With CyberSecurity Awareness Month in full swing and every vendor in the market pitching their particular solutions, I thought it might be fun to buck the trend and get back to some good old-fashioned vendor-agnostic ways of improving your cybersecurity posture.
Operational Security, or “OPSEC”, has been a concept in military circles for as long as military circles have existed. The thought that an adversary could collect and weaponise your own information against you has kept many defenders up at night, and the exploitation of poor OPSEC has led to many a defeat.
In the context of modern business, OPSEC can be thought of as any practices, habits, rules and rituals performed on a day-to-day basis with the intent to make an attacker’s life more difficult. These could range from high-level policies around corporate vulnerability management to a policy forbidding staff from putting passwords on POST-IT notes under keyboards (we’ve all seen it).
For the purposes of this article, I’d like to take a medium-depth dive into the concept of OPSEC as it pertains to credentials. We’ll explore how credentials are created, stored, stolen and abused and, more importantly, the little things that you, the user, can do to frustrate attackers in their efforts to abuse them.
Before going any further, we should establish who is responsible for good OPSEC. No surprises here; the answer is “you”.
One of the hallmarks of organisations with poor OPSEC is the assumption that somebody else is taking care of things. This type of organisation tends to push responsibility (and culpability) up the food chain until it reaches a plateau where, unable to move any higher, it starts moving laterally, usually between department heads. Don’t be this type of organisation.
Bringing it back to credentials and a more concrete example of how putting your faith in systems administrators to manage your credentials securely is probably a bad idea; take a second to head over to Troy Hunt’s excellent-if-terrifying website, haveibeenpwned.com. Enter your personal email address. Go on, I’ll wait.
Sufficiently horrified? Thought so. Some of your credentials are almost certainly already in the public domain; worse, if you’ve reused these credentials on other sites or services, it’s probably safe to say that they’ll eventually be compromised too.
Those websites, databases and services were run by professional systems administrators, often with dedicated cybersecurity staff at hand. If your list of breaches is anything like mine, we can deduce a few common themes about how credentials are stored in the real world.
Firstly, despite most modern databases having decent implementations of hashing functions and encryption algorithms, systems administrators often either don’t use them, or misuse them in such a way as to make it trivial for an attacker to extract unencrypted passwords.
Secondly, simple misconfigurations (or permissions given out of frustration) regularly expose these poorly encrypted databases of credentials to the internet at large.
Thirdly, many systems administrators interpret the request to delete an account as a request to disable or suspect an account. These are not the same thing.
These three points highlight just how easy it is for your credentials to fall into the wrong hands through no fault of your own, but understanding and acknowledging them also hints at a few things that you, the user, can do to make things somewhat more difficult for potential attackers.
Credentials and Crime
Before we get into making yourself a difficult mark for cybercriminals, we’ll need to look at how they go about their business. Dispelling a few commonly held myths should help frame the conversation.
Myth number one: “It’s just teenagers in hoodies.”
Cybercrime today is a multi-billion dollar industry. Criminal organisations have offices, helpdesks, holiday schedules and even the dreaded “middle management”. While the stereotype of the “hacker in a hoodie” does still exist, they primarily serve to feed credentials upstream to more traditional criminal organisations. These organisations bring resources, infrastructure and an increased risk appetite. A teenager with your bank details would be taking a significant personal risk by emptying your account. A global syndicate with a network of intermediate bank accounts in poorly regulated jurisdictions, less so. Criminal gangs pay good money for credentials; a complete set of bank details, including debit cards, could sell for as high as $250. Amazon accounts retail for around $30, eBay for approximately $20 and passports are $18 a piece. Given these prices, the breach of a relatively modest online store with only a few thousand users could mean a massive payday for the seller.
Myth number two: “No real criminal would be interested in me personally.”
In a sense, this is true, but unfortunately, not in a good way. Gone are the days when a cybercriminal would spend hours or even days trying to get into somebody’s accounts. Today accounts are found, stolen, sold, traded and compromised at industrial levels. While it’s true that a modern attacker may never see your name on their screen, rest assured that your details are somewhere on a very long list. Eventually, the automated tools criminals employ to validate stolen credentials will get to your name.
Myth number three: “Having my credentials stolen is just an inconvenience.”
