Credential stuffing has been around for years. But the signs are that 2019 might well be a stand-out year, as the black hats start to monetise the huge volumes of breached identity data flooding the dark web. While historically many firms’ response has been to blame customers for poor login security, this approach is not going to wash going forward. To protect the brand and bottom line, they need to be more proactive.
I spoke to some experts for an upcoming Infosecurity Magazine feature to better assess the scale of the challenge, and what can be done to tackle it.
At its heart, credential stuffing is a pretty straightforward attack. Take large volumes of username/password data from dark web troves, many of which are now arranged in easy-to-use “combo lists”, and feed them into bot-powered automated programmes designed to try to unlock accounts on other sites. Because users share passwords across multiple sites, the hackers will usually succeed with some of them, which is bad for consumers and possibly for enterprises too, if those accounts are corporate ones.
“I’ve seen password reuse on corporate accounts many times and it’s a standard operation to check our password leak database during the reconnaissance phase in every red team engagement,” SANS Institute certified instructor, Matthias Fuchs, explained to me. “Still, many organisations allow outside access to some corporate services like webmail. If they don’t use MFA there, the accounts are at the same risk as on private platforms. After all it’s just another website to try the creds on.”
Experts agreed that credential stuffing will only grow as we head through the year.
“The sheer volume of credential stuffing attacks since the start of 2019 is alarming. The success of recent attacks against consumer services — TurboTax and Dunkin’ Donuts, to name a couple — is just continuing proof that protecting data instead of protecting identities and people is a failing security model,” Ping Identity CCIO, Richard Bird, told me.
“Unfortunately, organisations are not taking even the most basic steps necessary to thwart these types of attacks, so it’s likely that they will continue to proliferate. Companies must come to the table with better security solutions for their customers. Leveraging available technologies like MFA, device fingerprinting and artificial intelligence to detect anomalous behaviours are just a few steps that can be taken to protect customers and their data.”
Shape Security director of engineering, Jarrod Overson, claimed that credential stuffing would increase “at the rate that bandwidth and hardware allows.”
“Credential stuffing, like all attacks, involves a cost/value justification for the attacker and, right now, it costs virtually nothing to execute an attack that can take over thousands to millions of accounts,” he told me. “Without automated defences in place then an attacker’s best interest is to execute an attack as rapidly as possible to get results before the company recognises and puts in countermeasures. Even with protections in place, Shape recorded its biggest attack ever in January with nearly three billion attacks against one customer in one week against one user flow (the login).”
The bad news is that the black hats continue to evolve their tactics.
“Attackers are getting more creative in how they use personal information to either reset accounts, gain trust or establish online access to accounts. I think one big issue is that attackers are getting smarter in how they use the information and how they monetise stolen information,” SANS dean of research, Johannes Ullrich, told me.
“In the past, there used to be some obvious ways to monetise stolen information, like credit card theft. But the value of this information has been steadily decreasing because first of all, there is already more information out there than can be used, and entities like banks are getting better at blocking access. But attackers are slowly discovering the social component of this. They are now better able to identify trust relationships and to use leaked data to authenticate and take advantage of these trust relationships.”
Overson and his team are seeing the same patterns as cyber-criminals look to ape human behaviour in new ways.
“These advanced attacks involve the exploitation of mobile applications, browser extensions, or third-party scripts to drive the behaviour of an application even after a user has logged in,” he said. “We’re calling the trend towards attacks that simulate human behaviour ‘Imitation Attacks’ — this is an umbrella term that encompasses all illegitimate transactions made seemingly on behalf of a real user. This includes advanced phishing attacks, credential stuffing, password spraying, and other attacks that exploit the inherent functionality of an application.”
The big question for CISOs is how to stop it. Credential stuffing could lead to compromise of enterprise accounts, enabling multi-staged info-stealing raids or BEC attacks. It could also have a devastating knock-on effect on customer confidence and brand loyalty if consumer accounts are hijacked en masse.
For Overson, the answer is rapid response with targeted countermeasures, which should also be removed when the attack subsides. He also recommends a “variable” response, which will make it harder for hackers to predict what defensive tactics the white hats are going to use next.
“There is no silver bullet against automated attackers, because the actors behind the attacks are human adversaries who will always attempt to retool around defences. The paths attackers are taking are the same paths that our users are taking and too much security-related friction in critical user experience flows leads to loss of revenue and business,” he warned.
“Mitigation requires fast-moving collaboration across teams along with security vendors to roll out targeted countermeasures for specific attackers while leaving average users unaffected. As attackers start to retool with more artificial intelligence and machine learning then rapid, limited, variable feedback becomes even more important.”
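To make the detection side of this concrete, here is an added example written for this post (it is not Shape’s, Ping’s or any vendor’s tooling). It turns the description of the attack above into a detector that runs over login logs: a genuine user fails a few times on one account, whereas a combo-list replay fails across many accounts from one source and occasionally hits one. The log format, the addresses, the account names and the thresholds are all constructed for illustration, and the response tiers at the end only sketch the “targeted countermeasure for the attacker, no friction for everyone else” idea from the quotes; adapt `parse_line()` to whatever your identity provider actually emits.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

The log format, IPs, account names and thresholds are all constructed for
illustration; adapt parse_line() to whatever your identity provider emits.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Event:
    ts: datetime
    src: str      # source address
    user: str     # account attempted
    ok: bool      # True on a successful login


def parse_line(line: str) -> Event:
    """Parse one constructed 'timestamp src account RESULT' line."""
    ts, src, user, result = line.split()
    return Event(datetime.strptime(ts, FMT), src, user, result == "SUCCESS")


def build_sample_log() -> list[str]:
    """Constructed sample: two legitimate logins plus one source walking a
    combo list of 40 accounts, two of which still use a leaked password."""
    base = datetime(2019, 2, 11, 9, 0, 0)
    lines = [
        f"{base.strftime(FMT)} 203.0.113.7 alice@example.com FAIL",
        f"{(base + timedelta(seconds=11)).strftime(FMT)} 203.0.113.7 alice@example.com SUCCESS",
        f"{(base + timedelta(minutes=2)).strftime(FMT)} 203.0.113.9 bob@example.com SUCCESS",
    ]
    for i in range(40):
        t = base + timedelta(seconds=30 + 3 * i)
        result = "SUCCESS" if i in (7, 23) else "FAIL"
        lines.append(f"{t.strftime(FMT)} 198.51.100.20 user{i:03d}@example.com {result}")
    return lines


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=20, max_success_rate=0.2):
    """Flag any source that, inside a sliding `window`, tries at least
    `min_accounts` distinct accounts with a success rate at or below
    `max_success_rate`. Thresholds are illustrative; tune them to your traffic."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        recent: deque[Event] = deque()
        for e in evs:
            recent.append(e)
            while e.ts - recent[0].ts > window:   # drop events older than the window
                recent.popleft()
            accounts = {r.user for r in recent}
            successes = sum(r.ok for r in recent)
            if len(accounts) >= min_accounts and successes / len(recent) <= max_success_rate:
                findings[src] = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(recent),
                    "successes": successes,
                    "first_seen": recent[0].ts,
                    "last_seen": e.ts,
                }
    return findings


def compromised_accounts(events, findings) -> list[str]:
    """Accounts that logged in successfully from a flagged source: these are
    the ones whose reused password worked and need a forced reset."""
    return sorted({e.user for e in events if e.src in findings and e.ok})


def choose_response(finding) -> str:
    """Per-source countermeasure so ordinary users see no extra friction.
    The tiers are illustrative, not any vendor's policy."""
    if finding["successes"] > 0:
        return "block_source_and_force_reset"
    return "challenge_source"   # e.g. step-up MFA or CAPTCHA for this source only


if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_log()]
    found = detect_stuffing(evs)
    for src, finding in found.items():
        print(src, finding, "->", choose_response(finding))
    print("reset needed:", compromised_accounts(evs, found))
```

Run as-is it flags only the source that walked the list, leaves the two normal users untouched, and names the two accounts that need a password reset. Note that the per-source view alone misses a low-and-slow campaign spread across many addresses; a per-account view (one username hit from many sources) is the complementary signal to add.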
Here’s an interesting new idea from Microsoft – a radical solution to the problem of buggy code.
The new paper, penned by Redmondian Andrew Begel and a group of Zurich university boffins, suggests managers monitor programmers via EEG, EDA and eye-tracking sensors. These would alert them when an individual is struggling and therefore likely to introduce flawed code.
Now, it sounds like a pretty good idea in theory, and in practice has apparently performed pretty well. But one security expert I spoke to had some major misgivings.
Imperva co-founder and CTO Amichai Shulman argued that it might stray outside the boundaries of what could be construed as “reasonable”.
“I think constantly monitoring the psychological status and the physical conditions of programmers seems tremendously intrusive and probably strays way off from what I consider to be ‘reasonable means’,” he told me.
“However, I think that even if we review this in the cold eyes of a software professional there are some doubts about the usefulness of this method in general and its application to security vulnerabilities in particular.”
The first doubt he had relates to the tremendous commercial pressure coders are under to release “more functionality in less time”.
“On their way to achieving higher rates of LOC/sec, programmers as well as their employers are willing to sacrifice other attributes of the code such as efficiency, readability and also correctness – assuming that some of these will be corrected later during testing cycles and some will not be critical enough to be ever fixed,” he explained.
“If we introduce a system that constantly holds back on programmers because they are stressed for some reason we will effectively introduce unbearable delays into the project which will of course put more pressure on those who perform the job when schedule becomes tight.”
This is not to mention the fact that programmers should, at times, be “over” challenged to keep them sharp and happy with their roles.
“Additionally, there’s a big question of whether a system like that can make a distinction between making a critical mistake or a minor one, which again impacts its ability to have a positive effect on the software development process in general,” said Shulman.
Then, of course, there’s the issue of what kinds of flaws the system will root out.
“I think that most security related mistakes are introduced inadvertently as a consequence of the programmer not having the faintest idea regarding the potential implication of some implementation decision,” he argued. “This is the case with SQL injection, XSS, RFI and many more vulnerability types.”
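Shulman’s point is worth seeing in code. The following is an added example written for this post, not anything from the paper or from Imperva: two implementations of the same “look up a user” query that differ only in an implementation decision most developers never think about. The table, the two accounts and the crafted input are constructed; the query in the first function is deliberately the vulnerable form so the contrast with the second is visible.

```python
"""SQL injection as an implementation decision (added example).

Both functions answer the same question. One splices the caller's value into
the statement text, the other binds it as a parameter. The table and accounts
below are constructed for the demonstration.
"""
from __future__ import annotations

import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two fake accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable on purpose: the value is spliced into the statement text,
    so the database parses caller-controlled characters as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Same query with a bound parameter: the value travels as data and can
    never change the statement's structure, whatever characters it holds."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = setup_db()
    crafted = "nobody' OR '1'='1"          # constructed input containing a quote
    print("unsafe:", find_user_unsafe(db, crafted))   # every row comes back
    print("safe:  ", find_user_safe(db, crafted))     # no such user: empty list
```

Nothing about the first function looks wrong to a programmer who has never heard of injection, which is exactly the “not having the faintest idea” failure mode described above; the fix is a different habit (bound parameters everywhere), not a different level of concentration.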
So, bottom line: nice idea Microsoft, but it’s probably not going to solve the problem of poor coding anytime soon. Until something genuinely revolutionary comes along we’ll probably have to stick to the usual suspects to reduce risk: security tools, patching, better QA and testing.
Last week I finished off an analysis of the China/cyber espionage stories that have been flying around in recent months, with a surprising conclusion – in many circumstances the country may well be as much a victim of attack as a perpetrator.
We are unlikely to ever find out the extent of state-sponsored cyber attacks on the US and its allies, although thanks to several high profile reports which name and shame Beijing it’s clear that the tip of the iceberg is well and truly showing.
However, we can be clearer about how secure or otherwise China’s IP address space is, and make some general observations.
I spoke to several information security experts about this and they were all in agreement that China is a particularly attractive place to launch attacks from, simply because there are so many compromised PCs as well as enough bulletproof hosting firms there to use with impunity.
HKCERT senior consultant, SC Leung, explained to me how compromised computers, or bots, in China are helping cyber criminals from outside the country.
“The zombie computer, or bot, steals the data (using its IP address) and sends it back to the attacker. When tracing the compromise police can only find the bot computer IP address. The attacker can further command the bot to send the data to Dropbox or a third party forum, and then retrieve it directly or indirectly. This long chain of investigation of different servers (probably in different jurisdictions) hampers the investigation.”
It’s also worth mentioning that not all attacks are being carried out by external forces to compromise Chinese IP addresses which are then used as a staging point to attack other countries. China has a massive internal problem with home-grown cyber crims targeting their own – stealing data, IP, bank credentials and even blackmailing by DDoS or other means.
It’s interesting to note that a week or so after I published this story, the FT ran an interesting piece which reached the same conclusions, claiming that the government is failing to provide coherent oversight on information security matters and that the forensics industry is virtually non-existent in China.
Apart from addressing these two problems, there needs to be greater user education and awareness to ensure fewer PCs are vulnerable to outside attack, and a crackdown on bulletproof hosters.
At the moment, the Party seems to be happy to close down porn sites in high profile raids, willfully censor its citizens and hit out at any US accusations of cyber subterfuge, but not to get its own house in order.
Cleaning up its address space first would surely improve China’s standing internationally and may even help foster more cross-border co-operation, rather than the relentless mud-slinging of late.
Schneier, if you haven’t come across him, is BT’s chief security technology officer, author, cryptographer extraordinaire and philosopher-cum-infosecurity out-of-the-box-thinker.
Basically, what he says in info-security circles is usually listened to, although his propensity to tackle the subject more from a socio- or even biological perspective than a mere discussion of bits and bytes can make quotable extracts from a conversation with him pretty thin on the ground.
That said, Schneier was on form last night, focusing on the topic of trust and the notion that all systems, be they sociological, biological and so on, need co-operation to work. These systems also feature, inevitably, ‘defectors’, who don’t obey the rules and require security to keep their activities to manageable levels.
All fine and dandy, but what about the future? Does Schneier think we’re all doomed?
Well he certainly believes that the gap between the bad guys profiting from new technologies and the good guys catching up is greater than at any point in the past thanks to the sheer volume of new tech and the huge social change it is spurring, which is somewhat worrying.
However, there is hope that all is not lost. For one, he declared the bad stuff that happens online still a “tiny percentage” of the whole.
“I’m a short term pessimist but a long-term optimist,” he added.
As the older generation dies out things will gradually change too, he explained, as new norms around things like privacy come into play, and even the music industry will eventually be forced to change.
“The internet is the greatest generational gap since rock n roll,” he declared.
“People stealing music now are doing what will be normal in ten years’ time, they just figured it out first. The business model of scarcity doesn’t work.”
In less reassuring news, he argued that the balkanisation of the internet is likely to continue as national governments seek to establish their own controls – particularly appropriate given we were sitting in the Conrad Hong Kong, just a few miles from mainland China and the Great Firewall.
“It turns out the internet does have boundaries,” Schneier concluded. “Governments are enforcing their rules more and more and it makes for a less stable internet but it is the geopolitical future.”