Since 2008 Verizon has been releasing Data Breach Investigations Report (DBIR) that has provided the world of Infosec valuable insights and detailed analysis of the evolving threat landscape from various viewpoints (industrial segments, geography specifics etc).
Report Highlights
Stolen credentials remain the biggest concern and the reason for 86% breaches over the web. Reports also states that most targeted assets were the servers rather than individual applications or devices.
From VDBIR 2023
On the Rise
In Summary VDBIR 2023 mentions that 50% of total breaches were due to credential fraud, 10% Phishing & rest due to exploitation of vulnerabilities.
Report also mentions ransomware attacks becoming ubiquitous & 50% increase in Social Engineering attacks.
From VDBIR 2023
Report also has a monthly summary of incidents from 2022, including the incidents involving leaked passwords from Okta and MFA factors from Twilio.
August Summary from VDBIR 2023
PureID #BreachSupport
As the industry is still closely studying the breach report VDBIR-2023, we are working on our latest initiative – Breach Support, through which we intend to help businesses quickly recover from the incidents by removing passwords and adopting Zero Trust Access control with zero impact on business. More details on Breach Support will be shared soon, stay tuned.
Please Note – All the above images are taken as -is from VDBIR 2023, & the last one from PureID Team
The temperature in May 2023 is high not just due to global warming but also due to the Security Breach at numerous reputed organisations.
Many companies experienced or disclosed data breach in last 10 days. Prominent breaches that has surprised the industry are the ones coming from Discord, a Microsoft Company & Capita, the UK based service gaint.
The other organisations of signifance include Toyota, PharMerica, ScanSource etc.
Organisations named in recent security breach incidents
The Incidents
All of the above companies are yet to disclose the root cause of the breach, but as it always happens compromised user credentials is the most likely reason of the breach.
As the organisations are still carrying out the investigations and getting their PR sorted, it will be interesting to which popular security solutions will be named/blamed for its failure, just like the breach at Okta was blamed for the breach at Twilio, and the failure of DUO Security and Thycotic was blamed for the breach at Uber last year.
If you are interested to study more about these breaches, we have provided the links to the resources below
The leaked data from the above organisations is posted in the dark web and is available for sale. Large portion of stolen data is available for free. Tory Hunt, collects data from such sources and makes it available for individuals to learn haveibeenpwned.
ABC News network has recently lauched a visual summary of the potential scale of the leaked information out there about indivisuals, using the haveibeenpwned service.
Breach Happens
#BreachHappens!!! Its unavoidable. PureID is working to provide immediate relief to organisations who are breached or in middle of security incident, stay tuned to know more.
Have you ever received a phone call from a seemingly legitimate vendor, who knew all your personal and financial information, and then requested an advance payment or financial assistance from you? If you have, you know how terrifying this situation can be. It only takes one small mistake to send your finances into disarray.
But you are not alone in this struggle. Jaramiah Fowler, a cybersecurity expert, helped avoid this nightmare scenario by his vigilance. Fowler discovered a database containing a million consumers’ personal and financial information, including names, email addresses, postal addresses, phone numbers, payment purposes, sums paid, due dates, and tax ID numbers. The database had invoices from people and companies who paid for their goods and services using an app.This database belonged to NorthOne Bank, a FinTech company used by over 320,000 American businesses
About NorthOne
NorthOne is a popular FinTech company that offers integration options with various services, including but not limited to Airbnb, Cash App, Lyft, PayPal, Quickbooks, Shopify, Square, Stripe, Uber, Venmo, and Wave. It is worth noting that NorthOne is not a full service bank. Banking services to NorthOne Bank are provided by The Bancorp Bank.
The Incident
The findings were first reported on January 19th, 2023 and the database remained unsecured until January 31st, 2023. It is unclear how long these records were exposed or who else may have had access to the database. It should also be noted that Bancorp Bank is not at fault or responsible for this breach.
The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF documents. There were basic security controls preventing a full indexing of all documents. There were over a million files in the database that were marked as “production”. In a random sampling of 1,000 invoices, Jeremiah observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.
This is how the data appeared in the compromised dataset. You can clearly see “Powered by NorthOne” in the footer of the image.
