back to article Bad news: 43% of login attempts 'malicious' Good news: Er, umm...

An extraordinary 43 per cent of all attempted online account logins are malicious, Akamai claims in its latest internet security report. "Credential abuse" is an increasingly popular line of attack, thanks in large part to the readily availability of huge user/password databases that has been stolen and are sold online. …

  1. Voland's right hand Silver badge

    What's wrong with Anthrax Candy?

    Anthrax Candy is nice. Especially with Yersinia Pestis icing on top.

    I am surprised it is only 43%. I would have expected something in the 90%+.

    1. This post has been deleted by its author

      1. m0rt

        Re: What's wrong with Anthrax Candy?

        Same here. I use fail2ban but surely if you take a superset of All Login Attempts, then the automated SSH attempts must make a massive chunk of those malicious ones?

        1. defiler

          Re: What's wrong with Anthrax Candy?

          automated SSH attempts must make a massive chunk of those malicious ones

          My home SSH server finally got broken into last year. Should have had Fail2Ban installed before. I now have a VM in a different VLAN with only one user on it, that only accepts SSH. If I want in further then I have to tunnel into the internal network.

          I remember the days when a DMZ was fancy for big business. Now I need one at home.

          Also, if the SSH server gets compromised, I can whip it offline, rewind it to a clean snapshot, change the password and set it going again. Yay for VMs.

    2. Pen-y-gors Silver badge

      Re: What's wrong with Anthrax Candy?

      Not sure about logins via login screen, but the amusing one is looking at system logs and the insane number of people robots trying to login to a Wordpress admin panel. Bit strange as I don't run Wordpress (obvs).

      That's closely followed by the vast number of attempts at a SQL injection.

      One would think that ISPs could come up with some tools/scripts to identify and block these scum - they are wasting a lot of bandwidth to no real purpose.

    3. Anonymous Coward
      Anonymous Coward

      Re: What's wrong with Anthrax Candy?

      99% in the logs I've seen on systems around 'ere

  2. John Smith 19 Gold badge
    Unhappy

    " secure coding.., timely patching, proper device configuration, and prudent password management, "

    As they would for the 7 decades.

    It's not the "Acts of $Deity" that depress me.

    It's the mind numbing banality of the bulk of this s**t.

    As it no doubt will be when we enter the 8th decade of computing.

    <sigh>

    1. Mark 85 Silver badge

      Re: " secure coding.., timely patching, proper device configuration, and prudent password...."

      Let's also add..."User stupidity is beyond belief." because "password" is still the number one login password. <sigh>

      1. John Smith 19 Gold badge
        Unhappy

        Let's..add..."User stupidity is beyond belief." because "password" is still the #1 login password.

        And people know it is as well.

        I'm guessing the usual user justification is roughly

        a) It's no big deal, IT can handle any breaches.

        b) I don't handle any important data so why would anyone bother.

        c) I don't have many privileges so why would anyone bother.

        Note how H&S is handled. H&S is everyone's responsibility, and Managers are additionally responsible for the H&S of the staff they supervise. I'd suggests infosec should be viewed in the same way, starting with the CEO.

  3. Phil O'Sophical Silver badge

    a new trend of enterprise systems being targeted, not only to steal their data, but to steal their computing resources,

    And which can only get worse as "the cloud" becomes more dominant, especially as people lose poorly-secured mobile devices with apps pre-configured with all their login credentials.

    1. Sir Runcible Spoon

      If someone were to code a crypto miner that only used max 10% cpu (or an unused core for example) do you think it would fly under the radar for longer?

    2. BebopWeBop Silver badge

      From our own experience, pa55word and passw0rd seem pretty popular (by the frequency of attempts to break in). Shame that even if they did get a password 2 other layers of security including 2FA would kick in if they ever got past this :-)

      1. Sir Runcible Spoon
        Headmaster

        *passed.

        Sorry, I couldn't not respond to that. :)

        1. Alister Silver badge
          Headmaster

          Sorry, Sir Spoon, but I think "past" is correct in that sentence, see here:

          https://blog.oxforddictionaries.com/2015/01/07/passed-past/

          1. Sir Runcible Spoon
            Facepalm

            Fuck. Now I look like a right twat, thanks :)

            I'll leave my original comment up as an object lesson to myself to check my facts before jumping on a horse :)

            1. Alister Silver badge

              Sorry mate.

              I admit I wasn't at all sure until I looked it up.

  4. Anonymous Coward
    Anonymous Coward

    'As to how to protect yourself or your company'

    How about extra Security options in Account-Settings. Let users set Geo-IP restrictions and boost Login-retry wait time. Not foolproof, but still better???

    1. Anonymous Coward
      Anonymous Coward

      Re: 'As to how to protect yourself or your company'

      That's great, except most users are also the cause of problems.

      No 2FA, too much hassel, changing passwords, I'll forget them, lock my phone and miss that important selfie etc.

      1. Sir Runcible Spoon

        Re: 'As to how to protect yourself or your company'

        I now have 5 2fa code generators about my person. It's starting to get a bit unwieldy :)

  5. Anonymous Coward
    Anonymous Coward

    Email address as username

    At our place, we don't use email addresses as usernames.

    The vast majority (like 99%) of malicious login attempts still do try to use email addresses. The other few are things like "root", "admin", "support", ... equally invalid in this instance.

    Therefore, by not using an email address as a username, we thwart most of these attempts right off the bat. Naturally, we still insist on decent passwords and have rate limiting and various other schemes in place.

    1. Voland's right hand Silver badge

      Re: Email address as username

      Concur.

      Having a username != officially visible email is a mandatory first line of defence.

      1. John Smith 19 Gold badge
        Unhappy

        Having a username != officially visible email is a mandatory first line of defence.

        Sadly, it is not.

  6. Alister Silver badge

    As others have said I'm surprised that the quoted figure is only 43%, but then their data collection only accounts for an unrepresentative sample of the problem.

    Anyone who administers internet facing servers of any kind, be they web, email or whatever, knows that a high proportion of each day's logs will be taken up with automated login attempts of one sort or another.

  7. oldcoder

    On the good news side - It said "43% attempts"...

    Which means they failed.

    On the bad news side - 57% were successful, and you don't know how many of those were malicious.

  8. Anonymous Coward
    Anonymous Coward

    Strong passwords

    If your passwords are strong they won't guess them.

    But one major UK official site I had to register with yesterday had rules that were incompatible with the strong passwords Safari was generating for me. Something to do with hyphens I think. So I had no choice but to set it to "password".

    1. defiler

      Re: Strong passwords

      So I had no choice but to set it to "password".

      That was silly. You're supposed to set it to "strong_password". Much more secure.

      1. BebopWeBop Silver badge
        Happy

        Re: Strong passwords

        It wouldn't accept the _

        1. Peter2 Silver badge

          Re: Strong passwords

          And if it's the same one I suffered with some while ago, it also limited you to something like 8 characters.

  9. Chairman of the Bored Silver badge

    Quick suggestion to take it easy on your logs...

    ...change your default SSL port to something like 223. You've obviously disabled root login over ssh, require key-based credentials, etc already.

    Obviously this does not increase security in any real sense against a human attacker as nmap will see your new port... But in my case avoiding port 22 eliminates about 90pct of the robocall activity I've got to wade through in my logs.

    Any crap activity I've got on new ports is from a person or bot that actually bothered to map my net, and that tells me something I should know right up front. Key here is to improve your signal to noise

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021