Endpoint

7/27/2020
10:00 AM
Alex Artamonov
Commentary

Pandemic Credential Stuffing: Cybersecurity's Ultimate Inside Job

How stolen credentials for services like Zoom and password reuse practices threaten to compromise other accounts and applications.

Like most of us, hackers would prefer to do as little work as possible, and all too often, we serve as their accomplices.

While some of those engaged in cyberattacks still wield virtual hacksaws and decode complex pathways, just about every cyberthief seeks the path of least resistance. Credential stuffing is one of the names that path goes by.

Credential stuffing takes basic brute-force attacks to another, one might say more efficient, level. It replaces bluntness and random strings not with finesse but with what amounts to inside information: username-and-password pairs that already leaked from one breach, replayed in bulk against other sites on the bet that the same person reused them. Think of credential stuffing as less like picking a single lock than gaining possession of the master key. In the wake of a breach, any breach, login credentials suddenly become currency, eligible for use against other services.

That's problematic enough during normal times. During the COVID-19 pandemic, the challenges have only multiplied. Large-scale phishing campaigns and database dumps are happening at this writing. Risk factors are off the charts, given that more users are working remotely and, unfortunately, are having a tough time spotting phishing emails. That in turn leads to stolen credentials for services like Zoom and, thanks to password reuse, threatens to compromise other accounts and other applications. It also feeds the increasingly pervasive, and threatening, practice of business email compromise (BEC), where a single phished or dumped password can expose a user's full email history and give the attacker still more access into that user's personal and professional life.

Back in the day, hackers maintained word lists — likely or conceivable passwords — to use against a system or an account. Hitting paydirt was a time-consuming process that paid uncertain dividends. With the profusion of legitimate passwords out and about in the real world — passwords associated with known accounts and usernames from online destinations such as Netflix, Facebook, Dropbox and legions more — credential stuffing effectively means game over for a huge number of users. And that wall that once separated business accounts (say, Wells Fargo) from personal accounts (say, Amazon Prime) has long since been, pardon the expression, breached. Password reuse has morphed into password abuse.

Here, as in so many other realms of cyber life, hackers got there first. They figured out the obvious: Ransacking a heavily trafficked site — a single service that yields access to thousands or millions of accounts — beats playing roulette with more obscure destinations. All of which is an irrefutable argument in favor of deploying unique passwords, at the very least.
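The attacker behavior described above leaves a recognizable footprint in a site's own login logs: one source trying many different accounts, with most attempts failing and a few succeeding. The following detector is an added example for this column, not code from the author or from Dark Reading; the log format, field names and thresholds are assumptions chosen for illustration, and the log lines are constructed, not real traffic.

```python
"""Flag credential-stuffing activity in web login logs.

Added example, not part of the original column. The log format, field
names and thresholds are assumptions; adapt them to your own auth logs.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# <timestamp> src=<ip> user=<username> result=<success|failure>
SAMPLE_LOG = """\
2020-07-20T09:00:01Z src=203.0.113.7 user=alice result=failure
2020-07-20T09:00:02Z src=203.0.113.7 user=bob result=failure
2020-07-20T09:00:02Z src=203.0.113.7 user=carol result=failure
2020-07-20T09:00:03Z src=203.0.113.7 user=dave result=success
2020-07-20T09:00:03Z src=203.0.113.7 user=erin result=failure
2020-07-20T09:00:04Z src=203.0.113.7 user=frank result=failure
2020-07-20T09:00:04Z src=203.0.113.7 user=grace result=failure
2020-07-20T09:00:05Z src=203.0.113.7 user=heidi result=failure
2020-07-20T09:01:10Z src=198.51.100.4 user=alice result=failure
2020-07-20T09:01:25Z src=198.51.100.4 user=alice result=failure
2020-07-20T09:01:40Z src=198.51.100.4 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Assumed thresholds: one source trying this many distinct accounts with
# this failure rate looks like a replayed credential list, not a user
# who mistyped a password twice.
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.75


def parse_lines(text):
    """Yield a dict per well-formed line; skip anything that does not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_by_source(events):
    """Per source IP: attempts, distinct usernames, failures, and the
    accounts the source actually managed to log in to."""
    stats = defaultdict(
        lambda: {"attempts": 0, "users": set(), "failures": 0, "hits": set()}
    )
    for ev in events:
        s = stats[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "failure":
            s["failures"] += 1
        else:
            s["hits"].add(ev["user"])
    return stats


def find_stuffing_sources(text, min_users=MIN_DISTINCT_USERS,
                          min_ratio=MIN_FAILURE_RATIO):
    """Return {src_ip: [accounts the source logged in to]} for sources whose
    pattern (many distinct accounts, mostly failures) matches credential
    stuffing. The listed accounts are the ones to reset and re-verify."""
    flagged = {}
    for src, s in summarize_by_source(parse_lines(text)).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_ratio:
            flagged[src] = sorted(s["hits"])
    return flagged


if __name__ == "__main__":
    for src, hits in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: credential stuffing suspected; successful logins: {hits}")
```

On the sample, 203.0.113.7 is flagged (eight accounts, seven failures, one success against "dave"), while 198.51.100.4, a single user fumbling their own password, is not. Real campaigns spread attempts across proxy pools, so in production the same aggregation is worth repeating by user agent, ASN or TLS fingerprint rather than by IP alone.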

There is, in fact, much more that individuals, acting as consumers and members of a given business community, can do. Requiring regular password changes and two-factor authentication can both blunt these attacks, two-factor authentication especially, since a replayed password is useless on its own.

That said, be aware that continuously compelling users to change passwords and having to remember so many different password combinations may have unintended consequences. Users may wind up creating a base password and simply changing the last few characters, which leads to weak, easily cracked passwords. Enter the password manager, a popular solution but one that carries its own risks. A password manager effectively serves as a vault holding a trove of passwords, so take special care when selecting a password management solution, and protect the vault itself with a strong master passphrase and a second factor. With two-factor authentication, even if the password is weak or leaked, the attacker isn't able to log in without the user's phone or another device that generates a one-time password (OTP). This is why most online services are scrambling to implement two-factor authentication or some other means of protecting potentially compromised accounts, such as machine-learning-based detection of anomalous logins. One caveat: an OTP only proves possession of the device at that moment, so a phishing page that relays the code to the real site in real time can still get in; where available, phishing-resistant factors such as FIDO2/WebAuthn security keys are the stronger choice.

If two-factor authentication is not possible, at the very least, mandate regular password changes. Doing so will make it more difficult to guess the correct password, given that leaked databases are not always fresh, and different sites will have different password change schedules, which, in turn, may effectively lead to randomized passwords. A more targeted measure, and one that does not breed the base-password-plus-suffix habit, is to screen every new password against a corpus of known-breached passwords at the moment it is set. When using a password manager, it's also a good idea to use its security health-check feature, assuming one is available. Signing up an individual or an organization for a breach-notification service such as Have I Been Pwned can help minimize risk after a password dump. It's yet another way to compel hackers to work that much harder to do mischief.
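Checking a candidate password against a breach corpus does not require sending the password, or even its full hash, anywhere. The range protocol that Have I Been Pwned's Pwned Passwords service uses sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally (k-anonymity). The following is an added example for this column, not HIBP's own code and not from the author; the sample range response and its counts are constructed so the demo runs offline, and the optional online lookup targets the real endpoint https://api.pwnedpasswords.com/range/<prefix>.

```python
"""Breached-password check via the Pwned Passwords k-anonymity range protocol.

Added example, not part of the original column and not HIBP's code.
FAKE_RANGES is a constructed stand-in for the service's reply; the counts
in it are made up.
"""
import hashlib
import urllib.request

# Constructed stand-in for the server's answer to the range query for
# prefix 5BAA6: one "<35-hex-char suffix>:<count>" per line, as the real
# API returns. The first suffix completes SHA-1("password"); the others
# are filler. Counts are made up.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "00F2ABD4B5B1A2C3D4E5F60718293A4B5C6:2\n"
        "1C3D5E7F9A0B2C4D6E8F0A1B3C5D7E9F1A2:17\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_offline(prefix):
    """Local stand-in for the range endpoint; '' for an unknown prefix."""
    return FAKE_RANGES.get(prefix, "")


def lookup_online(prefix):
    """Real range query (not used by the demo path). Add-Padding asks the
    server to pad the reply so its size does not reveal the bucket."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=lookup_offline):
    """How many times the password appears in the corpus; 0 means not seen.
    Padding entries carry count 0, so they naturally read as 'not seen'."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_new_password(password, lookup=lookup_offline):
    """Policy hook for a password-change flow: refuse anything seen in a breach."""
    return breach_count(password, lookup) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xyzzy 2020"):
        print(f"{pw!r}: seen {breach_count(pw)} times, "
              f"accept={acceptable_new_password(pw)}")
```

Pass `lookup=lookup_online` to `breach_count` to query the live service; the local comparison logic is identical. Wiring `acceptable_new_password` into the password-change handler is what turns "mandate rotation" into "mandate rotation to something the attackers do not already have".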


Based in the Greater Phoenix area, Alex Artamonov is a systems engineer and cybersecurity specialist now in his 10th year with Infinitely Virtual. Skilled in VMware ESX, Microsoft Server and desktop operating systems, HP Proliant, and HP blade ...