How Customers can be targeted ?
The data in the unprotected PDFs contains Tax Identification Number (TIN) along with other personal details of the customers. This TIN can be exploited to file fraudulent federal tax returns and claim refunds from the Internal Revenue Service (IRS).
Someone can misuse the data by using the Employee Identification Number (EID) to apply for loans. Another challenge could be to prove that the application was not authorised.
In order to acquire customers’ trust, a con artist may also pose as a legitimate financial organisation and cite transaction receipts. Consumers’ personal information can be used by other parties to influence them and reveal sensitive information.
What went wrong?
It seems that NorthOne had a database with no protection on. You can learn how to safeguard your database, code repositories, and code infrastructure with PureAUTH‘s Just-in-Time Access Provisioning. You can learn more in our blog titled Know Your Code Infrastructure.
Lastpass reported a security breach a month ago, which is the 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher. Many popular password managers like Dashlane, Bitwarden, and Safari can be phished.
There are many lessons that we all need to learn from these recurring incidents. This post stands to uncover few points that we have seen have not been discussed by the info-sec community.
The Catch-22 – Phish or no Phish?
LastPass warned its users of a likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks on accounts associated with their LastPass vault.
Password Managers getting phished is an alarming situation
This statement goes against what all the password managers like LastPass claim . “Use of password manager protects users from phishing attacks“.
In their blog post, Lastpass reported that customer’s personal information like email, phone number, address, IP address have been compromised. Still, LastPass is not talking about is the additional information they collect from their users on their mobile app.
The screenshots below show the permissions that Lastpass app takes on a user’s phone.
Permission take by LastPass app on an Android device
These permissions enable the application provider like LastPass to collect more information about the user than required.
User Information collected by LastPass app
In the event of a breach, the severity and privacy impact will be catastrophic if such additional information collected from the user’s phone is involved.
The Passwords
Furthermore, LastPass has reported that customer’s vault containing clear text data, such as website url, and encrypted data of username and password were also obtained by the threat actors.
Lastpass emphasised on the use of master key, and how a threat actor can not decrypt the password vault even if they have the encrypted data, as the master key, which is a master password set by the user and is not stored on lastpass network.
While 1Password, a rival firm of Lastpass, claims through their blog that passwords of LastPass can be cracked in $100. They also talk about their superior method of using secret key and Password Authenticated Key Agreement systems, which makes their systems safer.
With the device specific keys mentioned by 1Password, syncing of the passwords across multiple devices becomes a risky affair. It requires password to be decrypted on another device and the user’s chosen master password along with the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords in transit.
Conclusion
After a series of events involving Password Management products, enterprise must seriously think about how safe their user’s data and passwords really are.
Not to forget, server doesn’t care if the password is coming from a password vault or from an adversary, the server will authenticate as long as it can match the string. So no matter, how and where you store passwords, as long as there as passwords, Enterprises are always at risk.
For a better security, Enterprise must plan to remove passwords from their applications, servers and #GoPasswordless
In January, 2023 Gen Digital, a firm previously popular as Symantec and NortonLifeLock , found itself targeted by a significant Credential Stuffing attack. The attack resulted in the compromise of thousands of user accounts.
Just weeks prior to this incident, LastPass, a prominent competitor of Gen Digital in the password manager market, fell victim to a breach. This breach followed a prior cyberattack against LastPass in August. According to LastPass, the hackers leveraged technical data pilfered during the August cyberattack to gain unauthorized access to its cloud storage system.
It’s worth noting the irony here – the very software designed to fortify defences against cyber attacks found itself in the crosshairs of one. To draw a parallel, it’s akin to a scenario where the police station itself becomes the target of a burglary.
Credential Stuffing
Credential stuffing refers to the use of credentials such as username, email id and personal information from previous security breaches. These credentials are fed to other login systems to gain access to other websites. Unlike other cyber attacks, Credential Stuffing does not require brute force. Instead it uses a simple web solution to stuff thousands of stolen credentials into login systems. Credential stuffing is one of the oldest tricks in the book. It’s very easy to fall victim if one uses the same or similar credentials on multiple sites.
