Episode 38

Cyber Smart Passwords with Dustin Heywood (aka EvilMog)

EPISODE SUMMARY

X-Force Red Hacker Dustin Heywood, aka EvilMog, joins us during the first week of Cybersecurity Awareness Month to share how to be cyber smart with your passwords. He shares critical steps for protecting passwords and some insight into his world of password hacking. From common mistakes to the future of a passwordless world, we discuss it all.


Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. I'm your host Joe Carson, and it's going to be a fantastic fun episode today. Based in Tallinn, Estonia, I'm the chief security scientist and advisory CISO at ThycoticCentrify and I'm welcomed with an awesome and amazing celebrity guest with me today. Everyone knows... So well, first of all, I'll let you introduce yourself because you're the best at introducing yourself. So Dustin, you want to give us the intro, who you are and what you do?

Dustin Heywood:
Yeah, not a problem. I'm Dustin Heywood, otherwise known in the industry as EvilMog from Team Hashcat, and I am a password cracker for X-Force Red. I break into companies and show them where their problems are so they can fix.

Joseph Carson:
Awesome. And I mean, definitely, this is a major pain in the industry. And today's topic is all about passwords and password pain, and also busting some of the myths out there as well because there's a lot of myths about passwords. And so, there's a lot of misunderstandings and assumptions and we're going to try and really educate the audience today into those challenges, busting some of those myths, and then really giving you some good, best practices in how you can become more cyber smart with your passwords as well. So that's the real theme. So Dustin, just give us a breakdown, today, what are passwords protecting and what are some of the most common mistakes that people do when choosing or using passwords?

Dustin Heywood:
Well, that's a fun part, passwords protect literally everything. I mean, if you look at the number of accounts we have, I've got stuff for my pizza delivery, my local library, my airline cards, my bank, my home alarm systems, even my fridge has a password now these days. And the biggest mistake people make is they will set their password to be the same on every single site they go to. Now, it can be long, and random and everything else, but here's the problem, you as a consumer have no way of knowing that anything you're logging into is handling that password correctly.

Dustin Heywood:
We actually used to run a demo of this at Black Hat and Defcon where we'd say you're entering a password and we'll crack it live. In the backend, we weren't doing any proper password storage, we were taking the password and hashing it two different ways in the backend to make our lives easier for recovery. Some sites will store the password in plain text and email it back to you. So now let's say they've emailed you back your password and it's a sign in for your library, that's the same password for your bank, some mystery can go and log into the bank now say that library gets popped, which will happen routinely, and now drain your bank account unless you have things like multi-factor authentication.

Joseph Carson:
Absolutely. I mean, I think that's a really important comment you made, is that not all login screens have the same security implemented in the backend, and that's a lot of assumptions. When we go in, all we see is username and password, and we don't really understand how they're dealing with that in the background. They might be still using old legacy SHA-1 hashing in order to actually encrypt to deal with that. Others might even still be using cleartext. So-

Dustin Heywood:
Yeah, cleartext, LanMan, I've seen NTLM, we've seen all these weird proprietary ones where some even just truncated eight characters, or even worse, some will store it in portions of it enough for your pin. If someone asks you to enter in your password on the phone, IVR, how do those things match up?

Joseph Carson:
Absolutely. One of the other big mistakes, as you mentioned, using the same password in every account and that really exposes and we see that time and time again, every time there's a new data breach, and your password gets disclosed. That just means that it's very easy for an attacker to basically look at what other services potentially that person is using and then start doing brute force across all of them to find out which ones work. And even to the point where can you talk a little bit about when you're using things like rules and masking on passwords, simple variations of passwords, people might just change one letter or just one simple variation, you know how easy it is to guess those.

Dustin Heywood:
Well, here's the thing, most humans can't generate a password to save their life. I'm just going to be honest with this, the patterns are highly exploitable, even when humans are randomly typing away at a keyboard in most cases, they're following a specific pattern depending on their keyboard layout. We have everything from keyboard walk generators to massive word lists that try variations, when you can try 1.2 terahash or 1.2 trillion passwords per second in an internal corporate Windows Active Directory environment, for example, those passwords are going to fall incredibly quick. And the number of people that use variants of passwords that are out in the real world on their corporate environment passwords is just insane.

Dustin Heywood:
I'm going to be honest; the only real good password is one that's completely random. The problem is humans can't remember 400 different passwords. I can't, and I'm in the industry. I'm sorry, I can't. The only way I'm surviving is with a password manager that has them all stored in there so I can have them cycled routinely because the other thing is, even if they're in a password manager, you should still rotate your passwords at least once a year at a minimum.

