7 Ways Hackers Steal Your Passwords

One way or another, passwords are always in the news. They’re either being stolen in data breaches, or mocked for being too simple; derided as pointless, or lamented for being technologically backward. No matter what opinion any of us have on passwords, though, one thing is indisputable: we’re going to be using them today, tomorrow and for the foreseeable future. Unlike touch or facial recognition technologies, passwords are used everywhere because they’re cheap to implement and simple to use. For end users, they are as low-tech as security tech ever gets. Of course, that ubiquity and simplicity is precisely what makes passwords attractive to thieves. In this post, we take a look at how hackers steal our passwords and what we can do to stop them.

1. Credential Stuffing

Risk Level: High

It is estimated that tens of millions of accounts are tested daily by hackers using credential stuffing.

What Is It?

Credential stuffing, also known as list cleaning and breach replay, is a means of testing databases or lists of stolen credentials – i.e., passwords and user names – against multiple accounts to see if there’s a match.

How Does It Work?

Sites with poor security are breached on a regular basis, and thieves actively target dumping user credentials from such sites so that they can sell them on the dark net or underground forums. As many users will use the same password across different sites, criminals have a statistically good chance of finding that user janedoe@somesite.net has used the same password on janedoe@anothersite.com. Tools to automate the testing of a list of stolen credentials across multiple sites allow hackers to quickly breach new accounts even on sites that practice good security and password hygiene.

How Can You Stay Safe?

The key to not becoming a victim of credential stuffing is simple: every password for every site should be unique. Of course, that won’t prevent your password being stolen for one account on a site with poor security, but it does mean that any one compromise of your credentials will not affect you anywhere else on the internet. If you’re gasping at the thought of creating and remembering unique passwords for every site you use, see our Tips section near the end of the post.

2. Phishing

Risk Level: High

Over 70% of all cybercrimes begin with a phishing or spear-phishing attack. Hackers love to use phishing techniques to steal user credentials, either for their own use, or more commonly to sell to criminals on the dark net.

What Is It?

Phishing is a social engineering technique that attempts to trick users into supplying their credentials to what they believe is a genuine request from a legitimate site or vendor.

How Does It Work?

Typically, but not always, phishing occurs through emails that either contain fraudulent links to cloned websites or a malicious attachment. Somewhere along the chain of events that begins with the user taking the bait, the fraudsters will present a fake login form to steal the user’s login name and password. Fraudsters will also use some form of interception between a user and a genuine sign-in page, such as a man-in-the-middle attack to steal credentials.

How Can You Stay Safe?

Use two-factor or multi-factor authentication. Although researchers have developed tricks to overcome these, in-the-wild cases are yet to be reported. Caution is your number one defense against phishing. Ignore requests to sign in to services from email links, and always go directly to the vendor’s site in your browser. Check emails that contain attachments carefully. The majority of phishing emails contain misspellings or other errors that are not difficult to find if you take a moment to inspect the message carefully.

A fake Spotify phishing subscription confirmation from the app store

3. Password Spraying

Risk Level: High

It’s been estimated that perhaps 16% of attacks on passwords come from password spraying attacks.

What Is It?

Password spraying is a technique that attempts to use a list of commonly used passwords, such as 123456, password123, 1qaz2wsx, letmein, batman and others, against a user account name.

How Does It Work?

Somewhat like credential stuffing, the basic idea behind password spraying is to take a list of user accounts and test them against a list of passwords. The difference is that with credential stuffing, the passwords are all known passwords for particular users. Password spraying is more blunt. The fraudster has a list of usernames, but no idea of the actual password. Instead, each username is tested against a list of the most commonly used passwords. This may be the top 5, 10 or 100, depending on how much time and resources the attacker has. Most sites will detect repeated password attempts from the same IP, so the attacker needs to use multiple IPs to extend the number of passwords they can try before being detected.

How Can You Stay Safe?

Ensure your password is not in the list of top 100 most commonly used passwords.

Top 5 popular passwords by year according to SplashData

4. Keylogging

Risk Level: Medium

Keylogging is often a technique used in targeted attacks, in which the hacker either knows the victim (spouse, colleague, relative) or is particularly interested in the victim (corporate or nation state espionage).

What Is It?

Keyloggers record the strokes you type on the keyboard and can be a particularly effective means of obtaining credentials for things like online bank accounts, crypto wallets and other logins with secure forms.

How Does It Work?

Keylogging is more difficult to pull off than Credential Stuffing, Phishing and Password Spraying because it first requires access to, or compromise of, the victim’s machine with keylogging malware. That said, there are lots of publicly available post-exploitation kits that offer attackers off-the-shelf keyloggers, as well as commercial spyware tools supposedly for parental or employee monitoring.

How Can You Stay Safe?

You need to be running a good security solution that can detect keylogging infections and activity. This is one of the few kinds of password theft techniques where the strength or uniqueness of your password really makes no difference. What counts is how well your endpoint is secured against infection, and whether your security software can also detect malicious activity if the malware finds a way past its protection features.

5. Brute Force

Risk Level: Low

Surprisingly not as prevalent as people tend to think, brute forcing passwords is difficult, time-consuming and expensive for criminals.

What Is It?

It’s the kind of thing that security researchers like to write about, or which you might see in TV shows: a hacker runs an algorithm against an encrypted password and in 3…2…1… the algorithm cracks the password and reveals it in plain text.

How Does It Work?

There are plenty of tools like “Aircrack-ng”, “John The Ripper”, and “DaveGrohl” that attempt to brute force passwords. There are generally two kinds of cracking available. The first is some form of “dictionary” attack – so called because the attacker just tries every word in the dictionary as the password. Programs like those mentioned above can run through and test an entire dictionary in a matter of seconds. The other type of technique is used when the hacker has (through means of a data breach) acquired the hash of the plain-text password. Since these can’t be reversed, the aim is to hash as many plain-text passwords as possible and try to find a match. Rainbow tables exist which list the hashes of common passphrases to speed up this process.

One of the reasons why password cracking is not as viable a technique as some of the others we’ve mentioned is that encrypted passwords typically use a salt. This is some random data used in the encryption process that ensures no two plain-text passwords will produce the same hash. However, mistakes made by site administrators when using or storing salts and passwords can make it possible for some encrypted passwords to be cracked.

How Can You Stay Safe?

The key to staying safe from brute force attacks is to ensure you use passwords of sufficient length. Anything 16 characters or over should be sufficient given current technology, but ideally future-proof yourself by using a passphrase that is as long as the maximum allowed by the service that you’re signing up to. Avoid using any service that doesn’t let you create a password longer than 8 or 10 characters. Worried about how you’d remember a super long password? See the Tips section below.
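The two defenses in this post that a service can enforce on its own side are a common-password check (section 3) and salted, slow hashing with a minimum length (sections 5 and 6). The code below is an added example and not from the original post; the common-password list is a constructed stand-in for the “top 100” list the post refers to, and the PBKDF2 iteration count is an assumed work factor. It shows the property a salt actually provides: two users with the same password get unrelated hashes, and a precomputed table built without the salt does not match either of them.

```python
"""Password policy check and salted, iterated password hashing (added example).

check_password   : rejects common passwords and passwords shorter than 16 chars.
hash_password    : PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
verify_password  : recomputes with the stored salt, constant-time comparison.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a breach-derived common-password list.
COMMON_PASSWORDS = {
    "123456", "password", "password123", "1qaz2wsx",
    "letmein", "batman", "qwerty", "iloveyou",
}

MIN_LENGTH = 16            # the length the post recommends
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms on your hardware


def check_password(candidate):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt is generated unless one is passed explicitly (useful
    only for tests); never reuse a salt across users in real code.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time so a timing side channel does not leak matching bytes."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_different_hash(password):
    """True when two stored records for the same password differ (because the
    salts differ) while both still verify: the point of salting."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        print(pw, "->", check_password(pw) or "ok")
    print("salted hashes differ:", same_password_different_hash("same secret phrase"))
```

Without the salt, every user who chose `password123` would share one hash and a single precomputed table would crack all of them at once; with it, the attacker has to redo the full iterated computation per user, which is exactly the cost the post describes as making brute force unattractive.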

6. Local Discovery

Risk Level: Low

Mostly a technique that would only be used in a targeted attack, either by a known acquaintance, relative, colleague or law enforcement.

What Is It?

Local discovery occurs when you write down or use your password somewhere where it can be seen in plain text. The attacker finds the password and uses it, often without your knowledge that the password has been leaked.

How Does It Work?

You’ve seen those movies where the cops go through the bad guy’s trash for clues as to what he’s been up to? Yep, dumpster diving is one valid way of gaining a password through local discovery. Do you have a Post-It note on the monitor, or a diary in the desk drawer with your PayPal credentials? There are more covert means of local discovery though, including sniffing Bluetooth communications or finding plain text passwords in logs or URLs. Shoulder-surfing is not unknown, too. That can be anything from a colleague surreptitiously hanging around behind your desk when you log in, to CCTV in coffee shops and other public areas that could capture video of users as they type their login credentials into a website on their laptops.

How Can You Stay Safe?

There’s no need to be paranoid, but do exercise the proper amount of caution. While the risk is low in general, if you make yourself the low-hanging fruit by leaving easily discoverable records of your password lying around, don’t be surprised if someone takes advantage of that.

7. Extortion

Risk Level: Low

Probably lowest on the risk scale, but not unheard of.

What Is It?

Somebody demands you give them your credentials. No subterfuge involved. The deal is you give up your password or they do something you won’t like.

How Does It Work?

Straightforward blackmail technique that depends on the nature of the relationship between the attacker and the target. Someone may demand your password if they have the means to harm or embarrass you if you don’t comply, such as revealing sensitive information, images or videos about you, or threatening the physical safety of yourself or your loved ones. RAT malware that lets hackers spy on you through a webcam can expose you to this kind of extortion.

image of remote access trojan malware

How Can You Stay Safe?

As ransomware victims are finding out on an almost daily basis, there’s no rule book for how to deal with extortion demands. It’s a trade off between the value of what they want versus the value of the harm they could do. Be aware that in some jurisdictions and in certain circumstances, giving in to an extortion demand could make you liable to prosecution under the law.

Do Passwords Matter?

Some think not, but yes they do. Strong passwords will protect you from techniques like password spraying and brute force attacks, while unique passwords will protect you from credential stuffing, ensuring that the damage caused by a leak on one site will not negatively impact you elsewhere.

Tips For Creating Strong, Unique Passwords

One of the main reasons why Credential Stuffing and Password Spraying are so successful is because people don’t like creating and remembering complex passwords. The good news – which really shouldn’t be news as it’s been true for quite some time – is that password managers will save you the effort. These are readily available and some browsers even have password suggestions built in. Of course, it’s true that these are not foolproof. They typically rely on a master password that, if compromised, exposes all the eggs in your single basket. However, the chances of being a victim of password theft if you use a password manager are significantly lower compared to if you don’t. We suggest the benefits of password managers hugely outweigh the risks, and we highly recommend them as a basic Security 101 practice.

image of a password manager

Conclusion

Passwords aren’t going away any time soon, and there are even good arguments to suggest that they shouldn’t. While biometric data, facial and fingerprint scanning all have a role in helping secure access to services, the one overriding beauty of a password is it’s the “something you know” and not the “something you have”. The latter can be taken away from you, in some cases legally, but the former cannot, so long as you ensure that it’s sufficiently complex, unique and secret. Combine that with two-factor or multi-factor authentication and your chances of suffering data loss through password hacking are both extremely low and – importantly – highly limited. If an insecure site does leak your credentials, you can be confident that it won’t affect you beyond that particular service.


Alibaba to help Salesforce localize and sell in China

Salesforce, the 20-year-old leader in customer relationship management (CRM) tools, is making a foray into Asia by working with one of the country’s largest tech firms, Alibaba.

Alibaba will be the exclusive provider of Salesforce to enterprise customers in mainland China, Hong Kong, Macau, and Taiwan, and Salesforce will become the exclusive enterprise CRM software suite sold by Alibaba, the companies announced on Thursday.

The Chinese internet has for years been dominated by consumer-facing services such as Tencent’s WeChat messenger and Alibaba’s Taobao marketplace, but enterprise software is starting to garner strong interest from businesses and investors. Workflow automation startup Laiye, for example, recently closed a $35 million funding round led by Cathay Innovation, a growth-stage fund that believes “enterprise software is about to grow rapidly” in China.

The partners have something to gain from each other. Alibaba does not have a Salesforce equivalent serving the raft of small-and-medium businesses selling through its e-commerce marketplaces or using its cloud computing services, so the alliance with the American cloud behemoth will fill that gap.

On the other hand, Salesforce will gain sales avenues in China through Alibaba, whose cloud infrastructure and data platform will help the American firm “offer localized solutions and better serve its multinational customers,” said Ken Shen, vice president of Alibaba Cloud Intelligence, in a statement.

“More and more of our multinational customers are asking us to support them wherever they do business around the world. That’s why today Salesforce announced a strategic partnership with Alibaba,” said Salesforce in a statement.

Overall, only about 10% of Salesforce revenues in the three months ended April 30 originated from Asia, compared to 20% from Europe and 70% from the Americas.

Besides gaining client acquisition channels, the tie-up also enables Salesforce to store its China-based data at Alibaba Cloud. China requires all overseas companies to work with a domestic firm in processing and storing data sourced from Chinese users.

“The partnership ensures that customers of Salesforce that have operations in the Greater China area will have exclusive access to a locally-hosted version of Salesforce from Alibaba Cloud, who understands local business, culture and regulations,” an Alibaba spokesperson told TechCrunch.

Cloud has been an important growth vertical at Alibaba and nabbing a heavyweight ally will only strengthen its foothold as China’s biggest cloud service provider. Salesforce made some headway in Asia last December when it set up a $100 million fund to invest in Japanese enterprise startups and the latest partnership with Alibaba will see the San Francisco-based firm actually go after customers in Asia.

Revolut tweaks business accounts with new pricing structure

Fintech startup Revolut announced changes to its business accounts this week. The good news is that if you were thinking about trying Revolut for your business needs, it’s now cheaper to get started. But there are some limits.

While Revolut is better known for its regular consumer accounts that let you receive, send and spend money all around the world, the company has been offering business accounts for a couple of years.

The main advantage of Revolut for Business is that you can hold multiple currencies. If you work with clients or suppliers in other countries, you can exchange money and send it to your partners directly from Revolut’s interface.

The company also lets you issue prepaid corporate cards and track expenses. Revolut for Business also has an API so you can automate payments and connect with third-party services, such as Xero, Slack and Zapier.

None of this is changing today. Revolut is mostly tweaking the pricing structure.

Previously, you had to pay £25 per month to access the service with a £100,000 top-up limit per month. Bigger companies had to pay more to raise that ceiling.

Now, Revolut is moving a bit more toward a software-as-a-service approach. Instead of making you pay more to receive and hold more money, you pay more as your team gets bigger and you use Revolut for Business more intensively.

The basic plan is free with two team members, five free local transfers per month and 0.4% in foreign exchange fees. If you want to add more team members or initiate more transfers, you pay some small fees.

If you were paying £25 before, you can now top up as much money as you want in your Revolut account, but there are some limits when it comes to team members (10), local transfers (100 per month) and international transfers (10 per month, interbank exchange rate up to £10,000).

Once again, going over the limits doesn’t necessarily mean that you need to change to a new plan. You’ll pay £0.20 per extra local transfer, £3 per extra international transfer, etc.

Here’s a full breakdown of the new plans:

If you’re a freelancer, there’s now a free plan. You’ll pay 0.4% on foreign exchange and £3 per international transfer, but there’s no top-up limit anymore.

Similarly, the old £7 plan for freelancers has been replaced by a new £7 plan that removes the limit on inbound transfers but adds some limits on transfers.

It’s good news if you’re a small customer. But if you vastly exceed the transfer limit in one of the categories, you might pay more than before. With this change, the company wanted to make Revolut for Business more accessible instead of making small customers subsidize bigger customers with high entry pricing.

Existing customers can switch to a new plan starting today. Revolut plans to switch everyone to the new plans on October 1st, 2019.

Neo-Nazi SWATters Target Dozens of Journalists

Nearly three dozen journalists at a broad range of major publications have been targeted by a far-right group that maintains a Deep Web database listing the personal information of people who threaten their views. This group specializes in encouraging others to harass those targeted by their ire, and has claimed responsibility for dozens of bomb threats and “swatting” incidents, where police are tricked into visiting potentially deadly force on the target’s address.

At issue is a site called the “Doxbin,” which hosts the names, addresses, phone number and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family.

A significant number of the 400+ entries on the Doxbin are for journalists (32 at last count, including Yours Truly), although the curators of Doxbin have targeted everyone from federal judges to executives at major corporations. In January 2019, the group behind Doxbin claimed responsibility for doxing and swatting a top Facebook executive.

At least two of the journalists listed on the Doxbin have been swatted in the past six months, including Pulitzer prize winning columnist Leonard G. Pitts Jr.

In some cases, as in the entries for reporters from CNN, Politico, ProPublica and Vox, no reason is mentioned for their inclusion. But in many others, the explanation seems connected to stories the journalist has published dealing with race or the anti-fascist (antifa) movement.

“Anti-white race/politics writer,” reads the note next to Pitts’ entry in the Doxbin.

Many of those listed on the site soon find themselves on the receiving end of extended threats and harassment. Carey Holzman, a computer technician who runs a YouTube channel on repairing and modding computers, was swatted in January, at about the same time his personal information showed up on the Doxbin.

More recently, his tormentors started calling his mobile phone at all hours of the night, threatening to hire a hit man to kill him. They even promised to have drugs ordered off the Dark Web and sent to his home, as part of a plan to get him arrested for drug possession.

“They said they were going to send me three grams of cocaine,” Holzman told KrebsOnSecurity.

Sure enough, earlier this month a small vial of white powder arrived via the U.S. Postal Service. Holzman said he didn’t open the vial, but instead handed it over to the local police for testing.

On the bright side, Holzman said, he is now on a first-name basis with some of the local police, which isn’t a bad idea for anyone who is being threatened with swatting attacks.

“When I told one officer who came out to my house that they threatened to send me drugs, he said ‘Okay, well just let me know when the cocaine arrives,’” Holzman recalled. “It was pretty funny because the other responding officer approached us and only caught the last thing his partner said, and suddenly looked at the other officer with deadly seriousness.”

The Doxbin is tied to an open IRC chat channel in which the core members discuss alt-right and racist tropes, doxing and swatting people, and posting videos or audio news recordings of their attacks.

The individual who appears to maintain the Doxbin is a fixture of this IRC channel, and he’s stated that he also was responsible for maintaining SiegeCulture, a white supremacist Web site that glorifies the writings of neo-Nazi James Mason.

Mason’s various written works call on followers to start a violent race war in the United States. Those works have become the de facto bible for the Atomwaffen Division, an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017.

Courtney Radsch, advocacy director at the nonprofit Committee to Protect Journalists, said lists that single out journalists for harassment unfortunately are not uncommon.

“We saw in the Ukraine, for example, there were lists of journalists compiled that led to harassment and threats against reporters there,” Radsch said. “We saw it in Malta where there were reports that the prime minister was part of a secret Facebook group used to coordinate harassment campaigns against a journalist who was later murdered. And we’ve seen the American government — the Customs and Border Protection — compiling lists of reporters and activists who’ve been singled out for questioning.”

Radsch said when CPJ became aware that the personal information of several journalists was listed on a doxing site, they reached out and provided information on relevant safety resources.

“It does seem that some of these campaigns by extremist groups are being coordinated in secret chat groups or dark web forums, where they can talk about the messaging before they bring it out into the public sphere,” she said.

In some ways, the Doxbin represents a far more extreme version of Exposed[.]su, a site erected briefly in 2013 by a gang of online hoodlums that doxed and swatted celebrities and public figures. The core members of that group were later arrested and charged with various crimes — including numerous swatting attacks.

One of the men in that group — convicted serial swatter and stalker Mir Islam — was arrested last year in the Philippines and charged with murder after he and an associate allegedly dumped the body of a friend in a local river.

Swatting attacks can quickly turn deadly. In March 2019, 26-year-old serial swatter Tyler Barriss was sentenced to 20 years in prison for making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident.

My hope is that law enforcement officials can shut down this Doxbin gang before someone else gets killed.

Once Again, SentinelOne Recognized on CRN’s 2019 Emerging Vendors List

As one of the youngest next-generation endpoint security vendors, SentinelOne has well over 2,500 customers, 300% growth year-on-year, 217% YoY growth in ARR, 140% YoY growth in Fortune 500 bookings and 3 of the Fortune 10 sold and deployed over the past 12 months. But we won’t stop there…

We are pleased to announce that CRN® has named SentinelOne to its 2019 Emerging Vendors list in the security category. CRN’s 2019 Emerging Vendors list recognizes new, rapidly growing vendors that are making significant IT channel contributions. It honors groundbreaking vendors that provide sophisticated technology to drive channel growth — and remain committed to ongoing innovation to shape the channel for years to come. 

SentinelOne operates in a rapidly changing environment, where cybercriminals are constantly enhancing their capabilities and are still successfully compromising too many enterprises. To meet these challenges, more and more organizations are realizing traditional solutions cannot cope with such emerging risks. SentinelOne solves this problem for the enterprise by providing next-generation protection to all endpoint types (Windows, macOS, and Linux) and visibility across your assets, including IoT devices, cloud workloads, and servers, which represents a new and lucrative attack vector.

We are experiencing 70%+ proof of concept win rates across all next-gen and legacy AV vendors on a global scale. We also recently announced in June that we raised $120 million in Series D funding led by Insight Partners, with participation from Samsung Venture Investment Corporation, NextEquity, and previous investors, bringing our total funding to more than $230M.

We are continuing to actively defend enterprise attack surfaces using the cloud, allowing enterprises to gain unprecedented visibility across their network with data from each endpoint. The end result is our solution for today and tomorrow’s attacks and rich data visibility that was never possible before – all thanks to the cloud.

This award underscores our overall strategy and focuses on innovation in cybersecurity product development, as well as a strong commitment to delivering disruptive endpoint security offerings through a vibrant channel of solution providers.

The Emerging Vendors list will be featured in the August 2019 issue of CRN Magazine and online at www.CRN.com/EmergingVendors

Buy a demo table at TC Sessions: Enterprise 2019

Early-stage enterprise startup founders listen up. That sound you hear is opportunity knocking. Answer the call, open the door and join us for TC Sessions: Enterprise on September 5 in San Francisco. Our day-long conference not only explores the promises and challenges of this $500 billion market, it also provides an opportunity for unparalleled exposure.

How’s that? Buy a Startup Demo Package and showcase your genius to more than 1,000 of the most influential enterprise founders, investors, movers and shakers. This event features the enterprise software world’s heaviest hitters. People like SAP CEO Bill McDermott; Aaron Levie, Box co-founder, chairman and CEO; and George Brady, executive VP in charge of technology operations at Capital One.

Demo tables are reserved for startups with less than $3 million, cost $2,000 and include four tickets to the event. We have a limited number of demo tables available, so don’t wait to introduce your startup to this very targeted audience.

The entire day is a full-on deep dive into the big challenges, hot topics and potential promise facing enterprise companies today. Forget the hype. TechCrunch editors will interview founders and leaders — established and emerging — on topics ranging from intelligent marketing automation and the cloud to machine learning and AI. You’ll hear from VCs about where they’re directing their enterprise investments.

Speaking of investors and hot topics, Jocelyn Goldfein, a managing director at Zetta Venture Partners, will join TechCrunch editors and other panelists for a discussion about the growing role of AI in enterprise software.

Check out our growing (and amazing, if we do say so ourselves) roster of speakers.

Our early-bird pricing is still in play, which means tickets cost $249 and students pay only $75. Plus, for every TC Sessions: Enterprise ticket you buy, we’ll register you for a complimentary Expo Only pass to TechCrunch Disrupt SF on October 2-4.

TC Sessions: Enterprise takes place September 5 at San Francisco’s Yerba Buena Center for the Arts. Buy a Startup Demo Package, open the door to opportunity and place your early-stage enterprise startup directly in the path of influential enterprise software founders, investors and technologists.

Looking for sponsorship opportunities? Contact our TechCrunch team to learn about the benefits associated with sponsoring TC Sessions: Enterprise 2019.

Google updates its speech tech for contact centers

Last July, Google announced its Contact Center AI product for helping businesses get more value out of their contact centers. Contact Center AI uses a mix of Google’s machine learning-powered tools to help build virtual agents and help human agents as they do their job. Today, the company is launching several updates to this product that will, among other things, bring improved speech recognition features to the product.

As Google notes, its automated speech recognition service gets to very high accuracy rates, even on the kind of noisy phone lines that many customers use to complain about their latest unplanned online purchase. To improve these numbers, Google is now launching a feature called “Auto Speech Adaptation in Dialogflow,” (with Dialogflow being Google’s tool for building conversational experiences). With this, the speech recognition tools are able to take into account the context of the conversation and hence improve their accuracy by about 40%, according to Google.

Speech Recognition Accuracy

In addition, Google is launching a new phone model for understanding short utterances, which is now about 15% more accurate for U.S. English, as well as a number of other updates that improve transcription accuracy, make the training process easier and allow for endless audio streaming to the Cloud Speech-to-Text API, which previously had a five-minute limit.

If you want to, you also can now natively download MP3s of the audio (and then burn them to CDs, I guess).

Vulnerability Assessment, Penetration Testing, Redteaming…Oh My God!

A guest post by Florian Hansemann – @HanseSecure 

More and more frequently the terms ‘Vulnerability Assessment’, ‘Penetration Testing’ and ‘Redteaming’ are misused or confused with one another. Whether the reason lies with the sales teams of the corresponding service providers (Pentesting sounds more like CyberCyber than Vulnerability Assessment 😉 ) or elsewhere is irrelevant.

The important thing is that a company knows what lies behind each term and when each should be used. This article therefore describes the different kinds of technical security assessment and explains when each method is appropriate.

Vulnerability Assessment


Description
A vulnerability assessment uses mostly automated procedures and generic scanners to detect security weaknesses in systems: missing patches, weak or default passwords, misconfigurations. These scans should be run periodically, since the result of a one-off scan may be out of date after the next patch day. The scan output should feed a vulnerability management process that prioritizes, documents and tracks the detected problems to closure.

Possible Findings

  1. Default Credentials [cisco:cisco]
  2. Missing Patches [CVE-2017-0144]
  3. Open Ports [databases]
  4. Missing Security Configurations [HTTP Security Header, SMB Signing, etc.]
  5. Weak Cryptography [SSH or TLS]

Goal
A vulnerability assessment should continuously identify as many vulnerabilities as possible in a short period of time in order to find and fix “simple” security vulnerabilities as quickly as possible.
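The check below is an added example for this article, not tooling from the author: it shows the scanner-style logic behind the “Missing Security Configurations” finding above (HTTP security headers), including the prioritization step a vulnerability management process needs. The severities, the 180-day HSTS threshold and the HTTP response are assumptions constructed for illustration.

```python
"""Scanner-style check for missing or weak HTTP security headers, the kind
of finding a vulnerability assessment reports. Example code added for this
article; the response below is constructed, not captured from a real host."""

# Header -> (severity, why it matters). Severities are an assumption for
# illustration; a real scanner and your own risk process set their own.
EXPECTED_HEADERS = {
    "strict-transport-security": ("high",   "HTTPS not enforced on repeat visits"),
    "content-security-policy":   ("medium", "no mitigation for injected scripts"),
    "x-content-type-options":    ("low",    "MIME sniffing allowed"),
    "x-frame-options":           ("medium", "clickjacking possible"),
    "referrer-policy":           ("low",    "full URL leaked to third parties"),
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
MIN_HSTS_MAX_AGE = 15552000   # 180 days; common scanner threshold (assumption)


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase dict.
    Folded or duplicate headers are not handled; enough for a scanner check."""
    headers = {}
    lines = raw.split("\r\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line:
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: dict) -> list:
    """Return findings for missing or weak headers, highest severity first."""
    findings = []
    for name, (severity, reason) in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append({"header": name, "severity": severity,
                             "issue": f"missing: {reason}"})
    # A present header can still be weak: HSTS with a tiny max-age is
    # almost the same as no HSTS at all.
    hsts = headers.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append({"header": "strict-transport-security",
                             "severity": "medium",
                             "issue": f"max-age={max_age} too short"})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


# Constructed sample response (not from a real host): two headers missing
# and a weak HSTS value.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for f in check_security_headers(parse_response_headers(SAMPLE_RESPONSE)):
        print(f"[{f['severity']:6}] {f['header']}: {f['issue']}")
```

Run against the constructed response this reports the missing Content-Security-Policy and Referrer-Policy headers and the short HSTS max-age, medium findings before low. Note that such a check says nothing about business logic; that is exactly the gap a penetration test fills.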

Penetration Testing

Description
In contrast to a vulnerability assessment with its automated procedures, a penetration test primarily uses manual techniques to find more complex vulnerabilities that scanners cannot detect. These can be logic errors in the implementation of a piece of software as well as weaknesses in a company's organizational processes and policies.

In addition, the vulnerabilities in a penetration test are validated and exploited to achieve a predefined target. This goal may be acquiring domain administrator rights or accessing an email from a specific user of the company.

Possible Findings

  1. Cleartext Credentials on Client/ Server [excel sheet on client]
  2. Discovering unknown Vulnerabilities [CVE-2018-7272]
  3. SQL Injection [CVE-2019-7139]
  4. Deserialization [CVE-2017-9822]
  5. Local Privilege Escalation (through misconfiguration or vulnerable software) [CVE-2019-12042]
  6. Bypassing Security Controls [AppLocker, Microsoft SmartScreen]
  7. Bad Asset Management [discovering forgotten/ unknown systems]

Goal
More complex vulnerabilities are sought that automated scanners cannot find, and the effectiveness of the security measures taken at the technical, organizational and personnel level is checked.
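Finding 3 above, SQL injection, is the classic case of a vulnerability that a tester validates by actually exploiting it. The snippet below is an added example for this article, not the author's code: the vulnerable login query beside its parameterized fix, run against an in-memory SQLite table. The schema, users and payload are assumptions constructed for illustration (and a real application would of course store password hashes, not plaintext).

```python
"""SQL injection: vulnerable query beside its parameterized fix. Example
code added for this article; table, users and payload are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "s3cr3t-admin-pw", "admin"),
        ("jane", "jane-pw", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string formatting, so user input becomes SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the driver passes the values separately from the
    query text, so a quote in the input is data, not syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Tester payload: closes the string literal and comments out the rest of the
# WHERE clause, so the password is never checked.
PAYLOAD = "admin' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # admin row
    print("fixed:     ", login_fixed(db, PAYLOAD, "anything"))       # None
```

The point of the test is the first call: with the vulnerable query the payload logs in as admin without a password; with the fixed query the same string is simply a username that does not exist. A scanner may flag a suspicious error message, but demonstrating the authentication bypass is manual work.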

Redteaming

Description
These assessments use state-of-the-art attack and obfuscation techniques (of the kind catalogued in MITRE ATT&CK) to penetrate a business and achieve a specific goal. At the same time, the defending team, the so-called BlueTeam, should detect the intrusion and react accordingly. For more information on this newer type of assessment, I recommend this blog, which published a number of sources at the end of 2018 with additional information about redteaming.

Possible Findings

  1. Missing Logging on One or More Servers/ Clients
  2. Weak Log-Correlation
  3. Bad Detection Rate
  4. No Automated Notification

Goal
Of course, redteaming also uncovers vulnerabilities at all levels of the target, but training the BlueTeam is clearly the focus.
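Findings 2 and 4 above, weak log correlation and no automated notification, are what a red-team exercise typically exposes: each host sees a few failed logons and nothing fires, while the same source touching several hosts in a few minutes is an obvious signal once the events are joined. The script below is an added example for this article, not the author's or any SIEM's code; the key=value log format, the event ID mapping, the window and host thresholds, and the log lines themselves are assumptions constructed for illustration.

```python
"""Cross-host correlation of failed logons, the kind of detection a red-team
exercise tests. Example code added for this article; the log format,
thresholds and log lines are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in an assumed key=value format (not real logs).
SAMPLE_LOGS = """\
2019-07-22T10:00:01 host=FS01 event=4625 user=backup src=10.0.5.23
2019-07-22T10:00:09 host=WEB02 event=4625 user=backup src=10.0.5.23
2019-07-22T10:00:15 host=FS01 event=4624 user=jdoe src=10.0.1.10
2019-07-22T10:00:40 host=DC01 event=4625 user=backup src=10.0.5.23
2019-07-22T10:01:12 host=SQL01 event=4625 user=backup src=10.0.5.23
2019-07-22T10:30:00 host=FS01 event=4625 user=jdoe src=10.0.1.10
2019-07-22T11:45:00 host=WEB02 event=4625 user=svc src=10.0.9.9
"""

FAILED_LOGON = "4625"   # Windows Security event ID for a failed logon


def parse_line(line: str) -> dict:
    """'<iso timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate_failed_logons(raw: str, window: timedelta = timedelta(minutes=5),
                            min_hosts: int = 3) -> list:
    """Alert when one source address fails to log on to at least `min_hosts`
    distinct hosts within `window`. A per-host threshold never sees this;
    only the cross-host join does."""
    by_src = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == FAILED_LOGON:
            by_src[ev["src"]].append((ev["ts"], ev["host"]))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        # sliding window over this source's time-ordered failed logons
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {host for _, host in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts),
                               "first": events[start][0], "last": events[end][0]})
                break   # one alert per source is enough to notify on
    return alerts


if __name__ == "__main__":
    # In a real pipeline this print would be the notification hook (ticket,
    # chat message, pager); finding 4 above is exactly this step missing.
    for a in correlate_failed_logons(SAMPLE_LOGS):
        print(f"ALERT {a['src']} failed logons on {len(a['hosts'])} hosts "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}: {', '.join(a['hosts'])}")
```

On the constructed input only 10.0.5.23 trips the rule (three distinct hosts within 39 seconds); the single failures from the other two sources stay below threshold. Raising `min_hosts` to 5 silences the alert entirely, which is the tuning trade-off a BlueTeam works out with the red team's activity as ground truth.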

Which Method is Right for Your Company?

There is no one-size-fits-all answer; it depends on the current security level of the company or target.

Security Level: Low to Medium

If no security assessments have been carried out yet, vulnerability scans alone should be used first, to establish what the baseline security level looks like and to raise it to a satisfactory level.

Security Level: High

Once a company runs vulnerability scans and closes the gaps they detect, penetration testing can be used to uncover the more complex weaknesses.

Security Level: High to Very High

If the company already has elements such as a SOC, a SIEM and a BlueTeam in place, then at this stage those elements should be trained and optimized through redteaming assessments.



Slack speeds up its web and desktop client

Slack is launching a major update to its web and desktop today that doesn’t introduce any new features or a new user interface. Instead, it’s almost a complete rebuild of the underlying technology that makes these two experiences work. Over the course of the last year or so, Slack worked on shifting the web and desktop clients (which essentially use the same codebase) to a modern stack and away from jQuery and other technologies it used when it first introduced these tools in 2012.

“We want people to be able to run Slack alongside anything else they’re using to get their job done and have that be easy, uncumbersome, delightful even. So we took a look at the environment we’re in,” Jaime DeLanghe, director of Product Management at Slack, told me. “I think the other thing to note is that the ecosystem for client-side development has just changed a lot in the past five years. There have been some major updates to JavaScript and new technologies like React and Redux to make it easier to build dynamic web applications. We also wanted to update our stack to fit in with the modern paradigm.”


Over the course of the last few months, the team actually quietly rolled out a lot of the prep work for this move, though the full extent of the work is only going to become apparent once you update the client to the latest version, as it’s the new Electron app that will bring it all together.

Slack promises that this new version will use up to 50% less memory than before and that Slack will load 33% faster. Joining an incoming call will also be 10 times faster now.

A lot of these changes will be especially apparent to users who are part of multiple workspaces. That’s because, as DeLanghe stressed, the team designed the new architecture with the assumption that many users are now part of multiple workspaces. Those used to take up a lot of memory and CPU cycles when you switched between them, as each workspace got its own Electron process in the old app.

In the updated app, Slack went with React to build all of the UI components, and instead of waiting for all the data to load before displaying the UI, the new app now lazily loads data as it becomes available.

The result of this is an experience that also now allows you to at least read previously opened channels and conversations when you are offline.


What’s maybe even more important, though, is that Slack now has a modern client to build on, which should speed up feature development going forward. “I’m not going to over-promise,” DeLanghe said. “This removes one of the barriers that any company that’s scaling and building features at the same time has to think about. […] This makes that trade-off a little bit easier.”

The update will roll out to all users over the course of the next few weeks. That’s because this is a two-part change: you’ll need both the new desktop application and to be made eligible for the new version on Slack’s side. Some of this is out of Slack’s hands, as your IT department may decide how it rolls out updates, for example.


Serverless, Inc. expands free Framework to include monitoring and security

Serverless development has largely been a lonely pursuit until recently, but Serverless, Inc. has been offering a free framework for intrepid programmers since 2015. At first, that involved development, deployment and testing, but today the company announced it is expanding into monitoring and security to make it an end-to-end tool — and it’s available for free.

Serverless computing isn’t actually server-free, but it’s a form of computing that provides a way to use only the computing resources you need to carry out a given function — and no more. When the process is complete, the resources effectively go away. That has the potential to be more cost-effective than having a server that’s always on, regardless of whether you’re using it or not. That requires a new way of thinking about how developers write code.

While serverless offers a compelling value proposition, up until Serverless, Inc. came along with some developer tooling, early adherents were pretty much stuck building their own tooling to develop, deploy and test their programs. Today’s announcement expands the earlier free Serverless, Inc. Framework to provide a more complete set of serverless developer tools.

Company founder and CEO Austen Collins says that he has been thinking a lot about what developers need to develop and deploy serverless programs, and talking to customers. He says that they really craved a more integrated approach to serverless development than has been available until now.

“What we’re trying to do is build this perfectly integrated solution for developers and developer teams because we want to enable them to innovate as much as possible and be as autonomous as possible,” Collins told TechCrunch. He says at the same time, he recognizes that operations need to connect to other tools, and the Serverless Framework provides hooks into other systems, as well.


The new tooling includes an integrated environment, so that once you deploy, you can simply click an error or security event and drill down to a dashboard for more information about the issue. You can click for further detail to see the exact spot in the code where the issue occurred, which should make it easier to resolve more quickly.

While no tool is 100% comprehensive, and most large organizations, and even individual developers, will have a set of tools they prefer to use, this is an attempt to build a one-stop solution for serverless developers for the first time. That in itself is significant, as serverless moves beyond early adopters and begins to become a more mainstream programming and deployment option. People starting now probably won’t want to cobble together their own toolkits, and the Serverless, Inc. Framework gives them a good starting point.

Serverless, Inc. was founded by Collins in 2015 out of a need for serverless computing tooling. He has raised more than $13.5 million since inception.