King's College London internal memo cops to account 'compromise' as uni resets passwords

King's College London has suffered an IT worry but this time not of its own making – yesterday it warned staff and students that some accounts have been "compromised" due to an apparent brute-force attack on password systems. The Register has been informed that the raid, which has been ongoing for several days, originates in …

  1. MiguelC Silver badge

    The mind boggles

    How is brute forcing Office 365 passwords even possible, doesn't Microsoft use any mitigation system against it?

    1. Anonymous Coward

      Re: The mind boggles

      Of course there are mitigations against it. However, Office365 supports a variety of older protocols as well as their own proprietary ones. As these get turned off on an account-by-account basis, it will cause small groups of users to suffer connection problems IF they happen to have set things up using the old way.

      It's part of the everyday life of an IT admin now that your systems are going to be under attack from somewhere.

    2. hmv

      Re: The mind boggles

      I dare say they do, but those brute forcing accounts don't hammer the same account from the same source address endlessly; the attacks are distributed across multiple source addresses and target multiple accounts.

      If you have, say, 30,000 accounts to protect, you will have predictable usernames, and at least 5% will pick really dumb passwords (easily guessable).
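      As an added example (not the commenter's or The Register's code), the defender's side of what hmv describes: a spray spends one or two guesses per account across many accounts, so per-account lockout counters never fire, but grouping failures by source address over a short window still exposes it. The log format, addresses, accounts and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events for illustration (not real data): UTC time, source
# IP, account, result. Two sources spray one guess each across many accounts.
SAMPLE_EVENTS = """\
2019-03-12T08:00:01 198.51.100.7 alice@example.ac.uk FAIL
2019-03-12T08:00:03 198.51.100.7 bob@example.ac.uk FAIL
2019-03-12T08:00:05 198.51.100.7 carol@example.ac.uk FAIL
2019-03-12T08:00:07 198.51.100.7 dave@example.ac.uk FAIL
2019-03-12T08:00:09 198.51.100.7 erin@example.ac.uk SUCCESS
2019-03-12T08:00:12 203.0.113.9 frank@example.ac.uk FAIL
2019-03-12T08:00:14 203.0.113.9 grace@example.ac.uk FAIL
2019-03-12T08:00:16 203.0.113.9 heidi@example.ac.uk FAIL
2019-03-12T08:00:18 203.0.113.9 ivan@example.ac.uk FAIL
2019-03-12T08:05:00 192.0.2.44 alice@example.ac.uk FAIL
2019-03-12T08:05:40 192.0.2.44 alice@example.ac.uk SUCCESS
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_spray(events, window_minutes=10, min_accounts=4):
    """Return {ip: distinct accounts failed against} for sources failing against
    at least min_accounts *different* accounts within a sliding window. Per-account
    lockouts never fire (one hit each); alice mistyping her own is not flagged."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            distinct = {user for _, user in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

def accounts_hit_by_spray(events, flagged_ips):
    """Accounts a flagged source actually signed in to: reset these first."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged_ips and result == "SUCCESS"})
```

      The second function is the triage step: a successful sign-in from a sprayed source is the account to reset before the rest of the tenant.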

      1. Dr Dan Holdsworth
        Pirate

        Re: The mind boggles

        Far, far back in the mists of time, Aberystwyth university had a fairly simple technique for ensuring passwords were up to par. All they did was run Satan against the departmental password file (I did say this was a long time ago!) and any account thus compromised was immediately locked without warning.

        Users affected by this would then have to do the shuffle of shame over to the helpdesk to reset their passwords, and be patronised by whichever foolhardy twerp pulled the short straw of telling the head of department of wherever that he'd just have to think of a longer name for his cat.

        This all worked remarkably well.

      2. phuzz Silver badge

        Re: The mind boggles

        "at least 5% will pick really dumb passwords"

        They will, but that's partly the admin's fault too. Office365 allows custom password complexity policies, along with a couple of sensible default options.

        1. veti Silver badge

          Re: The mind boggles

          Meaning that you can infallibly break into any account by looking underneath the owner's keyboard...

          1. Pascal Monett Silver badge

            A bit hard to do from China, though.

            1. TRT Silver badge

              "A bit hard to do from China, though."

              "What's this webcam on the underside of my keyboard for again? Seems like an odd feature."

            2. Version 1.0 Silver badge

              A bit hard to do from China, though. ... you've never heard of office cleaners? But seriously, all you need to do is have the folks cleaning the office put a little extra hardware into a few computers' USB ports and then head home - the job is done.

        2. steviebuk Silver badge

          Re: The mind boggles

          But it hates spaces being at the beginning of a password. AD likes it, syncs that to Azure AD, which then breaks the user's Office 365 login as fucking Office 365 doesn't like the leading space.

          Fing annoying trying to work that one out, although it didn't take long. But, against best practice, I had to ask the user their password to find out that was the issue.

        3. hmv

          Re: The mind boggles

          Complexity requirements aren't infallible - the classic (outdated) example is "Password1" which meets the default complexity requirements of AD quite a while ago, but is definitely a weak password.

          1. Tom -1

            Re: The mind boggles

            > Complexity requirements aren't infallible - the classic (outdated) example is "Password1" which meets the default complexity requirements of AD quite a while ago, but is definitely a weak password.

            Not at all surprising. A bit more than thirty years ago I looked at security on a departmental server, using a well-known popular password brute force cracker algorithm, and found that most passwords were hopelessly insecure: there was a good batch of 4 or 5 character passwords using only alphabetic and numeric characters which were of course trivially breakable even then, and at the other extreme there were two occurrences of "qbttxpse2" which were the securest passwords (apart from mine) on the system.

            Currently I use mostly 32 character passwords with alphabetic (including characters with marks like àèìòùáéíóúý«âêîôûçïñ» and the rest of the usual West European marked characters, and their capitalised versions, not just lower case) and numerics and some special symbols such as !"£$%^&*',./..,|\ except where the thing I'm connecting to won't allow some of those or won't allow passwords that long - but since I'm lazy, for some sites which now allow 24 characters I'm still only using 16 because I can't be bothered to change them. Of course I don't remember all these, I have a password safe (with an access key of about 200 characters that I can remember) which is easier than remembering 50 or so of the individual passwords. Of course none of this is adequately secure, so for many connections I'm using two factor authentication as well.

      3. Version 1.0 Silver badge

        Re: The mind boggles

        All you have to do is harvest the usernames from a few of the recent breaches or start up social media interactions with employees and students - maybe sell them a few "cheap" phones...

    3. This post has been deleted by its author

  2. Blockchain commentard

    How do the students read the (presumably) emailed memo if they can't access their emails?

    1. Anonymous Coward

      The message was posted on the website and other communications channels, i.e. you presumed wrong.

  3. Doctor Syntax Silver badge

    "use the KCL standard operating environment and not some comedy homebrew setup"

    After all, the KCL standard operating environment worked so much better at safeguarding data than comedy homebrew setups such as users backing up their data onto their own media.

    1. Korev Silver badge
      1. Anonymous Coward

        Which would make sense except the important research data was in the folder BACKUP, not NO_BACKUP. In the case referred to, if you followed the rules, you lost. If you put your working data set onto the postdoc-built comedy home-brew setup, your heart only skipped the one beat and you could breathe a sigh of relief.

        It might seem hard for some of us to comprehend that it wasn't the user's fault, and that the backup didn't back up, and that the backup of the backup also didn't back up... but that's what happened!

        1. Korev Silver badge
          Joke

          That is very true, have an upvote. I probably should have put the joke alert symbol up.

          Better late than never I guess -->

  4. Anonymous Coward

    Multi factor authentication

    Can be forced for all users in Office 365. It shouldn't be a user selectable option, because it means work for the user and they just won't do it.

    1. Anonymous Coward

      Re: Multi factor authentication

      A good suggestion, with some flaws.

      Assuming you turn on Modern auth for Mail, you severely reduce the number of mail clients that support it. GMAIL: Nope. Any Mac prior to 10.12: Nope. iOS 10: Nope. Virtually every mail client known to man on Android: hella nope. Just Outlook. Nine supports Modern auth, but enterprise version only.

      1. phuzz Silver badge
        Gimp

        Re: Multi factor authentication

        To be fair, what MS call "Modern Auth" is just a standards compliant implementation of OAuth2, which was first published in 2012, and is used by loads of providers (including GMail).

        If they'd stuck with some out of date protocol they'd have been slated for being insecure. If they mandated OAuth2 then people would complain about backwards compatibility with old software. Instead they allowed the email admins the choice, and get criticised for being both insecure and incompatible.

        1. Anonymous Coward

          Re: Multi factor authentication

          That explains a lot.

          We just got new email rules from our corporate overlords. Email will now only work in Outlook, on company issued laptops (the heaviest, shittiest of Dell's business models).

          The result - our software team ignore corporate email and use Whatsapp among ourselves.

          One day they are going to work out we never reply to email - but since 99% of emails are informing us of changes to the HR management structure of the widget group in the Azerbaijan subsidiary we can live without them.

          1. veti Silver badge

            Re: Multi factor authentication

            Sounds reasonable. Email passed its best-before date shortly after Gmail was launched; it's virtually unusable now for work purposes.

          2. Korev Silver badge

            Re: Multi factor authentication

            Some of our devs have become so Slack-addicted that they now pretty much ignore email...

  5. Phil W

    Dumb passwords

    It would be interesting to know how many people now have correcthorsebatterystaple as their password, having read that particular xkcd and decided that that would be a really secure password to use.

  6. MiguelC Silver badge

    Last time I checked haveibeenpwned, it was used in 144 pwned accounts

  7. Anonymous Coward
    Facepalm

    So, how much do you want to bet that the brute force attack involved the following passwords....

    "Passw0rd"

    "12345"

    "MyOffice"

    "KingsCollege"

    1. Anonymous Coward

      Re: So, how much do you want to bet that the brute force attack involved the following passwords....

      You forgot -

      Pa55word

      P@55word

      To cover complexity requirements...

      1. Version 1.0 Silver badge

        Re: So, how much do you want to bet that the brute force attack involved the following passwords....

        You just demonstrated that password complexity requirements do nothing - except to create passwords that are easy to forget. "Password" has been pwned over 3 million times, Pa55word about 14,000 times, P@55word about 2,000 times, but Dorwssap has never been pwned even once.

  8. The Quiet One

    Not Shocked....

    My wife works at a University and still has the same, short, AD password she was issued on Day 1 - never asked to change at first logon and no ageing out of passwords. My AD account at SCHOOL in the 90's had to be changed every 90 days FFS.....

    1. Yet Another Anonymous coward Silver badge

      Re: Not Shocked....

      Regularly changing them isn't necessarily a good idea.

      If somebody steals them you can brute force them in minutes/hours on a GPU - it's not like they are going to work away at your password for months and so a 90-day change will defeat them.

      Requiring regular changes and no reuse generally means either post-it notes or Password101, 102 etc.

      1. Korev Silver badge
        Terminator

        Re: Not Shocked....

        Requiring regular changes and no reuse generally means either post-it notes or Password101,102 etc

        Out of interest, are there attacks against sequential passwords? By this I mean, if password101 gets compromised, do the miscreants try password102 as well?

        1. Yet Another Anonymous coward Silver badge

          Re: Not Shocked....

          They are miscreants so are probably the sort of unsporting blighters that would ...

        2. robidy

          Re: Not Shocked....

          Yes, that's standard.

          You get their passwords from a compromised site dump, check the password policy and increment as appropriate, plus any other leaked passwords from "the dark web".

          Cyber Essentials doesn't require regular password changes for this reason.

          Even GCHQ advise against regular password changes as they build false assurance.

          Best defence is GOOD user education, then MFA (avoid SMS as these can be diverted), after that again GOOD user education, then a robust password policy, then sub-10 and ideally sub-5 failed attempts before account lockout.

          Depending on the value of the account you may want the lockout to need sysadmin level human intervention.

  9. Xenobyte

    Just block it

    Why not simply block connections from China?

    This is pretty trivial and shouldn't affect people using VPN to access their accounts.

    1. Anonymous Coward

      Re: Just block it

      Yep, that's another option that's available in the Office 365 Azure ADAC Security / Compliance Centre.

    2. hmv

      Re: Just block it

      Doesn't work very well when you have legitimate logins coming from China.

      A more sophisticated approach is to look at the locations the logins come from, and disallow logins that would require an unreasonable travel time (if someone logs in from the UK and within 2 hours an attempt is made from China, the second attempt isn't very likely to be legitimate).
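      An added example (not hmv's or The Register's code) of the travel-time check described above, run over constructed sign-in records. It assumes the source address of each sign-in has already been mapped to coordinates (GeoIP or similar), takes 900 km/h as the plausibility threshold, and ignores moves under 50 km so ordinary geolocation jitter inside one city does not alert.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-ins for illustration (not real data). Mapping the source IP
# to coordinates is assumed to have happened already (GeoIP or similar):
# account, UTC time, latitude, longitude, label.
SAMPLE_LOGINS = [
    ("alice@example.ac.uk", "2019-03-12T09:00:00", 51.5074, -0.1278, "London"),
    ("alice@example.ac.uk", "2019-03-12T11:00:00", 39.9042, 116.4074, "Beijing"),
    ("bob@example.ac.uk", "2019-03-12T09:00:00", 51.5074, -0.1278, "London"),
    ("bob@example.ac.uk", "2019-03-12T11:00:00", 53.4808, -2.2426, "Manchester"),
    ("carol@example.ac.uk", "2019-03-10T09:00:00", 51.5074, -0.1278, "London"),
    ("carol@example.ac.uk", "2019-03-12T09:00:00", 39.9042, 116.4074, "Beijing"),
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: about airliner cruising speed
MIN_DISTANCE_KM = 50.0     # ignore GeoIP jitter within one city

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """For each account, compare consecutive sign-ins and report those whose
    implied speed exceeds max_kmh. Alice's London-to-Beijing in two hours is
    reported; Bob's London-to-Manchester and Carol's two-day gap are not."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, label in logins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon, label))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # same-instant sign-ins from two distant places are also implausible
            if hours == 0 or km / hours > max_kmh:
                alerts.append((user, l1, l2, round(km), round(hours, 2)))
    return alerts
```

      In practice the alert would feed a risk-based decision (step-up MFA or a block on the second session) rather than an outright denial, since legitimate VPN exit points can also jump continents.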

      1. TRT Silver badge

        Re: Just block it

        It can also come from a compromised botnet not located in China, although the code may have been put on that botnet by someone in China. Or Romania. Or from any one or more of a hundred well known nation states with a reputation for dodgy goings on. Heck, I get a dozen injection probes an hour coming from places like Germany, Hungary, France, UK...
