SPECOPS Sponsored Content | eWEEK Technology News, Tech Product Reviews, Research and Enterprise Analysis

Create Strong Passwords for Your Employees With This Tool
https://www.eweek.com/sponsored/sponsored-post/create-strong-passwords-for-your-employees-with-this-tool/
Fri, 25 Sep 2020 01:30:57 +0000

The post Create Strong Passwords for Your Employees With This Tool appeared first on eWEEK.

There are currently billions of leaked records circulating on the Dark Web. The most notable mega leak, known as Collection #1-5, includes 1.2 billion unique email address and password combinations, 773 million unique email addresses, and 21 million plaintext passwords. Mega leaks affect not only the breached organization but every other ecosystem that shares the same user base. Their sheer size offers even an unskilled attacker an easy trial-and-error route into a wide range of sites and systems.

The danger of breached passwords

Breached passwords fuel attacks that leverage stolen credentials to gain unauthorized access, such as credential stuffing. Credential stuffing is a method in which attackers use automated bots to stuff those credentials into the login pages of many different sites to access accounts. Many tools that require no programming skills are readily available online, encouraging anyone looking to make a quick buck to try credential stuffing.

Credential stuffing has a 1-3 percent success rate due to password reuse and infrequent password changes. That is why even older credential lists still yield relative success. LinkedIn's notable 2012 breach led to many secondary compromises for years to come, such as the Dropbox hack: a Dropbox employee reused a password compromised in the LinkedIn breach, allowing the attackers to gain unauthorized access to Dropbox's corporate network.

Password reuse is a serious problem that plagues most organizations. According to a recent survey of 1,353 respondents, 31% use the same password for streaming sites as they do for other 'more sensitive' accounts, such as online banking. It is likely that your own corporate network has users reusing these breached passwords from personal-use sites.

Not only can breached passwords lead to endless secondary breaches, they can also result in the following consequences, according to the Ponemon Institute's The Cost of Credential Stuffing report:

  • Application downtime from large spikes in login traffic
  • Costs to remediate compromised accounts
  • Lower customer satisfaction
  • Fraud-related financial losses
  • Lost business due to customers switching to competitors
  • Damaged brand equity from news stories or social media

To put it in financial terms, the average cost of a breach caused by compromised credentials is $4.77 million, which is $1 million more than other forms of attack.

Top tips to keep breached passwords out

People will continue to use weak and breached passwords such as “123456,” “qwerty” or “Giants,” and reuse them across corporate and personal websites. Credential attacks will plague organizations that don't take basic steps to counter them. Since it is clear that we cannot rely on users to make wise password selections, it is time for IT departments to intervene. Here are a few tips to protect your organization against bad passwords.

Provide ongoing cybersecurity user training

Even the best technologies can't protect your data if your employees continue to engage in insecure practices. To help employees practice safer password habits, schedule ongoing training to educate them on the latest security threats and what they can do to prevent attacks. Security-conscious employees are better at recognizing threats and taking responsibility for defending against them. The training should be completed by all new employees and followed up with periodic training on an annual basis. Moreover, if your organization is bound by compliance standards, the training should be designed with those requirements in mind. The topics should help users identify potential threats, such as phishing and social engineering, as well as the steps to take when something seems suspicious.

Audit user passwords regularly

Unfortunately, the built-in Active Directory policies don't stop users from making poor password choices, so it is best to regularly audit existing passwords to check for vulnerabilities. Specops Password Auditor (free tool) detects security weaknesses specifically related to password settings. By scanning your Active Directory, the tool collects and displays multiple interactive reports containing user and password policy information, such as accounts using passwords leaked from major breaches, accounts with expiring or expired passwords, stale admin accounts, and more.

Block common and breached passwords

When a leak occurs, many other ecosystems become endangered because of the tendency to reuse passwords. Once a reused breached password is identified in your Active Directory, it is important to block it immediately. The Breached Password Protection service included in this Active Directory password filter checks your users' passwords against a continuously updated list of over 2 billion leaked passwords and blocks any password found in the list. Some of the breaches included in Breached Password Protection are:

  • MySpace (359 million)
  • LinkedIn (164 million)
  • Dubsmash (162 million)
  • MyFitnessPal (143 million)
  • MyHeritage (92 million)
  • Dropbox (68 million)
  • ShareThis (41 million)
  • HauteLook (28 million)
  • Animoto (22 million)
  • 500px (15 million)
  • Whitepages (11 million)
  • Armor Games (11 million)
  • Fotolog (10 million)
  • BookMate (3.8 million)
  • Adult Friend Finder (3.8 million)

The tool also gives end users feedback on why they can no longer use a password, making it easy for organizations to keep out vulnerable passwords without sacrificing usability. A 30-day free trial is available on request.
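To make the two controls above concrete (the leaked-password audit and a password filter that blocks breached or "decorated" common passwords while telling the user why), here is an added Python example. It is not Specops' code: the leaked list is a constructed five-entry sample, SHA-1 digests stand in for the NT hashes Active Directory actually stores, and the normalization rules and messages are illustrative.

```python
import hashlib

# Constructed sample of a leaked-password list. Real protection services hold
# billions of entries and are refreshed continuously; a static copy goes stale.
CONSTRUCTED_LEAKED_PLAINTEXTS = {"123456", "qwerty", "password1", "Giants2012", "letmein"}
# Keep only digests so plaintexts never sit beside the filter (SHA-1 is a demo
# simplification; Active Directory itself stores NT hashes).
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in CONSTRUCTED_LEAKED_PLAINTEXTS}

# Base words the policy rejects even when "decorated" with digits and symbols.
COMMON_BASE_WORDS = {"password", "qwerty", "giants", "welcome", "letmein"}
LEET = str.maketrans("@0134$!", "aoleasi")
EDGE_CHARS = "0123456789!@#$%^&*()-_=+.,?"

def sha1_hex(password: str) -> str:
    """Digest used for list lookups and for the constructed directory dump."""
    return hashlib.sha1(password.encode()).hexdigest()

def normalize(password: str) -> str:
    """Strip leading/trailing digits and symbols, then undo common leet-speak,
    so 'P@ssw0rd2020!' is recognised as the base word 'password'."""
    return password.strip(EDGE_CHARS).translate(LEET).lower()

def check_password(candidate: str) -> tuple[bool, str]:
    """Filter decision plus the plain-language reason shown to the end user."""
    if sha1_hex(candidate) in LEAKED_SHA1:
        return False, "This password appears in a known data breach."
    if candidate.isdigit():
        return False, "All-digit passwords are easily guessed."
    base = normalize(candidate)
    if base in COMMON_BASE_WORDS:
        return False, f"'{base}' is a commonly used password, even with numbers or symbols added."
    return True, "OK"

def audit_directory(password_hashes: dict[str, str]) -> list[str]:
    """Audit report: accounts whose stored digest matches a leaked password."""
    return sorted(user for user, digest in password_hashes.items() if digest in LEAKED_SHA1)

if __name__ == "__main__":
    for pw in ("qwerty", "Giants!", "P@ssw0rd2020!", "1234567890", "correct-horse-battery-staple"):
        print(pw, check_password(pw))
    # Constructed directory dump: username -> digest of current password
    print(audit_directory({"alice": sha1_hex("qwerty"), "bob": sha1_hex("Zr8!vm-quiet-harbor")}))
```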


Leaked Password + Password Reset = Account Takeover.
https://www.eweek.com/sponsored/sponsored-post/leaked-password-password-reset-account-takeover/
Sun, 02 Feb 2020 03:53:16 +0000

The post Leaked Password + Password Reset = Account Takeover. appeared first on eWEEK.

The cost of a data breach can be crippling, costing an organization $3.86 million on average, according to the Ponemon Institute. Although rarely publicized, attackers do not just target Fortune 500 companies: Verizon's 2019 Data Breach report found that 43% of data breaches involved small businesses as the targets. With such a lofty price tag, a data breach can force a business to close its doors, and if it does not, it can cause long-lasting reputational damage.

But what about when the breach was not due to a hack? Various organizations whose customers experienced account compromises in 2019 were, in fact, not hacked. The same Verizon report found that 29% of breaches involved the use of stolen credentials. With billions of stolen credentials (usernames and passwords) available online from previous breaches, a high volume of attacks results from automated credential stuffing.

Any time a massive aggregated leaked password list is made available online, credential stuffing attacks spike. Armed with stolen credentials from mega-breaches, attackers make login attempts against digital services through anonymous bot networks that make the traffic look like it is originating from many different IP addresses and browsers, in order to fly under the radar.

Credential stuffing is an emerging threat that doesn't stop with online services. With the majority of organizations adopting SaaS services to increase productivity and using single sign-on to federate login, no matter where a breach starts it can end up in the corporate network. And once in, attackers work laterally until they find something that makes the effort worthwhile: personal data, financials, etc.

Let's take a look at a few examples of these types of attacks and how attackers exploited compromised accounts upon takeover.

Disney+

Shortly after Disney launched the service in November 2019, Disney+ customers were having issues logging into their accounts. Many took to social channels suspecting that Disney+ had been compromised. Ultimately it was uncovered that the service was not hacked; rather, attackers exploited the fact that users reuse credentials to take over accounts with a credential stuffing attack.

By leveraging stolen credentials, attackers were able to gain access to users' Disney+ accounts. They did not stop there: after gaining access, they changed account usernames and passwords, effectively locking the account owners out. The news went public when attackers started offering Disney+ accounts online, either for free or for a price tag of $3-$11 per account.

Dunkin Donuts

February 2019 marked the second credential stuffing attack affecting Dunkin Donuts rewards customers. Attackers used leaked credentials to gain entry to thousands of DD Perks accounts. DD Perks is a loyalty program that allows repeat customers to earn points toward free merchandise or discounts. By gaining access to these accounts, attackers obtained loyalty points in addition to the users' first and last names, emails, 16-digit DD Perks account numbers and QR codes.

According to various news outlets, the attackers were not after the personal information. Their intent was to sell the accounts themselves on the Dark Web so that buyers could go on to use the stored value. Even so, New York State is suing Dunkin Donuts for failing to disclose the breach and to provide appropriate safeguards, since it suffered a similar breach in 2015 in which thousands of dollars on customers' stored-value cards were stolen and over 19,000 accounts were breached.

Citrix

In March 2019, Citrix announced that it had been breached. Attackers gained access to 6 terabytes of data via a password spraying attack. Like credential stuffing, password spraying exploits stolen credentials, but instead of trying a large number of credentials against a single account, it tries a single commonly used password against many accounts.

The attack went undetected for six months during which attackers stole business documents and other files from a shared network drive used to store both current and historical documents. The attackers also targeted a drive associated with a web-based tool (ShareFile) used by Citrix’s consulting practice. This tool used federated single sign-on, which the attackers exploited.
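The two patterns contrasted above leave different traces in authentication logs: a sprayer is one source failing against many accounts, while a stuffing wave is many sources each failing against one account, with failures suddenly dominating login traffic (the spike the Ponemon list mentions). The following Python example is added here, not taken from the article or any Specops product; the login events and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed login events for one short window: (username, source_ip, outcome).
BASELINE_EVENTS = [
    ("alice", "192.0.2.1", "OK"), ("bob", "192.0.2.2", "OK"),
    ("carol", "192.0.2.3", "FAIL"), ("carol", "192.0.2.3", "OK"),  # one honest typo
]
SPRAY_SOURCE = "198.51.100.7"
ATTACK_EVENTS = BASELINE_EVENTS + [
    # Spraying: one host tries a single common password against six different accounts.
    (f"user{i}", SPRAY_SOURCE, "FAIL") for i in range(6)
] + [
    # Stuffing: eight bot IPs each replay one leaked username/password pair.
    (f"victim{i}", f"203.0.113.{i}", "FAIL") for i in range(8)
]

def failed_users_by_source(events):
    """Map each source IP to the set of distinct usernames it failed against."""
    by_source = defaultdict(set)
    for user, src, outcome in events:
        if outcome == "FAIL":
            by_source[src].add(user)
    return by_source

def detect_spraying(events, min_users=5):
    """Sources whose failures fan out across many accounts (one guess per account)."""
    return sorted(src for src, users in failed_users_by_source(events).items()
                  if len(users) >= min_users)

def detect_stuffing(events, min_sources=5, min_fail_share=0.5):
    """Distributed failure spike: many sources, each failing against only one or two
    accounts, with failures making up most of the window's login traffic."""
    by_source = failed_users_by_source(events)
    narrow_sources = [src for src, users in by_source.items() if len(users) <= 2]
    failures = sum(1 for _, _, outcome in events if outcome == "FAIL")
    fail_share = failures / len(events) if events else 0.0
    return len(narrow_sources) >= min_sources and fail_share >= min_fail_share

if __name__ == "__main__":
    print("baseline:", detect_spraying(BASELINE_EVENTS), detect_stuffing(BASELINE_EVENTS))
    print("attack:  ", detect_spraying(ATTACK_EVENTS), detect_stuffing(ATTACK_EVENTS))
```

Thresholds are per environment: a shared NAT gateway will legitimately show many usernames behind one address, so tune `min_users` against a baseline of normal traffic before alerting on it.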

Lessons Learned

Credential stuffing and password spraying attacks are experiencing a high level of success, and organizations are being held accountable. Playing the victim card will not sidestep responsibility. In fact, the Federal Trade Commission (FTC) set a mandate for this with TaxSlayer, an online tax preparation service that suffered a credential stuffing attack back in 2015. The FTC cited failure to adhere to the Privacy Rule and the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) by failing to conduct a risk assessment that would have identified reasonable and foreseeable internal and external security risks.

Essentially, the FTC is stating that credential stuffing attacks are foreseeable and that organizations without the appropriate security measures will be held responsible. Safeguards against these types of attacks exist. Organizations need to start by removing weak passwords: set a secure password policy that eliminates low-hanging fruit such as easily guessable passwords or the use of leaked passwords. Note that implementing a static password blacklist will not protect you indefinitely.

Given that attackers don't sit still once they've taken over an account, it is also important to ensure that only the appropriate users are accessing accounts and resetting passwords, especially Active Directory self-service password resets. This is an essential consideration when utilizing federated single sign-on. As such, turn on multi-factor authentication to protect online service access and password resets.

Specops uReset can protect Windows self-service password resets, account unlocks and password changes.