Joseph Carson:
Absolutely. And that's another big thing. We talk about a lot of industry best practices in recommendations. And a few years ago, there was the big question, if you're using multifactor authentication or two-factor authentication, do you ever need to change your password? And that was always, for me, I mean, it was a big debate in the industry about whether that's a good practice or not. I mean, for me, the question that always comes down to, well, what is it protecting? Because you mentioned earlier, it goes from everything from your fridge, to your car, to your bank account, to your bank details, to your medical records, everything's protected, but not everything's equal. And therefore, I look at what is protecting, what's behind that password, what's been protected? And therefore, even if I do have multifactor authentication, I do still look to periodically rotate those credentials because sometimes-

Dustin Heywood:
But you don't have to rotate them all, that's the thing. Sorry to interrupt. I separate my passwords into tiers. I have a tier one, my banking passwords, my critical HR stuff, my health stuff. I have my tier two, my video game systems for the online gaming stuff, stuff that I might kind of care about, but it's not the end of the world, there's no financial impact to me. Then I've got throwaway passwords for accounts like I'm just doing a single sign-on with my phone while I'm out trying to go get a table at some restaurant, and they have to get me to sign into their proprietary thing, I'm going to use a junk password on that because quite frankly, I'll never use it again as long as I'm using it on a junk email that I'm throwing away later.

Joseph Carson:
And even to your point this well, one of the things that we commonly then do is we have everything feeds back into the same email account. What I've actually gotten the practice is not only having my passwords in tiers too same, I've got my higher sensitive accounts, to my medium, to my low, and I've also then got random email accounts set up that ties those for things like password resets. So when I'm doing those junk, I've got basically my junk email that all of those notifications and subscriptions will go to, and then I've got my main communication, and then reset. So I try to also get it into separate categorizations as well, just to make it a little bit more difficult for attackers to know which email account is associated to which credential.

Dustin Heywood:
Yeah, that's the thing people don't realize. Like say, for example, a lot of popular email providers, I picked many companies, I'm going to say Google as an example on this one, they allow you to do plus at the end of your email, then type on miscellaneous additional data. So Dustin Heywood or whatever I want to be in this week, you plus junk company one, junk company two. So you can also track who's spamming you in the process, but I usually have something like FB spam at whatever email provider, just as an example for your Facebook junk.

Dustin Heywood:
Again, sorry for not naming companies, but it's just an example of social media. The thing is people can track you with open-source intelligence across these various social media platforms. If you've given them your email to sign up for a discount on your electrical or your power, for example, they might use that to stalk you in cyberspace. I make sure those are separate.

Joseph Carson:
Yeah, absolutely. And just so there's been big discussion here, can you also get into explaining some of the differences? For me, I look at everything as a secret, as a top kind of level, it's a secret and that's what passwords should be, and everything rolls up into that secret whether being the PIN for your ATM card, or your loyalty cards, whether it being a password, and there's been a lot of discussions into using passphrases and then using combination of random words. We see a lot of those used in multifactor authentication where you get these random words coming back and then you type it, because it's easier to remember and type those words rather than lots of random characters. Can you explain a little bit about passphrases and is it something that you would recommend people to use as more of it? For me, it's the same as a password, it's just a technique of creating a much easier but longer password.

Dustin Heywood:
Yeah. Passwords are just a shared secret, and you're going to need some kind of secret to get into your password manager. So making sure your password is actually a passphrase, reasonably long, something good to remember, the key thing is get a large amount of entropy into it so that you can at least make sure that person typing away random stuff on a machine can't crack the passphrase, and you were up against 1.2 trillion hashes. Now the thing is that the password manager, most of these, especially the online ones, the major ones out there, they're going to protect against real-time log-ons in most cases, so you're not... it's not like someone's trying that many passwords per second.

Dustin Heywood:
But when it comes to actual logging onto a site, again, it's just a shared secret. So the best ones are ones that were machine-generated, random, long, massive amounts of entropy and massive amounts of length. And despite what everybody says, NIST especially, you still need to rotate your passwords at work. And the reason for that is in Windows, password hashes are password equivalent, so I can log on with the hash even if I don't have the password, which is why it doesn't matter if your password is 128 characters long, I can still log in if I've got the hash through some of the many ways of getting those out.

Joseph Carson:
Absolutely. That's an important point and that's a very commonly used technique by attackers, is that they're not looking for the password, they're just looking for residents off that hash. And if they get access to a machine in the environment that has local administrator rights, then basically they can find the hashes from anything that's logged into that device in the domain, and then if that password or system has never had that password rotated, they can reuse that, the hash, to move around laterally and even up to the point where they can actually get into the domain controller, so absolutely. I think a lot of organizations don't realize that. And sometimes even when they're creating things like service accounts that they even leave them rather than not having them log on, they actually put them as log on and therefore, they can actually also use the pass-the-hash as well, and that also creates a major challenge because they're not configuring those correctly.

Joseph Carson:
What are the other common mistakes? What about people that are simply using dictionary words, is that something that should be... especially in the passphrase, using four or five words just to make a long password, but using dictionary words to do so.