I recently explored the website “Have I been pwned” and was shocked to see one of my personal email ids compromised in a previous attack. Going through their listing on breached websites made me realise how unsafe our credentials and information are, and how easily one can gain access to it.
Impact of the Incident
In an internal investigation in December 2022, NortanLifeLock detected “unusually large volume” of login attempts. They found that a malicious actor was using a list of credentials obtained from illegal marketplaces on “dark web”.
Nortan commented that 925,000 people were targeted in a credential-stuffing attack. It is probable that the data does contain names, phone numbers and addresses of users. The attackers might also have access to Norton Password Manager users’ private vault data. This vault contains stored passwords for other online accounts. The firm is not commenting on how much customer data actually got a negative impact because of the attack.
Nortan relaeased a warning to it’s users after failing to reject the mass login attempt. They indicated that they “strongly believe that an unauthorised third party knows and has utilised your username and password for your account.” They also suggested the users to use 2 step authentication systems and provided free credit monitoring services to affected users.
Amplification Effect
The Password managers are a hot target because they provide adversaries with an amplified power to gain access to multiple accounts by compromising one password manager account.
As they say putting all the eggs in one basket is a bad strategy. Keeping all passwords in one manager will have a huge impact if compromised.
Passwords are not assets; they represent security vulnerabilities. Rather than locking them away in a vault, consider going passwordless. #GoPasswordless
While password management companies are fighting with each other, the bottom line of major incidents in 2022 is – Passwords are the biggest risk even if you are storing them with Lastpass or any other password manager.
As industry is adopting Zero Trust Architecture, the time is right to #GoPasswordless. In this first blog of the year, we at PureID present 3 strongest points to make your organisation password free in this brand new year 2023.
Best Protection from Phishing & Social Engineering
We have seen Uber getting breached due to MFA bypass and social engineering attacks. Stored credentials stolen from Okta & Twilio were exploited by 0ktapus hacking group, triggering serious supply chain attacks with a blast radius extending to 130+ organisations.
In another incident, credentials phished from DropBox resulted in unauthorised access of 130+ github repositories.
A well designed passwordless authentication solution is a must if you are looking for authentication solution resistant to social engineering & phishing attacks
Zero Trust Access
When you are taking the next flight, you must appreciate the multiple checks that are carried out at the airport as part of Zero Trust Security Model. Not just the traveller’s identity is verified, but each and every piece of luggage you carry is checked for possible risk that can aboard the plane.
When a user authenticates to access an enterprise service or network, the traditional solutions stop at the user’s Identity verification. The risk coming from the connecting user’s device is not verified. In another incident involving Okta again, the customer support executive of Sykes, connected to Okta’s service portals with a compromised device, enabling the Lapsus$ Extortion Group to access and leak some details from Okta’s apps and system.
Most of the MFA, passwordless solutions, FIDO keys fail to provide the user’s device risk posture and hence provide incomplete security. Check how PureAUTH provides ZeroTrust Passwordless Authentication
Convenience meets Security
I couldn’t fix your break, so I made your horn louder – Steven Wright.
That is exactly how the industry approaches the pain of authentication. Since authentication using Passwords + MFA is painful, the applications are designed to provide session cookies that are valid for months. In recent incident with CoudSek, its employee’s Jira account was accessed with stolen session cookies.
With well designed Passwordless solutions, authentication becomes so convenient and smooth that enterprises can enforce shorter sessions and frequent authentication without putting users in any distress. The shorter session span reduces the risk of stolen cookies getting abused.
With the above points and a quick recap of last year’s incidents, we wish you all a safe & secure new year. Looking forward to be your partner in your #ZeroTrustJourney, for which the first step is #GoPasswordless.
With best wishes from PureID family, Happy New Year 2023…
Dropboxdisclosed a security breach on October 14th 2022, resulted due to Phishing Emails. The email was impersonating a third-party service used by its employees. The attack resulted in credential leaks of employees, which enabled the threat actors access to their Github accounts. The hackers stole the content from 130 repositories, consisting information about Dropbox employees, users, and vendors.
