Pass the Passwords
In our last post, we discussed how credential stuffing attacks are on the rise, with over 193 billion failed login attempts against websites in 2020, as reported by Dark Reading. These types of attacks are possible because of the huge number of data breaches that have occurred, giving hackers access to billions of real passwords that users have actually chosen.
Adding to the ever-growing number of personal records that hackers have access to, researchers recently found 23 misconfigured Android apps that may have exposed over 100 million user records, including emails, passwords, locations, photos, and chat messages. In a separate incident, Air India disclosed that attackers breached their systems and exfiltrated 4.5 million records on the airline’s passengers, including names, contact information, passport details, and credit card data. While passwords were not disclosed in this particular incident, Air India is still encouraging users to reset them.
While data breach stories like these make the headlines, it is easy to lose track of how these breaches start adding up. Troy Hunt’s service, haveibeenpwned.com, is an online research tool that collects the data disclosed from data breaches (via legal means) and allows users to query that data to verify whether their personal data, especially their passwords, have been disclosed (and these days, that is almost everyone).
Have I Been Pwned has been operating since 2013 and, as of this writing, has 11,388,405,982 user records in its database. That is nearly 12 billion data records that hackers have exfiltrated from companies and spread on the Internet to use in credential stuffing. In 2017, Have I Been Pwned expanded to allow password lookups. Independent of any identifying username, users can query the leaked credential database to see whether a given string, word, or phrase was used as a password by any account in the database. This allows users to ensure that any new password they create is not already in the hands of attackers and actively being used in credential stuffing attacks (193 billion failed login attempts, remember?).
Finally, the FBI will now contribute passwords that it finds as part of its ongoing investigations as well (without personal identifiers such as usernames), further expanding the usefulness of the password lookup by adding proprietary password data on top of the publicly disclosed breaches.
Hackers go after the weakest link in security, and using pre-made lists of verified passwords is much easier than standard brute forcing. Thus, password complexity rules are no longer a guarantee of password security. After all, what good is a ten-character password, with uppercase characters, numbers, and special characters, if hackers already have a hold of it from a previous data breach? Instead, if you are making a new password, first check it against previously disclosed passwords (securely! obviously…). After you have verified your new password is unique, then it makes sense to also ensure it is appropriately complex.
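The "securely" part of that check is worth spelling out. The Pwned Passwords lookup works by k-anonymity: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and receives every suffix in that range with its breach count, so the full password (and even the full hash) never leaves the machine. The following is an added example, not code from the original post or from Have I Been Pwned; the range response it parses is constructed inline so the example runs offline, and the `hibp_fetch_range` helper (which uses the real `https://api.pwnedpasswords.com/range/` endpoint) is only there for a practitioner who wants to swap in a live lookup.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6.
# Each line is "<35-char hash suffix>:<breach count>"; the real response has
# hundreds of lines. A zero count is what padded (fake) entries look like.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000000:0
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12
"""

def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breaches (0 = not found).

    Only the 5-character hash prefix is handed to fetch_range; the 35-character
    suffix is compared locally, so neither the password nor its full hash is sent.
    """
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP lookup, returning the constructed sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def hibp_fetch_range(prefix: str) -> str:
    """Live lookup against the real range endpoint (network required; not called here)."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def is_safe_to_use(password: str, fetch_range: Callable[[str], str] = constructed_fetch_range) -> bool:
    """The policy the post recommends: reject any password seen in a breach."""
    return pwned_count(password, fetch_range) == 0
```

Calling `is_safe_to_use("password", hibp_fetch_range)` performs the same check against the live service; the count it returns is what a signup form should use to reject the password before applying any complexity rules.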
We hope you aren’t tired of hearing about ransomware attacks, because they are still dominating the security news cycles:
The largest ferry service in Massachusetts, The Steamship Authority, reported they had been the victims of a ransomware attack last week, Wednesday, June 2nd. Fortunately, no data exfiltration has been reported at this point, but ticketing and reservation processes are experiencing delays (for those considering the ferry service in the area).
The Japanese electronics company, Fujifilm, reported that they were taking services offline in what appears to be a ransomware attack. Details have not been forthcoming thus far.
In more bad news for the state of Massachusetts, Sturdy Memorial Hospital paid off a ransomware gang at the end of May after being targeted with ransomware in February. Interestingly, the hospital was able to recover their internal services and data but still made the payment in exchange for promises that the exfiltrated data, which included Social Security numbers, bank account numbers, credit card numbers, and medical histories, would be destroyed and not further distributed.
JBS, the world’s largest meat supplier, was targeted by a “cybersecurity attack” that later turned out to be ransomware. Operations were shut down for a few days but have now mostly recovered. The FBI continues to investigate the attack, which they attribute to REvil, a ransomware operation hosted in Russia.
With the slew of ransomware stories in the past several weeks, the federal government is increasingly prioritizing defending against them. Recently, the White House issued a statement to corporations with recommendations on how to protect themselves against ransomware (not to compete or anything, but we also wrote about steps to take in a previous post). In addition, the Department of Justice has elevated the priority of ransomware responses to be on par with terrorism.
In news that might hit closer to home, Amazon has released its new Sidewalk program, a feature that allows Amazon devices to talk to one another independent of their owner’s home WiFi or network. Many among the security community are raising security and privacy concerns with this new program, as it allows Amazon devices from different homes to communicate with each other. Moreover, because Amazon is setting the Sidewalk program as a default setting, many Amazon device owners may be opted into the program without their full awareness or understanding.