[BreachExchange] LinkedIn data breach blamed for multiple secondary compromises

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 23 20:08:07 EDT 2016


http://www.csoonline.com/article/3086942/security/linkedin-data-breach-blamed-for-multiple-secondary-compromises.html

The LinkedIn compromise has been linked to a number of confirmed incidents
where data exfiltration has taken place. It's possible these incidents are
only the tip of the iceberg though, as many of the organizations
compromised are service providers with access to customer networks.

On June 18, Citrix posted an alert warning of an incident that forced the
company to reset all of its customers' passwords. A day later, Citrix
updated the alert and explained the problem.

"Citrix can confirm the recent incident was a password re-use attack, where
attackers used usernames and passwords leaked from other websites to access
the accounts of GoToMyPC users," the company wrote.

Multiple industry sources have shared additional details with Salted Hash,
some confirming upwards of thirty instances where an organization has been
compromised and sensitive information exfiltrated by the attackers.

However, this number is likely a low estimate, as the compromised
organizations are service providers with access to customer networks.

Those who spoke to Salted Hash on the condition of anonymity are still
working active cases to determine the full extent of the problems, but the
fear is that the customers of the breached service providers have been
compromised as well.

The organizations that have been targeted operate in the manufacturing
industry, retail industry, and a number of other verticals.

The common thread in each case is the LinkedIn list, generic password
policies, a lack of two-factor authentication, and remote access software
from services such as GoToMyPC, LogMeIn, and TeamViewer.

Citrix called the incident a "very sophisticated password attack," but that
isn't the reality of the situation; there's nothing sophisticated going on.

These are straight brute force attacks with a high degree of success,
largely because the leaked LinkedIn records have allowed the attacker to
reuse credentials directly, or enumerate them slightly, in order to gain
access.

It isn't clear if the active cases are all related, or if there is more
than one attacker or group conducting the raids. What is clear is that
some of the organizations caught up in this situation are large ones and
the only reason they're in this mess is due to recycled credentials.

There's a method to the madness:

An attacker who has the LinkedIn list knows a person's name, their work
history, and their password. Thus, the attacker now has a list of possible
targets, a good idea of how network IDs are generated, and some base
passwords to start with. There's more work to be done, as the attacker has
to identify services and systems exposed to the public, but this isn't an
impossible task.

"Typically there would be two types of threat actors that would consume
these stolen credential sets," explained Israel Barak, CISO of Cybereason.

The first are the actors that will use the credential set to conduct broad,
non-targeted attacks where they would attempt to gain access to social
media and financial services using the leaked credentials. The second set
of actors take their time and target individuals, or organizations they’re
associated with, in order to gain access to sensitive information and
systems.

Don't blame the victim, but...

Many organizations alter the default Active Directory policies slightly,
but this still leaves them with passwords containing 7-12 characters,
including one uppercase letter, one number, and one special character,
plus a 90-day expiration window.

Yet, most of the passwords used today are based on patterns and guessable
logic. The workforce is trained to create weak passwords from the start,
because organizations implement password policies that result in easily
guessed or cracked credentials.

"Typically organizations set a password complexity and selection policy
that requires users to choose passwords comprising multiple character
sets, have some sort of minimal length, and some restrictions as it relates
to expiration and reuse. Essentially this really doesn't solve anything, as
it relates to the problem of an average person not wanting to remember too
many passwords, which leads to password sharing across multiple services,"
Barak said.

"I think the most robust way to approach this particular issue is to employ
multi-factor authentication on sensitive services, and I think this is
especially true for services that are internet accessible, such as Outlook
Web Access, VPN portal, your ERP systems, or similar sensitive services."

The point, Barak added, was to ensure that the exposure of a user's
password wouldn't be enough to compromise their account.

Sadly, in many of the examples shared with Salted Hash, there was a direct
relation between the compromised organization and the leaked LinkedIn
account data set – so the username and password on LinkedIn was the exact
combination needed to access the corporate network.

But even when there wasn't a direct relation, the information available
from the LinkedIn list allowed some basic guesses that resulted in
successful compromises. For example, if there was a mismatch with the
network ID, altering it slightly to match public email addresses often
worked (e.g. jsmith vs. john.smith).

Two-factor authentication wasn't a factor in any of the breach examples
shared with Salted Hash. Again, this is because the compromised
organizations didn't use such features.

GoToMyPC isn't the only service provider that's been targeted recently.

Earlier this month, TeamViewer users reported system compromises, and at
least some of them admitted to reusing passwords. Last week, LogMeIn
proactively reset accounts where it was determined a customer was recycling
their LinkedIn password. On Tuesday, Carbonite reset all of its
customers' passwords after detecting login attempts using recycled
credentials.

So what's the underlying problem?

Weak password policies and recycled credentials are a serious problem.

At the same time, this problem is one that isn't easily fixed. Humans have
developed some bad habits when it comes to passwords and access, and
corporate policies that limit complexity and require easily guessed
formats further enable these bad habits.

In hindsight, the organizations that were compromised due to the LinkedIn
list made plenty of mistakes that proactive measures would have fixed. But
singling them out, as if they're something unique, would be a mistake.

Organizations don't track passwords or audit them; users are allowed
privileged access without restrictions; two-factor authentication is only
sparingly enabled in some cases (assuming it's enabled at all); and
security policies are selectively applied.

For example, the Department of Homeland Security banned personal webmail
for security reasons. However, DHS Secretary Jeh Johnson was exempted
from this ban because he liked to check his personal email from the office.

If that seems like a familiar situation to you, that's because everyone who
has ever worked in IT can tell horror stories about how C-Level executives
are regularly exempted from security policy.

This is why preventing recycled or easily guessed passwords is such a
problem. How can you manage passwords and how they're developed or used,
when just getting everyone on the same page policy-wise is challenge enough?
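
The gap between "meets the complexity policy" and "safe to use" described
above can be checked when a password is set. The sketch below is an added
example, not part of the original article: it applies the 7-12 character
policy the article describes, then screens the candidate against a breach
corpus. The function names, the sample corpus, and the assumption that the
corpus is a set of unsalted SHA-1 digests are all hypothetical.

```python
import hashlib
import re

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

# Constructed sample data standing in for a breach corpus of unsalted
# SHA-1 digests (assumed format); a real check would load the dump itself.
BREACH_CORPUS = {sha1_hex(p) for p in ("summer", "password", "Monkey#2012")}

# Common character substitutions users apply to satisfy complexity rules.
LEET = str.maketrans("@$0134", "asoiea")

def meets_policy(password: str) -> bool:
    """The policy described in the article: 7-12 characters with at least
    one uppercase letter, one number and one special character."""
    return (7 <= len(password) <= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

def reduced_forms(password: str) -> list:
    """Return the candidate followed by the simpler forms it was built from."""
    lowered = password.lower()
    stem = re.sub(r"[^a-z]+$", "", lowered)  # drop appended digits/symbols
    unleet = stem.translate(LEET)            # undo @->a, 0->o, and so on
    forms = [password]
    for form in (lowered, stem, unleet):
        if form and form not in forms:
            forms.append(form)
    return forms

def screen_password(candidate: str) -> tuple:
    """Return (allowed, reason) for a password a user is trying to set."""
    for index, form in enumerate(reduced_forms(candidate)):
        if sha1_hex(form) in BREACH_CORPUS:
            reason = "exact match" if index == 0 else "variant of breached password"
            return (False, reason)
    return (True, "not found")

if __name__ == "__main__":
    for pw in ("Summer2016!", "P@ssw0rd1!", "Monkey#2012", "Tr7!vqLw9z"):
        print(pw, meets_policy(pw), screen_password(pw))
```

Because the corpus holds only digests, this catches candidates built on a
breached base word; matching sibling variants of a breached password would
need the corpus indexed by reduced form, which requires its plaintext.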