James Carroll, OSCP - an information security engineer at Secure Network Technologies was recently features on News Channel 3, commenting on the privacy of Facebook surveys and how a little due diligence can go a long way.
Eric Fiske, OSCP - an information security engineer at Secure Network Technologies was recently featured on News Channel 3, commenting on the security of cloud and home automation devices such as the Amazon Echo and Google Home.
Just this week multiple media outlets reported over 129 million LinkedIn passwords being sold on the darkweb, stemming from a breach that occurred in 2012. Although LinkedIn has implemented automated security precautions, such as blocking login attempts from a suspicious locations, e-mailing PINS, etc. - this breach is still a huge deal. The passwords are very easily accessible in plaintext through various sources that don’t require the dark web (I won’t share them here, if you are curious do a quick google search). Just yesterday, Forbes.com reported that LinkedIn has began resetting users passwords that haven’t been changed since 2012 to help thwart potential account compromises. The problem is that – this is only the tip of the iceberg.
One thing I know and many security professionals know for a fact is that users HATE passwords. Therefore, users will re-use the same password for multiple services. Let’s say your name is Ray Reddington (I do love the blacklist), you were involved in the great LinkedIn data breach of 2012, and your account credentials are now plastered all over the dark web for the pickings. Roman and his hacking buddies have targeted you (or your organization), and the data looks something like this.
Because of LinkedIn’s diligent efforts to protect your security, they have conveniently reset your password, which you have changed by now. Good game, uber hackers!
Not so fast.
The hackers have located Blacklist Enterprises email portal, located at webmail.blacklist.com, which you use the same password for! Sure – you changed your LinkedIn password, but did you change your company email password? Your remote access or VPN password? If I breached your email account, how many changed passwords could I reset? Well, you use that e-mail for you LinkedIn account, banking account, online payment and benefits portal..you get my point.
Now, your account and possibly your corporate network has been owned because of LinkedIn, a classic example of some pwnage-by-proxy! So, what can you as a user do to help prevent this?
- Use complex passwords (or passphrases)
- The more complex, generally the harder to break. If an attacker does compromise a site such as LinkedIn, and your account is protected with a strong password, it will not be cracked, therefore your account is not in immediate danger.
- Use different passwords for each service
- Re-using passwords is something that has plagued and will continue to plague the security industry. By using different passwords for each service, it ensures that if one service is breached (such as LinkedIn), an attacker will not be able to access services such as your webmail with the same username/password combination.
- Really..make that password different
- Using the example above, changing the password to IL0veLiz1 will not cut it, and a motivated attacker will step right through it. Maybe something like Liz1sN0TD3AD!LOL?.
A good resource to bench how secure your password may be can be found at www.howsecureismypassword.net. According to howsecureismypassword, IL0veLiz1 will be cracked in about 4 days, whereas Liz1sN0TD3AD!LOL? Will take about 4 Quadrillion Years (yes, that’s the actual metric).
10 Years Of Human Hacking: How ‘The USB Way’ Evolved
After a decade of clicking without consequence, users still haven't gotten the message about the dangers of rogue USB devices with malware hidden inside.
When my piece "Social Engineering the USB Way" ran in 2006, the intent was to create awareness about endpoint security and how plugging something into your computer could result in severe consequences. As a penetration tester, I hoped those who became victim to the exploit would learn a valuable lesson. Since then, my company has performed hundreds of similar tests, tempting users with USB devices in numerous ways. Needless to say, the results were always interesting.
As users started to become educated about rogue USB drives, we changed the rules by purchasing memory sticks branded with their company name and logo. Sometimes we attached them with a lanyard also printed with the corporate insignia. In some cases, we placed them on the desks of individual users, and in other instances, we physically mailed them to the individual. In all scenarios, users still plugged the devices in and ran whatever exploit we stored on the drive.
When our ability to place devices in the hands of users became a problem we focused on different delivery methods. Rather than trying to drop them on their desks or mail them to users, we shipped bulk packages. In some cases, we sent hundreds of corporate-branded USB memory sticks to targeted departments within a company. We would often place a note in the package, instructing the recipient that these devices were approved by the information technology department and should be distributed to all employees. In almost every instance, they always complied with our request.
One particular test was very interesting. Our client had been monitoring two packages that had been unopened for several weeks. We shipped one parcel to his West Coast operation and another to his office in the east.
Our client’s frustration would soon be replaced by panic. I called him to get the status on the West Coast parcel when he explained that he could not find it. While scouring the building, he entered the commissary to see almost every employee wearing our poisoned USB devices and customized lanyards around their necks. Like a mad man, he started going from person to person, tearing them off.
When I asked about the East Coast package, our client indicated the situation was worse. His East Coast counterpart was watching that package and noticed it had gone missing. They investigated the disappearance, and learned the marketing group had taken our poisoned parcel of USB devices to a well-known industry trade show as free swag for their booth. Fortunately, everything was collected before the attendees of the show were given any of the infected trinkets.
Our social engineering testing began to morph into a physiological experiment. As users clicked on our poisoned thumb drive content, we began displaying a command prompt indicating, “You should not have done that.” Within the prompt, we would also display their IP address, machine name, user name, and our signature logo of a skull-and-cross keyboards. The content displayed would also be sent to the IT department. Our goal was to see if they would call IT in hopes of admitting they had done something that could be a problem for their employer.
Our results were surprising. We learned that users in a variety of company positions rarely ever called IT about our message. We also found they would repeat their actions. In one case, a VP at a major company clicked on our exploit multiple times to display our message, yet he never called IT! When the opportunity prevailed, we asked users why they didn’t alert IT. Only one answer seemed to be genuine. The user responded by saying, “As long as the machine seemed to be functioning fine, why should I bother calling IT?"
Our user’s honest comment was frightening, but made sense. Why get a tongue-lashing by IT for not following policy if everything was OK? Clicking without consequence clearly has been learned by users. Although with a plague of CryptoLocker malware becoming more and more prevalent, I suspect this behavior will be changing quickly. Unfortunately, the poor IT guys will be forced to deal with the burden of restoring users machines from backups, or converting dollars to Bitcoin to meets the capture demands.
Secure Network Technologies, Inc