The Wages of Password Re-use: Your Money or Your Life

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom.

Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses.

The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it’s mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.

And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases posted online, it is often possible to work backwards from some of the more unique passwords for each account and see where else that password was used.

SWATTING THE FLY

Of all the stories I’ve written here over the last 11 years, probably the piece I get asked most to recount is the one about Sergey “Fly” Vovnenko, a Ukrainian man who in 2013 hatched and executed a plan to buy heroin off the dark web, ship it to our house and then spoof a call to the police from one of our neighbors saying we were dealing drugs.

Fly was the administrator of a Russian-language identity theft forum at the time, and as a secret lurker on his forum KrebsOnSecurity watched his plan unfold in real time. As I described in a 2019 story about an interview Fly gave to a Russian publication upon his release from a U.S. prison, his propensity for password re-use ultimately landed him in Italy’s worst prison for more than a year before he was extradited to face charges in America.

Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.

But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities.

Mistake number two was the password for his email account was the same as his cybercrime forum admin account. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.

Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.

POOR PASSWORDS AS GOOD OPSEC?

While it may sound unlikely that a guy so enmeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user.

Countless times over the years I’ve encountered huge tranches of valuable, dangerous data — like a botnet control panel or admin credentials for cybercrime forums — that were full of bad passwords, like password1 or 123qweasd (an incredibly common keyboard pattern password).

I suspect this may be because the nature of illicit activity online requires cybercrooks to create vast numbers of single- or brief-use accounts, and as such they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.

Regardless of their reasons or lack thereof for choosing poor passwords, it is fascinating that in terms of maintaining one’s operational security it actually benefits cybercriminals to use poor passwords in many situations.

For example, it is often the denizens of the cybercrime underground who pick crappy passwords for their forum accounts who end up doing their future selves a favor when the forum eventually gets hacked and its user database is posted online.

SOME ADVICE FOR EVERYONE

It really stinks that it’s mid-2021 and we’re still so reliant on passwords. But as long as that’s the case, I hope it’s clear that the smartest choice for all Internet users is to pick unique passwords for every site. The major Web browsers will now auto-suggest long, complex and unique passwords when users go to set up a new account somewhere online, and this is obviously the simplest way to achieve that goal.

Password managers are ideal for people who can’t break the habit of re-using passwords, because you only have to remember one (strong) master password to access all of your stored credentials.

If you don’t trust password managers and have trouble remembering complex passwords, consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember. Their main limitation is that countless sites still force you to add special characters and place arbitrary limits on password length possibilities.

Finally, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.

Further reading: Who’s Behind the GandCrab Ransomware?

XDR Data Retention | Making Sure Your XDR Platform Outlasts Your Adversaries

The very essence of an XDR platform is facilitating detection and response to persistent threats by collecting and analyzing data from different sources, with endpoints being the most dominant points of origin.

Collecting all the correct data, however, is only one part of the equation. Just as important is: how long will your data be available? Put another way, how important is it to be able to go back in time? And, indeed, how far back can you go?

While having a rich data supply is obviously a necessary condition for any effective XDR platform, the platform is only as good as the longevity of its data. Threat actors are patient adversaries, and your XDR platform needs to be able to out-wait your attackers. So, when it comes to data retention, just how long is long enough?

The Need for Data Retention

Here’s a typical statement from a Security Researcher about an incident he handled:

“I was working for a large multinational corporation at the time when we found we had Winnti in our network for over a year. We only found it because of a report that was released by a security vendor at the time, with IOCs.

We only kept logs for three months, and we had no idea when the attack began. Finally, we found VPN  login/location logs that were retained long enough that showed us a user was in the Middle East and logged out at the end of his workweek and that same night logged into the network from Africa.

After this incident, we purchased a SIEM and began planning for data retention. As often happens with SIEM projects, I left before that project was complete, and I’m not sure that even today they have more than a year worth of retention, as that company has 100Ks of end-point, which means A LOT of data.”

This is just one case, but it does hint that security teams often discover how much data retention they need only when they come face-to-face with threats that linger in their environments for long periods. For many of them, it’s a case of hindsight being 20/20.

Also, even large and resourceful corporations often choose not to invest in making sure they have the data they need for as long as they will need it.

The anonymous story above may remind readers of a recent chain of events  around one of the most concerning campaigns of recent years: SUNBURST.  After the attack was found, the related DNS calls published by CloudFlare showed that infections began as  early as April 2020 and took eight months to discover.

If you have data that is only kept for 30 days and were infected at the peak of the SUNBURST storm back in mid-April, how easy would it be to know if you were hit and contained the attack?

It might be tempting to think of these two cases as outliers. Surely, not all attacks are SUNBURST! But when we look at the aggregation done as part of the IBM Security Cost of a Data Breach Report 2020 report, statistics show 280 days average time to identify and contain a data breach. Using IBM’s words:

“Speed of containment can significantly impact breach costs, which can linger for years after the incident.”

Data Retention in the Cybersecurity Industry

Thus far, we’ve demonstrated that Data Retention is essential. But where does that rubber meet the road? Next we will take a look at what vendors in the industry offer. Are they doing the right thing and offering the data retention you need to reduce our risk?

Well, some will, and some… not really.

For example, some EDR vendors start you off with less than ten days of data by default. You can hunt threats, but only if they reside for a week in your systems. SUNBURST? catch it within a week from infection or wait until you are compromised.

Others don’t store all the data.

Upgrade if you want. Not exactly. The furthest you can go back with almost all vendors is 90 days – which as we saw is just not enough. To add insult to injury, it’s also quite commonly cost-prohibitive.

