What Cyber Threats and Trends Might We See in 2019?

‘Tis the season to get out the crystal ball and play at being the cyber equivalent of “Mystic Meg” (no that’s not me in the picture).

For 2018 I predicted a number of things that were spot on; these included the following:

  • The change from mass ransomware campaigns to more targeted ones asking for higher ransom payments.
  • The move from ransomware to cryptomining/cryptojacking as the primary monetisation payload/method.
  • GDPR being used for extortion/blackmail attempts.
  • Organisations still not focussing on the basics and best practice for their industry/vertical and wondering why they suffered security breaches/incidents.

So what will 2019 bring, according to OMG?

  • More targeted extortion attempts (ransomware, GDPR, DDoS, etc.), all with higher ransoms being demanded.
  • Organisations will still be mainly focussed on the latest, must-have “shiny toys/technologies” rather than dealing with the basics and best practice for their industry/vertical.
  • A mainstream move towards two or multi-factor authentication, as password theft is increasingly seen as the main way that bad guys and girls get in; other than social engineering (phishing) or via the supply-chain/business-partner. This move will be required due to massive Credential Stuffing attacks in 2018 fuelled by the many data breaches where user ids and passwords were stolen.
  • More supply-chain breaches as a method to gain access to the intended victim organisation.
  • Cloud service breaches and/or take-downs and mis-use by the Bad Guys n Girls.
  • The skills-gap and staff shortage will increase, again. And those of us in the industry will be in demand and frequently head-hunted or just pestered by desperate recruiters that don’t read your LinkedIn profile and still approach you with roles that you are not interested in or don’t have the skills/background for.
  • More Business Email Compromise attacks (aka Fake CEO/CFO, etc.); these will rake in far more money in 2019.
  • Artificial Intelligence and Machine Learning will continue to be touted as “The” solution to deal with cyber threats and breaches; they are useful but generally too prone to false positives (detect things that are not an issue) and more worryingly false negatives (don’t detect what they should do).
  • The Internet of Things will start to “grow-up” as manufacturers start to bake in security and offer it as a differentiator to competing products/services.
  • However, despite this we will continue to see IoT devices/infrastructure used as an attack platform and I suspect that we will start to see volumetric DDoS attacks exceed 2Tbps (largest so far was 1.35Tbps against GitHub in 2018).
  • We may well see some critical infrastructure attacks (outside of Ukraine) that are successful, and that cause major outages and/or physical damage/loss of life.
  • Too many organisations thinking that using a single Cloud provider will give them a fully resilient infrastructure; it won’t. Just like having multiple data-centers, you need multiple Cloud providers (this should be part of your Business Continuity and Disaster Recovery Plan); no single points of failure!
  • GDPR will finally start to bite (hard) and organisations that should have already been following industry best practice for data/privacy will finally do something about it (well, most of them)!
  • Blockchain will be finally recognised as not being the solution to everything!
  • Increase in use of Sextortion, Bomb and other extortion/blackmail emails/calls, despite the fact that most Sextortion campaigns did not net piles of bitcoin as those behind them expected.
  • More social-media scams mainly focussed around crypto-currency giveaways; like the many Elon Musk themed ones we saw in 2018.
  • People will still mainly fail to learn from history; we will see yet more old techniques/technologies dusted off and re-used by the Bad Guys n Girls, for victims that weren’t around (or paying attention) the last time it was successfully used…

Don’t have nightmares, remember that 80-90% of all security breaches/incidents I have dealt with could have been avoided by just following best practice and doing the basics… This includes taking (and testing) backups, educating (and testing) your staff, patching your systems and applications, writing secure code, good Identity and Access Management, and so on…

Helping the Hackers – Password Re-Use is Widespread!

Some interesting, but not surprising findings from F-Secure:

They found that many users were re-using passwords even though they knew the risk of doing so, and I quote:

“59% reuse passwords across multiple accounts, even though 91% say they understand the risks of doing so.”

You can read the full article from F-Secure here: https://blog.f-secure.com/how-to-keep-your-passwords-from-being-an-attackers-key-to-your-account/

Please, please do not make a hacker’s job easier by using the same password on multiple sites; if you must use the same password, at least enable 2FA (Two Factor Authentication)/MFA (Multi-Factor Authentication)* on the sites where you do this, as this will make it harder for the hackers to compromise (take-over) your account(s).

The problem is, if you use the same password on multiple sites, it allows the bad guys and girls to carry out what are known as “Credential Stuffing” attacks… Once they have found a valid set of credentials for one site that you use, they will try the same ones on other sites…

It is better if you use not only 2FA/MFA, but also a Password Manager to store and create strong unique passwords for you (belt and braces, folks!)

You can even enable 2FA/MFA on the Password Manager, so if that is stolen, the bad guys and girls can’t gain access to that either… Belt, Braces and Super-glue 😉

* One-factor authentication is something you know (user id and password). Two or Multi-Factor authentication is something you know, and something you have or are (such as a one-time password/key/token, biometrics, smart card, hardware or software token, certificate, etc.). Unless the Bad Guys and Girls can gain access to the second factor, they can’t sign in as you…

Question of the Day: Are Passwords the New Exploit?

The quick answer is NO, they are not. However, as with most things, it isn’t quite as simple as that. Let me walk you through how things have changed over the last 10+ years and how passwords have NOW become the main exploit technique (other than unpatched systems/applications, config/coding errors and end-users). To start we need to go back into cyber history…

Back in Time…

Let’s go back to the 80’s, 90’s and early 00’s and look how passwords were captured and misused:

As an ethical hacker (penetration tester and web application tester), I have over 15 years of experience and “hacks” to call on to cover this.

In the years prior to 2005, most passwords were stolen via Social Engineering (Phishing, etc.) or via hacking a system/application and using that as a pivot point (beach-head) to scour an organisation’s network for the password file (usually imaginatively called password.txt, password.doc or password.xls, yes really!) or to find other vulnerable or insecure systems (including ones with default or weak credentials).

This file usually would contain either personal passwords for the user of that system, or if I was really lucky it would be the password file for the system administrator, IT manager, help-desk, or other technical resource that had the much sought after “root”, “admin” or other privileged account credentials to allow me to escalate my privileges (upgrade them from user or other restricted account access level).

In the best cases this could then be used to become “Domain Admin”; which means that I would have unrestricted access to ALL systems on the Domain (Microsoft Active Directory)… Once I had that level of access, it was “Game Over”, as I could do anything; access ALL the systems and ALL the data on them!

There were other ways for me to get passwords. The most common was to dump the password hashes from Windows or Linux (other UNIX flavours are available) and then “crack” them. This means carrying out either a so-called “dictionary” attack (using a list of known words/passwords until a match is found) or a “brute-force” attack (trying every combination of letters, numbers and other characters until a match is found), or even using “rainbow tables” (pre-computed password hashes in a database, which are simply compared to the stolen password hash until a match is found). This is harder to do nowadays, as hashes are often protected by techniques such as salting, which means the hash for “P4ssW0rd123” on one system will not be the same on another server/system/site (as long as the salt is not the same on both).
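To make the salting point concrete, here is an added example (not part of the original post) that stores “P4ssW0rd123” with and without a salt and checks each stored value against a precomputed table. The iteration count, the word list and the function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

PASSWORD = "P4ssW0rd123"   # the example password from the text
ITERATIONS = 200_000       # assumed work factor for this sketch

def unsalted_hash(password):
    """Legacy style: the same password hashes identically on every system."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Random per-account salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)

def precomputed_table(wordlist):
    """Simple stand-in for a rainbow table: unsalted hash -> password."""
    return {unsalted_hash(word): word for word in wordlist}

def demo():
    table = precomputed_table(["letmein", "qwerty", PASSWORD])  # constructed list
    salt_a, digest_a = salted_hash(PASSWORD)   # account on system A
    salt_b, digest_b = salted_hash(PASSWORD)   # same password on system B
    return {
        "unsalted_lookup": table.get(unsalted_hash(PASSWORD)),
        "salted_lookup": table.get(digest_a.hex()),
        "same_hash_on_both": digest_a == digest_b,
        "right_password": verify(PASSWORD, salt_a, digest_a),
        "wrong_password": verify("P4ssW0rd124", salt_a, digest_a),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsalted value is found in the table immediately, while the salted one is not, even though the legitimate login check still succeeds.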

Back to the Future…

So, what about password misuse since 2005 until today?

Over the last 10+ years we have seen numerous mega-breaches (as well as loads of smaller data breaches). This has meant that over 7 Billion sets of credentials (current best estimate) have now been stolen (user IDs and password combinations).

These data/credential dumps are widely used by cyber criminals (and other hackers) to carry out attacks using “credential stuffing”. You can see if your email address and credentials have been seen in one of these dumps on haveibeenpwned (run by well-respected security researcher Troy Hunt); this site has over 5 Billion sets of credentials that have turned up in data dumps from hacked/compromised sites/servers.

In summary, yes, nowadays passwords are the new exploit and we need to move beyond them, or at least make them less of an exploit…

What’s Credential Stuffing and Why Should I Care?

Credential Stuffing is a type of automated attack which is very similar to a “dictionary attack”; this is where a list (often huge) of passwords is tried one after another until the list runs out, the account gets locked out, or the hacker finds the correct (valid) password for the account.

The way that Credential Stuffing is different is that the hacker has a list of user IDs (often email addresses) and passwords dumped from a breach. They simply run these against each web site that they think you may have an account on.

I hear you say, “so what!” Well, the problem is that if you use the same userid and password on multiple sites, and that userid and password is compromised (stolen in a hack), the bad guys and girls now have your credentials for other sites where you have re-used the same password!
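The difference between the two attacks shows up clearly in a site's login logs, and a defender can use it. The following added example (not from the original post) classifies source addresses in a constructed authentication log; the log format, the addresses and the thresholds are assumptions, and a production rule would also apply a time window.

```python
import re
from collections import defaultdict

LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def sample_log():
    """Constructed auth log; the format and addresses are made up for this example."""
    lines = []
    for i in range(12):  # one source, 12 accounts, one try each, one hit
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"2019-01-07T10:00:{i:02d}Z ip=203.0.113.5 "
                     f"user=user{i}@example.com result={result}")
    for i in range(15):  # one source hammering a single account
        lines.append(f"2019-01-07T10:05:{i:02d}Z ip=198.51.100.9 "
                     "user=admin@example.com result=FAIL")
    # an ordinary user who mistypes once, then gets in
    lines.append("2019-01-07T10:09:00Z ip=192.0.2.44 user=carol@example.com result=FAIL")
    lines.append("2019-01-07T10:09:20Z ip=192.0.2.44 user=carol@example.com result=OK")
    return lines

def classify(lines, min_users=10, min_failures=10):
    """Return {ip: (pattern, accounts needing attention)}; thresholds are assumptions."""
    per_ip = defaultdict(lambda: defaultdict(lambda: {"OK": 0, "FAIL": 0}))
    for line in lines:
        m = LINE.search(line)
        if m:
            per_ip[m["ip"]][m["user"]][m["result"]] += 1
    findings = {}
    for ip, users in per_ip.items():
        failed_users = [u for u, c in users.items() if c["FAIL"]]
        hammered = sorted(u for u, c in users.items() if c["FAIL"] >= min_failures)
        if len(users) >= min_users and len(failed_users) >= len(users) // 2:
            # Many accounts, few tries each: user ID/password pairs from a dump.
            # Accounts with a success here should be locked and reset.
            hits = sorted(u for u, c in users.items() if c["OK"])
            findings[ip] = ("credential_stuffing", hits)
        elif hammered:
            # Many passwords against one account: dictionary or brute force.
            findings[ip] = ("dictionary_attack", hammered)
    return findings

if __name__ == "__main__":
    for ip, (pattern, accounts) in classify(sample_log()).items():
        print(ip, pattern, accounts)
```

Account lockout stops the second pattern but not the first, because each account only sees one or two attempts.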

What Else are the Bad Guys and Girls Doing With Stolen Credentials?

As covered in a previous blog entry on “Sextortion”, stolen credentials (user IDs and passwords) are being used to add credibility to the email extortion scams. We will see this technique used for other scams, again to give “proof” that they have your data/access to your account or system, etc.

How do I Protect Myself?

There are a number of ways to reduce the risk of Credential Stuffing and related attacks (including Phishing and Social Engineering); these include:

  1. Never use the same password on multiple sites (known as password re-use), as you make it easier for the bad guys and girls to take over your accounts.
  2. Use strong, long, unique passwords for each and every site and store these in a Password Safe (an encrypted database), you can find out more about these in one of my other blog postings, here.
  3. Even better, enable what is known as 2FA (Two Factor Authentication), sometimes called MFA (Multi-Factor Authentication). I hear you ask “what the hell is that?” Let me explain: when you use a user id and password, that is a single factor (something you know); the second factor, often a token or one-time code, is something you have or are. This can include solutions such as Google Authenticator, Authy, Duo, RSA, Yubikey or even biometric controls such as Face Recognition, Fingerprint, Voice, etc. Using 2FA will mean that it doesn’t matter if your user id and password is compromised (as long as the site you are using uses 2FA and you have enabled it, and the site has implemented it properly so that it can’t be bypassed easily).

    Most large sites, including Google, Microsoft, Dropbox, Facebook, etc., have 2FA support. BUT, don’t use a 2FA that sends you the one-time code via SMS (text message), as this can easily be captured, either via the network or via what is known as “SIM Porting” or “SIM Swapping”. This is becoming a major threat and has cost some victims the contents of their bank accounts, their bitcoin (or other digital currency) wallet contents… Also, Reddit were compromised via SMS based 2FA!

    This extra protection means that even if they have your valid user id and password for that site, they can’t access your account as they don’t have the second factor (only you do)… In theory this makes it impossible for anyone but you to gain access to your account on that site… However, as usual, there are still ways (non-trivial) for the Bad Guys and Girls to get you to give them the second factor, but that’s another story!
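For readers who want to see what the one-time code actually is, here is an added example (not part of the original post) of the time-based one-time password scheme from RFC 6238 that authenticator apps such as Google Authenticator use, together with a login check that requires both factors. The secret is the RFC's published test value, and the login function and its drift allowance are assumptions for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the usual authenticator-app default
SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // STEP, digits)

def code_is_valid(secret, submitted, unix_time, drift_steps=1):
    """Accept the current code plus/minus drift_steps to allow for clock skew."""
    counter = int(unix_time) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d).encode(), submitted.encode())
        for d in range(-drift_steps, drift_steps + 1)
        if counter + d >= 0
    )

def login(password_ok, secret, submitted_code, unix_time):
    """Both factors are required: a correct password alone is not enough."""
    if not password_ok or submitted_code is None:
        return False
    return code_is_valid(secret, submitted_code, unix_time)

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    print("password only:", login(True, SECRET, None, 59))
    print("password + code:", login(True, SECRET, code, 59))
    print("same code two minutes on:", login(True, SECRET, code, 149))
```

The code is derived from a secret held only by the site and your device and it expires within a minute or so, which is why credentials from a breach dump are not sufficient on their own.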

Stay safe out there, and don’t make the “Bad Guys and Girls” job easier!