest link in the chain are the people. Putting in place stronger password requirements could save some agony.