Key Takeaways: Using a Blacklist of Stolen Passwords [Webinar]

More than 90 billion passwords are being used across the web today, and it’s expected to be nearer 300 billion by 2020. With that in mind, the topics of password best practices and the threats around stolen credentials, remain top challenges for many global organizations.

Security Boulevard recently hosted a webinar with Shape and cyber security expert Justin Richer, co-author of the new NIST (National Institute of Standards and Technology) Digital Identity Guidelines. The webinar looks at how password protection and password attack prevention have evolved.

Watch the full webinar here

Key Takeaways


Traditional P@$$wOrd Guidelines Don’t Solve the Problem

Justin Richer discusses how passwords were originally invented as a way to gain entry. But today they have evolved into a way to authenticate who you are. Companies rely on a username-password combination to give them confidence you are who you say you are. So once passwords are stolen, companies have less and less confidence you are the person you claim to be.

To make it difficult for criminals to steal your identity companies have implemented complex password requirements. Unfortunately, this conventional wisdom around password management, such as enforced rotation every six months, using at least six characters, upper and lowercase characters, numbers and symbols, have made passwords hard to remember.

Additionally, for non-English languages, not all these rules can be applied regarding uppercase and lowercase. They also don’t always adapt to the world of mobile devices where it’s hard to type using touch screens, and the emerging technology of voice recognition personal assistants.

In the end, users reuse passwords that are easy to remember and pick bad passwords due to password fatigue. As a result, traditional password guidelines don’t help companies gain confidence—they are actually compounding the problem.

The Real Culprit – Password Reuse

In reality the problem companies are fighting is password reuse. Once one account has been compromised, the attackers have access to multiple accounts that use the same username and password. Fraudsters may use these accounts themselves, but often they bundle up the stolen credentials and sell the passwords on the dark web.

New NIST guidelines serve to help companies reduce password fatigue and reuse, while also providing suggestions for testing new passwords against a database of stolen credentials—a breach corpus. When the two are implemented together, fraudsters will have a much harder time taking advantage of stolen credentials through account takeover and automated fraud.

New Passwords and Using Blacklists

Revision 3 of the NIST password guidelines overview – Digital identity guidelines – has dramatically updated recommendations on how to use passwords properly:

https://pages.nist.gov/800-63-3/sp800-63b/appA_memorized.html

The main tenets are:

    • Don’t rely on passwords alone. Use multi-factor authentication steps to verify the user is who they claim to be.
    • Drop the complexity requirements, they make passwords hard to remember and aren’t as effective as once thought.
    • Allow all different types of characters.
    • End the upper limit on size. Length can be an important key to avoid theft.
    • Rotate when something seems suspect. Don’t rotate because of an arbitrary timeout, like every six months.
    • Disallow common passwords.
    • Check new passwords against a blacklist of stolen passwords

The most important step is to check new passwords against a blacklist. These cover a range of passwords, including those known to have been already compromised, and those used in any major presentation. Checking against a blacklist is new territory—a lot of organizations don’t even know where to start.

Creating a Blacklist

An ideal blacklist should have all stolen passwords—not just the ones discovered on the dark web. Unfortunately creating a list of all stolen passwords is difficult. Recently companies have been relying on lists of stolen credentials from the dark web, but these are often too little, too late as it’s not possible to know how long these stolen passwords have been in circulation. For example, Yahoo was breached in 2013, but didn’t realize until 2016. Due to the economics of attackers, there is almost always a big lag between when data is breached and when it’s exploited.

Blackfish and the Breach Corpus

At Shape we created Blackfish to proactively invalidate user and employee credentials as soon as they are compromised from a data breach. It notifies organizations in near real-time, even before the breach is reported or discovered. How does it do this?

