[BreachExchange] The Plight of the Password

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 6 15:32:13 EDT 2018


https://www.securitymagazine.com/articles/89203-the-plight-of-the-password

Passwords provide a false sense of security for both users and the
companies who demand them. Requiring a password to protect the user (and
ultimately sensitive company data) creates an entirely new frontier, both
from a security perspective and for criminal activity.

Passwords are the simplest go-to for system security and are the weakest
link in the cybersecurity chain. Criminals know passwords are often the
only thing between them and massive amounts of data they can sell for a
profit in the underground. Password breaches lead threat actors to a cache
of information that generates anywhere from a few dollars to thousands per
breach.

Some of the largest public breaches have occurred in the past few years,
revealing security vulnerabilities that exposed billions of pieces of
personal data users assumed were protected behind the veil of their
passwords. The types, shapes and sizes of exposures vary, but most begin
with an oversight or pure naiveté.



The Innocent Exposure

Few companies invite a breach, yet when one happens, most are surprised at
how human error, or simply being unaware of a vulnerability, put the company
at risk. These are the most common exposures, as companies struggle to stay
in step with criminal hacking techniques. A few notable instances in which
innocent mistakes morphed into something much bigger:

Twitter

Twitter recently urged users to immediately change their passwords after
they discovered a glitch that stored unencrypted passwords in an internal
log. Even though it was an innocent mistake, anyone who may have had access
to that log could have, in theory, exploited those passwords. Smartly,
Twitter also recommended users consider changing their password on all
services where they may have reused their Twitter password.

Equifax

Equifax found that an application vulnerability on their website resulted
in nearly 150 million consumer passwords being exposed. While the exposure
began in May, the breach wasn’t discovered until the end of July, giving
criminals plenty of time to sell millions of Social Security numbers, birth
dates, addresses, driver’s license numbers, credit card data and personally
identifiable information.

Uber

Uber found themselves the victim of a hacking attack that impacted 57
million Uber users and 600,000 Uber drivers. Two hackers accessed Uber’s
GitHub account to uncover username and password credentials that never
should have been stored there in the first place. The breach may have cost
Uber $20 billion in valuation during its attempt to sell a stake in the
company.



The Weak Password

Weak passwords can be too short, too simple and/or too obvious. Hackers use
different automated methods to crack passwords, including trying the most
commonly used passwords and brute force attacks that attempt every possible
character combination. These attacks are run at massive scale and speed,
and it takes only one compromised account to land the criminals in a
treasure trove of sensitive corporate data.

Even when passwords are strong, many people reuse the same password across
multiple accounts. If one of those accounts is hacked, criminals perform
“credential stuffing,” testing that password against thousands of popular
websites to rapidly scale the attack, sometimes for years. Though 91 percent
of people know using the same password for multiple accounts is risky, 59
percent still do it. Password reuse, and employees accessing apps like
Dropbox and GitHub with personal email accounts, is a challenge for most
companies.
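The paragraph above describes credential stuffing from the attacker's side; from the defender's side the attack has a recognisable shape in authentication logs, distinct from brute force against one account. The following detector is an added example and not part of the article: it assumes a simple log line format ("<ISO timestamp> auth FAIL|OK user=<name> ip=<addr>"), the thresholds in the function signature, and constructed sample lines, and classifies each source address by whether its failed logins spread across many accounts (stuffing) or concentrate on one (brute force), then lists the accounts where a replayed password actually worked.

```python
"""Telling credential stuffing apart from single-account brute force
in authentication logs.

Credential stuffing replays leaked username/password pairs against many
accounts, so one source produces a few failures per account spread over
many accounts. Brute force on one account produces many failures for a
single username. The detector classifies each source address by the
shape of its failures inside a sliding time window. The log format,
thresholds and sample lines are assumptions constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <FAIL|OK> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def classify_sources(lines, window=timedelta(minutes=10),
                     min_failures=5, min_distinct_users=5):
    """Map source ip -> 'credential_stuffing' or 'brute_force' for sources
    with at least min_failures failed logins inside some window. A window
    touching min_distinct_users different accounts is stuffing; otherwise
    the failures are concentrated and labelled brute force."""
    failures = [e for e in map(parse_line, lines) if e and e["result"] == "FAIL"]
    by_ip = defaultdict(list)
    for e in failures:
        by_ip[e["ip"]].append(e)
    labels = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # advance the window start until the batch fits in `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            batch = events[start:end + 1]
            if len(batch) < min_failures:
                continue
            if len({e["user"] for e in batch}) >= min_distinct_users:
                labels[ip] = "credential_stuffing"
                break
            labels[ip] = "brute_force"
    return labels


def successes_from_flagged(lines, labels):
    """Accounts that logged in successfully from a flagged source: the
    reused passwords that worked, which need a forced reset and review."""
    return {e["user"] for e in map(parse_line, lines)
            if e and e["result"] == "OK" and e["ip"] in labels}


SAMPLE_LOG = [  # constructed sample data, not a real log
    # 203.0.113.7: one attempt per account across seven accounts (stuffing)
    "2018-07-06T15:00:01 auth FAIL user=alice ip=203.0.113.7",
    "2018-07-06T15:00:02 auth FAIL user=bob ip=203.0.113.7",
    "2018-07-06T15:00:03 auth FAIL user=carol ip=203.0.113.7",
    "2018-07-06T15:00:04 auth OK user=dave ip=203.0.113.7",
    "2018-07-06T15:00:05 auth FAIL user=erin ip=203.0.113.7",
    "2018-07-06T15:00:06 auth FAIL user=frank ip=203.0.113.7",
    "2018-07-06T15:00:07 auth FAIL user=grace ip=203.0.113.7",
    # 198.51.100.9: six attempts against a single account (brute force)
    "2018-07-06T15:01:00 auth FAIL user=alice ip=198.51.100.9",
    "2018-07-06T15:01:01 auth FAIL user=alice ip=198.51.100.9",
    "2018-07-06T15:01:02 auth FAIL user=alice ip=198.51.100.9",
    "2018-07-06T15:01:03 auth FAIL user=alice ip=198.51.100.9",
    "2018-07-06T15:01:04 auth FAIL user=alice ip=198.51.100.9",
    "2018-07-06T15:01:05 auth FAIL user=alice ip=198.51.100.9",
    # 192.0.2.5: a user who mistyped once, below every threshold
    "2018-07-06T15:02:00 auth FAIL user=heidi ip=192.0.2.5",
    "2018-07-06T15:02:09 auth OK user=heidi ip=192.0.2.5",
    "this line is malformed and is ignored",
]

if __name__ == "__main__":
    flagged = classify_sources(SAMPLE_LOG)
    print(flagged)
    print("accounts to reset:", successes_from_flagged(SAMPLE_LOG, flagged))
```

The thresholds are deliberately low so the sample fits on screen; in production they are tuned to the site's normal failure rate, and the per-source view is complemented by a per-account view, since stuffing campaigns are usually spread across many source addresses to stay under exactly this kind of threshold.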

Facebook

One of the more prominent examples of how password reuse can be used against
someone is with Mark Zuckerberg. In 2016, the Facebook CEO discovered his
Twitter and Pinterest accounts had been hacked. Apparently, Zuckerberg used
the same password for LinkedIn as he did for Twitter and Pinterest. When
LinkedIn was hacked and millions of usernames and passwords sold on the
dark web, LinkedIn users were encouraged to change their account password.
Zuckerberg did so but neglected to change the same password for his other
social media accounts.



The Unaware Employee

Employees introduce the most risk to an organization. They click on
phishing emails, log into bogus sites, use weak passwords, access secure
sites from unsecured devices and unwittingly download viruses and malware.
Most employees are completely unaware of their mistakes.

Anthem

In the Anthem breach, hackers ran a phishing campaign to
compromise multiple C-level executive accounts. Because none of the
executives used additional authentication mechanisms, hackers were able to
easily access the entire data warehouse and remove more than 80 million
customer records – all from only five breached accounts.

8Tracks

The social music streaming company 8Tracks was surprised to learn that an
employee inadvertently leaked the passwords of 18 million user accounts.
The company traced the breach to a GitHub repository that did
not require two-factor authentication.



The common denominator in each of these breaches is the password. If
cracked, the password is like an HOV lane for criminals, directing them to
what they really want: personal, profitable information they can sell en
masse. Unfortunately, many consumers and companies believe the password is
protection enough. They are learning that’s a dangerous misconception, and
many proposed technological solutions have their own sets of problems.

There are ways for users to fortify their accounts beyond passwords, yet
few choose to do so because it slows down the login process. Password
managers and two-factor authentication are substantially more secure
methods but nearly 90 percent of Americans still keep track of their online
passwords by either memorizing them or writing them down, and fewer than 30
percent use two-factor authentication.

Many companies encrypt passwords; however, the type of encryption matters.
Even well-designed passwords can be stolen or compromised when service
providers aren’t adequately securing them with the latest technology.
Weaker algorithms, like unsalted MD5 and SHA-1, are commonly used yet easily
deciphered and immediately converted back into the readable passwords that
fuel attacks. The Ashley Madison incident involved 36 million leaked
passwords that were hashed with the bcrypt encryption type, clearly not
strong enough to prevent a breach.
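To make concrete why an unsalted fast hash is "easily deciphered", here is an added example (not from the article or any of the companies it names) contrasting the two storage approaches the paragraph contrasts. It uses Python's standard library only: unsalted MD5 on one side, and a per-user random salt with PBKDF2-HMAC-SHA256 on the other as a stand-in for the slow, salted hash family that bcrypt also belongs to. The usernames, passwords and the iteration count are constructed assumptions for the example.

```python
"""Password storage: why unsalted fast hashes leak, and a salted slow hash.

Two users who chose the same password get identical unsalted MD5 digests,
so identical digests expose shared passwords at a glance and a single
precomputed table of common passwords matches every such account at once.
A per-user random salt plus a deliberately slow key-derivation function
(PBKDF2-HMAC-SHA256 here; bcrypt, scrypt and Argon2 are the usual
alternatives) makes every stored record unique and every guess expensive.
Usernames, passwords and the iteration count are constructed assumptions.
"""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumption: tune so one derivation takes ~100 ms


def store_unsalted_md5(password):
    # The pattern the article warns about: fast, unsalted, deterministic.
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.
    A fresh 16-byte random salt is drawn unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, record):
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the comparison leaks nothing about partial matches."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_groups(records):
    """Group usernames whose stored value is identical. For unsalted hashes
    this reveals which accounts share a password without knowing it; for
    salted records it is always empty."""
    by_value = defaultdict(set)
    for user, value in records.items():
        by_value[value].add(user)
    return [users for users in by_value.values() if len(users) > 1]


SAMPLE_USERS = {  # constructed: three accounts, two of which reuse a password
    "alice": "correct horse battery staple",
    "bob": "Summer2018!",
    "carol": "Summer2018!",
}


def demo():
    md5_store = {u: store_unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_store = {u: store_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    return {
        "md5_shared": shared_password_groups(md5_store),        # [{'bob', 'carol'}]
        "pbkdf2_shared": shared_password_groups(pbkdf2_store),  # []
        "verify_ok": verify_pbkdf2("Summer2018!", pbkdf2_store["bob"]),
        "verify_bad": verify_pbkdf2("summer2018!", pbkdf2_store["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Storing the algorithm name and iteration count inside the record is what lets a service raise the work factor later: old records keep verifying with their own parameters and can be re-hashed transparently on the user's next successful login.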

Companies may also attempt to track password exposures, but the process can
be labor intensive, frequent false positives desensitize them to real
threats, and they often miss many of the compromises. Their methods are too
basic to catch the oft-shrouded techniques of the modern cybercriminal,
particularly when the bad actor is internal to the company.

Unless organizations turn to automating their tracking and breach detection
and strengthening their login and authentication through technologies like
biometrics, they will continue to leave themselves, their employees, their
customers and their data at risk.

Bottom line: Companies must fight fire with fire, and as long as passwords
are the cornerstone of cybersecurity, we will continue to be vulnerable.
Refortifying passwords and avoiding data breaches involves adjusting
mentality and behavior as well as modernizing technology and service
provider practices to stay a step ahead of the threat actors.