Dustin Heywood:
So it depends on where you're getting these four or five words from, if you're drawing them from the common here's 4,000-word dictionary like the what, five words or whatever else, we have techniques to go do combinator attacks effectively and cycle those in, your word just becomes a long token. Probably is a bit more tooling, but eventually those can be cracked. They're a bit longer and as long as the entropy is high, that's possible, but again, those things should only be used for protecting your password itself to your password manager. For a standard-issue log on site, if you can remember your password, it's probably a bad password.

Joseph Carson:
Absolutely. For me, I have the practice. I use password managers and privileged access to manage the majority of my accounts. I don't know the passwords, it's extremely... whatever the system will take is what I put in as the password. And I put in as much complication as possible, as much basically special characters, the maximum length, and then determining what the severity, what the risks going back to earlier, you mentioned about having different risks based on what it's protecting, then I set basically the expiration rotation timeframe. So therefore, making sure it's as difficult as possible and making sure that that password doesn't become stale or it doesn't become that if it even is disclosed as part of a breach, that attacker can't reuse it. So Windows 128 characters where possible, whatever the UI or whatever it possibly can take. And sometimes I look at the lengths, there's no way I could remember the passwords in my head. But going into-

Dustin Heywood:
No, there is a curse to this though, if you have a really long password, I'm not sure if you play video games like on consoles or have one of those set top boxes, trying to enter in your streaming service password is such a metric pain. So I bought a new fifth-gen or whatever the current generation is, of all the unobtainium consoles, finally got one in the other day. And the current console I got has this little QR code option now and I go to sign into my streaming service. It just says, "Take your phone, scan this." You scan the QR code, pulls up the sign-on page, does a proper OAuth. If your password manager hits sign on, your TV just signs in for you.

Dustin Heywood:
Now, this wasn't the case for all my services. I'm going to growl at a couple of them, I can't name names on this call, but if you're listening from a major media company, please enable OAuth QR code to replace sign-on for all your UI services, because it made my sign-up process for the accounts that supported it so much easier. Trying to enter a 128-character password into my console was hard.

Joseph Carson:
No, I completely agree. And there's a lot of services, whether it being media, music, streaming, gaming that they haven't got OAuth enabled that you're sitting there with its massive log. And especially if you're putting a lot of complexity into it, and you might even be using different keyboards because...

Dustin Heywood:
Yeah, because you got like an Estonian keyboard or like you'd have possibly different language keyboards, for instance, you introduce an English one, yeah, for those, I used to use an eight-character password, maybe 12 tops. Randomly generated 12-character passwords are actually fairly hard to crack if they've hashed them correctly in the background. So for consoles, I will forgive reducing it down to 12 characters because I am human and I can't type that stuff in.

Joseph Carson:
No, absolutely. So another common thing that I find, we did a survey, some research recently, and one thing that really gets me is a lot of people that are using their browsers to store passwords. For me, it's not a password manager, it's basically a password basically. It's a bit better than having a text file, but not actually any better, especially because most browsers out there, they don't actually have additional security turned on by default. So basically, putting your password in the browser is basically just for me, like storing it in clear text on your desktop.

Dustin Heywood:
It is pretty bad. If you've seen tools like SharpWeb that will extract out your Chrome, Firefox, IE, Edge, Brave, pick your browser, it completely dumps everything out, puts them to cleartext for us. Also, things like there's Invoke-SessionGopher and other tools like that that'll go through and steal PuTTY keys out of memory. And the stuff that's stored in memory, if you compromise a host and there's credentials on there, we will find it.

Joseph Carson:
Yeah. Especially, I mean, I wish that it was that if you were deciding, because browsers, they just pop it up there as like, "Would you like us to remember that for you? Well, we'll store it here." And they make it sound like some additional protection and they'll also sometimes give you the degeneration, autogeneration for passwords as well when you're typing in forms. But when you simply look at it and you go and you just type in passwords in the field, or you just go to the settings, security is off by default. And for me, I always think that it should be that if you do choose to use it, they should actually force you to turn the security on and protect it with additional security.

Joseph Carson:
So therefore, it's not just something that's left open. If an attacker gets access to your laptop, your device, they'll have access to your browser. And that means all the credentials, and it's very likely that they'll be able to see all the different variations of password use. And a lot of people put in their VPN in there, they put their organization's Active Directory accounts, they put in the SaaS-based applications, Azure, AWS is also going to be saved in the browser so it means an attacker who gains access to all that information, it's an open door for them to gain access to everything in the organization.

Dustin Heywood:
Well, and even when they do protect it, they're usually protecting it with DPAPI in Windows, which if we've already compromised your machine, we have the DPAPI master keys or people like harm drive written tools to go tell us how to grab the master keys out, so we're already covered. I mean, the stuff that's in Mimikatz now, the gentilkiwi, I'm deeply afraid of going near the Windows browser stuff again. It's not because the teams haven't done a good job of securing it, it's just the attackers have done such a great job of building attack tools for it now.

