Friday, August 11, 2017

ProTip: Avoid "Credential Stuffing" Attacks

The other day I was thinking about how easy it would be to compromise a large number of user accounts all over the internet that were associated with data breaches.  A few days after that random thought, ironically, I read this article (published a little over a week ago):
http://www.bankinfosecurity.com/hacker-group-31337-dumps-data-stolen-from-mandiant-analyst-a-10160

The cyber security industry refers to this as "credential stuffing." With this type of attack, a hacker essentially takes your credentials and re-uses them in an attempt to gain access to other sites that you have an account with.  I've always known it was a possibility, but I had never really thought about the technical requirements to pull it off.  When I did stop to think about it, it literally took me less than a minute to conclude that Stevie Wonder could probably do this with a spoon.  That's what led me to do this quick write-up.

I'm going to try to keep this as close to layman's terms as possible for understandability.  So, if you feel like you need to chime in with the mathematics on password entropy, don't.  Piss up a rope instead.

This is for my homies out there.

The Skinny

By default, humans hate managing passwords.  You have your personal accounts, work accounts, and all of them have annoying password policies.  There have been a few cases where I've literally wanted to find the security engineer of the website and punch him/her in the face.  With that said, there's a tendency for us to use the same passwords across multiple sites.  Doing so definitely makes your life easier, but in the likely event of a data breach, you've exposed yourself to being e-fondled by dudes who are better at the internet than you are.  Typically, when a data breach occurs and your account is compromised, that information is either dumped on sites like Pastebin or sold on the black market for bad guys to do with as they choose.  Sometimes the passwords are in clear text; sometimes they need to be cracked, which isn't the toughest feat nowadays.  Now, a few words on the implications over time.

Even if you change the password associated with your user account after finding out that site was compromised, you're not in the clear.  Before I continue, stop and think about how many different sites you use the same username (most often your e-mail address) and password on...

Yup, thought so.

So, you changed your password after the breach.  You're good to go, right? Wrong.  The issue is: it's pretty trivial to take that compromised username and password combination, feed it into a script and spray it at a long list of websites.  This is essentially a "bot" that takes the username and password you had at the time of the breach and tries to log in to a long list of websites.  These attacks aren't very complicated either.  Literally, a middle schooler with some programming expertise could pull it off to some degree.  Yes, there are mitigating controls out there such as multi-factor authentication, but not all sites use them.

Think about it: In the LinkedIn breach alone, it was reported that somewhere around 6.5 million accounts were leaked.  If I took those 6.5 million credentials and sprayed them at a list of 100 popular websites, how many login attempts would be successful?  Yeah, it's hard to quantify, but the number sure wouldn't be anything close to zero.  For the hacker, it's essentially a lotto, but with much better odds than a scratch-off.
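From the website operator's side, the "bot" described above leaves a recognizable trace in the login logs: one source trying many different usernames in a short window, with a failure rate no real person produces (a legitimate user fat-fingers the same username a couple of times and then gets in).  The following Python is an added example, not code from the original post; the log line format, the thresholds, the IP addresses (documentation ranges) and every sample line are constructed for illustration.

```python
"""Flag login sources that look like a credential-stuffing run.

Assumed (constructed) log format, one event per line:
    <ISO timestamp> <source IP> <username> OK|FAIL
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LoginEvent(NamedTuple):
    when: datetime
    source_ip: str
    username: str
    success: bool


# Constructed sample log, not from any real system. 203.0.113.7 sprays ten
# different usernames in ten seconds and gets one hit; 198.51.100.5 is a
# real user mistyping their own password twice; 192.0.2.10 just logs in.
SAMPLE_LOG = """\
2017-08-11T10:00:00 203.0.113.7 alice@example.com FAIL
2017-08-11T10:00:01 203.0.113.7 bob@example.com FAIL
2017-08-11T10:00:02 203.0.113.7 carol@example.com OK
2017-08-11T10:00:03 203.0.113.7 dave@example.com FAIL
2017-08-11T10:00:04 203.0.113.7 erin@example.com FAIL
2017-08-11T10:00:05 203.0.113.7 frank@example.com FAIL
2017-08-11T10:00:06 203.0.113.7 grace@example.com FAIL
2017-08-11T10:00:07 203.0.113.7 heidi@example.com FAIL
2017-08-11T10:00:08 203.0.113.7 ivan@example.com FAIL
2017-08-11T10:00:09 203.0.113.7 judy@example.com FAIL
2017-08-11T10:01:00 198.51.100.5 alice@example.com FAIL
2017-08-11T10:01:20 198.51.100.5 alice@example.com FAIL
2017-08-11T10:01:35 198.51.100.5 alice@example.com OK
2017-08-11T10:02:00 192.0.2.10 dave@example.com OK
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the assumed format above, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return events


def find_stuffing_sources(
    events: List[LoginEvent],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, dict]:
    """Return {source_ip: stats} for every source that, inside some `window`,
    tried at least `min_distinct_users` different usernames and failed at
    least `min_fail_ratio` of those attempts. Thresholds are illustrative."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.source_ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(evs)):
            # Slide `start` forward so evs[start:end+1] all fall within `window`.
            while evs[end].when - evs[start].when > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.username for e in chunk}
            failures = sum(1 for e in chunk if not e.success)
            fail_ratio = failures / len(chunk)
            if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "fail_ratio": round(fail_ratio, 2),
                        # Accounts the run actually got into: these need a reset.
                        "compromised": sorted(e.username for e in chunk if e.success),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Counting distinct usernames per source (rather than attempts per account) is what separates this from an ordinary brute-force detector: a stuffing run tries each account about once, so per-account lockouts never trigger.  In practice the run is usually spread across many proxy addresses, so treat this as the starting heuristic and pair it with per-account velocity, device fingerprinting and multi-factor authentication.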

Tips and Things to Consider

  • Don't get complacent and use the same password for every site you have an account with.  If you absolutely have to be lazy, at least use a subset of passwords so a hacker doesn't have credentials for all of your accounts if one site is breached.
  • Password length is generally a better rule of thumb than complexity.  When feasible, use length and complexity, but again, if you insist on being lazy, lengthy passwords are better than short complex ones. Example: "My Anaconda don't want none unless you got buns, hun!" is less likely to get cracked than "pIcKl3s!!"
  • Even if the username and password associated with a breached website don't mean much to you, keep in mind that for a hacker they could be a stepping stone to gather intelligence on you, which could subsequently assist them in compromising your other accounts that do have value to you; e.g., you have a profile that has your biography information in it.  Hackers can use this to guess passwords for other sites, or to answer security questions.
  • Don't get stuck with "favorite" passwords.  Just because a significant amount of time has passed since a breach you were a victim of doesn't mean that password is safe to use again later.  Hackers know this, and will wait for some arbitrary amount of time before re-attempting a login with those credentials.
  • Go to https://haveibeenpwned.com/ and see if you've been a part of any breach.  The site maintains a list of accounts that have been associated with past breaches.  If you're on that list (which you probably are), that should be enough to convince you that you should rotate passwords over time.
  • There are password managers out there that you can use to help manage all of your passwords, but keep in mind they're targets for hackers, and the implications are pretty obvious if one is compromised.

Stay safe out there.
