Citrix called the incident a “very sophisticated password attack,” but that isn’t the reality of the situation; there’s nothing sophisticated going on. These are straight brute force attacks with a high degree of success, largely because the leaked LinkedIn records have allowed the attacker to reuse credentials directly, or enumerate them slightly, in order to gain access.

It isn’t clear if the active cases are all related, or if there is more than one attacker or group conducting the raids. What is clear is that some of the organizations caught up in this situation are large ones, and the only reason they’re in this mess is recycled credentials.

There’s a method to the madness:

An attacker who has the LinkedIn list knows a person’s name, their work history, and their password. Thus, the attacker now has a list of possible targets, a good idea of how network IDs are generated, and some base passwords to start with. There’s more work to be done, as the attacker has to identify services and systems exposed to the public, but this isn’t an impossible task.

The point, Barak added, was to ensure that the exposure of a user’s password wouldn’t be enough to compromise their account.

Sadly, in many of the examples shared with Salted Hash, there was a direct relation between the compromised organization and the leaked LinkedIn account data set, so the username and password on LinkedIn was the exact combination needed to access the corporate network.

But even when there wasn’t a direct relation, the information available from the LinkedIn list allowed some basic guesses that resulted in successful compromises. For example, if there was a mismatch with the network ID, altering it slightly to match public email addresses often worked (e.g.

Two-factor authentication wasn’t a factor in any of the breach examples shared with Salted Hash. Again, this is because the compromised organizations didn’t use such features.

GoToMyPC isn’t the only service provider that’s been targeted recently. Earlier this month, TeamViewer users reported system compromises, and at least some of them admitted to reusing passwords. Last week, LogMeIn proactively reset accounts where it was determined a customer was recycling their LinkedIn password. On Tuesday, Carbonite reset all of their customers’ passwords after detecting login attempts using recycled credentials.

Weak password policies and recycled credentials are a serious problem. At the same time, this problem is one that isn’t easily fixed. Humans have developed some bad habits when it comes to passwords and access, and corporate policies that limit complexity and require easily guessed formats further enable these bad habits.

In hindsight, the organizations that were compromised due to the LinkedIn list made plenty of mistakes that proactive measures would have fixed. But singling them out, as if they’re something unique, would be a mistake.

Organizations don’t track passwords or audit them, users are allowed privileged access without restrictions, two-factor authentication is only sparingly enabled in some cases (assuming it’s enabled at all), and security policies are selectively applied. For example, the Department of Homeland Security banned personal webmail for security reasons. However, DHS Secretary Jeh Johnson was exempted from this ban because he liked to check his personal email from the office.

If that seems like a familiar situation to you, that’s because everyone who has ever worked in IT can tell horror stories about how C-level executives are regularly exempted from security policy.
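As an added example (not from the article, Salted Hash, or any vendor it names), this Python detector takes the defender's view of the pattern described above and runs it over a few constructed auth-log lines: one source spraying many accounts, including near-duplicate variants of the same network ID, and succeeding on a few, which is the kind of signal behind the Carbonite and LogMeIn resets. The log format, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article). Assumed format:
# "<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2016-06-20T10:00:01 203.0.113.7 jsmith LOGIN_FAIL
2016-06-20T10:00:02 203.0.113.7 j.smith LOGIN_FAIL
2016-06-20T10:00:03 203.0.113.7 jsmith1 LOGIN_OK
2016-06-20T10:00:04 203.0.113.7 adoe LOGIN_FAIL
2016-06-20T10:00:05 203.0.113.7 a.doe LOGIN_OK
2016-06-20T10:00:06 203.0.113.7 rlee LOGIN_FAIL
2016-06-20T10:00:07 203.0.113.7 r.lee LOGIN_FAIL
2016-06-20T10:05:00 198.51.100.4 mwong LOGIN_FAIL
2016-06-20T10:05:30 198.51.100.4 mwong LOGIN_OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def canonical(user: str) -> str:
    """Drop case, dots and digits so ID variants of one person (jsmith,
    j.smith, jsmith1) count as one target rather than three accounts."""
    return re.sub(r"[^a-z]", "", user.lower())


def analyze(log_text: str, min_accounts: int = 3, min_fail_ratio: float = 0.5) -> dict:
    """Flag source IPs whose behaviour matches credential stuffing: many distinct
    accounts, mostly failing, some then succeeding. One user mistyping their own
    password never reaches min_accounts, so it is not flagged."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set(),
                                 "people": set(), "reset": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(user)
        s["people"].add(canonical(user))
        if result == "LOGIN_FAIL":
            s["failures"] += 1
        elif s["failures"]:
            # success after failures from the same source: a recycled
            # credential worked, so this account needs a forced reset
            s["reset"].add(user)
    return {ip: {"accounts_tried": len(s["accounts"]),
                 "people_targeted": len(s["people"]),
                 "reset_candidates": sorted(s["reset"])}
            for ip, s in stats.items()
            if len(s["accounts"]) >= min_accounts
            and s["failures"] / s["attempts"] >= min_fail_ratio}
```

On the sample, only 203.0.113.7 is flagged, with seven accounts tried against three distinct people and two accounts (a.doe, jsmith1) queued for reset; the lone mwong typo from 198.51.100.4 is ignored.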