Published: November 20th, 2020
Welcome to Cyber Security today, the Week In Review edition. I’m Howard Solomon, contributing reporter on cybersecurity for IT World Canada.
To hear the podcast click on the arrow below:
With me as guest analyst is Terry Cutler, CEO of Cyology Labs in Montreal. But first, a roundup of what happened in the last seven days:
Outdoor retailer The North Face is notifying some customers that their accounts were recently accessed by a crook who had stolen their email address and North Face passwords. They got the credentials by hacking an unnamed service provider partner of North Face through a credential stuffing attack. That’s using stolen usernames and passwords from other data breaches to log into a site until one works. I’ll be talking in a few minutes with Terry about credential stuffing, why firms are still victimized by this type of attack and what they should do about it.
One of the reasons credential stuffing attacks work is that people use weak passwords on many accounts. This week security vendor NordPass showed how bad the situation is with a report on the most commonly used — and therefore the worst — passwords. Topping the list is ‘123456.” Second is 123456789.” Third is “picture1.” Fourth is the word “password.”
Look, a poor password is OK for a sports or hobby forum where you don’t enter personal information or buy things. But it’s reckless to use a poor password for a company, email, bank or social media login. Even worse is using the same password for several these sensitive applications.
The Canadian government proposed overhauling its private sector privacy legislation with a new law. If passed individuals would gain the right to demand companies delete personal data on them they hold. For their part companies would have to explain what data they capture and how it will be used in plain language. And if they don’t adequately protect personal data they run the risk of fines in the millions of dollars.
Someone at a Texas-based application hosting provider called Cloud Clusters left a sensitive database open to the internet that anyone could have accessed. It held more than 63 million records including unencrypted usernames and passwords for accounts on the Magento e-commerce and WordPress publishing platforms.
The Chicago Tribune reports that someone was able to hack the websites of a suburban school district and post hate messages, while the email of another school district was compromised allowing the attacker to email hate messages to students. Police are investigating.
Finally, Zoom is offering a free service to better protect users of its videoconferencing service. It now scans the Internet and open social media postings for links and passwords to upcoming conferencing meetings. These links shouldn’t be out in the open where anyone can log in and interrupt meetings. Meeting hosts are warned these links aren’t private anymore so they can decide to reschedule or change passwords.
With me this week for a look at one of these stories is Terry Cutler, CEO of Cyology Labs in Montreal.
There was news that outdoor recreation retailer The North Face was hit with a credentials stuffing attack that allowed a hacker to get into its computer system. And the attack was on a partner of the company that supplied a service and held the passwords. We don’t know, who but some retailers contract providers for a range of things — for example, an e-commerce provider to perform the online checkout service. It seems there’s two issues here: Supplier security and a password attack. So first, what is credentials stuffing?
“Basically credential stuffing is when people are re-using the same password for multiple sites. And what happens is one site gets breached and the passwords end up on the dark web and cybercriminals are able to buy lists of these compromised passwords. And they’re able to reuse that against the company. If their passwords are the same as their social media site or whatever it is, they’re going to get access to all of these accounts … And in the case of a third party, well, they can get into it. And if they’re able to gain access to the internal network, they might run a scan to see if there’s any vulnerable systems that they can escalate their privilege to maybe a higher level, and then compromise them and then get access to all of their clients, not just one.”
So the reason why it’s called stuffing is because there’s this automated script that keeps firing usernames and passwords, into a login frame until the attacker gets lucky?
“Correct. What’s happening is that most companies are not noticing their logs that this account has been trying to sign in 1,100 times and it’s failing.
Why wouldn’t a company have a rule, you know — you get three tries and then you get knocked out.
“A lot of times when I run audits [of customers] they fail in that department. Most of the time, they have account lockout disabled. That feature means that if I failed five or 10 times, that accounts should lock. But for convenience they activate that functionality, which means I can try that password a million times against your account, and it’s never going to lock.”
Credential stuffing attacks have been going on for decades. Why are they still successful?
“I think the biggest problem is because people are still reusing the same password for all their sites, for all their business, their home computer, their home, social media. They need to enable advanced functionality called two-step verification. This is the missing piece that most people are not doing right now because of the whole convenience aspect. Users are just lighting up their call center with a problem saying, ‘I don’t like this. I have to type in my username and password in the text message that comes to my phone,’ or ‘I have to load up the app to get my code.’ It’s too much of a problem for them. But they have to understand that security is not about convenience, right? So this way [with two-factor authentication] if somebody did get hold of their password and, and they’re able to get access to their account they wouldn’t be able to get in.”
To hear the full podcast, click on the arrow at the top of this story.