Joseph Carson:
Absolutely. And so, what was your recommend... What's some of the recommendations you would have for the audience who's really at the moment really looking... all these accounts that they have, social media, personal accounts, ordering food, booking transportation, to booking flights, to logging in to the organization systems, what recommendations would you have for them in order to actually help protect themselves and make better choices?

Dustin Heywood:
Let me start off with two recommendations. First one is to companies out there, to companies out there, get an enterprise password manager, and start a privileged access management program. Rotate your passwords, and more importantly, rotate your Kerberos TGT keys in every active directory domain twice a year at a minimum. I generally recommend every three months, that way it rolls basically twice in a year. And the reason for it rolling it twice is the previous KRBTGT hash is valid for signing tickets even after it changes. So you have to rotate it twice to kill all the tickets. But make sure it's easy for your staff to secure their passwords, because their sole job is to get their day job done, they don't care about keeping stuff secure. Even if you do all the training in the world, unless it's frictionless, they're not going to do anything about it.

Dustin Heywood:
And then on the personal side, get a password manager. Now I know we've been hearing in the media about how some password managers have been popped and when I say popped, I mean, hacked, breached, leaked, whatever else, but you have to really understand this in context. Their scope of a breach was very brief or it was, "Hey, we had a briefly vulnerable piece of code that was rapidly patched, it was detected before there was mass exploitation." And a lot of these tools have the ability to rotate all your secrets after things are closed. They'll log on to all your sites for you, one by one, and change your passwords for you if you hit the rotate credential option.

Dustin Heywood:
So get one of the major four, even some of the free ones aren't terrible. If you're using the free, understand the limitations, but I mean, I pay for a family one. Or even bigger, is some companies will pay a larger one of the big four to get an enterprise plan that includes personal usage for your entire family. Just get a password manager, they're cheap, they work, and there's one for every kind of style of looking at some are online, some are offline only, some are done in a wallet.

Dustin Heywood:
The other big thing though is, back up your password. I do a printout, and I know this sounds bad, I do a printout once a year or once every six months, depending on the thing. I stick it all in an envelope and it goes into a safety deposit box offsite. Here's the thing, you have everything in a password manager, your house burns down, do you have a backup plan to get into your accounts? Make sure you have some kind of emergency kit printed out and stashed somewhere secure with somebody you trust or somewhere you trust, lawyer's office, or somewhere locked up, in case you get hit in a motorcycle accident or somebody go clear your browser history.

Joseph Carson:
Yeah, it's funny, I mean, especially if you're using things like biometrics and all of a sudden, your finger gets damaged, you can never open that device, so that becomes-

Dustin Heywood:
Yeah, store your MFA backup seeds, keep backup authentication keys around, we're in the day and age now where you need to keep backups of your authentication secrets because some of these managers are so good that you will never get back in.

Joseph Carson:
I mean, that's why I always recommend offline backups to a lot of organizations because the threat of ransomware as well, ransomware will look to encrypt if you do become a victim and you're doing only online backups, then that can make a lot of unavailable. And if your password file gets encrypted, you can never access it and so, you must have a backup. And having an offline or an offsite backup is so critical especially becoming more resilient and being able to recover. There's been a lot of talk over the years and this sometimes, for me, is around the whole passwordless concept, because I look at it and I think that, there is a bit of misunderstandings and assumptions. I get asked this all the time, what about passwordless? And for me, I like to kind of step back and think about, well, it's not entirely... I don't see it as passwordless, passwords aren't disappearing, I just see it changing how we interact with passwords. It's changing the human interface between how we actually leverage them.

Joseph Carson:
My common recommendation is that it's actually about less password interaction, it's about moving passwords into the background. They're not disappearing, they're not becoming some type of magic, was it a door opening ability where you're using things like biometrics to do so. So for me, it's about moving passwords into the background and making less friction between the human and the authentication. Can you talk a little bit more about what you see, the future of passwords going, what changes, what new techniques will help improve them?

Dustin Heywood:
Well, I mean, I was originally against passwordless until I dug into it and I realized you're right, it is, every machine, let's look at Windows Hello as an example, Windows Hello for business specifically, interacting with an Azure Active Directory. In that case, there's still a machine secret, it still exists on the box, the user never has to interact with it. The facial scan unlocks cryptographic material on the device used to log into your domain. But there's other things, if you look at like there's zero-trust concept that's kicking in with it as well now, your machine endpoints are constantly being interrogated for changes. So if all of a sudden I log in from a hostile third nation, as opposed to my local home nation, all of a sudden I'm going to be locked out because it's a change in behavior. Or let's say all of a sudden my endpoint starts displaying unusual telemetry, my trust score changes, my authentication fails in the back end. You're still using the same kind of secrets, it's just the machine's taking more endpoints so it becomes more of a fancy multifactor authentication, as opposed to a password-like type system.