The Incident
Phishing campaign initiated by adversary targeted multiple Dropbox Employees. The emails were crafted to mimic communication from CircleCI , which is a Continuous Integration and Delivery Platform. The phishing link redirected users to a landing page where they were asked to enter their GitHub username and password.
CICircle Login page
On a fake GitHub page, the employees were requested their Hardware Authentication Keys to provide an OTP for 2 step authentication. Adversaries used these credentials to access some less secure repositories of Dropbox, containing some API keys, and customised tools.
Github Login Page
The adversaries are not traced yet, as they used VPNs to hide their tracks.
The incident details shared by Dropbox
The Impact
Dropbox breach is a direct result of phishing, which was not contained by 2FA or MFA solutions the firm normally has in place.
Furthermore, the laws of the United States allow authorities to have access to user data under Patriot Act and such, hence the firm can also store user information. In the past, there have been multiple instances at Dropbox where user data was compromised. However, in this particular case, the company is claiming that no core app code was compromised. For more details, visit here.
Previous Incidents
Dropbox is not the sole victim of brand impersonation phishing attacks. Earlier, other organisations such as Sony Pictures, BenefitMall, and JP Morgan Chase have fallen victim to the same. Furthermore US Power grid and John Podesta are also highly notable examples of Phishing Attacks.
IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organisations an average of $4.65 million. Phishing using brand impersonation is becoming quite popular as well. LinkedIn is used for this purpose 52% of the time, while DHL, Google, Microsoft and FedEx also hold a considerable proportion of it. You can find more about the stats here.
Mitigation
Millions of phishing emails are sent daily. Many spam mails slips through spam filters and when that happens, you must be able to rely on your employees to stay vigilant and act responsibly. That is the reason why many companies opt for Employee Awareness Training Plans.
When training campaigns cannot keep pace with the new trends, and URL-checking anti-phishing measures is proving to be far more intrusive. The best option right now is to switch to Password-less Systems with Zero Knowledge Encryption.
With PureAuth Password-less authentication, you can effectively mitigate the risk of having your password compromised by phishing and a number of other methods.
Feel free to explore further blogs by us related to Phishing and Github . Stay safe. #Gopasswordless
PureID’s passwordless authentication platform PureAUTH, is a cloud based Single Sign On (SSO) solution. PureAUTH uses certificates (digital signatures) provided by an organisation, to uniquely identify its users, in a secure way.
PureAUTH can be used as a secure, cryptography or certificate based alternative to Passwords and Two Factor (2FA) or Multi Factor Authentication (MFA) solutions, as prescribed by various standards.
Traditionally, applications authenticate users using passwords. For additional security along with passwords, 2FA or MFA are also sent to application on the same channel. This authentication method is found to be vulnerable to phishing and other man in the middle attacks. An adversary can trick users to share passwords and 2FA/MFA token, on a phishing page and use it to impersonate user, and gain unauthorised access to the application.
Traditional systems use same channel for authentication & application access
PureAUTH provides a secure alternative to passwords and 2FA /MFA based authentication. Organisation’s user is provided with an AuthVR5 authenticator app which holds cryptographic keys, certificates (digital signatures), seeds (for generating Pseudo Random token), which are unique for every user.
AuthVR5 sends out of the channel authentication request, directly to the PureAUTH server which consists of user’s certificate and one time token which is bound to the user’s session with the application.
PureAUTH uses out of channel authentication with non reusable token & certificate
Since the authentication request is sent out of the channel, the data in the request cannot be obtained by phishing, neither it can be used for any other session apart from the one it was generated for.
NOTE :
The authorisation & session management remains unaffected by introduction of PureAUTH. The user authentication security is enhanced by PureAUTH with the use of certificates (digital signatures), extensive logging, and risk assessment of user’s device, from which the application is being accessed.
Standards around User Authentication & Access Control
PureAUTH provides the required controls and complies with recommendations of various Industry and Regulatory standards, for user authentication and access control. Few widely used standards that PureAUTH complies with are as follows –
ISO/IEC 27001 is the world’s best-known and widely exercised standard for Information Security Management Systems (ISMS). The annexure A, section 9 of ISO/IEC 27001, is all about access control procedures. The aim of Annex A.9 is to safeguard access to information and ensure that employees can only view information that’s relevant to their work.
