How were we hacked? Part 1

Do words like password spraying, phishing, credential stuffing make you feel vulnerable? Get into the mind of your hacker and understand how hackers hack passwords.
Cybersecurity
Written by
Rob McFeely
Published on
May 5, 2020

When we read about hackers, we either think of people in Anonymous wearing Guy Fawkes masks or of that film from the mid-’90s where rollerblading teens bring down the baddies with elaborate rabbits and trojan horses.  While complicated CIA-type hacking may exist, the VAST majority of hacking is simply someone getting your password and logging in online just like you would.


How do hackers get your credentials?

So how are hackers getting our passwords?  Understanding this will make us more careful in how we create, manage, use, and re-use our credentials.

1)  It was so bad it got guessed - Password spraying

Many people simply cannot fathom that they will ever be the one whose account gets hacked.  “Sure, it will never happen to me.  Why would a hacker be interested in me?  I’ll just use “Password1” because I could not be bothered coming up with a better one and remembering it”.   Many of us would gasp at this contrived example, but it does happen.  A lot.  One way or another, there is a reason why “Password1” is on the list of most used passwords: there is no end of people like this.  I’ve seen it used and hacked in corporate environments.  

The reason this happens is not that the password is weak in and of itself, but rather that people think they are unimportant, off the beaten track, that it will happen to someone else.  This is where they are wrong.  Using a technique called password spraying, hackers use automated programs to try a handful of the most common passwords against a large number of accounts, one or two guesses per account, so that no single account trips a lockout and the noise stays below the radar.  The attacker does not need to know who you are; your username only needs to be on the list.  It is happening 24x7, 365 days a year, so it is only a matter of time before you are hit.  
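What a spray looks like from the defender’s side is easier to show than to describe.  The following is an added example, not code from the original post or from Octiga: it parses a constructed set of sign-in events (the one-line log format and the thresholds are assumptions) and labels a source IP as a spray when it fails against many different accounts with only a few guesses each, while the same volume of failures piled onto one account is labelled a brute force instead.  A user who mistypes once and then gets in is left alone.

```python
import re
from collections import defaultdict

# Constructed sample sign-in events in a simplified one-event-per-line format
# assumed for this example; these are not real tenant logs.
SPRAY_LINES = """\
2020-05-04T09:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2020-05-04T09:00:04Z src=203.0.113.5 user=bob@example.com result=FAIL
2020-05-04T09:00:07Z src=203.0.113.5 user=carol@example.com result=FAIL
2020-05-04T09:00:10Z src=203.0.113.5 user=dave@example.com result=FAIL
2020-05-04T09:00:13Z src=203.0.113.5 user=erin@example.com result=FAIL
2020-05-04T09:00:16Z src=203.0.113.5 user=frank@example.com result=SUCCESS"""

# Many guesses at one account from one source: the classic brute-force shape.
BRUTE_LINES = "\n".join(
    f"2020-05-04T09:01:{i:02d}Z src=198.51.100.9 user=alice@example.com result=FAIL"
    for i in range(12)
)

# A user mistyping once and then getting in: should not be flagged.
NORMAL_LINES = """\
2020-05-04T09:05:00Z src=192.0.2.20 user=alice@example.com result=FAIL
2020-05-04T09:05:30Z src=192.0.2.20 user=alice@example.com result=SUCCESS"""

SAMPLE_LOG = "\n".join([SPRAY_LINES, BRUTE_LINES, NORMAL_LINES])

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(log_text):
    """Turn the log text into a list of event dicts, skipping lines that do not parse."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def classify_sources(events, spray_min_accounts=5, spray_max_per_account=3,
                     brute_min_attempts=10):
    """Group failures by source IP and label each source as spray, brute force, or benign.

    A spray touches many accounts with only a few guesses each (to stay under
    lockout thresholds); a brute force piles many guesses onto one account.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    later_success = defaultdict(set)                   # src -> users who got in after failures
    for event in events:
        src, user = event["src"], event["user"]
        if event["result"] == "FAIL":
            failures[src][user] += 1
        elif event["result"] == "SUCCESS" and src in failures:
            later_success[src].add(user)

    findings = {}
    for src, per_user in failures.items():
        accounts = len(per_user)
        peak = max(per_user.values())
        if accounts >= spray_min_accounts and peak <= spray_max_per_account:
            kind = "password-spray"
        elif peak >= brute_min_attempts:
            kind = "brute-force"
        else:
            continue
        findings[src] = {
            "kind": kind,
            "accounts": accounts,
            "peak_attempts": peak,
            "later_success": sorted(later_success[src]),
        }
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

The two numbers that matter are the count of distinct accounts per source and the peak attempts against any one of them; a spray is wide and shallow, a brute force narrow and deep.  In a real tenant the same counting should run over a sliding time window, and a success that follows the failures (frank in the sample) is the finding to escalate first, because that is the account the spray landed on.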

2)  A strong password, but used everywhere - Credential Stuffing

So you now have a strong password.  It is m2knaKaKatlB*, derived from the first letters of each word in the sentence “my two kids names are Karl and Kate and they like Big * (stars)“.  This is a good approach for a password you have to remember.  It’s memorable to you, contains secret knowledge, and includes capitals, digits and symbols.  However, you liked it so much you used it for a few sites, including dodgy-garden-gnomes.com and yahoo.com. The problem now is that the well-meaning but much less security-conscious people at the gnomes site, or at yahoo, may get hacked and lose all of their users’ passwords. Now every site where you used the same password is also wide open.  These breaches happen frequently, and to big names too (including yahoo).  When usernames and passwords get breached en masse, they get redistributed amongst the baddies, who then try them against other sites/domains in a technique called credential stuffing.

So by using the same password at Office 365 and dodgy-garden-gnomes.com, you implicitly make the typically reasonably secure Office 365 as weak as the dodgy gnome site.  And the more you do it, the higher the risk.  So STOP.  Make up a new password for EACH site and use a password manager such as LastPass, 1Password, Dashlane or similar to remember them all for you.  

Thankfully, for existing passwords, it is possible to safely check whether your usernames and passwords appear in these breach lists.  haveibeenpwned.com is reputable and safe to use for this purpose: its password check never sends your password, or even its full hash, to the site, only the first few characters of the hash.  Make sure you check the URL and send it directly to your employees to ensure this, and only this, site is used.  
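Why that check is safe to run against a third-party site is worth seeing in code.  The following is an added example, not code from the original post, from Octiga or from Have I Been Pwned: it implements the k-anonymity range lookup the Pwned Passwords service uses (the real endpoint is https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password’s SHA-1, and the response is one SUFFIX:COUNT pair per line).  Only the five-character prefix ever leaves the machine; the remaining 35 characters are compared locally.  The offline fetcher and its leak counts are constructed stand-ins so the example runs without network access; the live fetcher is included for real use.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the service indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix sent to the service, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def pwned_count(password, fetch_range):
    """How many times the password appears in the breach corpus (0 if never).

    fetch_range(prefix) must return the text body for that 5-char prefix.
    The service never learns more than the prefix, so it cannot tell which
    of the hundreds of hashes in that bucket we were interested in.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def live_fetch_range(prefix):
    """Real lookup; the service rejects requests without a User-Agent header."""
    request = urllib.request.Request(
        HIBP_RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


# Constructed stand-in for the service so the example runs offline.
# The passwords are typical weak ones; the counts are made up, not HIBP's.
CONSTRUCTED_LEAKED = {"Password1": 2_000_000, "qwerty": 3_000_000}


def offline_fetch_range(prefix):
    lines = [
        f"{sha1_hex(pw)[5:]}:{count}"
        for pw, count in CONSTRUCTED_LEAKED.items()
        if sha1_hex(pw)[:5] == prefix
    ]
    lines.append("A" * 35 + ":1")  # unrelated filler so the bucket is never empty
    return "\r\n".join(lines)


class RecordingFetcher:
    """Wraps a fetcher and records what was sent, to show how little leaves the host."""

    def __init__(self, inner):
        self.inner = inner
        self.sent = []

    def __call__(self, prefix):
        self.sent.append(prefix)
        return self.inner(prefix)


if __name__ == "__main__":
    recorder = RecordingFetcher(offline_fetch_range)
    for candidate in ("Password1", "m2knaKaKatlB*"):
        print(candidate, "seen", pwned_count(candidate, recorder), "times")
    print("sent to service:", recorder.sent)
```

Swap offline_fetch_range for live_fetch_range to query the real service.  The same prefix-only design is what makes it acceptable to point employees at the site: the thing you are trying to protect never leaves the browser or the script.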

3) Clicked a link and entered credentials - Phishing

You get a legitimate-looking email purporting to be from a reputable vendor or site asking you to log in and do something.  It looks important.  You click, it takes you to offices.com (note the extra ‘s’ compared with office.com), which requests your credentials, which you duly enter.  
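The extra letter is the whole trick, and it is the kind of thing a mail filter or a browser extension can catch mechanically.  The following is an added example, not code from the original post or from Octiga: given an assumed list of domains the organisation really logs in to, it pulls the registrable domain out of a link and flags it when it is within one edit of a trusted name, when a trusted name has been prepended as the left-most labels (office.com.something.net), or when common look-alike characters (rn for m, 0 for o) hide the difference.  It deliberately leaves internationalised domain names and multi-part public suffixes such as co.uk out of scope.

```python
from urllib.parse import urlsplit

# Assumed list of domains staff genuinely sign in to (not from the original post).
TRUSTED_DOMAINS = {"office.com", "microsoft.com", "example.com"}

# Visually confusable substitutions folded away before comparing.
# Assumption: ASCII lookalikes only; punycode/IDN homographs are out of scope here.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def fold_confusables(name):
    for bad, good in CONFUSABLES:
        name = name.replace(bad, good)
    return name


def levenshtein(a, b):
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host.

    Assumption: no public-suffix list, so two-label suffixes like co.uk are not handled.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(url, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain a link impersonates, or None if genuine or unrelated."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return None  # the real domain, or a real subdomain of it
    for name in trusted:
        if host.startswith(name + "."):  # office.com.evil.net: trusted name as a prefix
            return name
    folded = fold_confusables(reg)
    nearest = min(trusted, key=lambda name: levenshtein(folded, fold_confusables(name)))
    if levenshtein(folded, fold_confusables(nearest)) <= max_distance:
        return nearest
    return None


if __name__ == "__main__":
    for link in ("https://offices.com/login", "https://login.office.com/",
                 "https://office.com.verify-account.net/", "http://rnicrosoft.com/"):
        print(link, "->", lookalike_of(link))
```

The distance threshold is the knob to tune: one edit catches the offices.com case from the post without many false positives, while a threshold of two starts to match unrelated short domains and should be paired with a review queue rather than an automatic block.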

Phishing (and its variants: spear phishing, smishing, whaling, vishing) is among the hardest attack types to combat because it is a social engineering trick.  Again a human weakness completes the exploit.  No matter how we inform and educate employees, eventually someone clicks the link.

The best defence is a combination of regular education, anti-phishing and anti-spoofing policies in your Office 365 tenant, Multi-Factor Authentication (so that a phished password on its own is not enough to log in), and checking/managing the locations from which users sign in.

4) Wrote password on a yellow sticky note

Then you stuck it to your monitor.  You can trust all the people who pass your desk, right?  All of them?  Forever?  What happens if you work in an open office, or the cleaner moonlights as a hacker, or Bob the disgruntled ex-employee decides to “show them” how wrong they were to fire him?   The list goes on.  Again, the best solution is simply: DON’T do this.  Use a password manager and MFA instead.

5) Brute Force

Unless you are using a long, randomly generated password, there is always a chance this can happen, especially if you are someone of importance in your company or outside of it.  Against a live login page the risk is low, because lockouts and rate limiting cap how many guesses an attacker gets; the bigger danger is offline guessing against password hashes stolen in a breach, where a short or predictable password falls quickly.  With a strong password, it’s far more likely that a phishing attack or re-using it elsewhere will lead you to ruin.  

6) Keyloggers

Keyloggers are another risk at the lower end of the probability scale.  They are used in targeted attacks where the attacker either knows you personally or targets you specifically.  The odds increase if you are a high-value employee (CEO, CFO, accountant, etc.) or if you work in a large or high-value organisation.  Keyloggers come as hardware (a device plugged in between keyboard and computer, which needs physical access) or software (malware).  Naturally, the software versions are the higher risk, since they require only a malware infection to get what they need.  

Preventing software keyloggers requires general good hygiene: keeping systems patched, malware detection and prevention on endpoints, and up-to-date malware filter policies in Office 365.

General Preventions and Solutions

Unfortunately, given the myriad ways that credentials are at risk, the best approach is to defend on many fronts.

  1. Use a password manager to generate a strong and unique password for every site/domain.
  2. Monitor remote access events in the audit logs.
  3. Roll out MFA to high-value and high-risk users and to administrators.
  4. Update malware filter policies.
  5. Configure anti-phishing policies.
  6. Enable anti-spoofing intelligence.
  7. Ask your employees to check their credentials against haveibeenpwned.com, and act accordingly.

Octiga - An easy All Angles solution?

Octiga to the rescue!  

Octiga offers automated Office 365 solutions to help you configure many of the above items easily. Octiga's detect feature monitors for configuration changes and dodgy logins. If you suspect a breach, the recover feature helps you with rapid detection and remediation. Schedule an appointment to experience an easy, guided and automated security journey today.
