A plodding affair

Mention "Chinese hackers" here in the West and most people's minds instantly leap to allegations of government-sponsored infiltration of western commerce and infrastructure. Dispel those somewhat Hollywood notions. Reuters have today reported that a gang of Chinese criminals (who, they add, have since been caught) first gathered 99 million user credentials from multiple other sources (the report does not specify where), and then turned their attention to Alibaba, where they found that over 20 million of those credentials were also valid for its Taobao marketplace. They confirmed this by simply wading through the captured credentials and trying each one against the Taobao login (with machine assistance, of course), the technique now commonly called credential stuffing.
Features of the attack

Aside from the obvious ensuing abuse of compromised accounts, a couple of things are striking about this report.
Firstly, and this is a repeated mantra of mine, do not share passwords across services. The breadth of sources the criminals' data came from makes it clear that a significant proportion of people are still in the habit of using the same username and password across multiple sites. Whilst it makes the task of remembering credentials less onerous, it also, as clearly demonstrated here, leaves the user and their various accounts wide open to abuse if any one service they use happens to be compromised: a credential leaked from one site can be replayed against every other site where it was reused. By sharing passwords across platforms one is essentially entrusting the safety of all accounts to the site with the weakest security. Don't do it. At the very least ensure that passwords are unique to each service; a password manager makes that practical without having to memorise dozens of them.
Secondly, there is a lesson for the administrators here, too. The article states that the criminals were wading through their trove of credentials, testing them against Taobao between October and November last year, before the activity was finally detected. It is no more specific about the date the process started or was finally detected, but in the worst case that means operators failed to notice, and alarms were not triggered, for around two months (from the beginning of October to the end of November), and at the very least it implies weeks rather than days or hours. This is not unusual. In this case the process was purely validating data the criminals already had in their possession, and that kind of activity has a distinctive shape in the authentication logs: a small number of sources trying a very large number of different usernames, each once or twice, with a success rate far below that of genuine users. That is a different signature from a brute-force attack on a single account, and a detection rule tuned only for the latter will miss it.

In first-line intrusion attempts the attackers will often start with very low-profile probes masked by the sheer volume of legitimate traffic, in order to test alarm thresholds and platform resilience. In forensic analysis of DDoS attacks it is not uncommon to be able to trace test traffic going back several weeks or even months before the final barrage. This is where skill comes in. Every platform's traffic profile is as unique as the service it offers, and there is a fine line between too many false alarms and failing to alert on the early probes that require attention, but active traffic monitoring is a must for any reasonably busy web site these days. Sometimes automated monitoring is all that is required to detect anomalies, but sometimes it takes a human eye to spot something machines are not yet capable of recognising, and regular reviews of log summaries and statistics are a must.
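To make the administrators' side of this concrete, below is an added example of the sort of detection logic a site operator could run over its authentication logs. It is illustration written for this post, not code from the Reuters report, from Alibaba or from Hedgehog Security, and everything in it is assumed: the log line format, the threshold values, and the sample log itself (constructed for the example, not data from the Taobao case). It flags two patterns described above: fast credential stuffing, where one source tries many different usernames inside a short window with a poor success rate, and the low-and-slow probing that stays under any per-window threshold but still accumulates a suspicious number of distinct accounts from one source over the retention period. A single-account brute force is deliberately left to a different rule so the distinction is visible.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example for this post; not code from the original article, from Reuters,
from Alibaba or from Hedgehog Security. The log format, the thresholds and the
sample lines are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; a real deployment tunes these against the site's own baseline.
WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 5         # fewer attempts in a window is treated as noise
MIN_DISTINCT_USERS = 4   # many usernames from one source, not one user with many passwords
MAX_SUCCESS_RATIO = 0.5  # genuine users succeed most of the time; stuffed lists mostly fail

# Constructed sample log (not real data). Assumed format:
# "<ISO time> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2015-10-03T02:00:01 203.0.113.7 alice LOGIN_FAIL
2015-10-03T02:00:03 203.0.113.7 dave LOGIN_FAIL
2015-10-03T02:00:05 203.0.113.7 erin LOGIN_OK
2015-10-03T02:00:08 203.0.113.7 frank LOGIN_FAIL
2015-10-03T02:00:10 203.0.113.7 grace LOGIN_FAIL
2015-10-03T02:00:12 203.0.113.7 heidi LOGIN_FAIL
2015-10-03T02:00:15 203.0.113.7 ivan LOGIN_OK
2015-10-03T02:00:17 203.0.113.7 judy LOGIN_FAIL
2015-10-03T02:01:00 198.51.100.20 bob LOGIN_FAIL
2015-10-03T02:01:20 198.51.100.20 bob LOGIN_OK
2015-10-03T02:02:00 192.0.2.9 carol LOGIN_FAIL
2015-10-03T02:02:01 192.0.2.9 carol LOGIN_FAIL
2015-10-03T02:02:02 192.0.2.9 carol LOGIN_FAIL
2015-10-03T02:02:03 192.0.2.9 carol LOGIN_FAIL
2015-10-03T02:02:04 192.0.2.9 carol LOGIN_FAIL
2015-10-03T02:02:05 192.0.2.9 carol LOGIN_FAIL
2015-10-03T03:10:00 198.51.100.77 kate LOGIN_FAIL
2015-10-03T06:40:00 198.51.100.77 leo LOGIN_FAIL
2015-10-03T10:05:00 198.51.100.77 mike LOGIN_FAIL
2015-10-03T13:30:00 198.51.100.77 nina LOGIN_FAIL
2015-10-03T17:00:00 198.51.100.77 oscar LOGIN_FAIL
2015-10-03T20:25:00 198.51.100.77 peggy LOGIN_FAIL
"""


def parse_log(text):
    """Return a time-ordered list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return sorted(events, key=lambda e: e[0])


def _group_by_ip(events):
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    return by_ip


def _looks_stuffed(attempts, distinct_users, successes, min_attempts, min_users):
    """Stuffing signature: enough attempts, spread over many accounts, mostly failing."""
    return (attempts >= min_attempts and distinct_users >= min_users
            and successes / attempts <= MAX_SUCCESS_RATIO)


def find_stuffing_sources(events, window=WINDOW):
    """Fast stuffing: many distinct usernames from one IP inside a sliding window.
    Returns {ip: (attempts, distinct_users, successes)} for the busiest flagged window."""
    flagged = {}
    for ip, evs in _group_by_ip(events).items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            ok = sum(1 for _, _, s in chunk if s)
            if _looks_stuffed(len(chunk), len(users), ok, MIN_ATTEMPTS, MIN_DISTINCT_USERS):
                if ip not in flagged or len(chunk) > flagged[ip][0]:
                    flagged[ip] = (len(chunk), len(users), ok)
    return flagged


def find_slow_probers(events, min_distinct_users=5):
    """Low-and-slow probing: each window holds only one or two attempts, so the
    windowed rule never fires, yet over the whole log one source has still tried
    many different accounts and almost never succeeded.
    Returns {ip: (attempts, distinct_users, successes)}."""
    flagged = {}
    for ip, evs in _group_by_ip(events).items():
        users = {u for _, u, _ in evs}
        ok = sum(1 for _, _, s in evs if s)
        if _looks_stuffed(len(evs), len(users), ok, min_distinct_users, min_distinct_users):
            flagged[ip] = (len(evs), len(users), ok)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, hits in (("fast stuffing", find_stuffing_sources(evs)),
                       ("slow probing", find_slow_probers(evs))):
        for ip, (n, users, ok) in sorted(hits.items()):
            print(f"{name}: {ip} tried {users} accounts in {n} attempts, {ok} succeeded")
```

Run against the constructed log, the windowed rule flags only 203.0.113.7; the legitimate user on 198.51.100.20 and the single-account brute force from 192.0.2.9 fall below the distinct-user threshold, and 198.51.100.77 never has more than one attempt in any ten-minute window. The second rule catches 198.51.100.77 anyway, which is the point made above about probes that are individually invisible and only show up in a longer view of the logs. The thresholds are the part that needs a human: they must be set from the site's own normal failure rate, and then revisited as that baseline changes.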
Conclusion

Of these two issues the first is very clearly a matter of education across the public audience, and some people will never come on board. The second is far easier to address, and falls within the remit of the service operators, utilising both technological solutions and competent human oversight and administration.
Hedgehog Security are a dedicated Information Security consultancy providing testing and advice tailored to individual client requirements. We are CREST, ISO-27001, ISO-9001, and PCI-DSS accredited and our testing regimes meet and exceed the requirements of all applicable industry standards. Our goal is to provide simple, effective and affordable Information Security improvements that support your drive to increase productivity and profitability.