Protecting login credentials, which often take the form of username and password pairs, isn’t glamorous. The designers and administrators of systems and applications have been trying to do this for a very long time. Unfortunately, we still do a poor job safeguarding access and maintaining logon credentials, as is evidenced by the successes attackers have demonstrated in the recent months.
The Role of Logon Credentials in Data Breaches
Consider this brief sampling of security incidents, where compromising logon credentials provided attackers with keys to the victim’s digital kingdom:
- The attack on Lockheed Martin is believed to have involved the compromise of the SecurID-based authentication mechanism that the company used to control access to its network.
- An attacker gained access to the store of password hashes of the popular Bitcoin exchange Mt. Gox, and succeeded at cracking at least some of the passwords.
- The PBS website breach involved compromising credentials of administrative users; the stolen password hashes were publicly released. In a later incident, the attack group published over 60,000 logon credentials from various compromises.
- The breach of Sony PlayStation Network’s website involved a weakness in the password reset page, which reportedly allowed resetting a password by knowing only the user’s date of birth and email address.
In targeted attacks, compromising logon credentials is often part of the "lateral movement" phase. Here, the attacker who has obtained initial access attempts to obtain and crack password hashes, or to exploit a trust relationship, in order to gain access to other systems. While attackers might rely on exploits and malware to gain an initial foothold in the environment, subsequent actions involve going after and making use of logon credentials.
Gaining Access to Logon Credentials
Attackers might compromise logon credentials by remotely guessing user passwords. This is effective for getting into web applications through the login or password reset screens. Remote password-guessing has also been responsible for numerous attacks at the system level through SSH brute-forcing.
Web application breaches often involve SQL injection, which allows the attacker to bypass the application’s security restrictions to obtain access to the underlying database. This can allow the intruder to retrieve usernames and passwords (or password hashes) that are stored in the database.
Intruders who have gained local access to the environment can often retrieve password hashes, which they can crack offline to obtain the underlying passwords, some of which belong to administrative accounts. In some cases, such as in a pass-the-hash attack, the hashes themselves are sufficient. Interestingly, incident responders themselves may leave hashes and access tokens behind for attackers to harvest (PDF).
Attackers might also obtain logon credentials from compromised email accounts and from data breaches of the targeted company’s partners or service providers.
Will Protecting Logon Credentials Become a Hot Topic?
The industry is remembering the need for, and the challenges of, protecting logon credentials. The mechanics of the recent breaches might breathe new life into identity and access management projects that have stagnated over the years, and might also cause companies to revisit the tactical measures they have implemented to restrict user account access. Moreover, this might reignite the discussion regarding detecting malicious misuse of user accounts and minimizing the effect that such activities have on the security of the environment.
Related:
- Attackers Are Attracted to Email Like Flies to Honey
- Protect Processes from Spyware With Windows Integrity Levels
- 8 Strategic and Tactical Tips for Detecting a Website Compromise