The Always Relevant Password Saga

Passwords, they’re pretty much a headache for everyone involved. It’s a pain to come up with strong passwords and even harder to remember them, and it’s challenging for companies to enforce password rules for their employees and users in a way that protects the organization.

According to a new survey by SailPoint, one in five employees would be willing to sell their email passwords, and 44% of them said they’d do it for less than $1,000.

But whether they’re stolen or given away, passwords present a challenge for everyone involved. There are many ways that passwords can be used to cause damage. In this post we’ll look at two:

  • Insider attacks that use compromised credentials to steal data or cause damage in the corporate network
  • Industrial hackers that use stolen credentials to purchase goods and services or to steal money over time

Compromised Credentials and Insider Attacks

We saw in the survey referenced above that one in five employees would be willing to sell their email passwords for under $1,000, and an earlier survey by SailPoint showed that some employees were willing to let them go for as little as $150.

Earlier this year, hackers were offering Apple employees in Ireland up to €20,000 pounds for their credentials.

But hackers don’t necessarily need to pay for credentials. In Kevin Mitnick’s book Ghost in the Wires, he showed how time after time, with familiarity with an organization’s language, some research into key employees, and a lot of nerve, he easily convinced others he was an authorized agent of their company and got them to give him almost anything he wanted, even, sometimes, their passwords.

While Paul Simon said there are “50 ways to leave your lover,” there are many more ways to get ahold of someone’s password. Whether people are giving them away, selling them, or losing them through phishing campaigns or whaling attacks, passwords are easily compromised.

And once a hacker gets ahold of your employee’s password, it’s pretty hard to detect if it’s being used for malicious purposes before the damage is done. Early detection is the key to preventing significant damage. It was revealed that hackers stalked a Bangladeshi bank’s computer systems for only two weeks before stealing more than $101 million, and would have gotten away with $1 billion if it wasn’t for a hacker’s typo! So it’s clear that detecting compromised insider credentials is key to limiting the damage these attacks cause.

Today there are tools to help detect attacks by compromised and malicious insiders. Imperva CounterBreach was designed exactly for this purpose. You can read more about CounterBreach and insider threats in this blogpost.

Industrial Hacking – the Blight of Online Business

Getting ahold of a password or two may be fun for some and profitable for others, but stolen passwords can be used to extract large sums from companies. Industrial hacking has led to a whole new scale of credential and commercial theft and abuse.

Hold Security claimed it “identified a Russian cyber gang that it believes stole 1.2 billion username and password combinations and more than 500 million email addresses.”

In 2010, RockYou, a company that makes software for social networking sites, was hacked, resulting in the theft of 30 million passwords.

Imperva conducted an analysis on the passwords contained in a data dump from the RockYou breach. The analysis found that the most popular password was 123456, which was used by 1% or 300,000 accounts contained in that dump. This was little better than 12345, supposedly the most common password years earlier. Furthermore, users reuse passwords across multiple websites.

With each new breach, we see larger and larger data dumps, that is, the content of these breaches being shared by the hackers with the world. These stolen credentials can be used in a variety of attacks.

For example, hackers can run brute-force attacks, which take a stolen list of encrypted credentials and try a large number of passwords against them in an attempt to gain access to an account.

Alternatively, hackers can run tools that recover passwords by computing hashes of common and simple passwords with popular hashing algorithms and comparing them against the stolen hashes. With passwords like 123456, recovery becomes easy, and with such a large number of users using inherently weak passwords, well, you get the point.

Long lists of usernames and credentials don’t even have to match to be turned into cash. Dictionary attacks use automated bots to feed a single username and then run through a list of common passwords until they succeed. And when we see that so many users have passwords that are easy to guess, we can see the potential risk.
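As an added example (not Imperva's code and not part of the original post), here is one way a defender could spot both patterns in an authentication log: many failures against a single username, which per-source rate limits miss when the bots rotate addresses, and one source trying many usernames from a stolen list. The log format, thresholds, alert names and the detect function are assumptions made for this sketch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_FAILS_PER_USER = 5          # assumed threshold: failures against one account
MAX_USERS_PER_SOURCE = 4        # assumed threshold: accounts tried from one source

# Constructed sample log, format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2016-03-01T10:01:00 203.0.113.7 alice FAIL
2016-03-01T10:01:05 203.0.113.8 alice FAIL
2016-03-01T10:01:10 203.0.113.9 alice FAIL
2016-03-01T10:01:15 203.0.113.7 alice FAIL
2016-03-01T10:01:20 203.0.113.8 alice FAIL
2016-03-01T10:01:25 203.0.113.9 alice OK
2016-03-01T10:02:00 192.0.2.44 bob FAIL
2016-03-01T10:02:01 192.0.2.44 dave FAIL
2016-03-01T10:02:02 192.0.2.44 erin FAIL
2016-03-01T10:02:03 192.0.2.44 frank FAIL
2016-03-01T10:30:00 198.51.100.21 bob FAIL
2016-03-01T10:30:30 198.51.100.21 bob OK
"""

def detect(log_text):
    """Return (kind, subject) alerts in the order they were first raised."""
    fails_by_user = defaultdict(deque)  # username -> times of recent failures
    fails_by_ip = defaultdict(deque)    # source IP -> (time, username) failures
    alerts = {}                         # dict keeps first-raised order, no repeats
    for line in log_text.strip().splitlines():
        stamp, ip, user, result = line.split()
        ts = datetime.fromisoformat(stamp)
        user_fails, ip_fails = fails_by_user[user], fails_by_ip[ip]
        # Drop failures that have aged out of the look-back window.
        while user_fails and ts - user_fails[0] > WINDOW:
            user_fails.popleft()
        while ip_fails and ts - ip_fails[0][0] > WINDOW:
            ip_fails.popleft()
        if result == "OK":
            # A success right after a burst of failures suggests a guess landed.
            if len(user_fails) >= MAX_FAILS_PER_USER:
                alerts.setdefault(("account_likely_compromised", user), ts)
            user_fails.clear()
            continue
        user_fails.append(ts)
        ip_fails.append((ts, user))
        if len(user_fails) >= MAX_FAILS_PER_USER:
            alerts.setdefault(("dictionary_attack", user), ts)
        if len({u for _, u in ip_fails}) >= MAX_USERS_PER_SOURCE:
            alerts.setdefault(("credential_list_replay", ip), ts)
    return list(alerts)
```

In the sample, the failures against alice come from three different addresses, so only the per-username count catches them; bob's single mistyped password half an hour later raises nothing.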

As is the case when hackers target bank and retail accounts, when they find a match, they charge as much as possible and can even transfer money from bank accounts. Over time, these types of attacks can drain organizations of a large amount of money.

Imperva offers various tools including Bot Mitigation and Account Takeover Protection to prevent these types of attacks. This recent blogpost describes the different mechanisms needed to best identify and block these types of attacks.

Passwords are an integral part of life in the 21st century, and they’re not going away anytime soon. Even with two-factor authentication and other security mechanisms to strengthen password use, it’s clear that organizations need to find a solution that can manage the inherent risk, and soon.

And while users can search for the perfect (or safe) password and employees can use good password etiquette to avoid having their accounts hijacked or stolen, enterprises have a bigger concern. Enterprises need to implement mechanisms to detect and prevent the use of stolen or otherwise compromised user credentials, both on their front-end commercial websites and inside their enterprise network.