Bad Passwords, Pwned Accounts and Prevention

As the industry investigation into what has become widely known as Solorigate continues, it’s worthwhile going back to some base concepts.

There’s an argument to be had that an organization’s privileged accounts should be treated as information assets.  Each has a value, a risk that it becomes known to and used by unauthorized parties, and an impact if that happens.  There are many methods you can use to categorize these assets, determine their value and establish the risk and impact associated with unauthorized use.

Microsoft have recently published the final update on their Solorigate investigation and it makes for interesting reading.  Two key points stand out as background to this week’s blog (quoted word-for-word from the Microsoft report);

  • The search terms used by the actor indicate the expected focus on attempting to find secrets, and
  • The cybersecurity industry has long been aware that sophisticated and well-funded actors were theoretically capable of advanced techniques, patience, and operating below the radar, but this incident has proven that it isn’t just theoretical. For us, the attacks have reinforced two key learnings that we want to emphasize —embracing a Zero Trust mindset and protecting privileged credentials.

And lastly, they state that “Protecting credentials is essential”.  The full article can be found at https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/

Building on the above, it’s essential for an organization to treat its privileged credentials as information assets, protect them and ensure that the passwords used are strong.  We’ll be covering Password Strength and Generator Policies next week, so this week we’ll cover Bad Passwords, Pwned Accounts and Passwords, and how to minimize the risk of both going forward.

What are Bad Passwords?

Bad passwords are typically based on dictionary words, sequential runs of digits, or a simple combination of the two (a word with a few digits appended).  They fall quickly to dictionary and brute force attacks.  Examples of bad passwords are;

  • Password
  • Password111
  • 12345678
  • 234567890
  • Linkedin1
  • Vikings

If users are able to choose Bad Passwords, you’re making it that much easier for an attacker to guess or crack their way into a user’s account.

How do I know if I’ve been pwned?

Troy Hunt developed the HIBP (Have I Been Pwned) website to allow anyone to quickly assess if they’ve been put at risk as a result of their account having been compromised (pwned) in a data breach.  Users can look up their email address to see if it has appeared in a known data breach here https://haveibeenpwned.com/

The site also provides an API (Application Programming Interface) so that passwords can be checked against the more than 613 million real-world passwords previously exposed in data breaches.  The Pwned Passwords API is designed so that the password itself never leaves your system: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash, the service returns every hash suffix in that range, and the client checks for a match locally.  The premise is that if a password has been exposed then it’s unsuitable for ongoing use.  Passwordstate provides integration with the HIBP repository via the published API.

How to prevent the use of Bad Passwords?

Passwordstate offers a couple of options to limit the use of Bad Passwords.  The first is using the built-in customizable Bad Password Database.  This is based on a dictionary style list of common words and sequential numbers.  Please note that there are words included in the list that some people may find offensive.  They’re included as they’ve proven to be used in or as part of the most common passwords.  If you do not want these included in the database you can delete them.

The Bad Passwords configuration is located under Administration->Bad Passwords->Bad Passwords Database as shown below;

This database can be built on within your organization by adding specific words that you want to prohibit, for example the name of your company.  To add a new Bad Password simply click on Add at the bottom of the Bad Passwords grid and enter the word you wish to add to the database.  The example below shows adding the password “clickstudios” to the database,

The second option is to select the Have I Been Pwned API from Administration->Bad Passwords->Bad Passwords Database. 

This will check passwords against the HIBP database via the published API from the Add and Edit Password screens.  Please note that with Version 8 of Passwordstate you can select either the Custom Database or the Have I Been Pwned API, but not both.  With V9 of Passwordstate you can elect to use both at the same time.

By using the Bad Passwords feature you remove one avenue of weakness, ensuring that your users’ passwords are neither easily cracked nor the same as those exposed in previous breaches.
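As an added example (this is not Passwordstate’s code, nor from the Click Studios blog), the following Python puts both checks described above into a form you can run: a custom bad-word list with simple stemming so that “Password111” and “Linkedin1” trip on the bare word, a check for sequential digit runs (including the 9-to-0 wrap in “234567890”), and the HIBP Pwned Passwords range lookup using the k-anonymity split.  The word list, the sample range response and its counts are constructed for the example (apart from the hash suffix of “password” itself); fetch_range is the only function that talks to the real API, and the demo injects a canned response in its place.

```python
from __future__ import annotations

import hashlib
import re
import urllib.request
from typing import Callable, Iterable

# Constructed stand-in for a custom Bad Passwords list (the Passwordstate
# database ships its own; these entries are made up for the example).
CUSTOM_BAD_WORDS = {"password", "clickstudios", "vikings", "linkedin", "welcome"}

# Trailing digits/symbols people bolt onto a dictionary word to "strengthen" it.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def in_bad_word_list(password: str, bad_words: Iterable[str] = CUSTOM_BAD_WORDS) -> bool:
    """Dictionary-style check. Matches the whole password, or the password with
    trailing digits/symbols removed, case-insensitively, so 'Password111' and
    'Linkedin1' are caught as well as the bare word."""
    words = {w.lower() for w in bad_words}
    p = password.lower()
    return p in words or _TRAILING_JUNK.sub("", p) in words


def is_sequential_digits(password: str) -> bool:
    """Purely numeric passwords that step by +1 or -1, wrapping at 9/0
    (12345678, 234567890, 987654321). Repeated digits (1111) are not flagged."""
    if not password.isdigit() or len(password) < 4:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(password, password[1:])}
    return steps == {1} or steps == {9}


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix of the upper-case SHA-1 goes
    to HIBP; the 35-char suffix never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(response_text: str, suffix: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 when the suffix is not in the range."""
    for line in response_text.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: GET https://api.pwnedpasswords.com/range/<prefix>.
    The only function here that touches the network; the demo below injects
    a canned response instead."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "bad-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times HIBP has seen this exact password in breach corpora."""
    prefix, suffix = hibp_prefix_suffix(password)
    return count_in_range_response(fetch(prefix), suffix)


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> list[str]:
    """Return the reasons a password should be rejected; an empty list means it
    passed both the local list and the HIBP check."""
    reasons = []
    if in_bad_word_list(password):
        reasons.append("bad-word-list")
    if is_sequential_digits(password):
        reasons.append("sequential-digits")
    hits = pwned_count(password, fetch)
    if hits:
        reasons.append(f"pwned:{hits}")
    return reasons


# Constructed range response for prefix 5BAA6 (the SHA-1 of "password" starts
# with it). Real responses run to hundreds of lines; these suffixes and counts
# are made up, apart from the suffix for "password" itself.
SAMPLE_RANGE_5BAA6 = (
    "1E2E32CFE3ACF7A6D5E2A3D65C5AFE3A0D1:2\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    "1E5A8C0DA38DF09C1B5F5D1A62C9B9A4F22:1\n"
)


def offline_fetch(prefix: str) -> str:
    """Stands in for fetch_range so the example runs without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ["password", "Password111", "234567890", "Tr0ub4dor&3-Example"]:
        print(f"{candidate!r:24} -> {check_password(candidate, offline_fetch) or 'OK'}")
```

Run it as a script to see the four sample candidates classified.  In a deployment you would call check_password with the default fetcher; it sends only the five-character prefix, so neither a network observer nor the HIBP service ever sees the candidate password or its full hash.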

As always, we welcome your feedback via support@clickstudios.com.au.

Your Sysadmin has resigned, what do you do next?

Change within your workforce is inevitable!  Employee departure is almost a universal constant, right up there alongside death and taxes.  Employees move on for a range of reasons, some leave abruptly, some unfortunately have their employment terminated, some give their required number of weeks’ notice and others generously provide some flexibility while you search for a replacement. 

However, no matter what the circumstances, when a Systems Administrator leaves there will be disruption.  This disruption can be thought of as a continuum ranging from mild inconvenience at one extreme to utter chaos at the other. 

As they exit your employment there is a myriad of activities that need to be undertaken spanning Human Resources, Payroll, Outplacement Services, reassignment of existing workload etc.  This blog does not cover any of the other disciplines or activities outside of IT.  Rather it is focused on how you ensure the integrity of your privileged credentials, and therefore your data and systems once a Systems Administrator has left.

First Things First!

Immediately disable all personal accounts used by your Systems Administrator.  Most organisations will start this process as the individual leaves the premises for the last time.  The accounts should include personal and elevated-privilege Active Directory accounts, Unix / Linux accounts, VPN and mobile device connections etc.  Bear in mind that disabling an account stops new logons but does not end sessions that are already established, and Kerberos tickets already issued remain usable until they expire, so terminate active sessions and VPN connections as well.

If your Passwordstate instance is AD-integrated this will now prevent them from logging in and accessing any privileged credentials to which they had permissions.  If you are using Forms-based authentication, or have local Passwordstate login accounts, you will need to log in to Passwordstate and disable the local account by selecting the Action Menu next to the user account and clicking on Toggle Status – Enable or Disabled.

Query What Accounts They Had Access To!

One of the invaluable features in Passwordstate is being able to report on what password credentials a user has been granted access to, as well as what they’ve historically accessed.  To do so, simply navigate to Administration->Password Lists and click on the Perform Bulk Processing…  drop down list underneath the Password Lists grid as per the screen shot below;

This will bring up the Bulk Password Reset screen, which I’ve broken down into multiple parts.  The first is the section located to the left-hand side of the page called Search Filter,

Simply enter the User Account of the Systems Administrator, the Site Location you wish to report against (default is All Site Locations) and options for,

  • Recommend resets based on historical user activity, or,
  • All passwords the user has access to.

and,

  • Show records enabled for Reset, or,
  • Show records which are not enabled for Reset.

It’s important to note the first two are mutually exclusive, as are the second two options.  It’s also important to understand why some password records are not enabled for Reset.  In most cases these will be accounts used to login to applications or web pages where Passwordstate doesn’t have the ability to programmatically reset passwords. 

Site Locations relate to the use of the Remote Site Locations subscription module, where you can manage accounts located on disconnected networks, either firewalled on your internal network, or firewalled over the Internet.

Once you have entered your search criteria click on the Search button.  This will populate the Search Results Grid at the bottom of the page.

Reset those Accounts!

Now move over to the right-hand side of the page to Reset Schedule,

From here, you can,

  • Schedule At a specific date and time to reset the passwords for the accounts you select,
  • Add All Records to Queue – if they are accounts that are enabled for Reset, or
  • Add Selected Records to Queue – by selecting them using the check box for each account returned in the Search Results grid at the bottom of the page.  Again, this will only be available if the accounts selected are enabled for Reset.
  • Or you may want to run the Reset job immediately by clicking on Now

If you’ve selected any accounts that are disabled in AD they will still have their passwords reset to the new values.  For records that are not enabled for Reset, you can still select them and then use the Export control shown at the bottom of the Search Results grid.  This exports the details of those accounts to a .CSV file so you can change them manually.  Note that the passwords for these accounts are not included in the CSV file.

Lastly, there is a Password Reset Queue grid shown at the very bottom of the page.  This shows any currently pending scheduled Reset jobs.

So Why Do All This!

Using Passwordstate to identify accounts that your ex-Systems Administrator historically accessed, or had permission to access, is straightforward.  You can quickly identify and then reset those accounts to close off any opportunistic or deliberate attempt to use them.  That’s not to say your ex-Systems Administrator is intent on causing utter chaos; rather, you have a duty to act professionally and take the actions necessary to ensure the integrity of your organization’s privileged credentials, data and systems.

As always, we welcome your feedback via support@clickstudios.com.au.

Real World Example – Importance of Password Management

Let’s start off this week’s blog with a confession.  Here at Click Studios we want businesses to buy and use Passwordstate!  When you buy licenses for our products, and take out Annual Support and Upgrade Protection, you help us to maintain and grow our business.  We don’t deny that. 

However, take a look at our pricing structure and the catch-line on our website which summarizes our philosophy.   Password Management Should Be Affordable For Everyone.  Because It’s Important. 

We genuinely believe that all businesses should have the opportunity to access a secure, flexible and affordable Enterprise Password Management System.  One that your IT and Security staff can use to access and share sensitive password credentials.  Without a solution like Passwordstate,

  • How do you centralise control of, and allow secure access to, these sensitive credentials?
  • Do you know who is accessing your privileged credentials and when are they doing it?
  • Can you provide access to them based on an employee’s role?
  • Can you quickly change them when an employee leaves?
  • How do you ensure these critical passwords aren’t being copied, changed or exported for other uses?
  • How can you manage password resources on discrete networks?
  • Is your password store secure?
  • Can you rely on access to your passwords when you really need them?

If your business uses Information Technology, in any fashion, then the above points are important and relevant.  Your accounts, especially those with higher privileges can be used to exploit your most sensitive information and critical systems.  Privileged access gives individuals the power to alter your data, change the configuration of applications and infrastructure and have the potential to cause you irreparable reputational and financial damage.  If this were to happen would your business survive?

Credential Breaches Are Real!

On 2nd February 2021, Cybernews reported the “Largest compilation of emails and passwords leaked for free on public forum”, with more than 3.2 billion unique pairs of cleartext emails and passwords posted on a popular hacking forum.  This is known to be an aggregation of past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and other sources, and is referred to as the Compilation of Many Breaches, or COMB.

A subset of entries contained in a previous COMB in 2017 were tested by Constella.  They found that “most of the tested passwords worked” and “Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover”.

What’s more the breach isn’t just a list of stolen credentials, but rather an interactive database that allows quick searching of credentials.  In other words, it allows the lookup of specific credential sets to make selective targeting of individuals and businesses easier!

You can find the full report on Cybernews website: https://cybernews.com/news/largest-compilation-of-emails-and-passwords-leaked-free/ and reference their data leak checker: https://cybernews.com/personal-data-leak-check/

Implications and Impacts

The implications of this breach may be far reaching (I would have said unprecedented – but that word was done to death in 2020!).  The majority of people still reuse their passwords and usernames across multiple accounts. 

This gives Cyber Criminals a head start, with rich material for credential stuffing attacks.  If a user has the same password for their LinkedIn or Netflix account as for an email account, attackers can and will pivot to other, more important business accounts. 

These users typically become recipients of targeted Spear Phishing attacks, receive high levels of spam emails and imposter attacks via social media platforms.

Use Passwordstate to Protect Your Assets

First, get Passwordstate up and running within your business!  If you already use it then look at how you can improve its use within your business.  If you don’t have it installed then download the 30 Day Free Enterprise Trial here.  You can see how affordable our software is here.

Second, stop reusing passwords and usernames across multiple accounts.  If you do, and your account details are compromised in a breach, it’s just a matter of time before your other accounts are targeted.  And it’s not just celebrities and millionaires that are targeted with Spear Phishing attacks.  It’s also Help Desk staff, Accounts Payable clerks, middle management and those IT workers with increased privileges (yes, I’m talking about you System and Network Admins).  Set up Password Strength Policies and Generators in Passwordstate that create unique, strong passwords every time.

Third, reset your passwords regularly and automatically.  Don’t keep the same passwords for ever.  For vaulted privileged and service account passwords a scheduled reset costs little, because no human has to remember the new value; every 90 days is just an example, your IT policies may require shorter timeframes.  Be aware that forcing people to rotate passwords they memorise tends to produce predictable variations of the old one, so for those accounts uniqueness, length and breach checking do more good than a calendar.  If you’ve got lots of accounts then stagger the resets to make it manageable.  Use our tools like Browser Extensions to automatically generate and save an updated password back to Passwordstate when changing it online.  Automate wherever you can to make your life easier!

Then look at implementing 2 Factor Authentication where it makes sense.  You can still do this if you use Single Sign-On, and you can selectively target accounts.  View your accounts as assets and manage them based on risk and impact.  As an example, banking accounts and System Administrators’ privileged accounts should always have 2FA enabled.  Even if a password is compromised, an attacker still has to defeat the second factor, which stops the bulk of credential stuffing and password reuse attacks outright (SMS codes and simple push approvals can still be phished or fatigued, so prefer authenticator apps or hardware tokens for your highest-value accounts).

Be informed, take control of your assets and as always, we welcome your feedback via support@clickstudios.com.au.

Reporting Passwords about to Expire

In previous blog entries we’ve run through setting up Scheduled Reports to alert Security Administrators and users when particular events occur.  The previous examples focused on alerting an intended audience when extremely sensitive password credentials, say for an organization’s primary bank account, were accessed.  However, you can also setup a Scheduled Report to notify an intended audience when password credentials are about to expire.  But wait…there’s more. 

You can use Passwordstate to share information, based on assigned roles and permissions and with full auditing of access to this information.  This can include information relating to,

  • Alarm/Door Codes
  • Credit Cards
  • Software Licences
  • SSL Certificates

Passwordstate provides built-in templates for these, and you can create your own for things like hardware or software maintenance contracts etc.  The details on what else you can record can be located in a previous blog entry here.  Once you’ve got information and/or password credentials in Passwordstate, you can set up Scheduled Reports to notify you when they are due to expire.

Setup Report for Passwords about to Expire

Like with the previous blog examples, we’re going to use the following account for this blog (yes – it’s still a fake account).  It does however enable us to report against it,

Next, we’ll setup a Scheduled Report by navigating to Reports->Scheduled Reports as per the screenshot below,

and create a report called Passwords-Expiring-90 with the following options,

Note, I’ve elected to CC Report To one of my colleagues, Email Report As Embedded HTML, selected Do not send report if it produces no results and Selected Report Type as What passwords are expiring soon? You’ll also note under Report Description & Criteria it states to use the expiring passwords settings tab.  This is where you set the Password Lists and options you want to use.  I’ve selected the Password List called Website Logins, and the number of days in the future you want to include in the report, in this case 90 days.  You can also select if you want to include passwords that have already expired.

Then simply specify the time and frequency of the report on the Schedule tab, with options for One Time, Daily, Weekly or Monthly.  When the report has run, I receive an email as per the following screenshot,

Storing SSL Certificates and Reporting Expiry

Using the above example, being notified of passwords that are soon to expire, you can do the same for other types of information stored in Passwordstate. 

Here at Click Studios we store all our SSL Certificates, along with their expiry date in Passwordstate.  This enables us to run scheduled reports, advising what certificates are due to expire in the next 90 days.  I’ve included the redacted screenshots showing the SSL Certificate entry for our QA (Quality Assurance) environment below;

and the copy of the certificate,

and the rest is as simple as the steps in the first example.  Doing this we never get caught out with certificates expiring on us without notice!
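As an added example, not part of the Click Studios post and not the Passwordstate report engine, here is the same “expiring in the next N days, optionally including already expired” logic as a Python script.  It handles both a certificate’s notAfter as returned by Python’s ssl module and an expiry date stored as YYYY-MM-DD against a vault record (a password, door code or the like), so it serves both the password-expiry report and the certificate report above.  The inventory, hostnames and dates are constructed; fetch_not_after is included to show how a live certificate’s notAfter would be obtained but is not used by the offline demo.

```python
import socket
import ssl
from datetime import datetime, timezone

DAY = 86400


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port over TLS and return the leaf certificate's notAfter
    as getpeercert() formats it, e.g. 'Mar 02 00:00:00 2021 GMT'.
    Needs network access, so the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def parse_cert_time(not_after: str) -> int:
    """Certificate notAfter ('Mon DD HH:MM:SS YYYY GMT') -> Unix seconds."""
    return ssl.cert_time_to_seconds(not_after)


def parse_iso_date(date_str: str) -> int:
    """Expiry stored as 'YYYY-MM-DD' (what a vault field would hold) -> Unix
    seconds at midnight UTC on that date."""
    dt = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def days_until(expiry: int, now: int) -> int:
    """Whole days from now until expiry; negative once expired."""
    return (expiry - now) // DAY


def expiry_report(records, now, window_days=90, include_expired=True):
    """records: iterable of (title, kind, expiry_epoch).  Returns the rows that
    expire within window_days (plus already-expired ones if requested),
    soonest first, as (title, kind, days_left, status)."""
    rows = []
    for title, kind, expiry in records:
        days = days_until(expiry, now)
        if days < 0:
            if include_expired:
                rows.append((title, kind, days, "EXPIRED"))
        elif days <= window_days:
            rows.append((title, kind, days, "EXPIRING"))
    rows.sort(key=lambda r: r[2])
    return rows


# Constructed inventory: mixes certificate notAfter values (as fetch_not_after
# would return them) with vault records that store an ISO expiry date.  The
# titles and dates are made up for the example; NOW is pinned so the demo is
# repeatable rather than drifting with the wall clock.
NOW = parse_iso_date("2021-01-01")
INVENTORY = [
    ("QA web server TLS cert", "certificate", parse_cert_time("Mar 02 00:00:00 2021 GMT")),
    ("Old staging TLS cert", "certificate", parse_cert_time("Dec 31 00:00:00 2020 GMT")),
    ("Production TLS cert", "certificate", parse_cert_time("Jun 01 00:00:00 2021 GMT")),
    ("Website Logins / vendor portal", "password", parse_iso_date("2021-01-08")),
    ("Alarm code, server room", "door code", parse_iso_date("2021-04-01")),
]


def demo_report(include_expired=True):
    """The 90-day report over the constructed inventory."""
    return expiry_report(INVENTORY, NOW, window_days=90, include_expired=include_expired)


if __name__ == "__main__":
    for title, kind, days, status in demo_report():
        print(f"{status:9} {days:4d} days  {kind:12} {title}")
```

The window is inclusive (a certificate that expires exactly 90 days out is listed), and anything already past its date is reported as EXPIRED rather than dropped, so a forgotten record doesn’t silently fall out of the report.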

As always, we welcome your feedback via support@clickstudios.com.au.

Improve Mobile Security

What is the single biggest threat to mobility in the workplace?  There isn’t one; rather there are several threat categories that each pose a serious problem, including fake WiFi networks, malware infections, malicious apps and phishing attacks. 

As more businesses embrace mobility to improve business processes, increase workplace productivity and enhance employee satisfaction, the risk transfers from traditionally IT-managed infrastructure to consumer-grade, largely unmanaged mobile devices.  Add that the same devices usually hold the second factor for multi-factor authentication (authenticator apps, SMS codes), and that people rarely let their smartphones out of their sight, and it’s easy to see why these devices are such an attractive attack vector for Cyber Criminals.

Sources of Mobile Based Attack

What Cyber Criminals used to target via the desktop they now target via mobile devices.  There are more vulnerabilities exposed on mobile endpoints than on well-managed IT infrastructure; over the last three years the number of major vulnerabilities and malware threats for mobile devices has almost tripled.  The result is increased credential theft, data leakage and fraudulent transactions.

A survey run by Enterprise Mobility Exchange reported that fake WiFi networks were the predominant threat, followed by malware infections of mobile devices, malicious mobile apps and phishing attacks.

Fake WiFi networks, often called rogue or “evil twin” access points, let Cyber Criminals capture credentials and browsing activity and perform Man-In-The-Middle attacks when users connect to them, typically by intercepting or spoofing the web traffic for the sites the user visits.  Malware is often pushed to the device at the same time, allowing its contents to be read and enabling future theft of credentials and data.

Malware infections are typically the result of downloading a malicious app, opening attachments from an email or SMS, downloading content from a website, or running with unpatched vulnerabilities.  Android smartphones are more exposed, as Google allows apps to be installed from sources other than the official Google Play store, and the core Operating System code is open-source.  Even though Apple runs a closed ecosystem it isn’t immune: App Store review has missed malware-infected apps in the past.

Malicious Mobile Apps can be either outright malicious or introduce risk of compromise through adware, excessive permissions, or a dangerous combination of permissions.  They typically attempt to harvest account credentials or information that can be used in future attacks.  Excessive permissions can be used to intercept multi-factor authentication (an app with permission to read SMS can lift one-time codes) or to send spam and phishing campaigns from your device.

Phishing attacks typically simulate well-known brands such as Banks, Retailers and Webmail, offering login portals that seek to capture specific service credentials or simply obtain email logins that are used in future credential stuffing attacks.

Make it Harder for Cyber Criminal to Exploit Your Mobile Devices

Encryption of your mobile device is critical.  It protects the data on the device at rest, so that a lost, stolen or forensically extracted handset doesn’t give up the credentials and data stored on it, and it is backed by the device passcode.  A rooted or jailbroken device weakens those protections, and many mobile malware families depend on a rooted or jailbroken device to do real damage, so detecting that state matters too.  On iOS, enforcing a passcode turns on data protection.  On Android, recent versions encrypt by default but older devices may need encryption enabled explicitly in the security settings, so verify it rather than assume it.

Best Practices for Mobile Device Security

The following are recommended points to consider for protecting mobile devices, the sensitive credentials used from them, and the data they contain:

  1. Be Clear in Your Policies, Procedures and Processes
  2. Make Strong Passwords Mandatory and conform to your Password Policies
  3. Incorporate Biometrics at the OS and Application Levels
  4. Block known Malicious Apps
  5. Encrypt Mobile Devices
  6. Prevent Public WiFi Use
  7. Budget for Mobile Security (it shouldn’t be an afterthought)

So, does Click Studios now Provide Mobile Security?

Well….no.  The point of this blog is to point out that Cyber Criminals are increasingly targeting selected users’ mobile devices.  The security on these devices tends to be less stringent than on business managed desktops and the majority of users still don’t associate the use of mobile devices with an increased risk of targeted attacks.

With the release of Passwordstate V9 we are providing native iOS and Android Apps that allow access to your Passwordstate credentials.  While these apps are secure, and have been application penetration tested, only you know the state of your mobile device cyber hygiene.  We highly recommend following Cybersecurity Practices to maintain good cyber hygiene and the use of a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solution for protection and management of your mobility devices.

And don’t forget, when it comes to generating strong passwords that meet your Password Policies, storing them securely and sharing them amongst your team, you can rely on Passwordstate,   the web-based solution for Enterprise Password Management used by more than 29,000 Customers and 370,000 Security & IT Professionals globally.

As always, we welcome your feedback via support@clickstudios.com.au.

Cyber Criminals Tools & Techniques

Building on last week’s blog Cyber Criminals Exploit the Human Factor, this week we’ll explore a little more detail around the tools and techniques used by Cyber Criminals to convince selected and targeted individuals to take action.

To be effective in obtaining credentials and/or sensitive information through phishing attacks Cyber Criminals rely on an arsenal of tools and techniques. These are focused on building rapport with selected individuals, creating situations that appear to be authentic, and help to establish credibility and typically a sense of urgency.

Social Engineering

Social engineering principles form the core of the majority of attacks. These range from simple lures designed to appeal to our curiosity, for example a fake invoice sent to the Accounts Payable Department, or a Job Description for an attractive role/vacancy to an IT Department Systems Administrator. 

More sophisticated approaches can include union action over a fabricated unresolved Health and Safety incident or media exposure of non-conformance to government procurement guidelines.  Themes can vary based on Cyber Criminal groups, industry type and selected individuals.  Typical themes spanning most industry types include Love, Money, Food and Real Estate.

The Carbanak Campaign

A well-known example is the Carbanak campaign, which predominantly targeted financial institutions for monetary theft.  A Windows-based malware payload was delivered via phishing emails and has been reported to have netted over $900 Million USD from banks and selected individuals.  The emails used authentic-looking lures with professional documentation as attachments that distributed multiple strains of malware.  The author claimed to have been double-charged and demanded an urgent resolution.  The message used stolen vendor branding and claimed to be protected by that vendor’s technology, and the instructions provided for decrypting the document were actually the steps required to enable macros and so install the malware.

Real Estate Lures

Real estate transactions typically involve multiple parties, a degree of urgency, and the opening and exchanging of both personal information and digital signatures.  This is why they represent a frequent target for Cyber Criminals using phishing and malware attacks. DocuSign, a trusted source for electronic signatures, is routinely abused using Brand Impersonation along with Real Estate and Bank Portals that look legitimate. The processes of buying a home and/or applying for a rental property create readily exploitable opportunities, especially when the selected individuals are not familiar with the many steps involved.

Fake Jobs

An increasingly effective tactic, especially as economies rebuild post COVID-19, is the fake job ad.  These typically use multiple points of contact to establish a relationship with the selected individual.  Popular career platforms such as LinkedIn are used to send invitations from a legitimate-looking account to the selected individual.  These are followed up with personalised emails that carry no malicious content.  At some stage in the ongoing exchange, once a rapport has been built, the Cyber Criminals send the malware-bearing email.  Selected individuals, typically with access to corporate accounts or sensitive information, are targeted with the ultimate aim of initiating fraudulent money transfers or extracting sensitive personal and/or business information.  In most cases the Cyber Criminals impersonate a known business leader in a position of authority.

Brand Theft

Believable (but fake) domains and web presences tangibly support social engineering efforts.  Fraudulent websites using stolen branding, and registered domains resembling real brands, are all part of the Cyber Criminals’ arsenal.  Look-alike domains are becoming increasingly sophisticated and are close enough to the original that they are rarely questioned.  Legitimate-sounding variations of known brands give Cyber Criminals the means to run account fraud, angler phishing (impersonating a brand’s customer-support account on social media), impostor email attacks and more.

Legitimate Platform Abuse

Cyber Criminals are increasingly taking advantage of file-sharing and collaboration tools as businesses move to Software as a Service platforms.  Because these platforms are familiar and usually whitelisted, they make convenient channels for distributing malware and phishing templates.  Frequently abused platforms include;

  • Google Drive and Microsoft Office 365
  • Box and Dropbox
  • MailChimp and SendGrid
  • Payment services allowing outbound mailing of invoices
  • Social Media Platforms

These services readily exploit the human factor: we work from a position of trust, opening links received via email without considering the potential for malware or reconnaissance leading to credential theft.  Targeted infiltration of a SaaS platform enables secondary attacks that are hard for users to detect.  It allows for internal phishing and can result in credential dumps that are then used for credential stuffing or brute-force attacks.

Imposter Attacks

Impostor attacks use a range of techniques to convince targeted individuals they are communicating with a trusted entity.  These include display-name spoofing, where the visible sender name matches a known, trusted source while the underlying address does not; domain spoofing, where an attacker forges a company’s own domain in the sender address to impersonate the company or an employee; and look-alike domains.  Display-name spoofing and look-alike domains can be spotted by inspecting the actual sender address; exact domain spoofing cannot, which is what SPF, DKIM and DMARC are for, so a DMARC policy of reject on your own domains and checking the Authentication-Results header on inbound mail are the practical controls.  The basis of these attacks is Identity Deception, as opposed to more common attacks simply using throwaway attacker-owned addresses and domains, and they are proving highly effective.
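As an added example (not from the Click Studios post or any vendor product), this Python routine applies the three impostor patterns above, together with the look-alike domain checks from the Brand Theft section, to a From header.  The trusted domain and display-name lists are constructed for the example, and the DMARC result is passed in as a parameter because that is the only way to detect exact domain spoofing; in practice you would take it from the Authentication-Results header your mail gateway stamps on inbound messages.

```python
from email.utils import parseaddr

# Constructed allow-list for the example: the organisation's own domain and
# the display names attackers like to borrow.  Not real configuration.
TRUSTED_DOMAINS = {"clickstudios.com.au"}
TRUSTED_NAMES = {"click studios support", "click studios accounts"}

# Digits that commonly stand in for letters in look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def skeleton(label: str) -> str:
    """Fold a domain so that visually similar spellings compare equal
    (clickstudi0s -> clickstudios, rn -> m, vv -> w)."""
    s = label.lower().translate(_HOMOGLYPHS)
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values against a trusted domain suggest a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, dmarc_pass=None,
                    trusted_domains=TRUSTED_DOMAINS, trusted_names=TRUSTED_NAMES):
    """Return the parsed sender plus a list of findings.  dmarc_pass is the
    gateway's DMARC verdict for the message (True/False) or None if unknown."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []

    own_domain = domain in trusted_domains or any(
        domain.endswith("." + t) for t in trusted_domains)
    if own_domain:
        # The address alone cannot reveal exact domain spoofing; only the
        # SPF/DKIM/DMARC result can, so report on that instead.
        if dmarc_pass is False:
            findings.append("domain-spoof")
        elif dmarc_pass is None:
            findings.append("own-domain-unverified")
        return {"name": name, "address": addr, "domain": domain, "findings": findings}

    # Display-name spoofing: a trusted name, or a trusted address embedded in
    # the display name ("ceo@clickstudios.com.au" <x@gmail.com>), on a
    # foreign address.
    lowered = name.strip().lower()
    if lowered in trusted_names or lowered.rpartition("@")[2].strip() in trusted_domains:
        findings.append("display-name-spoof")

    # Look-alike domains, from the most to the least convincing.
    for t in sorted(trusted_domains):
        brand = t.split(".")[0]
        if skeleton(domain) == skeleton(t):
            findings.append(f"lookalike-homoglyph:{t}")
        elif levenshtein(domain, t) <= 2:
            findings.append(f"lookalike-typo:{t}")
        elif brand in skeleton(domain):
            findings.append(f"lookalike-brand:{t}")

    return {"name": name, "address": addr, "domain": domain, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers illustrating each pattern.
    samples = [
        "Click Studios Support <support@clickstudios.com.au>",
        "Click Studios Support <support@clickstudi0s.com.au>",
        "Accounts <invoices@clickstudio.com.au>",
        "Billing <billing@clickstudios-billing.com>",
        '"ceo@clickstudios.com.au" <freemail123@gmail.com>',
        "Alice <alice@partner.example.org>",
    ]
    for hdr in samples:
        print(f"{hdr:55} -> {classify_sender(hdr)['findings'] or 'clean'}")
```

Edit distance and homoglyph folding are deliberately simple here; production tooling also normalises Unicode confusables and punycode labels.  The structure is the part that matters: trust the address rather than the display name, and verify mail claiming your own domain cryptographically rather than by eye.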

How can Click Studios Help?

Another element of the human factor is the reuse of passwords.  Recent research suggests that greater than 40% of businesses have at least one compromised account and 6% of businesses have at least one VIP account that is compromised.  This makes internal phishing and Business Email Compromise easy for Cyber Criminals.

Click Studios Passwordstate, an on-premise web based solution for Enterprise Password Management, facilitates unique combinations of account and passwords for all systems.  Passwords can automatically be reset on a scheduled basis, only be accessed by authorised users via Role Based Access Control, and full end-to-end auditing keeps track of who has accessed the credentials and when.

As always, we welcome your feedback via support@clickstudios.com.au.

Cyber Criminals Exploit the Human Factor

Cyber criminals use social engineering approaches to install malware, steal information, perform fake transactions and even shutdown businesses. Greater than 97% of reported attacks target “the human factor” as opposed to making use of known system vulnerabilities.

Social engineering approaches used by Cyber Criminals focus on people: their role in the business, the data they have access to, and the likelihood they can be enticed to perform an action.  The human factor, our curiosity, the biases that shape our decisions, our emotional state, the way we weigh risk against reward, and the level of boredom in our roles, all contribute to people being the most effective attack vector for infiltrating businesses to facilitate fraud, theft and potentially worse.

Over the last 3 years there has been a marked shift towards information-stealing malware, with attacks on “the human factor” becoming ever more effective at preying on people. From impostor messages, where an email appears to come from a person the target knows, to malware that silently profiles individuals and steals data and credentials for future attacks, Cyber Criminals have their eyes firmly set on your business’s most valuable assets and the monetary value they hold.  This ultimately fuels their revenue streams and funds future attacks.

Who is the Focus?

The Social Engineering approach, focused on “the human factor”, is all about exploiting select individuals and identities in targeted industries, not infrastructure and systems.  Conversely, most businesses focus their IT Security budgets on infrastructure and systems.

The largest attack vector is still email, with 93% of all breaches targeting select individuals via approaches ranging from spam to impostor attacks.  These select individuals are targeted in order to obtain credentials to,

  • Feed further attacks against the targeted business,
  • Improve the effectiveness of the Social Engineering techniques with which they can obtain credentials and information,
  • Commit fraud

The people representing the greatest source of risk in business are,

  • Very Attacked Persons or VAPs.  These are easily discovered identities and shared accounts.  More than 35% of identified VAPs’ details are found online via corporate Websites, social media platforms, newsletters and annual reports
  • VIPs and C-Level executives.  Again, these are readily discovered via social media platforms and more than 20% of their email addresses can be discovered via simple Google Searches
  • VAPs, VIPs and shared accounts in Education, Finance and Banking, Automotive & Manufacturing, IT, Media & Advertising (including Marketing) and Retail are frequently the most targeted

What are the Attacks?

As shown in the diagram, email is still the biggest initial attack vector for businesses.  In 2018-19 generic email harvesting accounted for almost 25% of all phishing schemes.  These were in the main focused toward credential harvesting.  Over 99% of emails distributing malware require human intervention to be effective; this includes following links, opening attached documents, enabling macros, accepting security warnings and saving and unzipping executables.

Malware-free Impostor Message attacks, including Business Email Compromise (BEC), are on the rise.  Impostor Messages and BEC are used by Cyber Criminals to build rapport with attacked individuals, obtain multiple points of contact and create a sense of urgency around the activities they require the targeted individuals to perform.  These activities include approving payments for fake invoices, or releasing business data.

Phishing lures typically simulate well-known brands such as Banks, Retailers and Webmail, offering login portals that seek to capture specific service credentials or simply obtain email logins that are used in future credential stuffing attacks.

Domain fraud continues to increase, with attackers using techniques from look-alike domains to legitimate certificates to make malicious Websites appear trustworthy.

How are Select Individuals Identified?

Cyber Criminals are increasingly focused on attacking select individuals in a business instead of every user and reviewing which attacks are successful. These select individuals are either targets of opportunity or identified users with sufficient access and privilege.  These people make up the group of VAPs in a business.

VIPs, C-level Executives and Members of the Board are often not VAPs.  VAPs are typically more easily identified online, presenting a simpler and more direct means for Cyber Criminals to discover their role and contact details, then target them with multiple attacks. On average, across all industries, more than 35% of VAPs’ details can be found online.  The following graph shows the average % of VAPs identified by Web based source,

as opposed to the common source of VIP identities,

However, one area of significant risk for businesses is VIPs who are also VAPs.  In these cases, on average across all industries, greater than 20% of their email identities could be discovered online via a Google search.

How can Click Studios Help?

Click Studios specialises in the development of Passwordstate, an on-premise web based solution for Enterprise Password Management, allowing teams of people to access and share sensitive password resources.  Our solution uses role based access control, with end-to-end event auditing, to provide a secure platform for password storage, management and collaboration. 

For more information on how we can help please contact sales@clickstudios.com.au and as always, we welcome your feedback via support@clickstudios.com.au.

Passwordstate V9 Changes for Authorized Web Servers

With the soon to be released Passwordstate V9 Beta we’ve overhauled the Authorized Web Servers functionality.  The Authorized Web Servers feature is used to mitigate the theft of your Passwordstate Database and the credentials it contains.  This is done by explicitly tethering the Database to specific NetBIOS Server Names, preventing your Database from being hosted in an untrusted environment.

Enabling this is straightforward: navigate to Administration->Authorized Web Servers and add the NetBIOS names of all servers you want to explicitly authorize to host the Passwordstate Website.  The screenshot below is from the current version 8 of Passwordstate,

New Authorized Web Servers

With Passwordstate V9 we’ve consolidated the location for all Passwordstate Servers and provided greater functionality.  The new Authorized Web Servers screen allows you to specify the NetBIOS names for your Passwordstate Servers, including High Availability members as well as your App Server.  It provides,

  • A status indicator for each server showing the Polling Health and the last time polled
  • The build number of each server
  • The assigned Server role, either Primary or App
  • The High Availability mode status
  • The installation path for each server

The new screen can be seen below,

Note that the Polling is performed in line with all hosts and is performed by the Windows Service.  The Last Poll Time is the time of the last Poll that occurred.  Each Server’s Build No and Install Path is also automatically retrieved on a successful Poll.

When you Add New Authorized Web Server you now have to provide not only the Host Name but also the Server Role (Primary Server, High Availability Server or App Server) and, when you have selected the Server Role as High Availability Server, the type of High Availability Node (Active or Passive),

Note the functionality above replaces the PassiveNode functionality previously located in the Web.config file.

What is the App Server Mentioned Above?

Passwordstate V9 introduces a new Server Role, that of the App Server.  But what does it do, you ask? Well, that’s for next week’s blog 😊

Remember, all feedback is welcome via support@clickstudios.com.au

Auditing and Graphs

Passwordstate provides comprehensive reporting to ensure you can meet the governance requirements within your organization.  All reporting makes use of the built-in audit events.  There are more than 110 audit events in Passwordstate, providing a rich source of information that spans multiple categories, including,

  • Access to Passwordstate
  • Access to Passwords
  • All Passwords Exported
  • Auditing Data Archived
  • Discovery Jobs
  • Documents
  • Emails
  • Email Templates
  • Emergency Access
  • Encryption Keys
  • Failed API
  • Hosts
  • Logins
  • Passwords
  • Password Lists
  • Password Resets
  • Password Validation
  • Privileged Accounts
  • Remote Sessions
  • Reporting
  • Restricted Features
  • Security Administrators
  • Security Groups
  • Self Destruct
  • Templates
  • User Accounts
  • User Identity

When reporting on audit events, you can specify all sources or be selective.  For example, you could report on only audit events relating to your Windows Service or your High Availability node.  These events can then be exported to Microsoft Excel for further analysis, or summarized using the built-in Auditing Graphs.

…But before we get into the details for Auditing and Graphs

If you are trying to diagnose issues around a specific Password or Account you can quickly check the Recent Activity grid for the Password List that contains that account.  This will provide useful information relating to the account and why activities such as Password Resets may not have occurred.  The example below is for the helpdesk account which has been temporarily locked out;

Selecting Data using Auditing Filters

To begin with, navigate to Administration->Auditing and decide on the events you want to review.  By default, the display grid will show all audit events that have occurred.  The Auditing Filters, shown in the image below, help you to selectively focus on the specific types of events you are interested in reviewing;

The Platform options shown in the green rectangle are;

  • All, as the name implies this includes audit events for all the platform categories
  • Web, this platform category includes all audit events related to your Passwordstate Website
  • Mobile, this category includes all audit events related to either your Mobile Client installation in Passwordstate up to and including Version 8, or related to the new native Mobile Apps included in Passwordstate V9.  Please note that as of the release of Passwordstate V9 the original Mobile Client is deprecated and no longer included with the Installer Files.
  • API, the API category includes those audit events associated with API Calls
  • Windows Service, includes all audit events associated with AD synchronization, Password Resets, Host and Account Discovery jobs, sending emails and querying event logs
  • Browser Extension, covers Browser Extension authentication with Passwordstate, saving, retrieving and updating of passwords and the use of the password generator
  • Instance, you can also select your Instance to focus on, either your Primary or HA instance or Both

Lastly, you can elect to include Archived Data by selecting either the No or Yes radio buttons.  By selecting No you will be querying the live audit events; if you select Yes it will query the Archived Data.  Now you can filter down on a number of items as per the image below;

The fields in the Green rectangle above cover;

  • Max Records, allows you to specify the maximum number of records you wish to return as part of the search.  If you wish to return all records you can enter 0 in this field
  • Password List, allows you to focus on a specific Password List in the drop down list, or search for events across all Password Lists
  • Activity Type, allows you to focus on specific audit events, or report against All Activities
  • Site Location Activity, allows you to focus on events for a specific Remote Site Location.  This only applies if you have deployed and have an active subscription for Remote Site Locations.  The default for all installations is internal.  For Remote Site Locations enter the number that corresponds with the Remote Site Location you wish to report against.
  • Begin and End Date, narrows the focus to the selected date range.  Simply use the calendar date pickers for the start and end dates you wish to focus on.  A blank begin date will report all events that match the selected criteria up until the specified end date.  By default, the End Date is always the current day’s date

Then simply click on Search to narrow the focus down to those specific events.  Don’t forget that you can also filter down using the standard filter boxes under the column headings in the display grid (shown in the gold rectangle).

Export and Purging Audit Records

You may want to take a copy of the selected records, so that they can be included in a report or you may want to periodically Purge specific Audit Records.  The options for these are situated at the bottom of the display grid as per the image below,

The Export to Excel will produce an Excel file called AuditingReport.xls containing the contents as per the executed filter. 

If you select Purge Audit Records you will be taken to the Purge Auditing Data screen which explains the process necessary to perform the purge.  Please note there is no automated purge within Passwordstate.  You will need a Database Administrator, or someone responsible for support and maintenance on your SQL database, to perform the activities required.  The Purge Auditing Data screen is shown below,

Graphs based on Auditing Data

Auditing Graphs provide a great summary view of your audited events.  As with the Auditing section, you can define filters for the Graphs that are very similar to those on the Auditing screen.

In the example below I’ve run a simple view based on Audit Activity of Login Attempt Failed for 1 year.

The key difference to note is that the duration timeframe is retrospective from the day the graph is based.  In the example above it looks back 1 year from the current date.
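The filter combinations from the Auditing screen above (Platform, Instance, Activity Type, Password List, Max Records, Begin/End Date) and the retrospective window behind the Login Attempt Failed graph can be modelled on exported data. The following is an added example written for this post, not Click Studios code and not the Passwordstate export format; the AuditEvent fields, the wildcard values (All, Both, All Activities) and the sample events are all assumptions constructed for illustration.

```python
"""Filter and summarize Passwordstate-style audit events (added example).

Not Click Studios code. Models the Auditing filters and the retrospective
Auditing Graph window on constructed sample data; field names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Union


@dataclass(frozen=True)
class AuditEvent:
    """One audit record. Field names are assumptions for this example."""
    timestamp: datetime
    platform: str            # Web, Mobile, API, Windows Service, Browser Extension
    instance: str            # Primary or HA
    activity: str            # e.g. "Login Attempt Failed", "Password Reset"
    password_list: Optional[str]
    detail: str


def _ev(ts, platform, instance, activity, password_list=None, detail=""):
    return AuditEvent(datetime.fromisoformat(ts), platform, instance,
                      activity, password_list, detail)


def _as_date(value: Union[date, str, None]) -> Optional[date]:
    """Accept a date or an ISO 'YYYY-MM-DD' string (None stays None)."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    _ev("2020-02-15T10:00", "Web", "Primary", "Login Attempt Failed", None, "user=alice"),
    _ev("2020-03-01T09:00", "Web", "Primary", "Login Attempt Failed", None, "user=bob"),
    _ev("2020-06-10T14:30", "Web", "HA", "Login Attempt Failed", None, "user=alice"),
    _ev("2020-06-11T02:00", "Windows Service", "Primary", "Password Reset", "Servers", "svc_sql"),
    _ev("2020-11-20T08:15", "Web", "Primary", "Login Attempt Failed", None, "user=carol"),
    _ev("2021-01-05T11:45", "Mobile", "Primary", "Login Attempt Failed", None, "user=bob"),
    _ev("2021-02-28T03:00", "Windows Service", "Primary", "Password Reset", "Servers", "svc_web"),
    _ev("2021-03-01T07:20", "Web", "Primary", "Login Attempt Failed", None, "user=alice"),
    _ev("2021-03-02T07:25", "Web", "Primary", "Login Attempt Failed", None, "user=alice"),
]


def filter_events(events, *, platform="All", instance="Both",
                  activity="All Activities", password_list=None,
                  begin=None, end=None, max_records=0):
    """Apply Auditing-screen style filters.

    platform/instance/activity use the screen's All / Both / All Activities
    wildcards; a blank (None) begin date means no lower bound, a blank end
    date means today; max_records=0 returns every match.
    """
    begin, end = _as_date(begin), _as_date(end)
    if end is None:
        end = date.today()
    out = []
    for e in events:
        day = e.timestamp.date()
        if platform != "All" and e.platform != platform:
            continue
        if instance != "Both" and e.instance != instance:
            continue
        if activity != "All Activities" and e.activity != activity:
            continue
        if password_list is not None and e.password_list != password_list:
            continue
        if begin is not None and day < begin:
            continue
        if day > end:
            continue
        out.append(e)
        if max_records and len(out) >= max_records:
            break
    return out


def retrospective_window(as_of, days):
    """Graph window: look back `days` from `as_of`, inclusive at both ends."""
    as_of = _as_date(as_of)
    return as_of - timedelta(days=days), as_of


def monthly_counts(events, activity, as_of, days=365):
    """Counts per YYYY-MM for one activity over the retrospective window,
    i.e. the data behind a 'Login Attempt Failed for 1 year' graph."""
    begin, end = retrospective_window(as_of, days)
    selected = filter_events(events, activity=activity, begin=begin, end=end)
    return dict(Counter(e.timestamp.strftime("%Y-%m") for e in selected))


if __name__ == "__main__":
    # Text-mode version of the graph, looking back one year from 2021-03-01.
    counts = monthly_counts(SAMPLE_EVENTS, "Login Attempt Failed", "2021-03-01")
    for month, n in sorted(counts.items()):
        print(f"{month}  {'#' * n}  ({n})")
```

Note how the window is anchored at the as_of date and counts backwards, which is the behaviour described for the graphs: the 2020-02-15 failed login in the sample data falls outside a one-year window ending 2021-03-01 and is not counted, while the one on 2020-03-01 is.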

The Auditing and Graphing capabilities are extremely useful and enable comprehensive reporting against your governance requirements.  If you have any comments or feedback we’d love to hear it via support@clickstudios.com.au.

Ignored URLs and Browser Extensions

There is no doubt that Browser Extensions make your browser-based life easier.  The ability to securely manage website logins, while reducing your attack surface through unique login credentials, should not be understated.  The statistics speak for themselves,

  • A 2018 Global Password Security Report revealed 50% of users reuse the same passwords for personal and work accounts
  • A 2019 online survey by Google identified 65% of people use the same password for multiple or all accounts
  • In the first six months of 2019, data breaches exposed 4.1 billion records
  • A 2018 Data Breach Incident Report confirmed compromised passwords are responsible for 81% of hacking-related breaches
  • Globally businesses are losing $4M on average each year due to credential stuffing attacks using leaked and exposed passwords and credentials

The reuse of usernames and passwords from a compromised site leads to a significantly increased attack surface for your business.  So how do Browser Extensions help to reduce this risk, and why do I have issues with some websites?

Encourage and Support the Desired Behaviour

To begin with you need to provide the tools along with the education to your users.  There is significant value in encouraging and allowing staff to use Personal Password Lists.  This is reflected as one of Click Studios Best Practices for Passwordstate and more information can be found here.

Enabling Personal Password Lists needs to be performed alongside a robust training and education program for staff.  This training should help them understand the real world impact associated with credential theft and hacking-related breaches.  They’ll need to understand why they should have unique credentials, how they generate and store unique credentials and what to be aware of so they can identify when something doesn’t look right.  Don’t forget, to get buy-in you need to show your users what’s in it for them.

Create Strong Passwords Using the Passwordstate Password Generator

One of the features of the Passwordstate Browser Extension is the ability to use the defined Password Generator.  This can be set globally via Administration->System Settings->password options, using the setting “With the Password Generator on the menu Tools -> Password Generator, select the following Password Generator Policy as the default:”, and you can prevent users from selecting a different policy by selecting the Yes radio button,

This will make the default Password Generator for Browser Extensions reflect what was set under System Settings as detailed above.  Note, the user can still choose another Generator if they want.  This is why the education part is so important: Click Studios provides users the choice, however the business should reinforce the security standards they have put in place and the benefits those standards provide.

Understanding the Add Site to Passwordstate Dialog

When navigating to a website, one that you don’t have any saved credentials for, on logging in you will be prompted to Add Site to Passwordstate?  The dialog provides you with 3 options, Close, Ignore and Save (note I’ve removed the username for the image below), 

Save is straightforward and will create the password record in the chosen Password List.  Clicking Close will simply close down the Add Site to Passwordstate dialog box.  The tricky option is Ignore.  When you click on Ignore you are not only dismissing the Add Site to Passwordstate dialog box, you are also adding an Ignored URL for that website login screen.  The end result is that you will now never be prompted to save your credentials for that website URL again – until you delete the Ignored URL record. 

To delete an ignored URL, log in to Passwordstate and navigate to Preferences->Preferences->browser extension->Ignored URLs, select the URL to delete, click on the Actions icon and click Delete,

It’s worth noting that clicking on Ignore isn’t the only way to prevent the dialog for Add Site to Passwordstate from appearing.  Ignored URLs can be manually entered by Security Administrators under Administration->Browser Extension Settings->ignored urls.  These ignored URLs are global in effect and prevent all Passwordstate Users from saving credentials for those websites via the Browser Extensions.

Report Sites that have Issues

On occasion you will find a website that our Browser Extension has an issue with, specifically in correctly mapping the user name and password fields.  When you come across this, we encourage you to report the issue by clicking on Report Site Issue.  This will open up the Report Site Issue page in another Tab and allow you to record the details of the issue.  We encourage you to supply as much detail as possible so that our Technical Support and Development Teams can investigate and provide a fix.

As always, we welcome your feedback via support@clickstudios.com.au.