British Prime Minister Benjamin Disraeli famously said, “There are three kinds of lies: lies, damned lies, and statistics.” In the enterprise software security world, one of those regularly quoted statistics is that authentication-based attacks factored into about four of every five breaches involving hacking (2012 Verizon Data Breach Report). Indeed, here at STEALTHbits, we use it all the time. The question, of course, is whether the statistic reflects reality, or whether it’s manufactured for the benefit of Godless security software vendors as the good Prime Minister might have assumed…
To draw a conclusion on the validity of the assertion that authentication-based attacks are not only popular, but the near-exclusive choice of today’s hackers, let’s take a look at a few breaches you may have heard of, and we’ll let the words written by others speak for themselves.
“According to Krebs, sources close to the investigation said the attackers first gained access to Target’s network on Nov. 15, 2013 with a username and password stolen from Fazio Mechanical Services, a Sharpsburg, Pa.-based company that specializes in providing refrigeration and HVAC systems for companies like Target.
Fazio apparently had access rights to Target’s network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores.
The attackers leveraged the access provided by the Fazio credentials to move about undetected on Target’s network and upload malware programs on the company’s Point of Sale (POS) systems.”
The hackers reportedly stole a key password from someone in IT. US investigators told CNN the hackers stole the computer credentials of a system administrator, which gave them broad access to Sony’s computer systems.
The compromise wasn’t discovered until January 27, 2015, after a database administrator discovered his credentials being used to run a questionable query – a query he didn’t initiate.
“Anthem was the target of a very sophisticated external cyber-attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members,” Anthem President and CEO, Joseph R. Swedish, said in a statement.
The problem is, while HIPAA requires that identifying information be encrypted, that protection goes by the wayside once an attacker compromises an administrator’s credentials. So even if the data was encrypted, it didn’t matter once the attacker(s) had total control over the database.
The Associated Press, looking to confirm information first posted by Salted Hash, got Anthem on the record to confirm that not only did the incident start last December, but the company also confirmed that five tech employees had their credentials compromised. It wasn’t clear if this number included the employee who raised the alarm after noticing his credentials being abused, but the count is still significant.
Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor. The company said thieves used the vendor’s user name and password to enter the perimeter of Home Depot’s network.
If you’re a company that makes its own websites and applications, make sure your developers don’t do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.
A London-based security consultant named Gabor Szathmari has now found evidence that ALM’s developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company’s network.
The attack against the bank began last spring, after hackers stole the login credentials for a JPMorgan employee, these people said.
Nonetheless, once inside JPMorgan, hackers did manage to gain high-level access to more than 90 bank servers, but were caught before they could retrieve private customer financial information, the people briefed on the investigations said.
The mechanics of the vast majority of breaches are never made public, but it’s reasonable to conclude that the six presented here are representative, and not anomalous. Moreover, the notion that authentication-based attacks are the primary choice of hackers makes logical sense. Sometimes we forget that credentials = access, and access = information. That’s some mathematics that even Prime Minister Disraeli would appreciate.