How Does Sentinelone Deal With This Topic?

Data is at the very heart of everything we do as a company. Training our AI models, Dynamic analysis of Storylines, and Singularity XDR, the industry’s leading solution to the problem raised here earlier – all use big-data to solve cybersecurity problems.

That’s why our very first acquisition was Scalyr, a leading big data analysis platform. With Scalyr at the core of our XDR platform, we will be able to absorb terabytes of data, storing them, and most importantly, provide customers with the tool to effectively search and analyze the data to enable the hunting of APTs.

SentinelOne Singularity XDR
See how SentinelOne XDR provides end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.

Our technology and platform enable SentinelOne to offer up to a full year of XDR data retention. Not just the malicious data, not some of the data – but ALL of it. Moreover, accessing the oldest data point is done in exactly the same way as accessing something that happened yesterday.

There are also multiple other parts of our platform that align with our data-centric approach.

One of these is Binary Vault: making executable files, malicious or benign, available in singularity for you to download for further or future analysis.

Conclusion

At the end of the day, in a world that is becoming dominated by AI, cybersecurity becomes more and more reliant on big data.  As security and risk management professionals, it is our duty to make sure we got all the data we need, even if it is not always convenient for the vendor to retain it for us, in an observable format that will help us react faster to the next attack.

If you would like to know more about data retention or any other capabilities that make up the Singularity Platform, contact us or request a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Dell dumps another big asset, moving Boomi to Francisco Partners and TPG for $4B

It’s widely known that Dell has a debt problem left over from its massive acquisition of EMC in 2016, and it seems to be moving this year to eliminate part of it in multi-billion-dollar chunks. The first step was spinning out VMware as a separate company last month, a move expected to net close to $10 billion.

The second step, long expected, finally dropped last night when the company announced it was selling Boomi to a couple of private equity firms for $4 billion. Francisco Partners is joining forces with TPG to make the deal to buy the integration platform.

Boomi is not unlike MuleSoft, a company that Salesforce purchased in 2018 for $6.5 billion, although a bit longer in the tooth. They both help companies with integration problems by creating connections between disparate systems. With so many pieces in place from various acquisitions over the years, it seems like a highly useful asset for Dell to help pull these pieces together and make them work, but the cash is trumping that need.

Providing integration services is a growing requirement as companies look for ways to make better use of data locked in siloed systems. Boomi could help, and that’s one of the primary reasons for the acquisition, according to Francisco executives.

“The ability to integrate and connect data and workflows across any combination of applications or domains is a critical business capability, and we strongly believe that Boomi is well positioned to help companies of all sizes turn data into their most valuable asset,” Francisco CEO Dipanjan Deb and partner Brian Decker said in a statement.

As you would expect, Boomi’s CEO Chris McNabb put a positive spin on the deal about how his new bosses were going to fuel growth for his company. “By partnering with two tier-one investment firms like Francisco Partners and TPG, we can accelerate our ability for our customers to use data to drive competitive advantage. In this next phase of growth, Boomi will be in a position of strength to further advance our innovation and market trajectory while delivering even more value to our customers,” McNabb said in a statement.

All of this may have some truth to it, but the company goes from being part of a large amorphous corporation to getting absorbed in the machinery of two private equity firms. What happens next is hard to say.

The company was founded in 2000, and sold to Dell in 2010. Today, it has 15,000 customer, but Dell’s debt has been well documented, and when you string together a couple of multi-billion-dollar deals as Dell has recently, pretty soon you’re talking real money. While the company has not stated it will explicitly use the proceeds of this deal to pay off debt as it did with the VMware announcement, it stands to reason that this will be the case.

The deal is expected to close later this year, although it will have to pass the typical regulatory scrutiny prior to that.

Analytics as a service: Why more enterprises should consider outsourcing

With an increasing number of enterprise systems, growing teams, a rising proliferation of the web and multiple digital initiatives, companies of all sizes are creating loads of data every day. This data contains excellent business insights and immense opportunities, but it has become impossible for companies to derive actionable insights from this data consistently due to its sheer volume.

According to Verified Market Research, the analytics-as-a-service (AaaS) market is expected to grow to $101.29 billion by 2026. Organizations that have not started on their analytics journey or are spending scarce data engineer resources to resolve issues with analytics implementations are not identifying actionable data insights. Through AaaS, managed services providers (MSPs) can help organizations get started on their analytics journey immediately without extravagant capital investment.

MSPs can take ownership of the company’s immediate data analytics needs, resolve ongoing challenges and integrate new data sources to manage dashboard visualizations, reporting and predictive modeling — enabling companies to make data-driven decisions every day.

AaaS could come bundled with multiple business-intelligence-related services. Primarily, the service includes (1) services for data warehouses; (2) services for visualizations and reports; and (3) services for predictive analytics, artificial intelligence (AI) and machine learning (ML). When a company partners with an MSP for analytics as a service, organizations are able to tap into business intelligence easily, instantly and at a lower cost of ownership than doing it in-house. This empowers the enterprise to focus on delivering better customer experiences, be unencumbered with decision-making and build data-driven strategies.

Organizations that have not started on their analytics journey or are spending scarce data engineer resources to resolve issues with analytics implementations are not identifying actionable data insights.

In today’s world, where customers value experiences over transactions, AaaS helps businesses dig deeper into their psyche and tap insights to build long-term winning strategies. It also enables enterprises to forecast and predict business trends by looking at their data and allows employees at every level to make informed decisions.