Dustin Heywood:
Let's look at me logging onto my PlayStation, I still had to use passwords, but that was a passwordless style log-on. I went in, I scanned the QR code, it did a back and forth in the backend, and now it's signed in. I didn't enter a single password on the console, I entered in on another device, and that greatly reduced the friction because I send copy and paste. Someone can do passwordless systems, do the same thing, only without copy and paste, they just automatically send it. Things like logging on with ... with certificates tied to them, there's still a key on there but it's just been signed by a different method using public key crypto or public key infrastructure to make things easier.

Joseph Carson:
Absolutely, for me, I like to use it as the term, it's moving them into the background, so it makes our lives, the interaction, our experience much better. But the password still exists. There is a secret, there's a token, there is a key, there's something that's still being exchanged in the background. And from a security perspective, they still need to be managed. Somebody still needs to rotate them. You don't want all of a sudden to have a static application password that becomes the same key that's been exchanged, that doesn't get changed.

Joseph Carson:
And we see that a lot with integrations, with a lot of application-type integrations where you say, I want to allow this application to access data here, and you create the static application password. Email clients is one of the most common places we see that, and they become stale until you actually go and rotate it or until the only time you ever get notified, maybe when you get a new device two or three years later, that you have to enroll that device and it might mean they have to create this new application password. Is there something you recommend along, how do you manage those, especially in getting visibility of them as well?

Dustin Heywood:
Well, it depends with technology too, for example, JSON Web Token with static signing keys, commonly used in authentication components, OpenID Connect keys. The problem is, there's no one tool to go manage all of these authentication secrets. There's some tools that manage your certificates for you, some of them manage SSH keys, some will have tools for issuing JWTs that are out there, that are all written in Go, that will sort of remain nameless on this call. There's other tools out there that are built as programmable PKIs, the trick is automation and finding the right orchestration for your platform.

Dustin Heywood:
And again, because our industry is so wide and there's so many standards and when someone writes a standard, they write a standard for making standards that gets ignored ... for standards, we have a highly fragmented ecosystem. You are never going to get 100% control of all of your secrets. The trick is, do an inventory of what you've got, identify how it'd happen if that secret doesn't get rotated, and just continually do an evaluation because the landscape changes all the time. If you stop learning for two months, all of a sudden someone comes out with some new technique and you're behind the eight ball again, it's going to take you a while to catch up.

Joseph Carson:
Absolutely, and we've seen a lot of those vulnerabilities popping up this year, especially with the likes of PrintNightmare, being able to use your Print Spooler to create a little administrator account, that's pretty impressive. Organizations have many challenges to face around this area. Also-

Dustin Heywood:
I'm glad you brought up PrintNightmare by the way because Print Spooler has been the bane of our existence for at least two to three years. If you look at even before this latest RCE, there's an older technique to get a domain controller to authenticate to you with an NTLM version, one of its machine hash, then you use it at DCSync with a level user proof, everybody out there listening, turn off your Print Spoolers.

Joseph Carson:
Yeah, that's a good recommendation. It's one of the first things I did when I heard about that was actually going and starting disabling it, and patching systems as well, making sure you're running the patches for them. Another thing that's quite common, we talked briefly a little bit about it, is around things like biometrics and you talked about Windows Hello and Cortana, you get into also biometrics for phones and facial recognition. And one of the things I try to explain to people, people think about them as they replace passwords, but actually, those for me they're identifiers, they're not secrets. However, they have better security attributes. They come with much better security attributes.

Joseph Carson:
And it still means that the password for me is really starting to change. We talked about passwords moving to the background and the human experience with things like biometrics are making that much more easier to use, but I see the password really becoming much more of a backup recovery key or a device enrollment key rather than something you use interactively on a frequent basis, it becomes something you use to either add a new device, or to enroll a new account, or to migrate when something happens, or if the security changes, let's say the risk score that you have changes. Talk a little bit about biometrics and where that fits in. And also, what is the password really evolving into in the future?

Dustin Heywood:
So let's look at the... or look at biometrics. So the problem with biometrics, as an example is, depending on the jurisdiction you're in, some of the courts have ruled that evidence gathered via biometrics such as police officers ... fingerprints up to a phone or using things to scan faces, have been ruled admissible as evidence because you're not revealing a secret out of your mind.

Dustin Heywood:
So in many cases, the passwords, the only thing that'll save you from having evidence forcefully extracted from a system are depending on your jurisdiction. Obviously, I'm not a lawyer, so seek legal advice in your local zone. However, we have been telling people when crossing a border, for example, make sure if you look at a Mac, you have the fingerprint unlock. Fingerprint unlock doesn't work from a cold boot, same deal with a number of phones, turn your devices down or completely off so that that fingerprint authentication doesn't work. Really biometrics is a username, a highly secure username as opposed to a password. You still need something that's all only in your mind to go unlock things.

