LastPass as a Solution to Credential Stuffing
Jesse Thompson, Solutions Architect, UW-Madison DoIT User Services
John Nagler, Risk Analyst, UW-Madison DoIT Cybersecurity
Credential Stuffing - A Story
• The Russian Passenger - from Reply All
• How was his Uber account and his Gmail hacked?
• So many potential causes:
• Malware
• Keyloggers
• Compromised Wi-fi
• Uber was hacked
• Gmail was hacked
• Compromised phone
• Compromised SMS MFA
• Other guesses?
Problem: Credential Loss (chart of credential-loss counts)
Thesis for Today’s Talk
Problem: Credential Loss
• Examine the current mitigation strategies
• Credential Stuffing attacks need to be addressed
• Password managers are part of the solution
Mitigation Strategies (to date)
• Improving detection
• Phishing awareness
• Domain authentication
• Multi-factor authentication (Duo)
Challenges with Detection
• Predicting the future and changing the past is hard
Automation of Detection
Automation maintenance is labor intensive
• Blue = automated
• Red = human
Phishing Awareness
• Phish simulations do not help users identify advanced attacks
• Some users are more trainable than others
Domain Authentication (DMARC)
• go.wisc.edu/email-authenticity
• Email clients do not always show the sender’s address
• Compromised accounts in DMARC-authenticated domains are more valuable to attackers
Multi-Factor Authentication
• A practical MFA strategy must also secure the 1st factor
Gap Analysis
• Improving detection - timing is the enemy
• Phishing awareness - untrainable users
• Domain authentication - trust leveraged by attackers
• Multi-factor authentication - easy to bypass
Are We Solving the Underlying Problem?
Additional Observations
• Brute-force password guessing is happening
• ⅔ of attempts come from IPs making fewer than 5 attempts/day
• Successful attacks cannot be distinguished from legitimate user activity
• Duo comes into play only after a successful password authentication; it does not stop the guessing itself
• 6% of users were compromised multiple times in 2018
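The observations above (most guessing sources stay under 5 attempts/day, and a successful attack looks like a normal login) are easier to see against concrete log lines. The following is an added example, not code or data from the UW-Madison talk: the log format, usernames and addresses are constructed, and the thresholds are assumptions. It shows why a per-IP failure threshold misses a botnet that spreads guesses thinly, while aggregating the same events across sources and usernames catches it, and how a success can still be flagged when the same source had just failed against other accounts.

```python
"""Low-and-slow credential-stuffing detection over constructed auth logs.

Added example; the log lines below are constructed for illustration and the
thresholds (5 failures/day per IP, 3 sources, 5 users, 10 minute window) are
assumptions, not values from the talk.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per login attempt at a hypothetical SSO.
SAMPLE_LOG = """\
2019-09-10T02:01:13Z sso login user=alice src=203.0.113.10 result=fail
2019-09-10T02:01:15Z sso login user=bob src=203.0.113.10 result=fail
2019-09-10T02:01:16Z sso login user=carol src=203.0.113.10 result=fail
2019-09-10T02:02:41Z sso login user=alice src=198.51.100.7 result=fail
2019-09-10T02:02:43Z sso login user=dave src=198.51.100.7 result=fail
2019-09-10T02:02:44Z sso login user=erin src=198.51.100.7 result=fail
2019-09-10T02:03:02Z sso login user=bob src=198.51.100.77 result=fail
2019-09-10T02:03:05Z sso login user=frank src=198.51.100.77 result=fail
2019-09-10T02:03:07Z sso login user=alice src=198.51.100.77 result=success
2019-09-10T08:15:00Z sso login user=alice src=192.0.2.50 result=success
2019-09-10T08:15:30Z sso login user=bob src=192.0.2.51 result=fail
2019-09-10T08:15:40Z sso login user=bob src=192.0.2.51 result=success
"""


def parse_line(line):
    """Turn one 'ts svc event k=v k=v ...' line into a dict with a datetime."""
    ts, _service, _event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def per_ip_flagged(events, threshold=5):
    """The naive rule: flag an IP that fails >= threshold times in one day.
    Every source in the sample stays below that, so nothing is flagged."""
    counts = Counter((e["src"], e["ts"].date())
                     for e in events if e["result"] == "fail")
    return {ip for (ip, _day), n in counts.items() if n >= threshold}


def spray_window(events, window=timedelta(minutes=10), min_sources=3, min_users=5):
    """Aggregate rule: within one window, failures arrive from >= min_sources
    distinct IPs against >= min_users distinct usernames. A botnet validating
    a breached list looks exactly like that: many IPs, many users, few tries
    each. Returns (window_start, n_sources, n_users) for the first hit, else None."""
    fails = sorted((e for e in events if e["result"] == "fail"), key=lambda e: e["ts"])
    for i, first in enumerate(fails):
        in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
        sources = {e["src"] for e in in_window}
        users = {e["user"] for e in in_window}
        if len(sources) >= min_sources and len(users) >= min_users:
            return first["ts"], len(sources), len(users)
    return None


def suspicious_successes(events, window=timedelta(minutes=10)):
    """A success from a source that, shortly before, failed against *other*
    usernames is a stuffing hit that got past the first factor. A user's own
    typo followed by a success from the same IP is not flagged."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        other_user_fails = [
            f for f in by_src[e["src"]]
            if f["result"] == "fail" and f["user"] != e["user"]
            and timedelta(0) <= e["ts"] - f["ts"] <= window
        ]
        if other_user_fails:
            hits.append((e["user"], e["src"]))
    return hits


if __name__ == "__main__":
    print("per-IP threshold flags:", per_ip_flagged(EVENTS) or "nothing")
    print("spray window:", spray_window(EVENTS))
    print("successes following other-user failures:", suspicious_successes(EVENTS))
```

On this input the per-IP rule returns an empty set, the windowed rule reports three sources hitting six usernames inside ten minutes, and the only success flagged is alice's login from 198.51.100.77, which came seconds after that address failed against bob and frank. That last signal is the one to feed a forced reset: the second factor would be prompted only after this success, which is why it is already a compromised first factor.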
Anecdotes From Users
• They WERE NOT phished
• Users who no longer reuse their NetID password, but…
• Poor password manager practices
What Can We Conclude?
• Mitigation strategies (to date) are not 100%
• Evidence of brute force & web automation
• User behavior is still a weak link
• We have blind spots
• Compromised credentials are not solely caused by phishing
• We see evidence of Credential Stuffing
What is Credential Stuffing?
• Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.
• “one of the most common techniques used to take-over user accounts”
https://www.owasp.org/index.php/Credential_stuffing
How Does Credential Stuffing Work?
• Lots of breaches
• Reused passwords
• Botnets make it easy
How Are Passwords Being Breached?
• 3rd party data breaches
• https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
• Brute force guessing and phishing attacks get smarter and automated
• Malware (e.g. TrickBot)
• https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/
• Buggy software & unencrypted network connections
Credential Stuffing Economics
• UW passwords get caught up in database breaches
• Even if we are not the direct target
• When they are found:
• Validated (automated)
• Sold (black market)
https://www.recordedfuture.com/credential-stuffing-attacks/
But my work address is obscure, right?
Credential Stuffing - A Story
• The Russian Passenger - from Reply All
• What was the ultimate cause of this Uber mystery?
How to address Credential Stuffing
• Force password resets based on evidence of breaches
• Detect botnets that are testing passwords
• Compare our passwords with breached account data
• ... these will not find the advanced threat actors
• Move to platforms less susceptible to malware
• e.g. ChromeOS or TENS (Trusted End Node Security)
• Help users stop reusing and sharing passwords
• Re-architect systems that require users to share passwords
• Give people a tool to help: a password manager
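"Compare our passwords with breached account data" can be done without ever handing a password, or even its full hash, to a third party. The following is an added example, not code from the talk or from LastPass: it implements the k-anonymity range check used by Troy Hunt's Pwned Passwords service (hash the password with SHA-1, send only the first five hex characters, match the remaining 35 locally against the returned list). The live fetcher targets the real `https://api.pwnedpasswords.com/range/` endpoint, but the test runs offline against a constructed stand-in response; the breach counts in that stand-in are made up, and the `acceptable_new_password` policy hook is an assumed place where an IdP would call this during a password change.

```python
"""k-anonymity breached-password check (added example, not from the talk).

Only a 5-character SHA-1 prefix leaves the host; matching the 35-character
suffix happens locally. The offline response below is constructed.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Padded responses include count-0 filler entries; those are dropped."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            seen[suffix.upper()] = n
    return seen


def breach_count(password, fetch_range):
    """How many times the password appeared in breaches (0 = not found).
    fetch_range(prefix) -> response body text; injected so it can be offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real network fetcher (not exercised by the test). Add-Padding asks the
    service to pad the response so its size does not leak the prefix bucket."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def _constructed_range():
    """Offline stand-in for the API response covering the prefix of "password".
    The suffixes and counts here are constructed, not real service data."""
    prefix, suffix = sha1_prefix_suffix("password")
    body = "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed entry
        f"{suffix}:3730471",                       # constructed count for "password"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # padding entry, count 0
    ])
    return {prefix: body}


CONSTRUCTED = _constructed_range()


def fetch_range_offline(prefix):
    """Offline fetcher: returns the constructed body, or nothing for other prefixes."""
    return CONSTRUCTED.get(prefix, "")


def acceptable_new_password(password, fetch_range=fetch_range_offline):
    """Assumed policy hook for a password-change flow: refuse anything seen in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "Tq7!vR2m-lantern-orbit"):
        print(pw, "->", "rejected" if not acceptable_new_password(pw) else "accepted")
```

Two caveats worth carrying into a real deployment: the check tells you the password is in a public corpus, not that this user's own credential pair was leaked, so it belongs at password-set time as a policy gate rather than as the only trigger for forced resets; and the hashing must stay SHA-1 here only because that is what the service keys on, it is not a recommendation for how to store passwords.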
How to address Credential Stuffing
Not all password managers are created equal
You might have a bad password manager if
• It can be easily read or decrypted by others
• It is cumbersome to create unique passwords
• It relies on your system clipboard
• It is not integrated with your browser and mobile device
• It is not vetted by the cybersecurity research community
• It is abandonware
You might have a good password manager if
• A good password manager never stores your passwords in a vendor-decryptable form in the cloud
• A good password manager is vetted by security researchers
• published & remediated vulnerabilities are a good metric
• Bug bounty programs are another trait of a good password manager
• A good password manager costs money
• It is profitable for the vendor to have a reputation for being secure
Not all password managers are created equal
Why allow browser/mobile integration?
• Convenience breeds strength
• URL matching
• Defeats malware
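"URL matching" is the property that makes an integrated password manager resist phishing where a human does not: the vault only offers a credential on the site it was saved for, so a lookalike domain gets nothing to harvest. The following is an added example, not code from the talk or from LastPass, of the matching decision such an extension makes before autofilling. The suffix list is a small constructed stand-in for the Public Suffix List, and the choice to match on the registrable domain (so `sso.wisc.edu` and `login.wisc.edu` share credentials) is an assumption with an `exact_host` switch for the stricter policy.

```python
"""Autofill URL matching (added example, not from the talk or from LastPass).

A saved credential is offered only when the page's registrable domain equals
the saved one, the scheme has not been downgraded, and the hostname compares
in its ASCII (IDNA) form so homoglyph domains do not match.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real manager uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "co.uk", "ac.uk"}


def normalized_host(url):
    """Lowercased hostname in ASCII form; Unicode labels become xn-- labels,
    so a Cyrillic 'і' in wіsc.edu can never equal the saved wisc.edu."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.encode("idna").decode("ascii").lower()


def registrable_domain(host):
    """eTLD+1 for the host (e.g. login.wisc.edu -> wisc.edu).
    Returns None for IP literals and for bare public suffixes."""
    labels = host.rstrip(".").split(".")
    if all(label.isdigit() for label in labels):  # IPv4 literal
        return None
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def should_autofill(saved_url, current_url, exact_host=False):
    """Decide whether the credential saved for saved_url may be filled on current_url."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    # Never downgrade: a credential saved over https is not typed into plain http.
    if saved.scheme == "https" and current.scheme != "https":
        return False
    saved_host, current_host = normalized_host(saved_url), normalized_host(current_url)
    if not saved_host or not current_host:
        return False
    if exact_host:
        return saved_host == current_host
    saved_reg, current_reg = registrable_domain(saved_host), registrable_domain(current_host)
    return saved_reg is not None and saved_reg == current_reg


SAVED = "https://login.wisc.edu/"

# Constructed page URLs a user might land on, with the expected decision.
CASES = [
    ("https://login.wisc.edu/login?ticket=abc", True),        # same site
    ("https://sso.wisc.edu/", True),                           # same registrable domain
    ("https://login.wisc.edu.evil-example.com/", False),       # subdomain of attacker
    ("https://wisc-edu.com/login", False),                     # lookalike name
    ("https://login.w\u0456sc.edu/", False),                   # Cyrillic homoglyph
    ("http://login.wisc.edu/", False),                         # downgraded scheme
]


def run_cases(exact_host=False):
    """Return the decisions for CASES as a list of booleans."""
    return [should_autofill(SAVED, url, exact_host=exact_host) for url, _ in CASES]


if __name__ == "__main__":
    for (url, expected), got in zip(CASES, run_cases()):
        print(f"{'fill' if got else 'withhold':8} {url}  (expected {expected})")
```

A user comparing the address bar by eye is the control this replaces: the homoglyph and the `login.wisc.edu.evil-example.com` cases both read as the real site to a person, and both get nothing from the vault.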
Why UW chose LastPass
• LastPass is a good password manager
• Adoption
• Cost effective
LastPass Enterprise Features
• Duo integration
• Enterprise API
• Eligibility-based deprovisioning
• Delegated support
• Shared folders
• Enhanced logging & alerting
LastPass Decision Points
• To SSO or not to SSO – that is a question
• What to do with existing LastPass users
• Automated deprovisioning, friend or foe
Future LastPass features
• Extension installs
• Compromise video
• Automated password changes
Thank you!
We welcome your feedback
John Nagler - [email protected]
Jesse Thompson - [email protected]
• Some podcast plugs: