Today, breaches continue unabated at the same alarming rate to which we’ve grown accustomed. More than 2 billion records were exposed in 2016 alone and that’s only counting those we know about. The real figure will rise far higher.
The rate of these data leaks is so frequent that it is hard to track how exposed you are. Can any credentials in these breaches be used against your company? How can you find out? Why should you even check?
Two issues are at play here. The first is password reuse. This issue is as old as the internet and won’t go away for some time. Humans were never wired to remember long random alphanumeric strings liberally sprinkled with special characters, so most passwords that people use end up being words with a few numbers at the end. Add to this the sheer volume of login and password combinations we are asked for on a day-to-day basis, and it’s no wonder many people have resorted to password reuse: using the same password everywhere, whether on a Gmail or Facebook account, a shopping site or a forum, and often registered with a company email address.
The second issue is the surge in cloud usage and the presence of "shadow IT" within companies. Shadow IT typically refers to using tools and software within an organization without its explicit approval. Think Dropbox, Google Docs and many other cloud apps that people use because they are just more convenient than what a company has to offer. On top of this, there are legitimate cloud apps that people now use in the enterprise space. Office365, Salesforce, AWS, and any other software as a service or infrastructure as a service offering falls into this category.
Now back to breached data. Hackers are people, too, and most avoid hard work. If hackers want to go after a company, they come at them sideways, from the point of least resistance.
So let’s say I want to attack Acme Corp., our fictional company. I’ll first scour public data leaks for anything that contains @acme.com. With luck, in these leaks, I’ll find passwords, either in cleartext or hashed. If they are hashed, free tools like John the Ripper can quickly discover weak passwords.
Then I’ll start trying those credentials on the cloud apps companies use. Outlook Web Access and Office365 are the prime targets here because they are typically exposed to the entire internet and often can be accessed without multi-factor authentication. After that I’ll try the shadow IT culprits, like Dropbox and Google Docs. If I wanted to go further I could attempt using the credentials against the user’s personal email address, which nowadays only requires a bit of digging on social media to discover. To save time I could punch their private email into sites that deal in the disclosure of leaked information, such as haveibeenpwned.com or leakedsource.com, and they will tell me instantly if that email address has been involved in any other breaches. From there, I could get the data directly from the source, or just pay a small fee for the raw data.
Once I have these, I could try the process again on the sites that didn’t work in the first place. Chances are, password re-use is in play here as well.
Note that the above doesn’t take any technical skill and only requires simple online searches. Once corporate email is compromised, information becomes exponentially easier to come by and other vectors of attack open up, the most obvious being phishing and malware.
So how do you protect against something like this?
There are a few options depending on your resources. The first is to monitor the information leakage yourself. You can actively monitor sites like pastebin.com, where public leaks appear, for company e-mail addresses or keywords relating to your company; Pastebin has a free keyword alert feature you can use for this. Other tools exist, like @Dumpmon, a Twitter bot account that automatically posts updates when it has detected leaked data. This approach has a few downsides, namely that you have to review every alert yourself to decide whether it has value or is just another false positive. In addition, many sites that deal in leaked data exist on the dark web, some of which are carefully vetted forums that are difficult to join.
The alternative approach is to pay someone to do it for you, and there are a few companies that specialize in monitoring data leaks for company information: InfoArmor, Hacked-DB and LeakedSource are a few that operate in this space. Keep in mind that no one can guarantee 100 percent coverage, but these companies provide alerts the second they detect something relevant. They can also monitor metadata, such as public IP addresses or company keywords that appear in leaked data, even when it doesn’t involve login and password combinations.
What do I look for and what do I do when it happens?
Just focus on your e-mail domain (e.g. @acme.com), since its presence is a sure sign that a credential is involved. Once a credential leaks, the first step is to find out if that user still has an active account in your company. If he or she does, you can either check whether their company password matches their leaked password (tools like L0phtCrack are ideal for this) or simply force a password change if you’re not sure. For senior executives, aim to monitor their personal emails too, as many use them for business. Don’t try to cover the personal emails of all your employees; instead, run awareness campaigns that push them to use free sites (haveibeenpwned.com is a good one) so that they are aware of their own exposure.
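The triage described above (filter a leak for your own domain, check whether the account is still active, compare a cleartext leaked password against the stored company hash, and force a reset where it matches or cannot be verified) as an added Python example, not code from the original post. The leak dump, the directory, and the PBKDF2 password-hash scheme are constructed assumptions; a real deployment would read from the identity provider instead.

```python
import hashlib
import hmac
import re

# Constructed sample leak dump (not real data): "email:secret" lines where the
# secret may be cleartext or a hex digest, plus an unrelated domain to be ignored.
LEAK_DUMP = """\
alice@acme.com:Summer2016!
bob@acme.com:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
carol@other.example:Password1
dave@acme.com:Winter2015
"""

def _pbkdf2(password, salt):
    # Hypothetical company hash scheme: PBKDF2-HMAC-SHA256 with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Constructed company directory: is the account active, and what hash is stored.
DIRECTORY = {
    "alice@acme.com": {"active": True,  "salt": b"s1", "hash": _pbkdf2("Summer2016!", b"s1")},
    "bob@acme.com":   {"active": True,  "salt": b"s2", "hash": _pbkdf2("Unrelated#pw", b"s2")},
    "dave@acme.com":  {"active": False, "salt": b"s3", "hash": _pbkdf2("Winter2015", b"s3")},
}

HEX_DIGEST = re.compile(r"^[0-9a-f]{32,128}$")  # MD5 .. SHA-512 sized hex strings

def triage_leak(dump, directory, domain="@acme.com"):
    """Map each leaked address in our domain to an action:
    'inactive'         - no active account, nothing to reset
    'force-reset'      - leaked cleartext equals the current company password
    'reset-unverified' - leaked value is a hash, cannot compare, reset to be safe
    'no-match'         - cleartext differs from the company password (notify user)"""
    findings = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        email, secret = line.split(":", 1)
        email = email.strip().lower()
        if not email.endswith(domain):
            continue  # someone else's breach, not our domain
        entry = directory.get(email)
        if entry is None or not entry["active"]:
            findings[email] = "inactive"
        elif HEX_DIGEST.match(secret.strip()):
            findings[email] = "reset-unverified"
        elif hmac.compare_digest(_pbkdf2(secret, entry["salt"]), entry["hash"]):
            findings[email] = "force-reset"  # password reuse confirmed
        else:
            findings[email] = "no-match"
    return findings
```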
Remember, other people’s breaches sometimes have your data, so always take a look.