Dustin Heywood:
Otherwise, let's ignore the border thing. Let's say you're out at a bar somewhere, not that any of us drink in this industry, but let's say you're out in the bar and you meet somebody else out there. All of a sudden, you start feeling mildly lightheaded because they slipped something in your drink, and they try and go drain your bank because it's all set up for multifactor via your fingerprints. That's a common attack in some parts of the world unless you've got various PINs and such ready to go unlock your phones. Some of this frictionlessness has now become a two-way street, and now it's a double-edged sword that can harm you more than it helps.

Joseph Carson:
Absolutely, and that's good. I mean, I think I benefit quite a bit from being located in Estonia because all of this has been actually built into society here, where we have our digital identity, and that's tied to, what is it? A cryptographic key exchange that's also tied to that. In order, you've got an authentication PIN, then you've got a signature PIN. And that's all kind of along with you. Up until a certain amount, you can do bank transfers, but then once it's a bit higher, about 40, 50 euros, then it requires you to actually do the authentication PIN. And then when it becomes a bigger amount, then you have to do the signing PIN. So those types of things become much more difficult and challenging in order to really... It's just making it more difficult for attackers to be successful and not making it too easy for them, and that's ultimately kind of what our goal is. Our job, in many cases, is to understand the risks, listen to the businesses, and help reduce those risks by putting the right controls in place.

Dustin Heywood:
Well, I'm glad you brought up risks because there's one more I forgot to talk about: a lot of people are relying heavily on SMS-based multifactor authentication, and given the number of SIM jacking attacks out there, that's one of those things that we're highly recommending to companies to either stop doing or add additional layers of controls on top of just the PIN via SMS. Stealing or porting a number over using SIM jacking techniques, or calling your phone company saying, "Hey, I want to move this number from one SIM to another," is very easy with social engineering on the back end, so it's highly recommended that you get some other form of authentication that's not SMS-based.

Joseph Carson:
Absolutely, and there are so many out there, and there are so many free versions as well. Use any of the many authenticators that you can simply download. There are ones for business that you can actually manage through the enterprise, and there are ones for personal use. And I highly recommend using a minimum of two-factor, and where possible multifactor, and again, going back to the original point, it all comes down to the risk. And not all two-factor, or two-step, or SMS-based is equal, they're not the same. So it's important to understand what risks are being introduced and to make sure that, whatever account it is that you're protecting, whatever the risk is to that account, you want to apply the right security controls to make it more difficult and also as secure as possible depending on what that is.

Joseph Carson:
Other things to kind of remind people of: what about when we get into talking about the reporting side of things and getting visibility? Should we be looking periodically at activities, should we be looking at how old passwords are? We mentioned a bit about rotating them. What's the case, for you, for not rotating a password, what would be the reasons for doing that? What about kind of getting into that visibility and reporting side, looking at, for example, even failed login attempts from accounts?

Dustin Heywood:
Yeah, that's the problem, there's no universal way of looking at your failed login attempts. Say I log in, look at my library as an example, they're not going to expose that information to me in any way, shape, or form; you're really at the mercy of the provider you're logging in with. There are some valid cases, obviously, for not rotating credentials. Let's say, for example, my furnace has something tied into my wifi for whatever reason, if I was crazy enough for that, and if it took an outage, I had to go shut down and turn off the pilot light to go change the secret. Obviously, I'm not changing that secret unless I absolutely have to, or unless I take something out of service.

Dustin Heywood:
There are a number of valid reasons, a lot of them are life safety, a lot of them are, "Hey, if that resets, there's a risk of bricking it." Oil and gas with SCADA systems, for example, some of those sensors are deployed in the field and you're not getting to that without going through a substation and getting through armed guards with guns, so that stuff's never getting swapped. Systems at the bottom of the ocean where you can't send a human service tech out, that stuff's never getting swapped. It's just a matter of going through, doing inventory of all your systems, and telling yourself, "Hey, if this gets popped," and doing a simple scoring on a scale of one to 10 of how much my life will be altered if this gets hit. One being, "I don't really care, I'll put the password on a billboard," 10 being, "if this thing gets hit, I'm changing careers and quitting."

Joseph Carson:
I completely agree, it's all about risk. It's about understanding what the impact is, and if it is ever compromised, what is the result? One of the things I want you to talk about is, there was big news early this year about this 14, whatever, gigabytes of passwords, and when we really get into it, it wasn't actually passwords, it was a wordlist. Can you explain to the audience a bit about what's the difference between disclosed compromised passwords and a wordlist? Because sometimes, I think in the industry, there's a lot of confusion about what the difference is.

Dustin Heywood:
There is. Let's look at RockYou, for example, the standard wordlist, most of it used in hashcat, that was a wordlist. What happened was somebody breached the site, they extracted out all of the credentials, but the wordlist we use doesn't have any of the usernames, versus when we talk about leaked credential sets, we're really talking about something we call password stuffing, effectively, or credential stuffing. And what that is, is we've got a list of username-password pairs, and we're trying them out on multiple other sites. So there's also a variant in password cracking called shucking, where we'll get things down to an intermediate level of the ending and we'll use previously cracked password pairs to try and get yourself down to... Instead of trying a couple of billion passwords on a bcrypt, for example, that's going to take forever, I'm going to try a hundred variants on bcrypt with a highly targeted password attack. This was pioneered by ChickenMan, also somebody that works with me over at XFR.

