Based on my reply in a SecurityFocus thread, and on some information security audits I have done, I came up with the idea of statistically proving the attack risk level at an organization.
| Number of accounts | Probability of at least one weak key |
|---|---|
| 10 | 0.401 (40.1%) |
| 25 | 0.722 (72.2%) |
| 50 | 0.923 (92.3%) |
| 100 | 0.994 (99.4%) |
Today there is a fashion in account naming, with LDAP and some other systems: for example, if my name is Aaron and my surname is Mizrachi, the username is something like amizrachi.
This corporate fashion, combined with bad password policies, exposes the whole corporate security.
It is a fact that at some administrative levels decisions are not taken with security in mind; security is not taken seriously because the image of the corporation is the first priority.
Having stated that, we will proceed to show statistically how vulnerable we are:
Suppose that an intruder finds, through Google or by another system, program or method, the list of personnel working in this company.
In addition, there are statistical studies that confirm this fact: the probability that a randomly chosen password is weak is about 5%. A key is considered weak when it can be found in a finite, pre-established set of elements; in this case study, a list of 100 common passwords.
$P(\text{weak key}) = 0.05$ (5%)
Then we need to know the probability of having at least one weak key on a server.
We define: $A$ = number of weak keys on the server; $n$ = number of known accounts on the server.
We define the probability as follows.
The number of weak keys can range from zero to the number of existing accounts, assuming that every account has a key:
$1 = P(0 \le A \le n)$
This probability can be split into the probability that there is no weak key on the server and the probability that there is at least one weak key:
$1 = P(A = 0) + P(1 \le A \le n)$
Solving, the probability that there is at least one weak key is the complement of having no weak keys:
$P(1 \le A \le n) = 1 - P(A = 0)$
Therefore, to evaluate the probability that we have weak keys on our server, we have to evaluate the probability of not having any weak key.
Probability of not having a weak key:
$P(A = 0) = (1 - P(\text{weak key}))^n$
This can be expressed as the sequence of $n$ keys all being strong: $(1 - P(\text{weak key}))$ is the probability that a key is strong, and $P(\text{weak key})$, as discussed before, is about 5% (0.05). The formula assumes each key is chosen independently of the others.
We need to find $P(1 \le A \le n)$, that is, the probability that we have at least one weak key.
Replacing $P(A = 0)$ in $1 - P(A = 0)$ by $(1 - P(\text{weak key}))^n$, we obtain the general equation for the probability of having at least one weak key:
$P(1 \le A \le n) = 1 - (1 - P(\text{weak key}))^n$
And with our statistical data, a 5% probability of a key being weak:
$1 - (1 - 0.05)^n = 1 - 0.95^n$
So far these are only statistical equations; at the decision level they show nothing until we evaluate them for concrete values:
| n = number of accounts | Probability of at least one weak key |
|---|---|
| 10 | 0.401 (40.1%) |
| 25 | 0.722 (72.2%) |
| 50 | 0.923 (92.3%) |
| 100 | 0.994 (99.4%) |
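The closed form $1 - (1 - p)^n$ and the table above, worked as an added example that is not part of the original post: the code evaluates the formula for any $p$ and $n$, inverts it to find how many predictably named accounts are needed before the risk crosses a chosen threshold, and cross-checks the closed form with a seeded Monte Carlo simulation. The function names are my own. Note that rounding $1 - 0.95^{25} = 0.7226$ to three decimals gives 0.723, while the table above truncates it to 0.722.

```python
import math
import random


def p_at_least_one_weak(p_weak, n_accounts):
    """P(A >= 1) = 1 - P(A = 0) = 1 - (1 - p_weak)^n, assuming independent keys."""
    if not 0.0 <= p_weak <= 1.0 or n_accounts < 0:
        raise ValueError("p_weak must be in [0, 1] and n_accounts >= 0")
    return 1.0 - (1.0 - p_weak) ** n_accounts


def accounts_until_risk(p_weak, target):
    """Smallest n with P(A >= 1) >= target, from n >= ln(1 - target) / ln(1 - p_weak)."""
    if not (0.0 < p_weak < 1.0 and 0.0 < target < 1.0):
        raise ValueError("p_weak and target must lie strictly between 0 and 1")
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p_weak))
    # Guard against floating-point error on either side of the boundary.
    while n > 1 and p_at_least_one_weak(p_weak, n - 1) >= target:
        n -= 1
    while p_at_least_one_weak(p_weak, n) < target:
        n += 1
    return n


def simulate_at_least_one_weak(p_weak, n_accounts, trials=20000, seed=1):
    """Monte Carlo cross-check: draw n keys, each weak with probability p_weak."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(trials)
        if any(rng.random() < p_weak for _ in range(n_accounts))
    )
    return hits / trials


def risk_table(p_weak, sizes):
    """(n, P(A >= 1)) rows rounded to three decimals, like the table in the post."""
    return [(n, round(p_at_least_one_weak(p_weak, n), 3)) for n in sizes]


if __name__ == "__main__":
    for n, p in risk_table(0.05, [10, 25, 50, 100]):
        print(f"{n:>4} accounts: {p:.3f} ({p:.1%})")
    print("accounts to reach 50% risk:", accounts_until_risk(0.05, 0.5))
    print("simulated, n=10:", simulate_at_least_one_weak(0.05, 10))
```

The inversion is the number a decision maker usually wants: with the post's 5% figure, the risk of at least one weak key already passes 50% at 14 predictably named accounts and 99% at 90.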
Conclusion: for LDAP servers with more than one hundred predictably named accounts, there is a probability of about 99.4% or more of having a weak key, compromising the whole corporation.
What to do?
Removing weak keys is pretty easy on some systems; for example, there are password administration systems that let you filter weak keys using heuristics and wordlists. In addition to the wordlist, we must add identification numbers such as passport number, social security number and birthdays in several formats, so that users cannot use them.
We also recommend an account lockout policy with a small number of incorrect attempts at typing the key, for example 3 attempts.
And finally, if we need more security, we have to avoid using a naming policy. This is not really necessary to be secure, unless you need extreme security.
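A filter of the kind described above, added here as an example and not taken from the original post or from any particular password administration product: it builds a per-user denylist from a short constructed stand-in for the 100-password list, the username, the parts of the real name, identification numbers, and the birthday written in several layouts, and then reports every reason a candidate password fails. The names, numbers and password list are constructed sample values; the function names are my own.

```python
import re
from datetime import date

# Constructed stand-in for the post's 100-entry common-password list (a few entries only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def normalize(text):
    """Lowercase and drop separators so 'Pass-Word 1' is compared as 'password1'."""
    return re.sub(r"[\s\-_./]", "", text.lower())


def birthday_formats(bday):
    """A birthday written the several ways users tend to type it (ddmmyyyy, mmddyy, ...)."""
    d, m, y, yy = bday.day, bday.month, bday.year, bday.year % 100
    return {
        f"{d:02d}{m:02d}{y}", f"{d:02d}{m:02d}{yy:02d}",
        f"{m:02d}{d:02d}{y}", f"{m:02d}{d:02d}{yy:02d}",
        f"{y}{m:02d}{d:02d}", f"{yy:02d}{m:02d}{d:02d}",
        f"{d}{m}{y}", str(y),
    }


def personal_denylist(username, full_name, id_numbers, birthday):
    """Per-user tokens that must not appear inside the password."""
    tokens = {normalize(username)}
    tokens |= {normalize(p) for p in full_name.split() if len(p) >= 3}
    tokens |= {normalize(n) for n in id_numbers}
    tokens |= birthday_formats(birthday)
    return {t for t in tokens if len(t) >= 3}


def check_password(password, username, full_name, id_numbers, birthday, min_length=10):
    """Return the list of reasons a password is rejected; an empty list means it passes."""
    reasons = []
    norm = normalize(password)
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Heuristic: a common word with digits or symbols tacked on the end is still weak.
    core = re.sub(r"[0-9!@#$%^&*]+$", "", norm)
    common = {normalize(p) for p in COMMON_PASSWORDS}
    if norm in common or core in common:
        reasons.append("in common password list")
    for token in sorted(personal_denylist(username, full_name, id_numbers, birthday)):
        if token in norm:
            reasons.append(f"contains personal identifier {token!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample user; the identifiers are not real.
    user = dict(username="amizrachi", full_name="Aaron Mizrachi",
                id_numbers=["AB-123456", "987-65-4321"], birthday=date(1980, 3, 7))
    for candidate in ["Password123", "Mizrachi1980!", "07031980", "correct-horse-battery"]:
        print(candidate, "->", check_password(candidate, **user) or "accepted")
```

Checking every denylist token as a substring, rather than only as an exact match, is what catches the "surname plus birth year" pattern; the separator stripping in `normalize` is what keeps a passport number typed with hyphens from slipping past the raw-string comparison.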
What impact does continuing to use bad policies have?
This will depend on many factors: first, the privileges and access the weak victim has, and how the intruder could attack through those privileges.
Remember that the intruder can obtain your organization's username list in several ways: looking for your company on Google, using programs like "maltego", or even doing "trashing", which means the intruder will be looking through your trash.
Beyond these techniques, we have to measure the impact.
- Email: the victim may manage one corporate account. This victim might consider that enforcing the password policy is unnecessary because their position and their email are not so important. However, for the attacker any mail account could be useful. It could be used as an effective communication mechanism between the hacker and another person. By changing the signature, the attacker could change their apparent position in the company, even while using the name of a low-position victim. We also have to know that the SMTP protocol allows setting any sender address and forging it, but with a real send-and-receive mailbox the attacker can also receive responses and establish a conversation.
- VPN access / intranet / wireless: possibly without the victim's knowledge, this victim has rights on extranet services such as VPN, wireless or some web application login. The attacker could use this to elevate their privileges within the organization and obtain full internal access.
- Shell access and Remote Desktop: systems are getting more centralized every day and let users work from many workstations indifferently. This is probably why the victim will have shell access, Remote Desktop, or even a remote directory. In such cases, most of the time some privilege will enable the attacker to elevate their privileges across the organization.
- Other accesses: every organization has a different network structure and different sets of user permissions. Other systems with centralized authentication can also suffer the consequences.
- Spam lists and corporate fraud: the email exposure and the other artifacts in our organization raise us to the second level of risk. The first level is spam; the simplest thing to do is a deliberate spam campaign against the organization. But the most dangerous hazard to our organization is corporate espionage, especially the case where a rival company easily finds the email list of certain people in key positions and offers them, by email, a tentative remuneration for passing on information. These emails can arrive thanks to the naming convention and/or through the compromised email account.
Knowing this, there is nothing more I can recommend than that the best strategy is to follow the security policy and, additionally, to carry out periodic security audits.