Why You should have Better Password Policies

We do a lot of work with ISPs and Telcos and we get it... you don’t want to make changes that might affect your customers. However, if you don’t make some simple changes to account and password policies, not only are you doing your customers a disservice, you may also end up increasing your support costs when dealing with spam outbreaks (or worse, when dealing with the abuse of your customers’ email accounts...).

Example Case of BotNet Activity

Here is a sample of a very large BotNet being used to run dictionary and brute force attacks against your servers right now. The IPs involved are primarily from China, Brazil, and Vietnam (you do know that you can block authentication by country, right? Oh, of course, you’re worried about customers potentially complaining while they are traveling...).

In this case, the “BotNet” operators have probably hacked the common Internet routers that ISP customers are using. Judging by this one Brazilian ISP, Ubiquiti AirOS routers are commonly hacked, and a quick Google search will reveal a history of compromises.

(Image: AirOS router)

When analyzing the patterns we can quickly see that this is likely the case. It’s surprising that this Brazilian ISP hasn’t noticed all the extra bandwidth consumption, or that their customers aren’t complaining about slow speeds (and compromises).

So what is this Bot doing right now? Attacking your customers. It is attempting to do two things. First, dictionary attacks are run to see whether ‘info@’ exists at your domain; this builds up an email address database that can be sold to other spammers. Second, it tries to authenticate using common/weak passwords as well as passwords found from other sources (breach dumps). Did you know it has been reported that 70% of people admit to using the same password at multiple sites? So when one of THOSE places is hacked (which we hear about all the time), it potentially puts other accounts at risk.

The attacks are against port 587 (the SMTP submission port), usually using plaintext login methods when the server allows them (script kiddies like the easy way...). Now, you can’t effectively block IPs that constantly change without the risk of eventually blocking your own customers, but you CAN do things that will reduce the attacks.
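The two patterns described above (many source IPs guessing one mailbox such as info@, and one source probing many mailboxes, mostly over cleartext auth) are easy to spot in auth-failure logs. The following is an added example, not code from the original post: it runs over a few constructed Dovecot-style log lines (the log format is simplified and the addresses are documentation ranges, not real sources) and reports both patterns plus the number of attempts that were not protected by TLS.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified Dovecot-style auth-failure format.
# rip= is the remote (attacker) IP; a trailing ", TLS" marks an encrypted
# session, its absence a cleartext login attempt on the submission port.
SAMPLE_LOG = """\
submission-login: Disconnected (auth failed, 1 attempts): user=<info@example.net>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
submission-login: Disconnected (auth failed, 1 attempts): user=<info@example.net>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.5
submission-login: Disconnected (auth failed, 1 attempts): user=<info@example.net>, method=LOGIN, rip=203.0.113.12, lip=198.51.100.5
submission-login: Disconnected (auth failed, 1 attempts): user=<info@example.net>, method=PLAIN, rip=203.0.113.13, lip=198.51.100.5
submission-login: Disconnected (auth failed, 1 attempts): user=<sales@example.net>, method=PLAIN, rip=203.0.113.13, lip=198.51.100.5
submission-login: Disconnected (auth failed, 1 attempts): user=<admin@example.net>, method=PLAIN, rip=203.0.113.13, lip=198.51.100.5
submission-login: Disconnected (auth failed, 1 attempts): user=<alice@example.net>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.5, TLS
"""

LINE_RE = re.compile(
    r"auth failed.*?user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)


def analyze(log_text, spray_threshold=3, dict_threshold=3):
    """Return the accounts hit from >= spray_threshold distinct IPs (distributed
    password guessing), the IPs that tried >= dict_threshold distinct accounts
    (address dictionary probing), and the count of cleartext attempts."""
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    cleartext = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth failure we know how to parse
        ips_per_user[m["user"]].add(m["rip"])
        users_per_ip[m["rip"]].add(m["user"])
        if not line.rstrip().endswith(", TLS"):
            cleartext += 1
    return {
        "sprayed_accounts": sorted(u for u, s in ips_per_user.items() if len(s) >= spray_threshold),
        "dictionary_sources": sorted(ip for ip, s in users_per_ip.items() if len(s) >= dict_threshold),
        "cleartext_attempts": cleartext,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding a day of real submission logs through this (with thresholds tuned to your traffic) gives you the list of mailboxes to force a password reset on and the IPs worth rate-limiting at the MTA.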

Password Policy Considerations

Below are simple and easy steps that every ISP should implement (though it is surprising just how many haven’t gotten around to it yet). Most of it revolves around password policies. Remember, your customers’ accounts could be compromised already and you just don’t know it yet, but one day those accounts will be utilized…

First of all, ENFORCE TLS/SSL for all email connections. Again, we get it... you don’t want everyone calling you, and some old email clients might not work any more, but it’s time. If you can’t force it globally, at least start doing it on a domain by domain basis. Worried about calls from customers who cannot configure their email clients? Aside from also offering webmail for those who don’t have a decent email client, you could…

Set up AUTO DISCOVER mechanisms; this will reduce the workload. That way, the customer only has to put in their email address and the email client will automatically pick up your safer configuration. While we do wish that a common method of Auto Discover would be agreed upon by all vendors (you might need to implement a couple of methods yourself, and it MIGHT seem complicated), it is well worth the reward.

Lastly, of course, enforce STRONG passwords. Don’t give your customers a choice.
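One of the "couple of methods" you may need to implement is Mozilla's autoconfig format (Thunderbird fetches `https://autoconfig.<domain>/mail/config-v1.1.xml`). The following is an added example, not code from the original post: it generates a config-v1.1.xml that advertises only TLS-protected endpoints (IMAPS on 993, submission on 587 with STARTTLS) and includes a pre-publish check that refuses a document advertising a cleartext port. Hostnames and the display name are placeholders.

```python
import xml.etree.ElementTree as ET

# In the autoconfig schema "password-cleartext" names the SASL PLAIN/LOGIN
# mechanism; the password still travels inside the TLS tunnel mandated by socketType.
_INCOMING = ("993", "SSL")
_OUTGOING = ("587", "STARTTLS")
LEGACY_CLEARTEXT_PORTS = ("143", "110", "25")


def _server(parent, tag, kind, host, port, socket_type):
    srv = ET.SubElement(parent, tag, type=kind)
    for name, value in (("hostname", host), ("port", port), ("socketType", socket_type),
                        ("authentication", "password-cleartext"),
                        ("username", "%EMAILADDRESS%")):  # client substitutes full address
        ET.SubElement(srv, name).text = value
    return srv


def build_autoconfig(domain, imap_host, smtp_host, display_name):
    """Return a Mozilla autoconfig (clientConfig v1.1) document as a string."""
    root = ET.Element("clientConfig", version="1.1")
    prov = ET.SubElement(root, "emailProvider", id=domain)
    ET.SubElement(prov, "domain").text = domain
    ET.SubElement(prov, "displayName").text = display_name
    _server(prov, "incomingServer", "imap", imap_host, *_INCOMING)
    _server(prov, "outgoingServer", "smtp", smtp_host, *_OUTGOING)
    return ET.tostring(root, encoding="unicode")


def tls_only(xml_text):
    """Pre-publish check: every advertised server must use SSL or STARTTLS
    and must not point clients at a legacy cleartext port."""
    root = ET.fromstring(xml_text)
    for srv in root.iter():
        if srv.tag not in ("incomingServer", "outgoingServer"):
            continue
        if srv.findtext("socketType") not in ("SSL", "STARTTLS"):
            return False
        if srv.findtext("port") in LEGACY_CLEARTEXT_PORTS:
            return False
    return True


if __name__ == "__main__":
    # Placeholder provider values; replace with your own hostnames.
    doc = build_autoconfig("example.net", "imap.example.net", "smtp.example.net", "Example Mail")
    assert tls_only(doc)
    print(doc)
```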

While there is a lot of talk about ‘two factor’ authentication, just doing the three things above will get you the biggest bang for your buck.

For kicks and giggles... we’ve included a random sampling of IPs being used in this form of attack.