Dustin Heywood:
So there are techniques like that, but really what we're talking about is, people trade live credential pairs. So when there's a major breach, we're talking about, here's all the stuff leaked on some foreign hacker site that has complete lists, and some of them have varying levels of quality, so that's at the top tier of the password world. Then there's what we call combination lists. A combination list is where someone went out and grabbed a bunch of passwords from multiple other sets and combined them together into one set, and they'll leak that out. And those are generally junk, but they make great headlines. Collection number one was an example of that, where it was just, "Here's a giant list of stuff."

Dustin Heywood:
So credential pair sets are the most dangerous, and those leaks, those typically get picked over really quickly by ... out there, they'll test them all out and they'll extract what they can, and then within a couple of months, they're basically useless, versus a password set, which is just, here are all the passwords that have been tried around the world. Some of the various sites that are rather large publish them, hashes.org publishes them as well. Those are handy: if you've got a wordlist, I'm going to use a known wordlist against passwords because that's just passwords people have tried in the field. The problem is, people like me pollute those lists, so there's less usefulness in them. There are other folks that'll sit there and they'll take, "Here's a junk list," or they'll make up a junk list to get leaked onto the scene. They'll take existing passwords, combine them with bad usernames, attach in randomly generated passwords, and they say, "Here's my new magic list," just so they can get some scene credit.

Dustin Heywood:
So the stuff that's out there, sometimes you take it with a grain of salt. There are also a lot of encoding errors in the data. Trying to get into collecting and analyzing what's out there is difficult because no one has a primary or complete list of everything, because no one trusts each other.

Joseph Carson:
Absolutely. And I think, for me, in most cases of ransomware in the past year, I've seen it come from basically criminals and attackers who specialize in gaining access. And what they do is, they have those combination pairs, they've got the username and password, and they become very valuable. And all they do is look to gain access. They will maybe do it through brute force, find that combination pair, and they will sell it to other criminals who will then use it and gain access, whether it be to steal data or to deploy ransomware. And what you'll end up seeing a lot of times, getting involved in incident response, what you'll see is, all of a sudden, maybe four or five months ago, the credential was discovered. And then all of a sudden, two weeks before the ransomware gets deployed, somebody was confirming that it was still active. And then it gets sold and the criminal comes in, they log in, whether through RDP or through whatever access or through a web interface, and all of a sudden, it's only a matter of time before they deploy ransomware or malicious activity in your organization, so definitely those pairs.

Joseph Carson:
And one thing I used to look for as well was failed login attempts over a longer period of time for the same account. Because a lot of times what they do is, they won't do it in a way that creates a lot of noise, they want to stay as stealthy as possible, so they'll actually spread it over a longer period of time. Because one thing that they do have is a lot of time, and it's only a case of waiting until that one attempt is successful. So it's really important to make sure, when you're looking for any type of noise, you try to make sure you're looking over a longer period of time, because sometimes when we look at it from a period of a day, you may not get that visibility into what the real attempts are.

Dustin Heywood:
Yeah, you need to look at it over the course of months. I mean, there's some stat I heard, and it's probably inaccurate now, so don't quote me on this, but the average dwell time was something like 154 days or longer, and it could even be longer. I mean, I heard numbers as high as 270 or even 300 days. So that means someone's logged on, found a password, gained the access, farmed it, made sure it hasn't expired out by trying variants of it, and sat there until the time was right, and then popped in. That just means we need to go find better detection controls because... I mean, that's why we're seeing things like red team engagements or adversarial simulation engagements now being popular, because it's a dirty secret in the security industry, so I'm going to spill the beans: no security is 100% foolproof. All the controls you put in place are there for one purpose, and that is to slow down the attacker long enough for you to find them and evict them. They're going to get in, whether it's a zero-day, whether it's something else, someone's going to pop through every layer of your controls at some point. And there are two types of companies out there, those that have had an attacker in their environment and those that don't know it.

Joseph Carson:
Yeah, absolutely, and I have my own motto as well that kind of goes along with that, which is that my job is to slow the attackers down, but not only slow them down but force them to take more risks. And my job is to make sure that whatever techniques they're using are actually going to create more noise in the network. So the more noise in your logs, the more noise and visibility, the more noise they create, it will give you a chance of being able to detect them much earlier and getting them out of your network before they do something malicious, before they elevate privileges, before they gain access to your sensitive data.

Joseph Carson:
The more noise that we can force them to create, by making it more challenging, by rotating the Kerberos ticket, by creating more challenging, more complicated passwords, by not allowing them to use hash techniques across the network, and by forcing them to repeat their techniques more frequently, will give you more visibility in your logs, more noise, more errors for you to be able to detect. A lot of times when working on incidents in digital forensics, you might be working on one specific attack and all of a sudden you'll uncover that actually another attacker had access to the same network, maybe at another point in time. So sometimes you find that there are multiple attackers in the network, just some of them have different motives. Some of them have financial motives, some of them have data theft motives. So absolutely, you're right, there are two types of companies, the ones who know and the ones who don't know.

