The Akamai Blog

Data Breaches and Credential Stuffing: Don't Get TKOd

It has been a very rough month for the information security community.  It feels like we've been on the losing end of a championship fight against Floyd Mayweather. 

The body shots started with Equifax (https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628) and continued with attacks on the US Government (https://www.sec.gov/news/press-release/2017-170). The assault included a couple of combination shots as Equifax expanded the scope of their breach by adding millions of additional impacted accounts and as reports emerged that this was not the first breach for Equifax in 2017.

Then came a left hook when Yahoo (https://help.yahoo.com/kb/account/SLN28451.html?impressions=true) told users that the breach previously described as impacting only ~1 billion users in fact impacted all ~3 billion Yahoo accounts. It should be noted that Yahoo suffered several breaches, but this week's announcement is not a fresh breach. Rather, Yahoo's investigation has concluded that the previous breaches were larger than previously suspected, and the company is now disclosing those details.

Yahoo's disclosures have explained that the billions of user passwords were hashed with MD5 and apparently were not salted, making it much easier and less expensive for an adversary to recover the passwords in plain text.

Why it Matters: Account Takeover Attacks (ATO)

Based on data collected by Akamai's Cloud Security Intelligence big data platform, the most common task assigned to botnets on the public internet is Credential Stuffing. Botnets responsible for Credential Stuffing are more than an order of magnitude larger than the botnets, like Mirai (https://www.akamai.com/us/en/about/our-thinking/threat-advisories/akamai-mirai-botnet-threat-advisory.jsp), that power large DNS attacks. Credential Stuffing is the mass-scale automated testing of username/password combinations across multiple websites. When successful matches are discovered, attackers use these logins to take over the account for fraud or resell the confirmed credentials to others to commit fraud.

The engine used for Credential Stuffing attacks is composed of several components. The first is the bot or bot framework driving the account brute force attempts. This could be something as simple as Sentry MBA, a full-service tool, or it could be bespoke tooling used by more sophisticated attackers. In an attempt to avoid detection, attackers typically employ vast networks of proxy servers to pass along requests to the target. This allows them to keep the average request rate from a given IP to a specific target below 1 per hour. Akamai's researchers discovered that attackers are using a vulnerability in many IoT devices to amass these networks of proxy servers (https://blogs.akamai.com/2016/10/when-things-attack.html).
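Because each proxy IP stays under any sensible per-IP threshold, detection has to look at the aggregate shape of login traffic instead. The following is an added example, not Akamai's detection logic: the event tuple layout, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

WINDOW = 3600  # one-hour buckets, in seconds

def per_ip_offenders(events, limit=5):
    """Classic per-IP rate limit: IPs with more than `limit` attempts in a window."""
    counts = Counter((ts // WINDOW, ip) for ts, ip, _user, _ok in events)
    return sorted({ip for (_w, ip), n in counts.items() if n > limit})

def stuffing_windows(events, min_attempts=100, min_fail_ratio=0.8,
                     min_user_spread=0.8, max_per_ip=2.0):
    """Flag windows whose aggregate shape matches distributed credential testing:
    many attempts, mostly failures, almost every attempt for a different
    username, spread thinly across source IPs. Thresholds are illustrative."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // WINDOW].append((ip, user, ok))
    flagged = []
    for window, rows in sorted(buckets.items()):
        n = len(rows)
        if n < min_attempts:
            continue
        fail_ratio = sum(1 for _ip, _u, ok in rows if not ok) / n
        user_spread = len({u for _ip, u, _ok in rows}) / n
        per_ip = n / len({ip for ip, _u, _ok in rows})
        if (fail_ratio >= min_fail_ratio and user_spread >= min_user_spread
                and per_ip <= max_per_ip):
            flagged.append({"window": window, "attempts": n,
                            "fail_ratio": round(fail_ratio, 2),
                            "user_spread": round(user_spread, 2),
                            "per_ip": round(per_ip, 2)})
    return flagged

def sample_events():
    """Constructed login events: (epoch_seconds, source_ip, username, success)."""
    events = []
    for hour in (0, 1):  # 40 ordinary users per hour, one failed login in ten
        for i in range(40):
            events.append((hour * WINDOW + i * 60, f"198.51.100.{i}",
                           f"user{i}", i % 10 != 0))
    for i in range(300):  # hour 1: one attempt per proxy IP, one per username
        events.append((WINDOW + i * 12, f"10.9.{i // 250}.{i % 250 + 1}",
                       f"victim{i}", i % 100 == 0))
    return events

if __name__ == "__main__":
    print(per_ip_offenders(sample_events()))
    print(stuffing_windows(sample_events()))
```

On the constructed data the per-IP limiter reports nothing, while the aggregate check flags only the hour containing the distributed campaign.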

If these tools and botnets are the engines for ATO/Credential Stuffing, then spilled user credentials like we have seen with the Yahoo breaches are the fuel that powers the engine. Three billion user credentials being spilled in this breach certainly provides a huge volume of fuel for the Credential Stuffing engines. It is estimated that more than 50% of users reuse the same password across most or all sites they visit. I've spoken to several Security/Fraud teams that have confirmed that they've seen huge batches of @yahoo credentials used in credential stuffing attack campaigns.

Be Proactive: Steps You Can Take to Protect Yourself and Your Data

Suggestions for Consumers/End Users:

  • Realize that disclosures about breaches are often delayed, potentially for years.

  • Assume credentials you've used for login on the internet for longer than a few weeks have been compromised and change them.

  • Akamai recommends regularly rotating passwords and using unique passwords for each site you visit.   

Suggestions for Website Owners:

  • The most frequent botnet-driven attack that Akamai's security big data analytics platform observes on the internet is Credential Stuffing, the first stage of Account Takeover Attacks.

  • Spilled credentials, like those from the Yahoo! breach, add fresh fuel for attackers. They'll try these credentials on numerous sites, looking to exploit users who've re-used their credentials.

  • Website admins should exercise best practices when storing user credentials.
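As an added example of what credential-storage best practice can look like in contrast to the unsalted MD5 described earlier (not code from Akamai or Yahoo): a per-user random salt with the memory-hard scrypt KDF from Python's standard library, plus a login path that upgrades legacy MD5 records. The record format, the cost parameters and the `store` dictionary standing in for a user database are assumptions.

```python
import hashlib
import hmac
import os

# Assumed cost parameters; tune them to your own hardware and latency budget.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """The weak scheme: unsalted MD5, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Per-user random salt plus a memory-hard KDF (record format is assumed)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Verify a login; a legacy MD5 record is replaced with a salted scrypt
    record the first time the correct password is presented."""
    record = store.get(user)
    if record is None:
        return False
    if record.startswith("scrypt$"):
        return verify_password(password, record)
    if hmac.compare_digest(legacy_md5(password), record):
        store[user] = hash_password(password)
        return True
    return False

if __name__ == "__main__":
    store = {"alice": legacy_md5("constructed-sample-pw")}  # constructed data
    print(login_and_upgrade(store, "alice", "constructed-sample-pw"))
    print(store["alice"].split("$")[0])
```

Records for accounts that never log in again stay in the legacy format, so a migration like this is usually paired with a forced reset for dormant accounts.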

Learn More: Exclusively at Akamai EDGE 2017

I'm excited to be moderating a Credential Stuffing panel with Security and Fraud Executives from Visa, Fidelity, Sony, and Nordstrom in Floyd Mayweather's hometown of Las Vegas at Akamai Edge on Wednesday, October 11th at 3:40pm (https://edge.akamai.com/ec/us/sessions-training/session-schedule.jsp). We won't talk about the Yahoo breaches specifically during this session. We will hear from top industry experts about the fallout from breaches like Yahoo!'s, where millions or billions of credentials are spilled, and discuss how that drives Credential Stuffing/Account Takeover. The expert panel will discuss strategies for defending against Credential Stuffing and discuss how they see these attacks evolving over time.