Password theft – One of the easiest exploits for a cyber-criminal may be the one of the worst for the victim. The recent SolarWinds disaster (yes it is a disaster, not just hyperbola) began when a Russian cyber-ops group discovered the password to the SolarWinds update server was “protected” by the password SolarWinds123. This password is easily guessable and a terrible choice for a critical system such as an update server. With access to this update server, the Russian military was able to send malicious updates to thousands of SolarWinds subscribers that allowed them remote access of the SolarWinds controller systems. This got them deeper access into networks that used SolarWinds, including networks of our government and military. I think it is safe to assume that this is a world-wide cyber espionage and cyber-war attack not limited to just the Unites States.
So how do the bad guys get your passwords? There are several methods:
Guessing – Humans are predictable, and passwords are more easily guessable than you might think. A criminal could try password from a recent Top 25 or Top 100 password list. Or popular password formats using a Capital letter, a string of lower case letters, a number, and a symbol. The most popular number is 1. The most popular symbol is ! Another combination used in business environments where passwords are changed often is MonthYearSymbol of the last password change, such as December2020!
Phishing – Pick any issue of my Friday Phish Fry for examples of how clicking a link in a phishing email can take you to a fake login screen where the bad guys capture your password when you use it to “login” to their fake replica web page. This Wells Fargo exploit is my current favorite example. In addition to getting your log in credentials, they also collected a trove of personally identifiable information (PII) and a credit card number. The final step deposited the victim on the genuine Wells Fargo login page.
Keylogging – Another easy method using phishing emails is to send an attachment that has embedded malware. Opening the attachment (a PDF file, video, game, or music file) will install the malware. A keylogger is a type of malware that captures your keystrokes, everything you type including web addresses you visited and the user name and password combinations you used to log in. This is an easy way to capture ALL your frequently used passwords, not just one, as in the Well Fargo example. This includes email accounts (impersonation exploits and BEC), banking and financial accounts (money transfer), and e-commerce sites (shopping with your credit card).
Database Breaches – This happens when a website where you have an account is breached by an attacker and the password database is stolen. Then the passwords are cracked using high powered computers and brute force password cracking software freely available on the Internet. Not exactly your fault, but still your responsibility to change the affected password. How can you know where this has happened to you? Web site breaches where your email address (think user ID) has been stolen can be found using Troy Hunt’s Have I Been Pwned website.
Rainbow Tables – Once these stolen passwords have been cracked they are organized into a spreadsheet or searchable database called a Rainbow Table. These are sold on the dark web, and some places on the regular web, and makes finding your password match quick and easy.
Social Engineering – If you want something, just ask for it. Another easy way to get a password is by asking a series of questions, each one a little more specific, until you have all the information you need. This type of exploit happens over the phone or even in person. The caller might say they are “from IT” or from your Internet Service Provider, or “Microsoft Support.” The following YouTube video shows just how easy it is to walk up to a total stranger on the street and get them to reveal their passwords.
As we move into a new year, try to do a better job of securing your passwords, Your two best protective options are:
- Use two-factor authentication. This prevents someone with a stolen password from logging into any account secured with 2FA.
- Use a password manager to securely store your passwords, the answers to “secret questions” and to create site unique, long, random passwords of 20 characters.
- Thanksgiving Turkey Award – Worst Passwords of 2020
- Wells Fargo exploit
- Troy Hunt’s Have I Been Pwned website
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com