{"id":14889,"date":"2019-03-21T08:10:04","date_gmt":"2019-03-21T16:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/21\/news-8638\/"},"modified":"2019-03-21T08:10:04","modified_gmt":"2019-03-21T16:10:04","slug":"news-8638","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/03\/21\/news-8638\/","title":{"rendered":"Are hackers gonna hack anymore? Not if we keep reusing passwords"},"content":{"rendered":"<p><strong>Credit to Author: Kacy Zurkus | Date: Thu, 21 Mar 2019 15:00:00 +0000<\/strong><\/p>\n<p>Enterprises have a password problem, and it\u2019s one that is making the work of hackers a lot easier. From credential stuffing to brute force and password spraying attacks, modern hackers don\u2019t have to do much hacking in order to compromise internal corporate networks. Instead, they log in using weak, stolen, or otherwise compromised credentials.<\/p>\n<p>Take the recent case of Citrix as an example. The FBI informed Citrix that a nation-state actor had likely gained access to the company\u2019s internal network, news that came only months after Citrix forced a password reset because it had suffered a credential-stuffing attack.<\/p>\n<p>\u201cWhile not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. 
Once they gained a foothold with limited access, they worked to circumvent additional layers of security,\u201d Citrix wrote in a March 6th <a href=\"https:\/\/www.citrix.com\/blogs\/2019\/03\/08\/citrix-investigating-unauthorized-access-to-internal-network\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>.<\/p>\n<h3>Password problems abound<\/h3>\n<p>While a recent data privacy <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups\/\" target=\"_blank\" rel=\"noopener\">survey<\/a> conducted by Malwarebytes found that an overwhelming majority (96 percent) of the 4,000 cross-generational respondents said online privacy is crucial, nearly a third (29 percent) admitted to reusing passwords across multiple accounts.<\/p>\n<p>Survey after survey shows that passwords are the bane of enterprise security. In a <a href=\"https:\/\/www.centrify.com\/resources\/centrify-privileged-access-management-in-the-modern-threatscape-2019\/\" target=\"_blank\" rel=\"noopener\">recent survey<\/a> conducted by Centrify, 52 percent of respondents said their organizations do not have a password vault, and one in five still aren\u2019t using MFA for administrative privileged access.<\/p>\n<p>\u201cThat\u2019s too easy for a modern hacker,\u201d said Torsten George, Cybersecurity Evangelist at Centrify. \u201cOrganizations can significantly harden their security posture by adopting a Zero Trust Privilege approach to secure the modern threatscape and granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.\u201d<\/p>\n<h3>How hackers attack without hacking<\/h3>\n<p>The problem with password reuse is that attackers don\u2019t need advanced tactics to gain a foothold in your network. 
\u201cIn many cases, first stage attacks are simple vectors such as password spraying and credential stuffing and could be avoided with proper password hygiene,\u201d according to Daniel Smith, head of threat research at Radware.<\/p>\n<p>When cybercriminals are conducting password spraying attacks, they typically scan an organization\u2019s infrastructure for externally facing applications and network services, such as webmail, SSO, and VPN gateways.<\/p>\n<p>Because these interfaces typically have strict timeout features, malicious actors will opt for password spraying over brute force attacks, which allows them to avoid being timed out or triggering an alert to administrators.<\/p>\n<p>\u201cPassword spraying is a technique that involves using a limited set of passwords like Unidesk1, test, C1trix32 or nsroot that are discovered during the recon phase and used in attempted logins for known usernames,\u201d Smith said. \u201cOnce the user is compromised, the actors will then employ advanced techniques to deploy and spread malware to gain persistence in the network.\u201d<\/p>\n<p>Cybercriminals have also been targeting cloud-based accounts by leveraging Internet Message Access Protocol (IMAP) for password-spray attacks, according to Proofpoint. One tricky hitch with IMAP is that two-factor authentication inherently can\u2019t work, so it is automatically bypassed when authenticating, said Justin Jett, director of audit and compliance for Plixer.<\/p>\n<p>\u201cBecause password-spraying attacks don\u2019t generate an alarm or lock out a user account, a hacker can continually attempt logging in until they succeed. Once they succeed, they may try to use the credentials they found for other purposes,\u201d Jett said.<\/p>\n<h3>Tightening up password security<\/h3>\n<p>The reality is that guessing passwords is easier for hackers than going up against technology. 
If we\u2019re being honest, there is a strong chance that an attacker is already in your network, given the widespread problem of password reuse. Because passwords are used to authenticate users, any conversation about augmenting password security has to look at the bigger picture of authentication strategies.<\/p>\n<p>It\u2019s true that password length and complexity are critical to creating strong passwords, but making each password unique has its challenges. <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/05\/dont-need-27-different-passwords\/\" target=\"_blank\" rel=\"noopener\">Password managers<\/a> have proven effective at addressing the problem of remembering credentials for multiple accounts, and these tools are indeed an important piece of an overall password security strategy.<\/p>\n<p>\u201cThe pervasiveness of password stuffing, brute force and other similar attacks shows that password length is no longer a deterrent,\u201d said Fausto Oliveira, principal security architect at Acceptto.<\/p>\n<p>Instead, Oliveira said enabling continuous authentication on privileged employee, client, and consumer accounts is one preemptive approach that can stop an attacker from gaining access to sensitive information\u2014even if they breach the system with a brute force attack.<\/p>\n<p>\u201cIt is not about a simple 123456, obvious P@55word password versus a complicated passphrase, but recognizing that all of your passwords are compromised. This includes those passwords you have not yet created, you just don\u2019t know it yet.\u201d<\/p>\n<p>Passwords continue to be a problem because their creation and maintenance are largely the responsibility of the user. 
There\u2019s no technology to change human behavior, which only exacerbates the issues of password reuse and overall poor password hygiene.<\/p>\n<p>Organizations that want to tighten up their password security need to look seriously at more viable solutions than trusting users, which may include eliminating passwords altogether.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/hackers-gonna-hack-anymore-not-keep-reusing-passwords\/\">Are hackers gonna hack anymore? Not if we keep reusing passwords<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A look at the not-so-hacking hacker techniques attackers are using to compromise user accounts via weak passwords and gain access to enterprise networks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[19514,21323,4503,12177,21324,6272,3919,21325,21255,21326,21327],"class_list":["post-14889","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-brute-force","tag-credential-stuffing","tag-cybercrime","tag-enterprise","tag-enterprises","tag-hackers","tag-hacking","tag-password-managers","tag-password-spraying","tag-reusing-passwords","tag-weak-passwords"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14889"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14889\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.ph
p\/wp-json\/wp\/v2\/categories?post=14889"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}