Annexure A 9.4.2 Secure log-on Procedures
From Annexure A.9, we are focusing on section A 9.4.2, according to which
Access to systems and applications must be controlled by a secure log-on procedure to prove the identity of the user. This can go beyond the typical password approach into multi-factor authentication, biometrics, smart cards, and other means of encryption based on the risk being considered.
Secure log on should be designed so it cannot be easily circumvented and that any authentication information is transmitted and stored encrypted to prevent interception and misuse.
How PureAUTH helps with Annexure A 9.4.2
In this section we answer a few relevant questions that are part of ISO 27001 Standard’s questionnaire form, that can help our customers applying for similar standards.
ISO 27001/2 STANDARDS
Why it is needed
How PureAUTH helps
Do you adopt multi factor authentication (MFA) for secure user access?
Makes access controls more robust and enhances their effectiveness to verify a user’s identity.
Yes, PureAUTH is an authentication solution that uses multiple factors like cryptographic signatures & device fingerprints to securely identify user
Do you give all users unique login credentials?
Ensures that nobody can log on to the system without uniquely identifiable credentials.
Yes, the certificate or digital signatures are unique for every user and device fingerprint is unique for every device
Do you enforce the secure use of passwords and verify a person is the one claimed?
Strengthens unique network login credentials with context-aware access restrictions and user reminders which help verify that a person seeking access to the network and the information within is genuinely who they say they are.
Not Applicable for PureAUTH, as it is a passwordless authentication solution that uses cryptographic keys, certificates (digital signatures) to identify user
Do you restrict users from sharing logins?
Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices.
Yes, PureAUTH uses digital signatures embedded & paired to user’s personal device secured by further layer of device based authentication. This makes sharing of signatures with other user and using it from another device impossible.
Do you restrict network access on a job-role basis?
Enables the administrator to set granular access rights to different types of employees to ensure that they can only access the information they need to do their job.
Yes, PureAUTH supports policy based regulation of user access that considers user’s role, device risk and sensitivity of the application being accessed
Do you review network access for employees who change roles in the organisation?
Enables administrators to easily change access rights (permanently or temporarily) for individual users groups of users or organisational units.
Not Applicable, Authorisation is managed outside of the scope of PureAUTH
Do workstations automatically log users off the network following a period of inactivity?
Automatically logs off a session after a specific length of idle time to prevent unauthorised users accessing information from unattended workstations. What’s more UserLock can set authorised time frames for certain users’ access and force workstations to log off outside these hours.
Yes, PureAUTH supports Single Log Out (SLO) and respects the session timeouts enforced by respective applications
Why Choose PureAUTH
PureAUTH passwordless authentication solution is not only compliant with all leading (and upcoming) industry and regulatory standards, but is also the most secure authentication and access management platform. Some of its advantages over traditional Passwords & Multi Factor Authentication solutions are as follows
Risks
PureAUTH
Passwords + MFA
Phishing
Unaffected by Phishing
Vulnerable to Phishing attacks
Social Engineering
Unaffected by social engineering or insider attacks
Vulnerable to Social Engineering
Account Sharing
Not possible, compliant
Account sharing is possible
Admin/Tech Support
Completely self serviceable. No admin assistance or tech-support needed
Dependency on Admin, tech support for resetting of passwords and MFA device
Conclusion & further support
Just like Passwords and Two-factor or Multi Factor authentication systems, PureAUTH Passwordless authentication solution can be used to ensure secure access to the most sensitive information systems, applications, and programs like Engineering & Dev-Ops resources, security systems, VPNs, PAM solutions, SaaS services, cloud consoles, communication suites, CRM solutions etc.
For further information on compliance & certification, you can visit https://trust.pureid.io
The Security team of Jenkins announced 34 zero-day vulnerabilities in 24 of its plugins, which has rocked the world. The vulnerabilities range from XSS, stored-XSS, to passwords and token disclosures. The list of vulnerable plugins and overview of their impact can be found in this Bleeping Security article.
