LastPass as a Solution to Credential Stuffing

Jesse Thompson, Solutions Architect, UW-Madison DoIT User Services; John Nagler, Risk Analyst, UW-Madison DoIT Cybersecurity

Post on 28-May-2020


Page 1: LastPass as a Solution to Credential Stuffing

Jesse Thompson, Solutions Architect, UW-Madison DoIT User Services

John Nagler, Risk Analyst, UW-Madison DoIT Cybersecurity

Page 2: Credential Stuffing - A Story

• The Russian Passenger - From Reply All

• How was his Uber account and his Gmail hacked?

• So many potential causes:

• Malware

• Keyloggers

• Compromised Wi-Fi

• Uber was hacked

• Gmail was hacked

• Compromised phone

• Compromised SMS MFA

• Other guesses?

Page 3: Problem: Credential Loss

[Chart on the slide; the only values recoverable from it are 3600 and 320]

Page 4: Thesis for Today's Talk

Problem: Credential Loss

• Examine the current mitigation strategies

• Credential Stuffing attacks need to be addressed

• Password managers are part of the solution

Page 5: Mitigation Strategies (to date)

• Improving detection

• Phishing awareness

• Domain authentication

• Multi-factor authentication (Duo)

Page 6: Challenges with Detection

• Predicting the future and changing the past is hard

Page 7: Automation of Detection

• Automation maintenance is labor intensive

[Diagram on the slide; legend: blue = automated, red = human]

Page 8: Phishing Awareness

• Phish simulations do not help users identify advanced attacks

• Some users are more trainable than others

Page 9: Domain Authentication (DMARC)

• go.wisc.edu/email-authenticity

• Email clients do not always show the sender’s address

• Compromised accounts in DMARC-authenticated domains are more valuable to attackers

Page 10: Multi-Factor Authentication

• A practical MFA strategy must also secure the 1st factor

Page 11: Gap Analysis

• Improving detection - timing is the enemy

• Phishing awareness - untrainable users

• Domain authentication - trust leveraged by attackers

• Multi-factor authentication - easy to bypass

Page 12: Are We Solving the Underlying Problem?

Page 13: Additional Observations

• Brute force password guessing is happening

• ⅔ are from IPs making less than 5 attempts/day

• Unable to distinguish successful attacks from user activity

• Duo protects only after successful authentication

• 6% of users were compromised multiple times in 2018
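An added example, not from the slides, of the blind spot these observations describe: the same constructed login events counted per source IP (every IP stays under 5 failures, so a per-IP rate rule never fires) and then aggregated per username across IPs, where the distributed guessing and the successful login that follows it become visible. The log format, names, addresses and thresholds are assumptions.

```python
# Added example, not from the slides: login events counted per source IP vs per username.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events "<ISO timestamp> <FAIL|OK> <username> <source IP>";
# format, names and addresses are assumptions, not real UW data.
SAMPLE_LOG = """\
2019-03-01T08:00:01 FAIL bbadger 198.51.100.10
2019-03-01T08:00:04 FAIL bbadger 203.0.113.7
2019-03-01T08:00:09 FAIL bbadger 192.0.2.77
2019-03-01T08:00:15 FAIL bbadger 198.51.100.42
2019-03-01T08:00:20 OK bbadger 203.0.113.99
2019-03-01T08:05:00 FAIL jdoe 198.51.100.10
2019-03-01T09:10:00 OK jdoe 198.51.100.10
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def per_ip_failures(events):
    """Per-IP view: every bot stays under 5 failures, so a per-IP rate rule never fires."""
    counts = defaultdict(int)
    for _, result, _, ip in events:
        if result == "FAIL":
            counts[ip] += 1
    return dict(counts)

def distributed_stuffing(events, window=timedelta(minutes=10), min_ips=3):
    """Per-username view: users whose failures inside `window` come from at least
    `min_ips` distinct IPs, plus whether a login then succeeded in that window."""
    by_user = defaultdict(list)
    for ts, result, user, ip in events:
        by_user[user].append((ts, result, ip))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, result, _) in enumerate(evs):
            if result != "FAIL":
                continue
            later = [e for e in evs[i:] if e[0] - ts <= window]
            ips = {e[2] for e in later if e[1] == "FAIL"}
            if len(ips) >= min_ips:
                ok = any(e[1] == "OK" for e in later)
                findings[user] = {"fail_ips": len(ips), "success_after": ok}
                break
    return findings
```

The per-username finding with success_after set is the case worth acting on (password reset, session review), since at that point Duo has already been presented with a correct first factor.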

Page 14: Anecdotes From Users

• They WERE NOT phished

• Users who no longer reuse their NetID password, but…

• Poor password manager practices

Page 15: What Can We Conclude?

• Mitigation strategies (to date) are not 100%

• Evidence of brute force & web automation

• User behavior is still a weak link

• We have blind spots

• Compromised credentials not solely caused by phishing

• We see evidence of Credential Stuffing

Page 16: What is Credential Stuffing?

• Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.

• “one of the most common techniques used to take-over user accounts”

https://www.owasp.org/index.php/Credential_stuffing

Page 17: How Does Credential Stuffing Work?

• Lots of breaches

• Reused passwords

• Botnets make it easy

Page 18: How Are Passwords Being Breached?

• 3rd party data breaches: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

• Brute force guessing and phishing attacks get smarter and automated

• Malware (e.g. TrickBot): https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/

• Buggy software & unencrypted network connections

Page 19: Credential Stuffing Economics

• UW passwords get caught up in database breaches

• Even if we are not the direct target

• When they are found: validated (automated), then sold (black market)

https://www.recordedfuture.com/credential-stuffing-attacks/

Page 20: But my work address is obscure, right?

Page 21: Credential Stuffing - A Story

• The Russian Passenger - From Reply All

• What was the ultimate cause of this Uber mystery?

Page 22: How to address Credential Stuffing

• Force password resets based on evidence of breaches

• Detect botnets that are testing passwords

• Compare our passwords with breached account data

• ... These will not find the advanced threat actors

• Move to platforms less susceptible to malware (e.g. ChromeOS or TENS (Trusted End Node Security))

• Help users to stop reusing and sharing passwords

• Re-architect systems that require users to share passwords

• Give people a tool to help - password manager
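An added example, not from the slides, of the "compare our passwords with breached account data" item done without shipping the passwords anywhere: the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API, where only the first 5 hex characters of the SHA-1 leave the organisation and the rest is matched locally. The range body used for the offline run is constructed (the suffix is the real SHA-1 suffix of "password", the counts are made up); the live fetcher is provided but not exercised.

```python
# Added example, not from the slides: k-anonymity range lookup against breached-password
# data, the scheme used by Have I Been Pwned's Pwned Passwords API.
import hashlib

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password):
    """Only the first 5 hex chars of the SHA-1 leave the building; the 35-char
    suffix is compared locally, so neither the password nor its full hash is sent."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body):
    """A range response is one '<suffix>:<count>' per line; padded responses
    also contain dummy suffixes with a count of 0, which drop out naturally."""
    table = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            table[suffix.upper()] = int(count)
    return table

def breach_count(password, fetch_range):
    """Number of times `password` appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_hibp(prefix):
    """Real network fetch (not exercised below); the Add-Padding header asks the
    service to pad the response so its size does not leak how many hits the range has."""
    from urllib.request import Request, urlopen
    req = Request("https://api.pwnedpasswords.com/range/" + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for the service: the real SHA-1 suffix of "password"
# with a made-up count, plus two made-up padding entries. Counts are not real HIBP data.
CONSTRUCTED_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0000000000000000000000000000000000A:0
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

def offline_range(prefix):
    return CONSTRUCTED_RANGE
```

A non-zero count is the evidence the slide asks for before forcing a reset; the check belongs at password-set time as well as in a periodic sweep, since a password that was clean when chosen can appear in a later breach.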

Page 23: How to address Credential Stuffing

Page 24: Not all password managers are created equal

You might have a bad password manager if

• It can be easily read or decrypted by others

• It is cumbersome to create unique passwords

• It relies on your system clipboard

• It is not integrated with your browser and mobile device

• It is not vetted by the cybersecurity research community

• It is abandonware

You might have a good password manager if

• A good password manager never stores your passwords in a vendor-decryptable form in the cloud

• A good password manager is vetted by security researchers

• Published & remediated vulnerabilities are a good metric

• Bug bounty programs are another trait of a good password manager

• A good password manager costs money

• It is profitable for the vendor to have a reputation for being secure

Page 25: Not all password managers are created equal

Page 26: Why allow browser/mobile integration?

• Convenience breeds strength

• URL Matching

• Defeats malware
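An added example, not from the slides and not LastPass's own logic, of the URL matching the slide refers to: a simplified origin check a browser-integrated manager makes before offering a saved login, which is why a user who relies on the manager is not filling a NetID password into a lookalike page. The saved origin and the probe URLs are constructed; real managers use richer rules (public-suffix matching, equivalent domains), but the same principle applies.

```python
# Added example, not from the slides: a simplified version of the URL-matching
# check a browser-integrated password manager makes before offering a saved login.
from urllib.parse import urlsplit

def origin_of(url):
    """Normalise to (scheme, host, port). urlsplit().hostname drops any user@
    part and lower-cases, so https://login.wisc.edu@evil.example/ is evil.example."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:          # malformed port, e.g. https://host:abc/
        return None
    return parts.scheme, parts.hostname, port

def should_autofill(page_url, saved_origin, allow_subdomains=True):
    """Fill only when the page origin matches the origin the credential was saved on:
    same scheme (no downgrade to http), same port, and the same host or a subdomain
    of it. Lookalike hosts such as login.wisc.edu.evil.example never match."""
    page, saved = origin_of(page_url), origin_of(saved_origin)
    if page is None or saved is None:
        return False
    (scheme, host, port), (s_scheme, s_host, s_port) = page, saved
    if scheme != s_scheme or port != s_port:
        return False
    if host == s_host:
        return True
    return allow_subdomains and host.endswith("." + s_host)

# Constructed vault entry; the URL is assumed, not taken from the slides.
SAVED_ORIGIN = "https://login.wisc.edu"

# Constructed lookalike URLs that a human reading the address bar might miss,
# with the expected decision for each.
PROBES = {
    "https://login.wisc.edu/login?service=x": True,
    "https://sso.login.wisc.edu/": True,
    "https://login.wisc.edu.evil.example/login": False,   # saved host as a prefix
    "https://login.wisc.edu@evil.example/login": False,   # saved host as userinfo
    "https://login-wisc.edu/": False,                      # lookalike
    "http://login.wisc.edu/": False,                       # scheme downgrade
    "https://login.wisc.edu:8443/": False,                 # different port
}

def check_probes():
    return {url: should_autofill(url, SAVED_ORIGIN) for url in PROBES}
```

The manager never sees the page the way a person does, only its origin, which is the property that makes "the manager did not offer to fill" a useful signal to train users on.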

Page 27: Why UW chose LastPass

• LastPass is a good password manager

• Adoption

• Cost Effective

Page 28: LastPass Enterprise Features

• Duo integration

• Enterprise API

• Eligibility-based deprovisioning

• Delegated support

• Shared folders

• Enhanced Logging & alerting

Page 29: LastPass Decision Points

• To SSO or not to SSO – that is a question

• What to do with existing LastPass users

• Automated deprovisioning, friend or foe

Page 30: Future LastPass features

• Extension installs

• Compromise video

• Automated Password changes

Page 31: Thank you!

We welcome your feedback

John Nagler - [email protected] Jesse Thompson - [email protected]

• Some podcast plugs: