Hackers favor authentication-based attacks, report shows

Summary: A suitable password replacement could disrupt or defeat 80% of these attacks, report concludes.

TOPICS: Security, Networking

Authentication-based attacks factored into about four of every five breaches involving hacking in 2012, according to Verizon's Data Breach Investigations Report released Monday.

The methods involved guessing, cracking, or reusing valid credentials, according to the 63-page report, which noted that the authentication results looked familiar from past years. 

Hacking was the most prevalent form of attack and was cited in 52% of breaches. Malware came in at 40%, while Physical, at 35%, rounded out the top three. (The figures add up to more than 100% because a single breach commonly involves more than one threat action.) Authentication-based attacks were the most popular hacking threat action.

"The easiest and least-detectable way to gain unauthorized access is to leverage someone’s (or something’s) authorized access," the report stated. "Why reinvent the wheel? So, it really comes as no surprise that authentication-based attacks factored into about four of every five breaches involving hacking in our 2012 dataset. Nor is it all that surprising that we see this year after year."

But the report did not pull any punches on what an alternative to passwords might mean.

"If we could collectively accept a suitable replacement (for passwords), it would’ve forced about 80% of these attacks to adapt or die. We’ve talked about the shortcomings of passwords for years now, and if it were an easy problem (or the pain caused by password problems was greater), it’d be fixed by now."

The critique seemed as much a realization as a challenge for innovators to come up with a password replacement.

The theft of passwords has been a near epidemic in the past few years.

Zappos, Gawker, Sony, Apple, Fox, CBS, Warner Bros, rootkit.com, LinkedIn, eHarmony and Last.fm are among the companies that have felt the sting of stolen credentials, along with the hundreds of millions of end users who owned them.

While the report identifies 40 varieties of hacking, nearly all of the activity is contained in five threat actions, a concentration the report labeled "remarkable." After use of stolen credentials, the list is made up of use of a backdoor or command-and-control (C2) channel, brute force, unknown, and SQL injection (SQLi). "Other" accounts for 2%, and the rest of the categories each total 1% or less.

"Readers will reasonably ask how attackers steal credentials in order to reuse them to gain unauthorized access. Sometimes users are socially engineered to give them up. Sometimes malware captures them from keystrokes, browser cache, or system files," the report said.

The report noted that the more sophisticated espionage cases it examined featured combinations of factors: theft of information at rest and in process, combined with credential theft via keylogging malware, followed by use of the stolen passwords to access a file server.
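The three hacking patterns the report ranks highest (guessed or cracked passwords, a stolen valid credential reused from somewhere new, and brute force) all leave a signature in authentication logs. The following is an added example, not code from the article or from the Verizon report; the log format, the sample lines, the per-account baseline of known sources and the thresholds are all constructed for illustration.

```python
"""Added example: flagging the authentication-based attack patterns the report
describes (brute force against one account, password spraying across many
accounts, and a stolen valid credential used from a never-seen source) in
authentication log lines. The log format, sample lines, baseline and
thresholds are all constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample: 198.51.100.7 guesses alice's password and also probes bob
# and carol; bob logs in from his usual address; carol's valid password is used
# first try from an address never associated with her account.
SAMPLE_LOG = """\
2012-11-03T08:01:10 FAIL user=alice src=198.51.100.7
2012-11-03T08:01:12 FAIL user=alice src=198.51.100.7
2012-11-03T08:01:14 FAIL user=alice src=198.51.100.7
2012-11-03T08:01:16 FAIL user=alice src=198.51.100.7
2012-11-03T08:01:18 FAIL user=alice src=198.51.100.7
2012-11-03T08:01:20 OK user=alice src=198.51.100.7
2012-11-03T08:02:00 FAIL user=bob src=198.51.100.7
2012-11-03T08:02:05 FAIL user=carol src=198.51.100.7
2012-11-03T08:15:00 OK user=bob src=203.0.113.9
2012-11-03T09:30:00 OK user=carol src=192.0.2.44
2012-11-03T09:31:00 unparseable line that the parser must skip
"""

# Constructed baseline: sources each account has logged in from before.
KNOWN_SOURCES = {
    "alice": {"10.0.0.5"},
    "bob": {"203.0.113.9"},
    "carol": {"10.0.0.8"},
}


def parse(log_text):
    """Turn matching log lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, known_sources, fail_threshold=5, spray_threshold=3,
           window=timedelta(minutes=10)):
    """Return (kind, user, src) findings.

    brute_force_success: a success preceded by >= fail_threshold failures for the
        same (user, src) inside `window`, i.e. a guessed or cracked password.
    new_source_success:  a success with no failures at all from a source never
        seen for that account, consistent with a stolen valid credential.
    password_spray:      one source failing against >= spray_threshold accounts
        anywhere in the input.
    """
    findings = []
    failures = defaultdict(list)          # (user, src) -> failure timestamps
    failed_users_by_src = defaultdict(set)
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            failures[key].append(e["ts"])
            failed_users_by_src[e["src"]].add(e["user"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            findings.append(("brute_force_success", e["user"], e["src"]))
        elif not failures[key] and e["src"] not in known_sources.get(e["user"], set()):
            findings.append(("new_source_success", e["user"], e["src"]))
    for src, users in failed_users_by_src.items():
        if len(users) >= spray_threshold:
            findings.append(("password_spray", None, src))
    return findings


def run_sample():
    return detect(parse(SAMPLE_LOG), KNOWN_SOURCES)


if __name__ == "__main__":
    for kind, user, src in run_sample():
        print(f"{kind:22s} user={user} src={src}")
```

The first two rules need only the log; the third needs a per-account baseline of previously seen sources, and it is the noisiest of the three (travel and new networks trip it), which is exactly why a stolen valid credential is the attacker's "least-detectable" route in the report's words and why the report argues for replacing the password rather than only monitoring its use.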

"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity," Dave Hylender, an infosec expert at Verizon, wrote on the corporate blog. "Shaping the many threads into a coherent story that did the dataset justice was probably the most challenging aspect of this year’s report."

The Verizon report highlighted for enterprises two of the 20 Critical Security Controls, originally developed by the Center for Strategic and International Studies and The SANS Institute, that benefit from strong authentication: Secure Configurations for Network Devices (such as firewalls, routers, and switches), and Controlled Use of Administrative Privileges.

The 2013 data breach report includes 621 confirmed data breaches and more than 47,000 reported security incidents. Over the nine-year range of the study, that tally now exceeds 2,500 data breaches and 1.2 billion compromised records. Verizon, along with 18 organizations from around the world, contributed data and analysis to the report.

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Given SSAN

    Given that our most commonly used idiotic authenticator is the much leaked Social Security Account Number, let's start by getting rid of that. SSAN as a password is only incrementally better than street address and date of birth -- and people are using that, too.

    Why? They prefer it to biometrics that can be used to trace where they go and who they interact with, but the threat they avoid is for most only hypothetical, while the threat they accept is real.
    • The real threat with biometrics ...

      ... is crappy security. You won't find a lot of real security experts who think they are a good idea outside things like bank vaults where there are armed guards that can detect and deter tampering. Biometric systems are simply too easy to fool; they can only be relied on in combination with trusted humans and other measures.

      The better option is two-factor authentication, and I prefer physical "tokens" for this purpose since that is the most secure option.
      • Mythbusters Fingers the Problem!

        In an episode of the Mythbusters TV show last year (or year before, maybe), they fooled a fingerprint reader of the type commercially available as a USB plugin by surreptitiously getting a fingerprint (from a drinking container) and (I forgot the exact method, but would not put it into a post anyway) turning it into a rubber cement coating worn on the intruder's finger. The intruder got in.

        Biometrics can always be fooled by copying the pattern of an authorized body part, or for the totally amoral, removing the body part. Another example from fiction (which would be very difficult to test ethically, of course) involved murdering the authorized user near the door and removing his EYE, to fool a retina scanner.

        Way back in the 1960's, when the processing power required made it impractical, there were speculations about analyzing the KEYSTROKE RHYTHMS of the user entering the login information, on the assumption that the authorized user would type some key sequences smoothly and others with hesitations, depending on familiarity. And of course, the authorized user would type his/her user ID and password smoothly due to constant practice, while an intruder would be reading it off a document (and even if the intruder practiced on a dummy device for an hour, the intruder would develop a slightly different rhythm than the true user). The main drawbacks are to "tolerate" entry of a recently changed password, using a different device than usual, and special accounts INTENDED to be shared between users.

        The most secure protocol that comes to my mind is voice recognition of a randomly chosen word or character sequence displayed on the screen. However, if the user develops laryngitis, or the intruder records enough samples to program a speech synthesizer with the user's voice ...
        • tape recorder

          Hi :)
          or phone.

          Getting past voice recognition is fairly trivial too. People would have to learn the same sorts of tricks that would make passwords safer. Do something odd and unusual. People refuse to learn it for typing in passwords so why would they learn it for voice recognition?

          For fingerprint recognition, does everyone use their forefinger, the most commonly used finger? Surely just sticky tape could capture one from a beer glass or coffee cup if it was in good condition. Does it even have to be a finger? It might look odd to swipe your little toe, but if no one else knows then they won't get in no matter how many fingers they cut off.

          On the other hand wouldn't it be better to just let them have access if they are going to try stuff like that?
          Regards from
          Tom :)
  • Where'd you learn math?

    > Hacking... was cited in 52% of breaches.
    > Malware came in at 40%,
    > while Physical, at 35%, rounded out the top three.

    That's 127%. Then you go on to say that authentication makes up 80% of the attacks. 80% of what -- hacking, malware, physical? You could be a lot clearer about drilling down into those stats.
    • Yup, confusing stats

      From the report: "Every incident contains one or more actions, often causing percentages to add up to more than 100%."

      Since in 2012 the percentages add up to 171%, it would suggest that on average each breach fell into 1.71 categories. So multiple security failures were probably involved in the majority of breaches (a guess, not a guarantee)
      Mr. Copro Encephalic to You
  • Use a password manager

    People who use simple easy to guess passwords or use the same password in multiple places, deserve to get ripped off. With a number of good password manager programs, it is inexcusable to reuse passwords or have short simple ones. I have 71 different Internet logins which all have different passwords between eight and 13 characters. The only password I have to remember is the master password. When I connect my iPod to my computer, the passwords automatically synchronize. Of course they are all encrypted so the program requires the password at least once a day or whenever the computer is shut off or goes to sleep and then wakes up again.
    • That's a simplistic solution

      The problem with your view is that it's not only the people with the weak password that can get ripped off. Internal employees with access and weak passwords threaten the whole corporate network. Do all the Sony customers deserve to be ripped off because an employee left a weakly protected server at a spot where others can access it? The software my son's Cub Scout pack uses had a pack that lost all their data because one of the authorized unit leader's account was guessed. Did those den leaders deserve to have the advancement data lost because someone else had a weak password?
    • not a practical solution

      Your password manager is only useful if you always use the same device (computer, tablet, phone, ...) to log into these sites. I use several different computers, a tablet and my phone. There is no one password manager that can sync all those devices to keep (as you use, ... 71) different passwords all accessible. Most people have only two choices: use their memory, or use a list written down somewhere. I won't use paper as it would almost always NOT be where I am when I need it. It might be lost or discovered by someone and hence I'm screwed. So I rely on my memory, but there's no way I can remember 71 different passwords, so again, I'm screwed. What else can I do?
  • @arminw

    Could you suggest a review of p/w managers, or do a mini review for us?
  • A weakness of password managers ...

    is that they use the URL where the signup or password reset process takes place to "harvest" a new user-entered password and ID, but the web site has a different URL for regular logins, which does not always match the manager-saved URL. Also, some sites have a following screen on which a randomly selected security question is displayed. Password managers remember, and auto-fill, the answer to only ONE of the security questions. For example, the password manager might record the answer to "where were you born?" (which opens another can of worms, but that's a different discussion), while the user also registers "what is your favorite author?" "where did you spend your honeymoon" and possibly more. But regardless of which extra-security question is displayed on a given login, the password manager fills in the city where the user was born. Users have to be careful to overtype it with the correct answer to TODAY'S question. Also, some APPLICATIONS that are able to open multiple DATABASE files (e.g. Quicken) allow the password to be stored (as a hash, of course) in the encrypted (I hope) data file, but password manager programs do not save passwords indexed by program AND file name, so the manager can only supply the correct password for ONE of the files the application can access.

    Perfect security will have to wait for brainwave recognition, I guess. :-)
  • It industry on the wrong path

    Every 6/12 months the whole IT industry is selling us hundreds of new gimmicks, which we never will use. At the same time the basics of internet security are not covered (meaning safe).
    It starts with the fact that we still send 99% of our emails unencrypted (neither certs nor tools like PGP could win the market); further, most https etc. connections are much slower than unsafe links, so the user decides for http...; two-way identification is not really developed (pw+SMS). And even more important: there is no internet driving licence where standard users can learn to care for their online security. And finally there is no standard hardware recognition system in the market. If I could register all my hardware at a database and a security provider would take over the task of logging me in, then I would need only a PIN number as second identification. In the case that I am not on my standard hardware, the "normal" log-in ID+PW could take place and at the same time my security provider would be informed that someone logged in at non-registered hardware. The other way would be a TOKEN (like the RSA log-in token, which exists as hardware or as software).
    However, there is a long way to go............... written by a frustrated user, who has to remember too many PWs
  • When passwords become fingerprints ...

    people will end up losing their fingers to unauthorized users. Biometrics turn a passphrase in your head into a physical object that the greedy will need to obtain. That makes YOU the target instead of your computer. That is much more dangerous.
    • risk based authentication

      How about employing risk-based authentication wherever it is reasonable for authentication-related attacks? From the server end, basically.
      mahesh kumar hiremath
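The server-side risk-based authentication the last comment asks about is a decision made after the password has already verified: given what the server knows about this account, is the password alone enough this time? The block below is an added example written for this page, not code from the article, the report or any vendor; the signals, weights, thresholds and sample profiles are assumptions chosen for illustration.

```python
"""Added example: a server-side risk-based authentication decision of the kind
the comment above suggests. It runs after the password has already verified and
decides whether the password alone is enough. Signals, weights and thresholds
are assumptions chosen for illustration, not from the article or any product."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    src_ip: str
    device_id: Optional[str]   # client-presented device cookie/fingerprint, None if absent
    country: str               # assumed to be derived server-side from src_ip
    recent_failures: int       # assumed: failed attempts on this account in the last 15 min


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    mfa_enrolled: bool = False


# Assumed weights. An unknown device is the strongest single signal: a stolen
# password replayed by an attacker almost never arrives with the victim's device.
WEIGHTS = {
    "unknown_device": 40,
    "no_device_id": 10,
    "new_country": 30,
    "recent_failures": 25,
}
FAILURE_SIGNAL_AT = 3   # failures in the window before "recent_failures" fires


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Additive score plus the list of signals that contributed to it."""
    score, reasons = 0, []
    if attempt.device_id is None:
        score += WEIGHTS["no_device_id"]
        reasons.append("no_device_id")
    elif attempt.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    if attempt.recent_failures >= FAILURE_SIGNAL_AT:
        score += WEIGHTS["recent_failures"]
        reasons.append("recent_failures")
    return score, reasons


def decide(attempt: LoginAttempt, profile: UserProfile, step_up_at=30, deny_at=80):
    """Return (decision, score, reasons).

    allow             low risk: the password alone is accepted.
    step_up           medium risk: demand the second factor (token, SMS code).
    allow_and_notify  medium risk but no second factor enrolled: admit, and
                      alert the user/admin about the unfamiliar login.
    deny              high risk: refuse even though the password was correct.
    """
    score, reasons = risk_score(attempt, profile)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at:
        return ("step_up" if profile.mfa_enrolled else "allow_and_notify"), score, reasons
    return "allow", score, reasons


# Constructed profiles.
ALICE = UserProfile(known_devices={"dev-1"}, usual_countries={"US"}, mfa_enrolled=True)
BOB = UserProfile(known_devices={"dev-2"}, usual_countries={"US"}, mfa_enrolled=False)


def run_sample():
    """Constructed attempts; each password is assumed to have verified already."""
    attempts = [
        (LoginAttempt("alice", "203.0.113.9", "dev-1", "US", 0), ALICE),   # usual device and country
        (LoginAttempt("alice", "198.51.100.7", "dev-9", "RO", 0), ALICE),  # correct password, new device abroad
        (LoginAttempt("alice", "198.51.100.7", "dev-9", "RO", 5), ALICE),  # same, after a burst of failures
        (LoginAttempt("bob", "192.0.2.44", "dev-7", "US", 0), BOB),        # new device, no second factor enrolled
    ]
    return [decide(a, p)[0] for a, p in attempts]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The design point is that the decision and its reasons are returned together: the reasons are what gets logged and what the notification to the user says, and the same signals (unfamiliar device, unfamiliar location, preceding failures) are the ones an attacker replaying a stolen password cannot easily suppress. The weights are deliberately simple; a production system would tune them against its own login history.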