Jenkins 0 Days and its Impact
The various Jenikns’ plugins have varying impacts. Based on what plugin your organisation is using, it may see varying degrees of risk to its Jenkins setup and can result into compromise of its supply chain.
Here we are listing few common vulnerabilities and their impacts
Applying patches is the best and recommended way to fix vulnerabilities. In this incident, Jenkins is yet to provide fixes for many of the vulnerabilities and still remains a potentially risky, zero-day candidate.
Shodan project lists more than 150,000 sites running vulnerable Jenkins.
In absence of patches, disabling the vulnerabile plugins is the best option from the security side, but disastrous if it affects the organisation’s engineering processes.
In such cases we always recommend strong Passwordless authentication. Absence of credentials make most of the attacks irrelevant even in the presence of vulnerable plugins.
Better prepare for 0 Day attacks
You cannot stop 0-day attacks and cannot predict them coming. What helps is sticking to security basics and best practices. Other proactive things an organisation can do is to adopt Passwordless Authentication for its entire Software Engineering infrastructure.
Passwordless solutions like PureAUTH also contain the impact of session takeovers arising from token theft with the use of XSS, by enforcing convenient but regular logins.
Making your Software Engineering Infrastructure passwordless can contain the impact of 95% of such 0-day vulnerabilities without any security configuration change.
A critical vulnerability in Citrix’s Application Delivery Management (ADM) technology was reported & patched this week.
Tracked with CVE-2022-27511, Citrix reported that, if left unattended, exploitation of the vulnerability could enable remote attackers to reset admin passwords. (reference: Citrix ADM vulnerability)
Overview
Citrix ADM is a virtual appliance, that gives centralized management solution. It simplifies operations by providing administrators with enterprise-wide visibility and automating management jobs that are getting ran across multiple instances.
Citrix ADM is known to ship with a built-in admin account nsroot, with default credentials nsroot (reflecting its legay of NetScaler).
As a best practice, admins change the default passwords to restrict unauthorised access.
Citrix has documented various means to restore default admin password by resetting ADM node.
With the exploitation of CVE-2022-2751 vulnerability, an adversary can force Citrix-ADM to restore the nsroot account’s default credentials as a recovery measure from a system corruption, on the very next reboot.
The Problem
Right from network gears, management consoles, virtual appliances we have seen all systems being shipped with a root account with default credentials.
We have also witnessed that system restore option resoters the default credentials even if admins change them for security reasons.
This has been an industry standard practices from ages. With more options for authentication and evolving threat landscape its time industry should also evolve and change the way factory-default-restores support more secure (or hard to exploit) options.
Here are a few learnings from suh incidents that we can draw & work for better securing our systems.
Lession 1 : Restrict Remote Access by Default
By default remote access to admin accounts of devices/appliances should be restricted. Since restoration of default credentials at any time will make system vulnerable to unauthorised access.
Disabling the remote access as part of default setting triggered with restoration of default passwords can restrict the possibility of exploitation by a remote / external threat actor to a great extent.
This we can see very commonly in Ubuntu, a debian based system.
Extracts from /etc/ssh/sshd_config file from a Ubuntu 22.4
Lesson 2 : Federate Authentication
Its always better to maintain credentials at a centralised location. This consolidates and optimise the efforts to securely manage and protect them. This also reduces or eliminates the need for restoring the default credentials of devices.
Down side of this being the centralised credential store becomes a single point of failure for all your systems and appliances in your network. This leads to our third and final learning.
Lesson 3 : Eliminate Passwords
Moving away from password based authentication drastically reduces the attack surface of any enterprise. You can choose PKI / certificate based authentication for better security.
Adopting passwordless authentication goes long way in protecting your systems from unseen future vulnerabilities which might be triggered due to use of passwords or default credentials.
PureAUTH Identity and Trust Platform
Citrix ADM incident CVE-2022-27511 is an another example of the risks associated with passwords. Eliminating passwords using a true passwordless solution like PureAUTH protects organisations from future, unforeseen vulnerabilities.
To learn more, about how PureAUTH is used by various organisations to secure access to their assets and Build Trust in all relevant user actions, schedule a demo with us.