Blackfish technology is built upon the Shape Security global customer network which includes many of the largest companies in the industries most targeted by cybercriminals including banking, retail, airlines, hotels and government agencies. By protecting the highest profile target companies, the Blackfish network sees attacks using stolen credentials first, and is able to invalidate the credentials early in the fraud kill chain. This provides a breakthrough solution in solving the zero-day vulnerability gap between the time a breach occurs and its discovery.

Using machine learning, as soon as a credential is identified as compromised on one site, Blackfish instantly and autonomously protects all other customers in its collective defense network. As a result, Blackfish is the most comprehensive blacklist in the industry today.

Don’t Rely on Dark Web Research

Dark web research provides too little information, too late. Today major online organizations can take a much more proactive approach to credential stuffing. By using Blackfish businesses can immediately defend themselves from attack while reducing the operational risk to the organization. Over time these stolen credentials become less valuable to attackers because they just don’t work, and in turn credential stuffing attacks and fraud are reduced.

Watch the full webinar here

Imitation Game – The New Frontline of Security at QCon San Francisco

This week over 1400 software developers are gathering in San Francisco for QCon to share the latest innovations in the developers’ community. The conference highlights best practices in a wide range of emerging technology trends such as microservices, design thinking, and next generation security.

Below are three sessions that will inspire your thinking in next-gen web security and technology.

Wednesday Keynote: The Imitation Game – The New Frontline of Security, 9:00 am, Grand Ballroom, Shuman Ghosemajumder
As one of the four keynote speakers, Shuman Ghosemajumder, Shape’s VP of product management, will discuss the next wave of security challenges: telling the difference between humans and bots. From Blade Runner to Ex Machina, robots in sci-fi have become increasingly sophisticated and hard to distinguish from humans. How about in real life? How are bots taking advantage of user interfaces designed for humans? In his keynote on Wednesday, Shuman will explain how a complex bot ecosystem is now being used to breach applications thought to be secure.

Wednesday Track: The Dark Side of Security, 10:10 am, Bayview A/B, Nwokedi Idika
As Sun Tzu noted in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” To win the battle against rising cyber criminals, you must know your enemy. How do they think? What do they do before and after the compromise? How do they monetize? In this track, Dr. Nwokedi Idika, Senior Research Scientist at Shape, will guide you on a journey into the minds of the cyber criminals.

Wednesday Track: Javascript Everywhere, 10:10 am, Pacific LMNO, Jarrod Overson
JavaScript usage has been expanding past the browser for years. It’s now used in server applications at companies like Paypal and Walmart, native apps like Slack and Atom, mobile apps like Untappd, and even compilers for game engines like Unreal and Unity. Come to this track led by Jarrod Overson, Director of Software Engineering at Shape and JavaScript super fan, to learn why and how JavaScript is used everywhere.

Want more QCon inspirations? Follow #ShapeSecurity and #QConSF on twitter now.

Rising Attack Vector: Credential Stuffing

Credential stuffing is a growing threat to the web community. As more companies are offering their goods and services online, customers practicing bad password hygiene are in danger of having their account stolen whenever a website is breached.

Read more about the rise of credential stuffing below.

Credential stuffing is taking lists of breached credentials from one website and testing them against another. According to the most recent Verizon Data Breach report, it’s one the fastest rising attack vectors.

The list of major companies that have fallen to this attack is impressive: Sony ‘11, Yahoo ‘12, Dropbox ‘12, and JPMC ‘14.

Credential stuffing is a general concept, but the outcome of successfully taking over user accounts results in more specific attack in various industries: stealing hotel reward points, pilfering airline frequent flier miles, and committing gift card fraud, to name just a few.

The Definition of Credential Stuffing

Credential stuffing is the automated testing of breached username/password pairs in order to fraudulently gain access to user accounts. This attack involves checking large numbers of spilled credentials against various websites to uncover credentials that are valid on a target website. Attackers then hijack those accounts and commit various types of fraud.

