Wednesday’s Black Hat Recap
| Events |
We’re at Black Hat this week sharing in the discussion on the biggest trends and happenings in the cyber security world. So far, it’s been a great show with a lot of activity. Here are a few items of note from the show floor and from some of the great presentations.
Russian Cyber-gangs Amass More than a Billion User Credentials:
The New York Times broke the story right before the show opening that new research shows that Russian cyber gangs, dubbed CyberVor, have amassed about 1.2 billion user credentials from across thousands of websites. This has generated a lot of discussion at the event – from if this is legit, to support for the researcher who refuses to provide the world with details – however, there’s little concern from the security community itself. The main takeaway from people we’ve talked to is that this is just the latest in a series of password dumps that continue to happen with greater frequency – and emphasizes the problems that plague password security.
The reality is that we won’t be able to get rid of passwords until a more secure and user-friendly authentication mechanism is available. Even then, we’ll still have all the legacy systems to contend with that do not support any other authentication method. What CyberVor really tells us is that the immediate problem is with password re-use. If you do the math, the number of credentials stolen divided by the number of sites they were taken from, shows that people continue to re-use passwords across properties.
It will take some time for service providers to employ secure salted hashing schemes that will make it more difficult for attackers to get to the actual passwords. While it’s critical that organizations rollout automated systems to secure the credentials for their sensitive assets, it’s imperative that we also start educating people about the dangers of password re-use and identity theft.
Retail/PoS Breaches Dominate
The sessions looking at PoS attacks have been standing room only – they serve as a microcosm of the problems that plague the industry. As highlighted in our recent survey, PoS attacks have changed security policy more than any other attack except the NSA/insider breach. Attackers are infiltrating these networks either through direct attacks like phishing, or by attacking a third-party vendor’s connection to the target company’s network. However, the real flashpoint occurs once the attackers get inside: which is the theft of insider credentials, giving them the ability to implant malware directly in the pathway of user financial information.
Latest Attacks and Malware are Dependent on Privileged/Insider Credentials
There have been a lot of great sessions focusing on the newest and most virulent forms of malware, the latest phishing schemes, and how attackers can infiltrate corporate systems through connected devices like VoIP phones and copiers.
What’s missing from these conversations is the fact that attackers need privileged and insider credentials to allow these attacks to do damage or move beyond the device itself. Case in point illustrated by Dan Munro on multi-function printers in healthcare organizations. It’s a must read if you think printers are not an important access point to lockdown. Whether its default passwords in connected devices or using insider credentials to install malware, businesses need to focus on the mechanism attackers are using to actually carry out their attacks.
The Best is Yet to Come
Our very own Andrey Dulkin will be giving a session tomorrow on Pass-the-Hash attacks – a must see! He’ll use proprietary research from multiple in-use networks to demonstrate just how prevalent and easy to find hashes are on a network. Of course, he’ll also talk about how you can prevent hackers from finding your hashes before you have a chance to lock them down.