The Perils of Passwords: Are Your User Accounts in Danger?


We talk about it a lot - passwords are the weak backbone of current cyber security.

We thought we would look at an attack that occurred in the UK EdTech sector. It gives us all reason to redouble our efforts to reduce our reliance on passwords as the sole factor for account security.

Every security awareness training you will ever attend teaches you to pick strong passwords. You answered every question in the security quiz correctly, but you never actually changed one key habit – maybe because you think it is difficult? Most likely you never revisited all the sites where you used the same password and set a unique password on each one. And of course, one reason you didn’t is that you can’t even remember where you used that password!

It happens to everyone, but brace yourself: you are about to read a heart-stopping account of a real attack that exploited exactly those re-used passwords that users had forgotten about.


The Attack

In recent weeks one of the bigger online services in the EdTech industry started noticing a very steep rise in suspicious behaviour: an unusual number of accounts being accessed from all over the world, most attempts resulting in nothing, but many of them resulting in successful logins.

Shortly after, the company started to receive a higher number of support requests from users who were suddenly no longer able to log into their accounts with their long-held passwords.

It soon became clear that this was a so-called credential-stuffing attack.

The attackers had pulled databases from the dark web containing email addresses and decrypted passwords from breaches that happened years ago and affected various unrelated online services.

The attackers could then assume that a certain proportion of those harvested credentials would also work against accounts on the software provided by our EdTech supplier. They set up tooling that ran through their data set, attempting a login with each set of credentials they had. All they had to do was sit back, wait, and see what stuck.

By doing this they were validating their presumably very large list of credentials, reducing it to a much smaller set that represented valid user accounts on our supplier’s platform.

How can such an attack work?

Well, as we said above: if someone has their credentials breached anywhere (e.g. CAM4 (2020), Yahoo (2014, 2017), AdultFriendFinder (2016), LinkedIn (2012), Adobe (2013), eBay (2014), to name just a few of the larger ones) and does not change their password immediately everywhere they have used it, they are putting all those accounts at risk of breach.

It is also worth mentioning that these types of attacks are exceedingly cheap for the attacker to run. Credential lists and the necessary tooling are readily available.

It is important to point out that this type of attack is not the same as password guessing. Password guessing (aka “brute force attack”) involves trying out thousands of passwords against one known login name. Because most cloud systems implement defences to slow such attacks down, this is not normally an effective route available to attackers.

A "credential stuffing" attack is far more effective because the attackers have one, or at most a few, username/password combinations that they know a user has used somewhere in the past.

They will still have a relatively high failure rate with their attacks, but the difference is stark. If they have five sets of credentials for one login name, those five are the only ones they are going to try before they move on to the next victim.

A "brute force" attack involves trying thousands of password guesses against every single victim. This costs the attacker far more in time and resource, and because it will likely trigger a lot of account lockouts, it will alert both the account holders and the service provider.
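The two attack shapes just described look different in a service's authentication logs: brute force piles many attempts onto one login name, while credential stuffing spreads a handful of attempts over many login names from many addresses, with a low but non-zero success rate. The following detection sketch is an added example, not code from the original post or from the supplier it describes; the log format, the sample lines (constructed, using documentation IP ranges) and the thresholds are all assumptions.

```python
import re
from collections import Counter

# Constructed sample of authentication log lines (not from the original post).
# Assumed format: "<timestamp> login <OK|FAIL> user=<name> ip=<address>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 login FAIL user=alice ip=203.0.113.10
2024-03-01T08:00:02 login FAIL user=bob ip=198.51.100.7
2024-03-01T08:00:02 login OK user=carol ip=192.0.2.44
2024-03-01T08:00:03 login FAIL user=dave ip=203.0.113.11
2024-03-01T08:00:03 login FAIL user=erin ip=198.51.100.9
2024-03-01T08:00:04 login FAIL user=frank ip=192.0.2.45
2024-03-01T08:00:04 login OK user=grace ip=203.0.113.12
2024-03-01T08:00:05 login FAIL user=heidi ip=198.51.100.10
2024-03-01T08:01:00 login FAIL user=admin ip=203.0.113.99
2024-03-01T08:01:01 login FAIL user=admin ip=203.0.113.99
2024-03-01T08:01:02 login FAIL user=admin ip=203.0.113.99
2024-03-01T08:01:03 login FAIL user=admin ip=203.0.113.99
2024-03-01T08:01:04 login FAIL user=admin ip=203.0.113.99
"""

LINE_RE = re.compile(r"^\S+ login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse(log_text):
    """Return a list of (result, user, ip) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["result"], m["user"], m["ip"]))
    return events

def classify(events, stuffing_min_users=6, stuffing_max_per_user=3,
             brute_force_min_attempts=5):
    """Separate the two attack shapes described in the post.
    Brute force: many attempts against one login name.
    Credential stuffing: a few attempts each against many login names,
    from many source addresses, with some succeeding."""
    per_user = Counter(user for _, user, _ in events)
    brute = sorted(u for u, n in per_user.items() if n >= brute_force_min_attempts)
    spread = {u for u, n in per_user.items() if n <= stuffing_max_per_user}
    spread_ips = {ip for _, user, ip in events if user in spread}
    stuffing = (len(spread) >= stuffing_min_users
                and len(spread_ips) >= stuffing_min_users // 2)
    ok = sum(1 for r, u, _ in events if r == "OK" and u in spread)
    return {"brute_force_targets": brute, "credential_stuffing": stuffing,
            "stuffed_accounts": len(spread), "stuffed_successes": ok}
```

The `stuffed_successes` count is the figure to act on first: those are the accounts whose re-used passwords have just been confirmed valid.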

It is also worth taking the perspective of the attacker for a moment. Once they have their credentials list, they can very easily “try out” those credentials against any number of online services, just to validate their list. With any confirmed accounts, they can then log into them at their leisure and see what they can find out.

Now let's imagine they managed to break into your email account. At once, they can start sending emails as you, as well as receive your emails (or even sneakily set an email forward to themselves). From reading your old emails, they can easily find out all accounts you are using, and reset your passwords wherever they like: social media, utility companies, professional accounts, you name it. You will be exposed to what is called “identity theft”. As an example, by assuming your identity, the attackers could order a credit card and load you with a lot of debt.

What can be done?

From the service provider perspective 

The providers of cloud services clearly have a role to play. It is up to them to put mitigations in place that make it much harder for attackers to launch this type of attack. Examples of such preventative measures include:

  • Providing multi-factor authentication (MFA, 2FA, etc.). You could argue that nothing in cyber security ever counts as fully safe, but once a user has set up multi-factor authentication as a form of strong authentication, they will at least be protected from 'casual' attacks.

Multi-factor authentication is often seen as cumbersome, which is why organisations are increasingly pushing to implement single sign-on with their cloud providers, so that users only need to strongly authenticate once, with their MS Office suite, when they start work; all the other systems users need to log into then require no further authentication dialogue.

A combination of multi-factor authentication and single sign-on is both convenient for users and provides a high degree of security for individuals and the organisations they work for.

It is up to cloud service providers to offer these security techniques to their customers and users. Too often we see these basic protection mechanisms either not offered at all, or only offered at a surcharge. We hope that the current drive for cyber security, as crystallised in such security frameworks as Cyber Essentials and the DfE’s cyber security standard will help EdTech suppliers’ decision making.

  • Provide account compromise protection (aka stoplists on steroids). Increasingly, providers enforce a system whereby users are simply prevented from using any of the billions of passwords that have leaked in the past. We endorse this move: it certainly leads to users creating better passwords for themselves.

From the user perspective

This is all about good practice and “password hygiene”. Password hygiene has one aim: reduce your attack surface. Make it hard for any criminal:

  • First and foremost: Watch who you are giving out your passwords to. Avoid clicking arbitrary links in emails, and certainly make doubly sure you are on the right website, before you enter your account details.
  • Never share account credentials with anybody. Shared credentials are very hard to manage securely. So, don’t do it, EVER!
  • Set up MFA wherever possible. Better still, if you can, set up single sign-on with your productivity suite. Your IT department will help with that if need be. Just make sure that your authentication procedure with the productivity suite itself is robust: complex passwords and a second factor, such as a one-time token.
  • Use a unique password for every-single-site-you-use. NEVER use the same password anywhere else. Yes, you will end up with a lot of different passwords that you need to either memorise or store safely, but it's worth it. We recommend the use of password managers. Alternatively, by using single sign-on, you can cut down on the number of passwords that you need to remember.
  • Follow minimum complexity rules for your passwords. Especially for your important accounts (your productivity suite, personal email, bank, utility companies, ...) please always use very strong passwords. Again, password managers help with this: they will generate passwords for you, and you won’t need to remember any of your passwords at all.

Complex passwords have a minimum of 10 characters, made up of all 4 character classes (upper case letter, lower case letter, numbers and special character).

  • Check if your passwords have been compromised. There are various services for this, most prominently Troy Hunt’s excellent service, which has been helping drive awareness and account protection for many years. You can also subscribe to that service for free and have it inform you if any of your credentials turn up in a future breach.
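The complexity rule above (10 or more characters, all four character classes) and the provider-side stoplist of leaked passwords work best together: a password can satisfy every complexity rule and still be on a breach list. The check below is an added example of how a registration form could apply both, not code from the original post or from any real service; the stoplist is a constructed sample, and comparing SHA-1 digests rather than plaintext is an assumption of this example.

```python
import hashlib
import re

# Constructed stoplist: SHA-1 digests of a few passwords we pretend have leaked.
# Keeping digests rather than plaintext is this example's assumption; a real
# stoplist would be built from actual breach corpora.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123!", "Welcome2024$", "Qwerty!2345")
}

# The four character classes named in the post's complexity rule.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def check_password(candidate, min_length=10, leaked=LEAKED_SHA1):
    """Return the list of reasons a candidate is rejected (empty = accepted).
    Applies the length and character-class rule first, then the stoplist,
    so a 'complex' but previously leaked password is still refused."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, rx in CLASSES.items() if not rx.search(candidate)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    digest = hashlib.sha1(candidate.encode()).hexdigest()
    if digest in leaked:
        problems.append("appears in a known breach list")
    return problems
```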

And remember: Think about yourself and the security of your digital identity as part of an ecosystem of security, or a link in a chain of security.

Breaching one user account is not just bad for that one individual. It may give the attacker a foothold from which to widen their attacks out and eventually compromise the entire organisation.

If you follow the above rules, chances are you won’t fall victim to cyber criminals in the first place. But if you do, then the damage and stress will be far easier to contain.