The Anatomy of Credential Stuffing Attack

  1. The attacker acquires spilled usernames and passwords from a website breach or password dump site.
  2. The attacker uses an account checker to test the stolen credentials against many websites (for instance, social media sites or online marketplaces).
  3. Successful logins (usually 0.1-1% of the total login attempts) allow the attacker to take over the account matching the stolen credentials.
  4. The attacker drains stolen accounts of stored value, credit card numbers, and other personally identifiable information
  5. The attacker may also use account information going forward for other nefarious purposes (for example, to send spam or create further transactions)

How is Credential Stuffing Different from Existing Threats?

We’ve classified credential stuffing as a renewed form of attack because the primary vector for account takeover has changed from the breaching of databases to automated web injection.

According to our analysis, credential stuffing is now the most popular method used by attackers to achieve account takeover. This is particularly dangerous to both consumers and enterprises because of the ripple effects of these breaches.

Credential Stuffing was the Attack Vector Used in the Sony, Yahoo, Dropbox and JPMC Breaches

Below are excerpts taken from publications analyzing these large-scale breaches. There is evidence to support that these breaches were connected by credential stuffing.

  • Sony, 2011 breach: “I wish to highlight that two-thirds of users whose data were in both the Sony data set and the Gawker breach earlier this year used the same password for each system.” Source: Agile Bits
  • Yahoo, 2012 breach: “What do Sony and Yahoo! have in common? Passwords!”. Source: Troy Hunt
  • Dropbox, 2012 breach: “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log into sites across the internet, including Dropbox”. Source: Dropbox
  • JPMC, 2014 breach: “[The breached data] contained some of the combinations of passwords and email addresses used by race participants who had registered on the Corporate Challenge website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations”. Source: NY Times

Anatomy of the 2011 credential stuffing attack on Sony. Credentials from smaller sites are leaked and injected into Sony’s login pages to test for credential reuse. The attacker gained access to any Sony accounts which used the same credentials as were leaked from the smaller sites.

Using botnets, Sony credentials were tested on Sony’s login page. According to Wired, this resulted in 93,000 breached accounts. In other words, the credential stuffing attack that led to the Sony breach was made possible by prior breaches of smaller sites.

This connected chain of events from Sony to Yahoo to Dropbox excludes JPMC. The JPMC breach came from a separate and unrelated source. We know that the JPMC breach was caused by attackers targeting an unrelated third-party athletic race/run site for credentials to use against JPMC.

What Can SysAdmins Do to Prevent Attackers from Hijacking User Accounts by Credential Stuffing?

The answer requires an understanding of the technical mechanism by which credential stuffing works.

Like account checkers, credential stuffing works by using the static form elements of the login page as an implicit API. The attacker references various form element names (email and password) in order to interact with the target webpage. Since most websites accept such traffic as normal (having no means to distinguish between intended and malicious use), the attacker can automate the attack by using scripts and account checkers to easily run through millions of tests per unit time. Using a large-scale distributed botnet and a huge number of IP addresses allows the attacker avoid rate and volume limits which might otherwise prevent such a large number of login attempts. Thus, it is trivial even for unsophisticated attackers to launch attacks of this nature and scale against some of the largest websites in the world.

To defend websites against such activity, which we call “unwanted automation,” Shape Security uses an approach that is familiar to attackers: we dynamically change the underlying code of the site each time a page is viewed to defeat the types of scripts used in credential stuffing attacks. Just as malware authors have long used polymorphic code to evade antivirus products by constantly presenting different signatures, Shape’s solution creates a moving target which frustrates potential attackers attempting to automate easy credential testing on the website using scripts. The effort an attacker must invest to successfully automate login attempts on a given website without changing the front-end use experience.

Of course, savvy readers will point out numerous ways these measures can be circumvented. While, it is beyond the scope of this article (but perhaps the subject of future pieces) to consider such attacks (DOM, GUI, and others), Shape is keenly focused on comprehensively defeating them and has solutions at each of those levels.

Contact us to learn how Shape Security can protect your site.