Key Takeaways: Using a Blacklist of Stolen Passwords [Webinar]

More than 90 billion passwords are being used across the web today, and the figure is expected to be nearer 300 billion by 2020. With that in mind, password best practices and the threats around stolen credentials remain top challenges for many global organizations.

Security Boulevard recently hosted a webinar with Shape and cyber security expert Justin Richer, co-author of the new NIST (National Institute of Standards and Technology) Digital Identity Guidelines. The webinar looks at how password protection and password attack prevention have evolved.

Watch the full webinar here

Key Takeaways


Traditional P@$$wOrd Guidelines Don’t Solve the Problem

Justin Richer discusses how passwords were originally invented as a way to gain entry. But today they have evolved into a way to authenticate who you are. Companies rely on a username-password combination to give them confidence you are who you say you are. So once passwords are stolen, companies have less and less confidence you are the person you claim to be.

To make it difficult for criminals to steal your identity, companies have implemented complex password requirements. Unfortunately, this conventional wisdom around password management, such as enforced rotation every six months, a minimum of six characters, and mandatory upper and lowercase characters, numbers and symbols, has made passwords hard to remember.

Additionally, for non-English languages, not all of these rules can be applied, since uppercase and lowercase do not exist in every script. The rules also don’t always adapt to the world of mobile devices, where it’s hard to type on a touch screen, or to the emerging technology of voice-recognition personal assistants.

In the end, users reuse passwords that are easy to remember and pick bad passwords due to password fatigue. As a result, traditional password guidelines don’t help companies gain confidence—they are actually compounding the problem.

The Real Culprit – Password Reuse

In reality, the problem companies are fighting is password reuse. Once one account has been compromised, the attackers have access to every other account that uses the same username and password. Fraudsters may use these accounts themselves, but often they bundle up the stolen credentials and sell the passwords on the dark web.

New NIST guidelines serve to help companies reduce password fatigue and reuse, while also providing suggestions for testing new passwords against a database of stolen credentials—a breach corpus. When the two are implemented together, fraudsters will have a much harder time taking advantage of stolen credentials through account takeover and automated fraud.

New Passwords and Using Blacklists

Revision 3 of the NIST Digital Identity Guidelines (SP 800-63-3) has dramatically updated its recommendations on how to use passwords properly:

https://pages.nist.gov/800-63-3/sp800-63b/appA_memorized.html

The main tenets are:

    • Don’t rely on passwords alone. Use multi-factor authentication steps to verify the user is who they claim to be.
    • Drop the complexity requirements; they make passwords hard to remember and aren’t as effective as once thought.
    • Allow all different types of characters.
    • End the upper limit on length. Length can be an important defense against theft.
    • Rotate when something seems suspect. Don’t rotate because of an arbitrary timeout, like every six months.
    • Disallow common passwords.
    • Check new passwords against a blacklist of stolen passwords.


The most important step is to check new passwords against a blacklist. These cover a range of passwords, including those already known to have been compromised and those used in any major presentation. Checking against a blacklist is new territory—a lot of organizations don’t even know where to start.

Creating a Blacklist

An ideal blacklist should have all stolen passwords—not just the ones discovered on the dark web. Unfortunately, creating a list of all stolen passwords is difficult. Recently, companies have been relying on lists of stolen credentials from the dark web, but these are often too little, too late, as it’s not possible to know how long these stolen passwords have been in circulation. For example, Yahoo was breached in 2013 but didn’t realize it until 2016. Due to the economics of attackers, there is almost always a big lag between when data is breached and when it’s exploited.

Blackfish and the Breach Corpus

At Shape we created Blackfish to proactively invalidate user and employee credentials as soon as they are compromised from a data breach. It notifies organizations in near real-time, even before the breach is reported or discovered. How does it do this?

Blackfish technology is built upon the Shape Security global customer network, which includes many of the largest companies in the industries most targeted by cybercriminals, including banking, retail, airlines, hotels and government agencies. By protecting the highest-profile target companies, the Blackfish network sees attacks using stolen credentials first, and is able to invalidate the credentials early in the fraud kill chain. This provides a breakthrough solution to the zero-day vulnerability gap between the time a breach occurs and its discovery.

Using machine learning, as soon as a credential is identified as compromised on one site, Blackfish instantly and autonomously protects all other customers in its collective defense network. As a result, Blackfish is the most comprehensive blacklist in the industry today.

Don’t Rely on Dark Web Research

Dark web research provides too little information, too late. Today major online organizations can take a much more proactive approach to credential stuffing. By using Blackfish, businesses can immediately defend themselves from attack while reducing the operational risk to the organization. Over time these stolen credentials become less valuable to attackers because they just don’t work, and in turn credential stuffing attacks and fraud are reduced.


Introducing Unminify

Shape Security is proud to announce the release of Unminify, our new open source tool for the automatic cleanup and deobfuscation of JavaScript.

Example

Given

function validate(i){var _=["no","ok"];return log(i),isValid(i)?_[1]:_[0]}

Unminify produces

function validate(i) {
  log(i);
  if (isValid(i)) {
    return 'ok';
  } else {
    return 'no';
  }
}

Installation and usage

Unminify is a node.js module and is available on npm. It can be installed globally with npm install -g unminify and then executed as unminify file.js, or executed without installation as npx unminify file.js. It is also suitable for use as a library. For more, see the readme.

Unminify supports several levels of transformation, depending on how carefully the original semantics of the program need to be tracked. Some transformations can alter some or all behavior of the program under some circumstances; these are disabled by default.

Background

JavaScript differs from most programming languages in that it has no portable compiled form: the language which humans write is the same as the language which browsers download and execute.

In modern JavaScript development, however, there is still usually at least one compilation step. Experienced JavaScript developers are probably familiar with tools like UglifyJS, which are designed to transform JavaScript source files to minimize the amount of space they take while retaining their functionality, allowing humans to write code they can read without sending extraneous information like comments and whitespace to browsers. In addition, UglifyJS transforms the underlying structure (the abstract syntax tree, or AST) of the source code: for example, it rewrites if (a) { b(); c(); } to the equivalent a&&(b(),c()) anywhere such a construct occurs in the source. Code which has been processed by such tools is generally significantly less readable; however, this is not necessarily a goal of UglifyJS and similar minifiers.

In other cases, the explicit goal is to obfuscate code (i.e., to render it difficult for humans and/or machines to analyze). In practice, most tools for this are not significantly more advanced than UglifyJS. Such tools generally operate by transforming the source code in one or more passes, each time applying a specific technique intended to obscure the program’s behavior. A careful human can effectively undo these by hand, given time proportional to the size of the program.

Simple examples

Suppose our original program is as follows:

function validate(input) {
  log(input);
  if (isValid(input)) {
    return 'ok';
  } else {
    return 'no';
  }
}

UglifyJS will turn this into

function validate(i){return log(i),isValid(i)?"ok":"no"}

and an obfuscation tool might further rewrite this to

function validate(i){var _=["no","ok"];return log(i),isValid(i)?_[1]:_[0]}

State of the art

There are well-established tools like Prettier for formatting JavaScript source by the addition of whitespace and other non-semantic syntax which improves readability. These undo half of what a tool like UglifyJS does, but because they are intended for use by developers on their own code rather than for analysis of code produced elsewhere, they do not transform the underlying structure. Running Prettier on the above example gives

function validate(i) {
  var _ = ["no", "ok"];
  return log(i), isValid(i) ? _[1] : _[0];
}

Other tools like JSTillery and JSNice do offer some amount of transformation of the structure of the code. However, in practice they tend to be quite limited. In our example above, JSTillery produces

function validate(i)
    /*Scope Closed:false | writes:false*/
    {
        return log(i), isValid(i) ? 'ok' : 'no';
    }

and JSNice produces

function validate(i) {
  var _ = ["no", "ok"];
  return log(i), isValid(i) ? _[1] : _[0];
}

Unminify

Unminify is our contribution to this space. It can undo most of the transformations applied by UglifyJS and by simple obfuscation tools. On our example above, given the right options it will fully restore the original program except for the name of the local variable input, which is not recoverable:

function validate(i) {
  log(i);
  if (isValid(i)) {
    return 'ok';
  } else {
    return 'no';
  }
}

Unminify is built on top of our open source Shift family of tools for the analysis and transformation of JavaScript.

Operation

The basic operation of Unminify consists of parsing the code to an AST, applying a series of transformations to that AST iteratively until no further changes are possible, and then generating JavaScript source from the final AST. These transformations are merely functions which consume a Shift AST and produce a Shift AST. This process is handled well by the Shift family, which makes it simple to write and, crucially, to reason about analysis and transformation passes on JavaScript source. There is very little magic under the hood.

Unminify has support for adding additional transformation passes to its pipeline. These can be passed with the --additional-transform transform.js flag, where transform.js is a file exporting a transformation function. If you develop a transformation which is generally useful, we encourage you to contribute it!
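The parse, transform-to-fixpoint, generate loop described under Operation, reduced to a toy that handles the UglifyJS output from the Simple examples section. This is an added illustration, not Unminify's code; the node shapes (Return, Sequence, Conditional, If, ExprStmt) are assumed here and are not the Shift AST's, and the two passes stand in for Unminify's transforms.

```javascript
// Toy AST for `function validate(i){return log(i),isValid(i)?"ok":"no"}`, hand-built
// for this example; the node shapes are assumed here and are not the Shift AST's.
const call = (callee, ...args) => ({ type: 'Call', callee, args });
const lit = value => ({ type: 'Literal', value });
const INPUT = { type: 'Function', name: 'validate', params: ['i'], body: [
  { type: 'Return', arg: { type: 'Sequence', exprs: [call('log', 'i'), { type: 'Conditional',
    test: call('isValid', 'i'), consequent: lit('ok'), alternate: lit('no') }] } }] };

// Pass 1: `return a, b;`  ->  `a; return b;`
function splitSequenceReturn(stmt) {
  if (stmt.type !== 'Return' || stmt.arg.type !== 'Sequence') return [stmt];
  const exprs = stmt.arg.exprs;
  const effects = exprs.slice(0, -1).map(e => ({ type: 'ExprStmt', expr: e }));
  return [...effects, { type: 'Return', arg: exprs[exprs.length - 1] }];
}

// Pass 2: `return t ? a : b;`  ->  `if (t) { return a; } else { return b; }`
function expandConditionalReturn(stmt) {
  if (stmt.type !== 'Return' || stmt.arg.type !== 'Conditional') return [stmt];
  const c = stmt.arg;
  return [{ type: 'If', test: c.test, then: [{ type: 'Return', arg: c.consequent }],
            else: [{ type: 'Return', arg: c.alternate }] }];
}

// Each pass maps one statement to a list of statements; run them all over a block,
// descending into if-branches. An additional pass is just another entry in PASSES.
const PASSES = [splitSequenceReturn, expandConditionalReturn];
function transformBlock(stmts) {
  return stmts.flatMap(s => PASSES.reduce((acc, pass) => acc.flatMap(pass), [s]))
    .map(s => s.type === 'If' ? { ...s, then: transformBlock(s.then), else: transformBlock(s.else) } : s);
}

// Re-run the passes until the tree stops changing (a fixpoint).
function unminify(fn) {
  let body = fn.body, before;
  do { before = JSON.stringify(body); body = transformBlock(body); }
  while (JSON.stringify(body) !== before);
  return { ...fn, body };
}
// Minimal source generator for the toy node types above.
function genExpr(e) {
  if (e.type === 'Literal') return `'${e.value}'`;
  if (e.type === 'Call') return `${e.callee}(${e.args.join(', ')})`;
  if (e.type === 'Sequence') return e.exprs.map(genExpr).join(', ');
  return `${genExpr(e.test)} ? ${genExpr(e.consequent)} : ${genExpr(e.alternate)}`;
}
function genBlock(stmts, ind) {
  return stmts.map(s => s.type === 'ExprStmt' ? `${ind}${genExpr(s.expr)};`
    : s.type === 'Return' ? `${ind}return ${genExpr(s.arg)};`
    : `${ind}if (${genExpr(s.test)}) {\n${genBlock(s.then, ind + '  ')}\n${ind}} else {\n` +
      `${genBlock(s.else, ind + '  ')}\n${ind}}`).join('\n');
}
function generate(fn) {
  return `function ${fn.name}(${fn.params.join(', ')}) {\n${genBlock(fn.body, '  ')}\n}`;
}
```

Running generate(unminify(INPUT)) yields the restored validate() shown earlier in the post, with the parameter still named i; generate(INPUT) prints the one-line minified form, which is what a formatter-only tool leaves you with.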

Introducing Blackfish, a system to help eliminate the use of stolen passwords

Today we’re releasing Blackfish, a system that proactively protects companies from credential stuffing before an attack takes place. Normally, credential stuffing starts with a data breach at one major company (“Initial Victim”), and continues when a criminal then uses the stolen data (usernames and passwords) against dozens or even hundreds of different companies (“Downstream Victims”). Usually, many months or years pass before the Initial Victim realizes and discloses the initial data breach, and in that time, criminals are able to successfully attack huge numbers of Downstream Victims. Later, once the Initial Victim does disclose the breach, the Downstream Victims start matching the username/password pairs from the Initial Victim against their own user databases, and resetting any passwords that match. The whole process can take years and results in hundreds of millions of dollars worth of fraud and brand damage.

Blackfish changes all that. From the very first moment a criminal attempts to use stolen usernames and passwords, Blackfish begins monitoring and protecting matching accounts at other companies. So, while under normal circumstances a criminal can get hundreds of chances to monetize the stolen usernames and passwords, with Blackfish in place, criminals get far fewer chances.

You may be wondering how Blackfish can accomplish all this. Explaining that requires a little background on Shape Security.

We founded Shape six years ago to answer a simple question: is a visitor to a web or mobile app an actual human being? This simple question proved to be an important one. As we perfected our ability to answer it, we started eliminating enormous amounts of fraudulent traffic from the largest web and mobile apps in the world — often 90% or more of the login traffic from a Fortune 100 web application.

Today, we are the primary line of defense for many of the largest organizations around the world. Our customers include: three of the top four banks, three of the top five airlines, two of the top three hotel chains, and numerous other leading companies and government agencies.

We secure all of those large organizations in a centralized way, directly delivering the security outcome of eliminating fraudulent traffic. That centralized security capability is also the heart of Blackfish, and allows Blackfish to see stolen usernames and passwords in use far before anyone else ever knows about them (including the Initial Victim).

Think about it: if you were a criminal and managed to steal all the usernames and passwords from a major corporation, where would you try them out? If you’re like most criminals, the answer is that you’d try them on the largest banks, airlines, hotels, and retail sites in the world. That’s what happens in practice, and when it does, that’s also when Blackfish sees the very first such attack, and sets about protecting all username/password pairs that happen to match on other large websites.

Blackfish does all this before the original data breach is reported or even detected by the Initial Victim company.

The problem with looking for credentials on the dark web

You can scour the dark web to find user credentials, but one of the greatest dangers companies face today is the long window of time between when breaches occur on third-party websites like Yahoo, and when those breaches are discovered and announced. Instead of hoping that stolen passwords will appear in the dark web in time to be useful, Blackfish autonomously detects credential stuffing attacks on the largest, most targeted websites in the world, identifies newly stolen credentials, and nullifies them globally. That stolen data becomes useless to cybercriminals.

How does it work?

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Blackfish’s knowledge base of compromised credentials is built with maximum security in mind. To keep that knowledge base secure, Blackfish does not store any credential information; instead it uses Bloom filters, a probabilistic data structure, to perform its operations. As a result, the compromised credentials themselves are not stored anywhere, and Blackfish can use the information about compromises to improve security while maintaining full data privacy.

What good is a stolen password if you can never use it?

For better or for worse, memorized secrets (a.k.a. “passwords”) are the most widely used authentication mechanism online. As such, having access to millions of stolen passwords (over 3.3 billion were reported stolen in 2016 alone) allows cybercriminals to easily take over users’ accounts on any major website. They do this with credential stuffing attacks, which take stolen passwords from website A and try them on website B to see which accounts the same email addresses and passwords will unlock. Cybercriminals can do this reliably with a typical 1-2% success rate, allowing them to seize the value in bank accounts, gift card accounts, airline loyalty programs, and other accounts, which they can then monetize for a predictable ROI.

Since credential stuffing attacks are responsible for more than 99.9% of account takeover attempts, if we identify the stolen credentials that are used in these attacks, and invalidate them across other websites, we change the economics for cybercriminals significantly. If their 1-2% success rate now drops by two orders of magnitude or more, their “business” no longer functions. At that point, the cybercriminal has no choice but to try to obtain new stolen passwords. If those new passwords are similarly detected and invalidated, it will become clear to the criminals that the economics of their scheme have been broken. We think that over time, Blackfish will end credential stuffing for everyone.

We are all very excited at Shape to announce this system and our vision to make credential stuffing attacks a thing of the past. You can learn more on our website and contact us when your company is ready to try Blackfish.