At first blush, having your Facebook account compromised might not seem like a life-changing event, but in many cases, it could be. Suppose you’ve used the same credentials for both Facebook and Gmail. In this case, it’s a matter of time before an attacker confirms this reuse of passwords through a technique called “Credential Stuffing”, in which known credentials for one website are automatically tested against hundreds or thousands of other websites. With your email credentials in hand, it’s a quick search of your inbox to see who you do your banking with, and if you’ve set up your bank account to use email as your multi-factor authentication, you can see where this is going. It’s also worth considering the treasure trove of personal details that social media accounts contain and how they might be used by an attacker to impersonate you to loved ones, online retailers and credit card companies. Account takeover attacks (ATOs) have become “bread and butter” in the cryptocurrency scammer world, ranging from the takeover of verified celebrity “blue check” Twitter accounts to simply impersonating friends and family to promote crypto fraud.
Myth number four: “Website administrators will secure my credentials.”
Modern websites are complicated machines with many technologies, frameworks and programming languages. The opportunity for mistakes or misconfiguration is endless, even for seasoned developers and administrators. When this complexity is combined with tight deadlines, a “Just make it work!” business culture and the fact that for most developers, security is a relatively small part of their job, it’s easy to see how mistakes could happen. These mistakes can, unfortunately, have serious consequences; a quick search on shodan.io lists 4,682,924 MySQL databases currently exposed to the internet. In a number that large, the chance that some of them will have weak, default or easy-to-guess administrative passwords is pretty high – and the malicious scripts that continuously probe them know this. The only question remaining is: How long before a database containing your details gets “popped” and sold on the Darknet.
Myth number five: “My password is difficult to guess.”
I hate to be the bearer of bad news, but your password is probably not as complex as it should be. According to research by Hive Systems, a password of 7 random characters or less is essentially useless.
Part of the problem with the password complexity arms race is that we’re pitting 1970s methods of manufacturing password complexity against 2020s technologies. Passwords of 8 or 9 random characters require a bit of effort, but are still entirely crackable by an enthusiast on current generation over-the-shelf hardware. A middling modern laptop can test hundreds of thousands of passwords per second, and a decent-sized cloud instance, millions (while being far more cost-effective).
Things skew even more to the attacker’s side when you factor in the potential of “Rainbow Tables”. Rainbow tables are pre-computed cryptographic hashes of trillions of random character combinations available for download on your local hacker forums. If a website you frequent uses MD5 hashing to obfuscate user passwords, you can reasonably assume that your credentials were cracked long before you even signed up.
Making it difficult for them.
Now for the good news. Despite it looking like the odds are stacked against you, there are some straightforward and cost-effective ways of subverting the tools and processes of the credential theft industry.
Use a password manager. Password managers make some of the more challenging elements of credentials OPSEC easy. Firstly, they make it possible to have a unique password for every site you frequent through the magic of auto-fill. I can proudly say that I have no idea what my Netflix password is; I only know that it’s over 32 characters long and isn’t used for anything else (limiting the “blast radius” if Netflix gets hacked). That’s not to say that password managers are perfect; they make juicy targets for hackers and have been compromised before. That said, the safety of having ludicrously complex, unique passwords for everything is probably worth it. Just be sure to secure your password manager with a complex password and multi-factor authentication.
Use multi-factor authentication. Once a novelty, multi-factor authentication is slowly becoming the standard, particularly for sites and services that require credit card details. MFA means that even when your credentials are compromised, the criminals attempting to use them won’t be able to do too much damage in your name. Adding “something temporarily displayed on something you are physically close to” into the usual mix of username and password significantly increases the chances of an attacker moving on down the list of names in the hope of finding an easier target. One caveat on using SMS as your second authentication factor – It’s better than nothing, but not the best. Criminals have been known to manipulate telephone company support staff into shipping them duplicate SIM cards (or simply stealing them from post boxes), allowing them to effectively hijack users’ second authentication factors. Where possible, instead, use a mobile application such as Google Authenticator.
Include commas in your passwords. Okay, admittedly this is more of a trolling exercise than actual OPSEC, but it is fun. Quite often, credential dumps are traded in the form of comma-separated value text files (CSVs). A well placed comma in your credentials might just break CSV formatting, ensuring a little extra work and frustration for your would-be attacker. No point making it easy for ‘em, right?
Good Operational Security isn’t any single practice, process or technology. It’s the stacking of multiple small, everyday things that result in something far greater than the sum of their parts. Hopefully this post has provided a bit of insight into how attackers go about their business, and how, just like any legitimate workflow, they can be subject to disruption.
Have a great Cybersecurity awareness month all!