Dustin Heywood:
Well, that's the thing, and if you look at security engineering, there's this concept that we borrow, in some cases, from the military-industrial complex, from nuclear weapons design specifically, called weak links and strong links. And so what that is, is you basically build up your environment, because attackers are lazy, you build your environment in such a way that there are certain paths that will be a bigger pain to exploit than others. And so, they're going to go for the low-hanging fruit. So you heavily instrument the weak links, the areas that were slightly, intentionally weakened, but there are increased detection controls behind them, the concept of a honeypot, for example. So you want to steer them into the line of fire and then make sure you concentrate fire where they're entering. There are techniques like that to basically enhance traffic engineering to ensure that they wind up in a place where you can detect them and remove them.

Joseph Carson:
Absolutely, so for the audience, let me kind of summarize a few things as well. Really, when we get down to it, one question is, are passwords going away? Will we see the end of passwords any time soon?

Dustin Heywood:
No. I mean, I'm not going to see the end of passwords before I retire. I mean, I've still got another 10, 15 years before that happens, so, I mean, I'll be happy to eat those words, but for now, it's a good career choice.

Joseph Carson:
Absolutely. No, I completely agree with you. And I think the point we made earlier is that they are moving more into the background, so people will see them less and less. But they will still exist, we will still have to manage them, we will still have to secure them, we will still have to rotate them, we will still have to complement them with additional security controls. And some of the best practices we talked about today: really, get into the habit of using a password manager. If you're in a business, get into the habit of using privileged access security that will integrate, and automate, and rotate passwords periodically so you don't have to. Because the one thing I hate is having to do things manually and having to do them repetitively. And in our business, what we can automate is the best thing, because it makes... One of the most valuable things that we have in the world, and it's not oil, and it's not money, it's not gold, it's time.

Joseph Carson:
All of us have one thing in common, which is we all have a set amount of time in this world to do what we want to do. And the more that we can save and reduce wasted time, for me, is the most valuable thing in this world. So the more we can actually put a lot of those mundane tasks into the background, that's the most valuable thing that we can actually give employees: reward them by removing and reducing wasted time. And that's what I kind of get into with using password managers and privileged access security.

Dustin Heywood:
Well, the other thing is, if you don't make security frictionless, people are going to do workarounds and find other ways of getting around it. So we can put all the controls in the LAN or in the world we want, but if Bob does some kind of bypass to get around the controls, yeah, all that goes out the window. Someone could put a webcam up to multifactor authentication tokens so they can sign in, to make things work so they can work from home during the pandemic. If your tools aren't in place now to make things easy, they're already being bypassed.

Joseph Carson:
Absolutely. And you're so right, and I've heard it getting more and more discussed that we need to be making security usable. One of the things I've mentioned in a lot of interviews recently, when I'm doing press articles and stuff like that, when I'm giving my feedback, is that anytime we are going to implement a security control, it has to be better and actually more efficient than the existing control in place today. If your security is actually causing more friction or taking more time, they're going to find workarounds, they're going to find ways around it to circumvent it. So anytime we're actually putting a security control in place, it must be better than the existing one in place today.

Joseph Carson:
We want to get to the point where actually people want to be using security because it's better than the alternative. That's ultimately the path, because ultimately, if we don't, people are just going to hate it. That friction, that security, is preventing people from doing their job. But we want people to see security as helping them do their job better, more automated, more efficiently, more effectively, and to a point where, hopefully, passwords are moving more into the background.

Dustin Heywood:
Yes, speaking of passwords in the background, one final public safety announcement: if you are a Unix admin, please rotate your SSH keys that you use to sign in to your systems. Those things have probably sat there for the last four or five years and you've forgotten about them, so you might want to add a fresh one and rotate the old ones out.

Joseph Carson:
Absolutely, and another thing from me is that I've got my top one for today: sudo is the root of all evil. So make sure you actually go and review all your sudoers files as well, because a lot of times they become stale and not updated. You might have a lot of users who may have left the organization who might still actually have sudo rights on a lot of the systems because they're not being managed.

Joseph Carson:
So for the audience, hopefully this has been an entertaining and interesting discussion all around password pain. We've covered lots of different elements, and hopefully you will look at passwords, you will take a risk-based approach, you will actually make sure that you're starting to use a password manager, starting to make better choices. Dustin, it has been awesome having you on the show today, and I look forward to us hopefully catching up in the near future. And for everyone out there, stay safe and stay secure. Tune in every two weeks for 401 Access Denied. Thank you.

Dustin Heywood:
Thanks for having me.

Joseph Carson:
It's been a pleasure, thanks.